Beginner

Machine Authentication not working after workstation unattended overnight - ISE 1.1.1 -

I am running ISE 1.1.1 patch 2 and authenticating Windows XP machines using PEAP authentication with both user and machine authentication.

The issue is that when a machine is powered on the machine authentication processes fine and the user authentication is successful. The issue is that after the machine is left connected and left unattended for many hours I am bounced into a guest VLAN - ISE logs say that they can no longer validate that the machine was authenticated via AD. If the user reboots the computer it is fine again.

Are there timers in AD or the machine that are flushing the RADIUS:WasMachineAuthenticated status? Can anyone tell me if there is a  recommended configuration where the machine authentication is maintained throughout a workday or overnight?

3 Accepted Solutions

Cisco Employee

Machine Authentication not working after workstation unattended

Hello rcianci-

You are experiencing this issue due to your authorization rule "WasMachineAuthenticated." This process (aka MAR - Machine Access Restriction) only occurs when a machine is rebooted or powered on. Once the MAR timer expires the machine will fail authentication until it is rebooted again.

Here are a couple of ways you can try to tackle this issue:

1. I have used MAR in the past and:

     a. Set the timer to 168 hours (1 Week)

     b. Educated users that they must reboot their machines on weekly basis

This worked "OK" but it was always an irritant to end users. It can also cause issues if you are doing this for wireless and wired because the MAC address will change and ISE/ACS will not see the new MAC address as authenticated, thus forcing the user to perform yet another reboot.

2. A better way would be to get rid of MAR altogether. If you want to keep it simple you can just use PEAP machine-based authentication, which will use the machine credentials. This is not always ideal, but if your AD is locked down properly where only certain users can join machines to a domain then you should be good to go. On the other hand, if you still want to use machine+user then you will need to look into something a bit more complex such as EAP-Chaining.

I hope this helps...let me know if you have more questions

Thank you for rating!

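To make the failure mode in the reply above concrete, here is a small added model of a MAR cache (example code written for this page, not ISE's or ACS's own implementation). It assumes, as the reply states, that a machine-authentication entry is recorded per endpoint MAC when the machine authenticates at boot, that it ages out after a configurable timer (168 hours, the value from the reply), and that a later user authentication is authorized to the corporate VLAN only while that entry is live. The scenario timeline, MAC addresses, VLAN names and the `AuthRequest`/`MarCache` names are all constructed for illustration; the last two requests in the scenario show why an unattended machine drops to guest after the timer and why a reboot restores access.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed value: the 1-week MAR aging time mentioned in the reply.
MAR_AGING = timedelta(hours=168)


@dataclass(frozen=True)
class AuthRequest:
    when: datetime
    mac: str        # Calling-Station-Id of the endpoint
    kind: str       # "machine" or "user"
    identity: str   # host$ account or domain user (constructed)


class MarCache:
    """Remembers when each MAC last completed machine authentication."""

    def __init__(self, aging: timedelta) -> None:
        self.aging = aging
        self._seen: Dict[str, datetime] = {}

    def record(self, mac: str, when: datetime) -> None:
        self._seen[mac] = when

    def was_machine_authenticated(self, mac: str, now: datetime) -> bool:
        stamp = self._seen.get(mac)
        if stamp is None:
            return False          # never seen this MAC (e.g. wireless NIC)
        if now - stamp > self.aging:
            self._seen.pop(mac)   # aged out; only a fresh machine auth refreshes it
            return False
        return True


def authorize(cache: MarCache, req: AuthRequest) -> str:
    """Toy policy: machine auth populates the cache, user auth requires a live entry."""
    if req.kind == "machine":
        cache.record(req.mac, req.when)
        return "CORP_VLAN"
    if cache.was_machine_authenticated(req.mac, req.when):
        return "CORP_VLAN"
    return "GUEST_VLAN"


def run(requests: List[AuthRequest], aging: timedelta = MAR_AGING) -> List[Tuple[str, str]]:
    """Replay a list of authentications and return (identity, result) per request."""
    cache = MarCache(aging)
    return [(r.identity, authorize(cache, r)) for r in requests]


# Constructed timeline: boot, logon, an 8-hour workday, a roam to the wireless
# NIC, a session left up past the timer, then a reboot.
T0 = datetime(2013, 1, 7, 8, 0)
WIRED = "00:11:22:33:44:55"
WIFI = "66:77:88:99:aa:bb"

SCENARIO = [
    AuthRequest(T0, WIRED, "machine", "host$"),
    AuthRequest(T0 + timedelta(minutes=1), WIRED, "user", "rcianci"),
    AuthRequest(T0 + timedelta(hours=8), WIRED, "user", "rcianci"),
    AuthRequest(T0 + timedelta(hours=9), WIFI, "user", "rcianci"),     # new MAC, no entry
    AuthRequest(T0 + timedelta(hours=170), WIRED, "user", "rcianci"),  # timer expired
    AuthRequest(T0 + timedelta(hours=171), WIRED, "machine", "host$"), # reboot
    AuthRequest(T0 + timedelta(hours=171, minutes=1), WIRED, "user", "rcianci"),
]

if __name__ == "__main__":
    for identity, result in run(SCENARIO):
        print(f"{identity:10s} -> {result}")
```

Running it shows the two corporate-to-guest transitions the reply describes: the wireless MAC has no cache entry at all, and the wired entry is gone once the request falls past the aging window. Raising the timer only moves the second transition later; it does not fix the first.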

Advocate

Machine Authentication not working after workstation unattended

You may also want to consider the anyconnect 3.1 supplicant since eap-chaining is now supported. This will send the host and user credentials through when it joins the network.

thanks,

Tarik Admani
*Please rate helpful posts*


Cisco Employee

Machine Authentication not working after workstation unattended

Oh yes, forgot to mention that! AnyConnect is a must if you want to do EAP-Chaining. Perhaps microsoft will be nice enough and build this functionality in Windows 8


7 Replies

Beginner

Machine Authentication not working after workstation unattended

Hi Tarek,

Thanks for the input - I found that reference in my research and in my discussions with my local Cisco rep.

Beginner

Machine Authentication not working after workstation unattended

Hi,

Thanks for the input - I arrived at the same conclusion after much research.

In your second point - you mean to say to perform only machine authentication instead of machine and user authentication with AD?

Thanks for the clarification.

Robert Cianci

Cisco Employee

Machine Authentication not working after workstation unattended

Hello Robert-

Yes, that is exactly what I meant. I have deployed ACS in such a manner in the past where only PEAP machine-based authentication is performed. The idea is that you need a domain username/password to log in to the computer to begin with, so in a way you are already doing a user check. Now, I know that a user can potentially use "cached" credentials to log in to the machine and then theoretically gain access to the network that way. However, you can perhaps create a special AD group for "blocked computers" and move machines there that should no longer have access to your network. Also, it is very important that your AD is locked down where only a handful of users can join a computer to the domain, because by default any domain user can join a machine to the domain.

Beginner

Machine Authentication not working after workstation unattended

Thanks for the clarification.