Machine Authentication not working after workstation unattended overnight - ISE 1.1.1 -

rcianci
Level 1

I am running ISE 1.1.1 patch 2 and authenticating Windows XP machines using PEAP authentication with both user and machine authentication.

The issue is that when a machine is powered on the machine authentication processes fine and the user authentication is successful. The issue is that after the machine is left connected and left unattended for many hours I am bounced into a guest VLAN - ISE logs say that they can no longer validate that the machine was authenticated via AD. If the user reboots the computer it is fine again.

Are there timers in AD or the machine that are flushing the RADIUS:WasMachineAuthenticated status? Can anyone tell me if there is a  recommended configuration where the machine authentication is maintained throughout a workday or overnight?

Accepted Solutions

nspasov
Cisco Employee

Hello rcianci-

You are experiencing this issue due to your authorization rule "WasMachineAuthenticated." This process (aka MAR - Machine Access Restriction) only occurs when a machine is rebooted or powered on. Once the MAR timer expires the machine will fail authentication until it is rebooted again.

Here are a couple of ways you can try to tackle this issue:

1. I have used MAR in the past and:

     a. Set the timer to 168 hours (1 Week)

     b. Educated users that they must reboot their machines on weekly basis

This worked "OK" but it was always an irritant to end users. It can also cause issues if you are doing this for wireless and wired because the MAC address will change and ISE/ACS will not see the new MAC address as authenticated, thus forcing the user to perform yet another reboot.

2. A better way would be to get rid of MAR altogether. If you want to keep it simple you can just use PEAP machine based authentication which will use the machine credentials. This is not always ideal but if your AD is locked down properly where only certain users can join machines to a domain then you should be good to go. On the other hand, if you still want to use machine+user then you will need to look into something a bit more complex such as EAP-Chaining.

I hope this helps...let me know if you have more questions

Thank you for rating!

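To make the mechanism nspasov describes concrete, here is an added toy model of a MAR cache. It is not ISE or ACS code and not from anyone in this thread: a successful machine authentication is remembered per MAC address for a configurable aging time, a later user authentication is placed in the corporate VLAN only while that entry is still valid, and a different NIC (wired vs. wireless) has a different MAC and therefore no entry at all. The class and function names, the VLAN labels and the MAC addresses are all constructed for the illustration.

```python
"""Toy model of a RADIUS server's Machine Access Restriction (MAR) cache.

Constructed illustration only: this is not ISE or ACS code. It models the
behaviour described in the thread: the machine authentication at boot is
remembered per MAC address until the MAR aging timer expires, and the
authorization rule that checks RADIUS:WasMachineAuthenticated fails after
that until the machine reboots.
"""
from dataclasses import dataclass, field

HOUR = 3600  # seconds


@dataclass
class MarCache:
    aging_hours: float                                 # MAR aging time (hours)
    _entries: dict = field(default_factory=dict)       # mac -> expiry (seconds)

    def machine_authenticated(self, mac: str, now: float) -> None:
        """Record a successful machine authentication (only happens at boot)."""
        self._entries[mac.lower()] = now + self.aging_hours * HOUR

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        """The check behind the WasMachineAuthenticated authorization condition."""
        key = mac.lower()
        expiry = self._entries.get(key)
        if expiry is None:
            return False                                 # never machine-authenticated
        if now >= expiry:
            del self._entries[key]                       # aged out; only a reboot refreshes it
            return False
        return True


def authorize_user(cache: MarCache, mac: str, now: float, user_creds_ok: bool = True) -> str:
    """Return the VLAN the hypothetical authorization policy assigns to a user login."""
    if not user_creds_ok:
        return "reject"
    if cache.was_machine_authenticated(mac, now):
        return "corporate"
    return "guest"                                       # the fallback the poster observed


def simulate_workday(aging_hours: float, total_hours: int = 16,
                     mac: str = "00:11:22:33:44:55") -> list:
    """Boot at t=0, then re-authenticate the user once an hour (e.g. an 802.1X
    reauthentication timer). Returns a list of (hour, vlan) results."""
    cache = MarCache(aging_hours)
    cache.machine_authenticated(mac, now=0)
    return [(h, authorize_user(cache, mac, now=h * HOUR)) for h in range(1, total_hours + 1)]


def first_guest_hour(results: list):
    """Hour at which the session first drops to the guest VLAN, or None."""
    for hour, vlan in results:
        if vlan == "guest":
            return hour
    return None


def roam_to_wireless(aging_hours: float = 168) -> tuple:
    """Same laptop, machine-authenticated on its wired NIC at boot, then
    connecting over Wi-Fi two hours later with a different MAC (constructed)."""
    cache = MarCache(aging_hours)
    cache.machine_authenticated("00:11:22:33:44:55", now=0)          # wired NIC at boot
    wired = authorize_user(cache, "00:11:22:33:44:55", now=2 * HOUR)
    wireless = authorize_user(cache, "66:77:88:99:aa:bb", now=2 * HOUR)  # Wi-Fi NIC, no entry
    return wired, wireless


if __name__ == "__main__":
    # An 8-hour aging time drops an unattended machine to guest during the day;
    # the 168-hour (one week) value from the thread survives a full shift.
    print("8h aging, first guest hour:", first_guest_hour(simulate_workday(8)))
    print("168h aging, first guest hour:", first_guest_hour(simulate_workday(168)))
    print("wired/wireless roam:", roam_to_wireless())
```

The model shows why lengthening the timer only postpones the failure and why the wired-to-wireless move fails even with a long timer: the cache is keyed on the MAC address, and nothing except a fresh machine authentication at boot creates an entry for the new one.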

You may also want to consider the anyconnect 3.1 supplicant since eap-chaining is now supported. This will send the host and user credentials through when it joins the network.

thanks,

Tarik Admani
*Please rate helpful posts*


Oh yes, forgot to mention that! AnyConnect is a must if you want to do EAP-Chaining. Perhaps Microsoft will be nice enough to build this functionality into Windows 8.


7 Replies


Hi Tarek,

Thanks for the input - I found that reference in my research and in my discussions with my local Cisco rep.

Hi,

Thanks for the input - I arrived at the same conclusion after much research.

In your second point - you mean to say to perform only machine authentication instead of machine and user authentication with AD?

Thanks for the clarification.

Robert Cianci

Hello Robert-

Yes, that is exactly what I meant. I have deployed ACS in such a manner in the past where only PEAP machine based authentication is performed. The idea is that you need a domain username/password to log in to the computer to begin with, so in a way you are already doing a user check. Now, I know that a user can potentially use "cached" credentials to log in to the machine and then theoretically gain access to the network that way. However, you can perhaps create a special AD group for "blocked computers" and move machines there that should no longer have access to your network. Also, it is very important that your AD is locked down where only a handful of users can join a computer to the domain because by default any domain user can join a machine to the domain.

Thanks for the clarification.
