ISE MAR cache

Does anybody know what's going to happen if one changes the MAR cache timeout/aging setting found under Identity Management > External Identity Sources > Active Directory > Advanced Settings? Are the current cache entries going to get cleared or are they going to stay? Is there a way to actually see these entries somewhere (per PSN), and can one selectively delete them?
Depending on the answer to these questions, I have to make the aging timeout change during a maintenance window on the customer's infrastructure. Using ISE 1.2, patch 6.
Oh, and another question: Are there any drawbacks (e.g. cache size or security issues, other constraints) that would suggest to not increase the default aging timeout to a value of a full week or even more?
Thanks
Toni

Hi Toni,
Machine Access Restriction for Active Directory User Authorization
Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authentication users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.
Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the “Time to Live” parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.
When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:
• If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
• If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_authz_polprfls.html
HTH
Sandy

Similar Messages

  • ISE MAR cache 2-node deployment

    I understand the Pros and Cons described in this document:
    http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html
    And I'm OK with getting people to reboot their machine while connected wirelessly to trigger host authentications on Windows machines.
    My issue is related to the 2-node ISE deployment (I'm running 1.2):
    It appears that MAR cache is not synchronized between the ISE nodes (Primary and Secondary).
    For example, a user reboots his machine, and host authentication is answered by the Primary ISE, and user authentication subsequently succeeds.
    Subsequent user authentication requests, if they are answered by the Secondary ISE will fail, because Secondary ISE node does not have a corresponding host record in its MAR cache - only Primary ISE does.
    Can someone confirm if this behavior is expected?  If I can't get the Secondary ISE node to mirror MAR host entries, I'm going to have a LOT of failures, and a lot of user problems?  Is there even a workaround for this?

    Yes, it is called EAP-Chaining, and all the shortcomings of MAR are resolved by this.

  • ISE 1.2 - MAR cache with PEAP vs EAP Chaining

    Does EAP chaining with EAP-FAST v2 and NAM 3.1 present the machine certificate for authentication during each connection to wireless?  It's not still tied to the windows log in event as with PEAP?
    I found this article, but would like to see if anyone has experience working with EAP chaining in ISE.
    https://tswireless.wordpress.com/2012/09/22/cisco-ise-machine-authentication-cache/

    Yes, if you set up NAM for EAP-Chaining - Machine and User, and then select EAP-TLS w/cert, NAM will send both when a user logs in. When the machine is booting, only the machine identity will be sent (because we don't know the user's identity before they have attempted to log in).

  • ISE MAR in a Kiosk Environment

    Situation:
    Windows native supplicant configured for "Machine or User authentication."
    ISE configured for MAR with cache timeout of 24 hours.
    Questions in Red:
    1. Every morning Machine boots and successfully authenticates with 802.1X. Machine dACL pushed by ISE to switch for Machine session.
    2. Few minutes later, UserA logs on successfully with 802.1X. UserA dACL pushed by ISE to NAD for UserA Session. UserA dACL supersedes Machine dACL.
    3. UserA logs off.
    What is happening to the UserA dACL on the switch for that session?
    Does the workstation supplicant tell the NAD that UserA has disconnected?
    Does the workstation supplicant perform a new Machine authentication so the Machine dACL will now be reapplied to the session or is the switch still stuck with UserA dACL for that session?
    4. UserB logs. ISE will push UserB dACL. 
    Thanks.
    Cath.

    Cath,
    What version of OS are the kiosks on?
    First answers to your questions -
    What is happening to the UserA dACL on the switch for that session? - The user login will trigger a new dacl to be applied to the switch port, the machine dacl is then removed since this triggers a new aaa session.
    Does the workstation supplicant tells the NAD that UserA has disconnected? - When the user logs off, computer authentication then occurs which will apply the machine acl to the port, since this triggers a new aaa session.
    Does the workstation supplicant perform a new Machine authentication so the Machine dACL will now be reapplied to the session or is the switch still stuck with UserA dACL for that session? - When the user logs off the machine acl should be applied, if the user locks the machine then the userA acl is still on the port.
    Here is some information that will provide insight to when the machine authentication is triggered, logging off of the client should be one of those scenarios.
    http://social.technet.microsoft.com/Forums/windows/en-US/5e1bbaa4-9dad-40da-8e53-a7d67e17c20b/windows-7-wireless-supplicant-user-or-computer-authentication
    Here are few issues when using MAR -
    ◦ Ethernet/WiFi transitions: Calling-Station-ID (MAC address) is used to link machine and user authentication; MAC address will change when laptop moves from wired to wireless breaking the MAR linkage.
    ◦ Machine state caching: The state cache of previous machine authentications is neither persistent across ACS/ISE reboots nor replicated amongst ACS/ISE instances.
    ◦ Hibernation/Standby: 802.1X fails when the endpoint enters sleep/hibernate mode and then moves to a different location, or comes back into the office the following day, where machine auth cache is not present in new RADIUS server or has timed out.
    I think the best solution out right now is the AnyConnect NAM with EAP chaining; they perform machine authentication when booting up and logging off, and they perform EAP chaining when users authenticate each and every time. You can also remove the machine authenticated condition and use the EAP-chaining condition instead.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE Authentication cache in CWA for Guest

    Ciao,
    do you know how I can cache a guest authentication?
    For example, a guest connects to the guest SSID (open) and authenticates using CWA (ISE and WLC). After that, every time the guest logs off and logs in, no authentication is required during the same day.
    Thanks

    You can find "Automatically register guest devices /Allow guests to register devices"  option here -> Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Guest Device Registration Settings.
    using this option -Automatically create an endpoint for the device from which the guest is accessing this portal. The endpoint will be added to the endpoint identity group specified for this portal and is subject to the identity group's purge policy.
    An authorization rule can now be created to allow access to endpoints in that identity group, so that web authentication is no longer required.
    And you have "ActivatedGuest" option in 1.2

  • Cisco ISE Machine Access Restrictions MAR

    I want to test out MAR.  I notice there is a tick box on the ISE for MAR under: Identity Management --> External Identity Sources --> Active Directory --> Advanced Settings --> [tick] Enable Machine Access Restrictions
    but also there is this condition that is to be used in the AuthZ Policy
    Network Access:WasMachineAuthenticated           
    So...
    What does the tick box option do?
    Are they related or refer to different things?
    Are both needed to get a MAR AuthZ to work?
    Any of clarifying or beneficial info?
    thanks

    Hi,
    You are correct, you will have to create an authorization condition that checks if the machine authenticated successfully.
    So...
    What does the tick box option do?
    When you enable MAR globally it lets the ISE know to build a cache  for endpoints that successfully perform machine authentication.
    Are they related or refer to different things?
    They work hand in hand.
    Are both needed to get a MAR AuthZ to work?
    Yes, you will have to create another authorization policy to allow domain computers to connect.
    Any of clarifying or beneficial info?
    When MAR is enabled, you will have to enable machine and user authentication on your laptop. After MAR succeeds, ISE builds an entry in its database mapping the endpoint (MAC address) to a successful machine authentication. After that, when a user authenticates, not only do they have to provide the correct credentials but the MAC address they are authenticating through will have an entry in the "MAR cache". Keep in mind that some supplicants only perform machine authentication when logging on and off, and on boot up. If you want to use MAR I suggest using the AnyConnect NAM client; there is a new feature in ISE 1.1.1 and the latest client that allows you to perform EAP chaining.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Caching credentials for webauth in ISE 1.2?

    We are providing internet access through a Guest portal. The portal is provided by the ISE through webauth and the user is created through the ISE Sponsor Portal.
    When an account is created and the end user logs in to it, I would like for the ISE to cache the credentials for that user for a period of time; at least 1 or more days before it prompts them to log back in again. Right now, if a user disconnects for a short period and then goes to reconnect, it prompts for the username/password again.
    Where (and how) in the ISE do you configure that?
    Thank you.                  

    Thanks for the quick reply Charles. I am reading through the details of it now.
    It looks like DRW basically registers the MAC of a connecting device in an identity store and then allows that device to connect. Does it still match the MAC to a guest user so that we can set time profiles against it and does it expire like the guest accounts do?
    Any ETA on the release of ISE 1.3?

  • ISE machine authentication timeout

    Hi all,
    We have an ISE infrastructure and we have enabled user and machine authentication through EAP-TLS.
    Everything is working fine except that every 1 hour user must log off and login again because machine authentication has, I think, expired!
    As you can imagine this is unacceptable. I saw that the machine restriction age is only 1 hour and changed it to 8 hours.
    My question is if machine restarts at 7 hours past first successful authentication will the timer reset or after an hour will be kicked and have to log off and in again?
    How have you bypassed the timeout of the MAR cache?
    My ISE version is 1.2 with 2 patches installed
    Thank you
    Sent from Cisco Technical Support iPad App

    Hi
    Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authentication users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.
    Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the "Time to Live" parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.
    When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:
    • If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
    • If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.

  • ISE behind load balancer

    I have a question regarding ISE profiling servers that are placed behind a load balancer:
    If you have an ISE environment where both computers and users are being authenticated, and Machine Access Restriction (MAR) is enabled (so users can only authenticate on a previously authenticated machine), are the ISE servers aware of all successful computer authentications handled by the other ISE servers?
    For example:
    There are 2 ISE appliances (ISE01 and ISE02) behind a load balancer.
    A user starts up his computer, and computer authentication is handled by ISE01 (and the authentication is successful). At the moment the user logs in on that computer, the load balancer chooses ISE02 to authenticate the user.
    Will ISE02 be aware that the corresponding computer was already successfully authenticated on ISE01, so that the user is able to log in? Or will it deny the user authentication because it thinks the computer is not (yet) authenticated and Machine Access Restrictions is enabled?
    Kind regards,
    Bert

    >> they are independent servers that just replicate their configuration.
    So a user should authenticate always with the same ISE.
    Moreover a load balancer kills profiling since profiling requires you to span some traffic to an ISE <<
    Not entirely correct. Policy Service nodes are most certainly supported behind a load balancer which is the intention of a node group. This is often the preferred method for high availability and scaling. In addition to supporting load distribution of RADIUS and other requests, members of a node group maintain a heartbeat to determine if a peer member should fail. If so, the Monitoring node is queried to determine if there are any transient sessions which may require clean-up via RADIUS CoA to help ensure that an endpoint is left in a defunct auth state. LB functionality will depend on load balancer used. Cisco ACE for example supports stickiness of RADIUS transactions based on source IP, Calling-Station-ID, or Framed-IP-Address.
    The impact of LB on profiling or other Policy Service node functions depends on the service/probe in question. For services like client provisioning, posture, and central web auth, https redirection always occurs back to the node which terminated the RADIUS session, so LB is transparent provided direct access is permitted to the real IP for redirected https transactions (RADIUS transactions would be sent to virtual IP).
    Specific to profiling, SNMP Queries can be triggered and will be sent by Policy Service node that received the RADIUS Accounting Start packet (assumes RADIUS probe enabled) or SNMP Trap (assumes SNMP Trap probe enabled). SPAN is only one data collection method used primarily for HTTP or DHCP capture. Methods other than SPAN/RSPAN are available to capture this data, but if used, then it is correct that there is no specific mechanism to move SPANs from one interface to another in case of NIC or node failure. I believe intelligent taps are available that can accomplish this, or else traffic can be mirrored to multiple nodes at the cost of duplicating profile data.
    As noted, replication of MAR cache will be added to ACS 5.4, and no, this feature is not altogether trivial due to the number of transactions and updates that must be replicated and kept in sync across each node performing RADIUS services. 
    /CH
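
The behaviour discussed in the threads above (a per-node MAR cache keyed on Calling-Station-ID, aged out by a TTL, not replicated between nodes, and load-balancer stickiness on Calling-Station-ID) as a small Python model. This is an added example, not Cisco code and not from any of the posters; the class names, MAC addresses, 8-hour TTL and hash-based stickiness are assumptions made for illustration.

```python
"""Toy model of per-node MAR caches behind a load balancer (constructed, not ISE code)."""
import hashlib
import re


def normalize_mac(calling_station_id):
    """Canonicalise a Calling-Station-ID (RADIUS attribute 31) to AA-BB-CC-DD-EE-FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


class PolicyNode:
    """One RADIUS node with its own, non-replicated MAR cache."""

    def __init__(self, name, ttl_hours):
        self.name = name
        self.ttl = ttl_hours * 3600
        self.mar_cache = {}          # normalized MAC -> expiry time in seconds

    def machine_auth(self, calling_station_id, now):
        # Assumption of this model: every successful machine authentication
        # (re)writes the entry, so the TTL starts again from `now`.
        self.mar_cache[normalize_mac(calling_station_id)] = now + self.ttl

    def was_machine_authenticated(self, calling_station_id, now):
        mac = normalize_mac(calling_station_id)
        expiry = self.mar_cache.get(mac)
        if expiry is None:
            return False
        if now >= expiry:            # aged out: drop the entry
            del self.mar_cache[mac]
            return False
        return True

    def user_auth(self, calling_station_id, now):
        """Return which authorization result a user login would match."""
        if self.was_machine_authenticated(calling_station_id, now):
            return "user+machine"
        return "user-only"

    def restart(self):
        self.mar_cache.clear()       # the cache is not persistent across restarts


class RoundRobin:
    """Balancer with no persistence: consecutive requests alternate nodes."""

    def __init__(self, nodes):
        self.nodes, self.count = nodes, 0

    def pick(self, calling_station_id):
        node = self.nodes[self.count % len(self.nodes)]
        self.count += 1
        return node


class StickyOnCallingStationId:
    """Balancer that pins each Calling-Station-ID to one node."""

    def __init__(self, nodes):
        self.nodes = nodes

    def pick(self, calling_station_id):
        digest = hashlib.sha256(normalize_mac(calling_station_id).encode()).digest()
        return self.nodes[digest[0] % len(self.nodes)]


# Constructed sample endpoints: one laptop, two adapters, two MAC notations.
WIRED = "00-11-22-AA-BB-01"
WIRELESS = "0011.22aa.bb02"


def run_scenario(balancer_cls, ttl_hours=8):
    nodes = [PolicyNode("psn1", ttl_hours), PolicyNode("psn2", ttl_hours)]
    lb = balancer_cls(nodes)
    lb.pick(WIRED).machine_auth(WIRED, now=0)                  # boot
    return {
        "login": lb.pick(WIRED).user_auth(WIRED, now=300),
        "moved_to_wifi": lb.pick(WIRELESS).user_auth(WIRELESS, now=600),
        "after_ttl": lb.pick(WIRED).user_auth(WIRED, now=ttl_hours * 3600 + 1),
    }


if __name__ == "__main__":
    for balancer in (RoundRobin, StickyOnCallingStationId):
        print(balancer.__name__, run_scenario(balancer))
```

In this model stickiness only fixes the split between nodes; the wired-to-wireless MAC change and the TTL expiry still fall through to the user-only result.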

  • Machine authentication with Windows 7

    Version: ISE 1.2p12
    Hello,
    I'm doing user and machine authentication with ISE.
    I use a first authorization rule to authenticate the machine against the AD. If it's part computers of the domain.
    Then I use an authorization rule to check if the user's group in AD with the credential he used to open the session + "Network Access:WasMachineAuthenticated = True"
    Things seem to be working and I see my switch port is "Authz Success" but shortly after the Windows 7 machine is behaving like 802.1X authentication fails. The little computer on the bottom right has a cross on it.
    If I disable and enable again the network card of that windows machine it works.
    Does any one of you have an idea about this problem ? something to tweak on Windows 7 like timers...
    Thank you

    Hi Mika. My comments below:
    a) You told me that MAR ("Network Access:WasMachineAuthenticated = True") has some drawbacks. When hibernation is used it can cause problems since the MAC address could have been removed from the cache when the user un-hibernate its computer. Then why not increasing the MAR cache to a value of 7 days then ? Regarding the roaming between wire and wireless it's a problem indeed.
    NS: I don't believe that the MAR cache would be affected by a machine hibernating or going to sleep. There are some dot1x related bug fixes that Massimo outlined in his first post that you should look into. But yes, you can increase the MAR timer to a value that fits your environment.
    b) You suggest to use one authorization rule for the device which should be part of the AD and one authorization rule for the user with the extra result "IdentityAccessRestricted = False". By the way, are we really talking about authorization rules here? I will try this but it's difficult for me to imagine how it would really work.
    NS: Perhaps there is some confusion here but let me try to explain this again. The "IdentityAccessRestricted" is a check that can be done against a machine or a user account in AD. It is an optional attribute and you don't have to have it. I use it so I can prevent terminated users from gaining access to the network by simply disabling their AD account. Again, that account can be either for a "user" or for a "machine"
    z) One question I was asking myself for a long time. All of us want to do machine+user authentication but Windows write Machine OR User Authentication. This "OR" is very confusing.
    NS: At the moment, the only way you can accomplish a true machine+user authentication is to use the Cisco AnyConnect supplicant. The process is also known as "EAP-Chaining" and/or "EAP-TEAP." In fact there is an official RFC (RFC 7170 - See link below). Now the question is when and if Microsoft, Apple, Linux, etc will start supporting it:
    https://tools.ietf.org/html/rfc7170
    Thank you for rating helpful posts!

  • ACS 5.4 and machine authentication

    Hi,
    I am installing ACS 5.4 for WiFI user and using EAP-TLS/ certificate based authentication.
    I have an Authorization profile created as shown in the attachment.
    Under the authorization profile I have selected the "Was Machine Authenticated=True" condition.
    Somehow clients are not able to connect. When I looked at the logs on ACS, it shows that the requests are not matching this rule but the default rule.
    As soon as I disable this condition, user gets connected
    I have already selected "Enable Machine Authentication" under AD & "Process host Lookup" in allowed protocol.
    Any suggestions?
    Regards,
    Shivaji

    Shivaji,
    The purpose of the "wasmachineauthenticated" attribute is for user authentication, this is your typical "chicken or the egg" scenario since machine authentication needs to be performed without this attribute for successful authentication.
    When successful machine authentication occurs, there is a MAR cache that ACS uses to track the MAC address of the device. In your case you are forcing ACS to look for a "WasMachineAuthenticated" during the initial machine authentication, which will not succeed.
    In my experience it is best to set this in environments where users can only authenticate through registered workstations (typically machines that are joined to AD), so when a user attempts to use their 802.1x credentials on a smart phone or non-registered asset, they get denied since the device does not have machine credentials to join the network.
    I hope this brings some clarification to Edward's recommendation.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • 2 factor authentication for third party devices

    Can anyone recommend a 2-factor authentication service that will query a OD user database and process authentication for third-party devices, i.e. firewall/VPN via RADIUS?

    Yes it is and you have the following options:
    OTP using external RADIUS server and RSA tokens
    EAP-Chaining using the AnyConnect Agent and Cisco ISE
    MAR (machine access restrictions).  If the machine had not performed authentication the user will not be authorized
    Layer 3 security on the Wireless LAN Controller

  • 2 factor authentication for wifi

    I want to know if it is possible to enable 2 factor authentication to connect to an intranet wifi. When the employee logs into the company domain, wifi is connected. Here, I want the employee to enter second factor auth to connect to wifi.
    I don't have much information on the customer set up as of now but know that they are using Cisco ISA.
    Any help would be greatly appreciated.

    Yes it is and you have the following options:
    OTP using external RADIUS server and RSA tokens
    EAP-Chaining using the AnyConnect Agent and Cisco ISE
    MAR (machine access restrictions).  If the machine had not performed authentication the user will not be authorized
    Layer 3 security on the Wireless LAN Controller

  • ISE offloading syslogs real time to MARS

    I am working on my implementation of ISE and I want to offload real time logs from ISE to MARS.  Is this possible and is there anything special that is needed to perform this?                  

    To collect logs externally, you configure external syslog servers, called targets. Logging targets are locations where the system logs are collected. In Cisco ISE, targets refer to the IP addresses of the servers that collect and store logs. You can generate and store logs locally, or you can FTP them to an external server. Cisco ISE has the following default targets, which are dynamically configured in the loopback addresses of the local system:
    • LogCollector—Default syslog target for the Log Collector.
    • ProfilerRadiusProbe—Default syslog target for the Profiler Radius Probe.
    To create an external logging target, complete the following steps:
    Step 1 From the ISE Administration Interface, choose Administration > System > Logging > Remote Logging Targets.
    The Remote Logging Targets page appears.
    Click Add.
    Step 2 The Log Collector page appears.
    Step 3 Configure the following fields:
    a. Name—Enter the name of the new target.
    b. Target Type—By default it is set to Syslog. The value of this field cannot be changed.
    c. Description— Enter a brief description of the new target.
    d. IP Address—Enter the IP address of the destination machine where you want to store the logs.
    e. Port—Enter the port number of the destination machine.
    f. Facility Code—Choose the syslog facility code to be used for logging. Valid options are Local0 through Local7.
    g. Maximum Length— Enter the maximum length of the remote log target messages. Valid options are from 200 to 1024 bytes.
    Step 4 Click Save.

  • ISE CWA with COA not work on 3750X.

    Hello.
    I use ISE version 1.2.0.899 with patch number 4. I configured Central Web Auth for a wired client. The first time, the client opens a web browser, and ISE redirects him to the guest portal. The user inputs correct credentials, and after that the switch ignores the CoA packet. In the ISE logs: "5417 Dynamic Authorization failed". If I use a domain computer, authentication is successful with dot1x. All on port g1/0/1. I use a 3750X with IOS versions 15.0(2)SE2, 15.0(2)SE4, 15.0(2)SE5, 15.2(1). On all of these IOS versions I have this mistake.
    Config:
    3750X-ISE# sh running-config
    Building configuration...
    Current configuration : 9575 bytes
    !
    ! No configuration change since last restart
    ! NVRAM config last updated at 01:29:01 GMT Wed Mar 30 2011
    !
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname 3750X-ISE
    !
    boot-start-marker
    boot-end-marker
    !
    username admin privilege 15 secret 5 ----
    username radius-test secret 5 -----
    aaa new-model
    !
    aaa group server radius end
    !
    aaa group server radius ise
     server name ise3
     server name ise4
    !
    aaa authentication login default local
    aaa authentication login CON none
    aaa authentication enable default none
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization network ise group radius
    aaa accounting dot1x default start-stop group radius
    !
    aaa server radius dynamic-author
     client 192.168.102.53 server-key P@ssw0rd
     client 192.168.102.54 server-key P@ssw0rd
     client 192.168.102.51 server-key P@ssw0rd
     client 192.168.102.52 server-key P@ssw0rd
     server-key P@ssw0rd
    !
    aaa session-id common
    clock timezone GMT 0 0
    switch 1 provision ws-c3750x-24p
    system mtu routing 1500
    ip routing
    !
    ip dhcp snooping vlan 701-710
    ip dhcp snooping
    ip domain-name com.ru
    ip device tracking
    vtp mode transparent
    !
    device-sensor filter-list dhcp list DHCP-LIST
     option name host-name
     option name default-tcp-ttl
     option name requested-address
     option name parameter-request-list
     option name class-identifier
     option name client-identifier
     option name client-fqdn
    !
    device-sensor filter-list cdp list CDP-LIST
     tlv name device-name
     tlv name address-type
     tlv name version-type
     tlv name platform-type
     tlv name power-type
     tlv name external-port-id-type
    device-sensor filter-spec dhcp include list DHCP-LIST
    device-sensor filter-spec cdp include list CDP-LIST
    device-sensor accounting
    device-sensor notify all-changes
    !
    license boot level ipservices
    !
    dot1x system-auth-control
    !
    spanning-tree mode rapid-pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    vlan 102
    !
    vlan 701
     name ISE-network1
    !
    lldp run
    !
    no macro auto monitor
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     shutdown
    !
    interface GigabitEthernet1/0/1
     switchport access vlan 701
     switchport mode access
     switchport nonegotiate
     authentication event fail action next-method
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     spanning-tree portfast
    !
    interface Vlan102
     ip address 192.168.102.60 255.255.255.0
    !
    interface Vlan701
     ip address 192.168.107.1 255.255.255.240
     ip helper-address 192.168.102.50
     ip helper-address 192.168.102.53
    !
    ip http server
    ip http secure-server
    !
    ip route 0.0.0.0 0.0.0.0 192.168.102.1
    !
    ip access-list extended ACL-WEBAUTH-REDIRECT
     deny   udp any any eq domain
     deny   tcp any host 192.168.102.51
     deny   tcp any host 192.168.102.52
     deny   tcp any host 192.168.102.53
     deny   tcp any host 192.168.102.54
     permit tcp any any eq www
     permit tcp any any eq 443
    !
    snmp-server community test RO
    snmp-server community test2 RW
    snmp-server trap-source Vlan102
    snmp-server source-interface informs Vlan102
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 192.168.102.53 version 2c test2
    !
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 192.168.102.53 auth-port 1812 acct-port 1813
    radius-server host 192.168.102.54 auth-port 1812 acct-port 1813
    radius-server host 192.168.102.54 key P@ssw0rd
    radius-server host 192.168.102.53 pac key P@ssw0rd
    radius-server key P@ssw0rd
    !
    line con 0
     login authentication CON
    line vty 0 4
     exec-timeout 60 0
    line vty 5 15
     exec-timeout 60 0
    !
    ntp master 5
    ntp server 198.123.30.132 prefer
    mac address-table notification change
    mac address-table notification mac-move
    end
    Please, help me.

    Use these Cisco IOS commands to monitor and troubleshoot CoA functionality on the switch:
    • debug radius
    • debug aaa coa
    • debug aaa pod
    • debug aaa subsys
    • debug cmdhd [detail | error | events]
    • show aaa attributes protocol radius
