Cisco Secure ACS and Machine Access Restrictions (MAR)

Unanswered Question
Mar 3rd, 2010

Has anyone here ever used the ACS feature Machine Access Restrictions in a wireless environment with PEAP? I am looking for a way to prevent non-corporate owned assets from getting on to our wireless network. Right now, I have PEAP working with the ACS, but users are able to give their password to contractors, allowing them to connect to our network. This is a huge security issue. Any thoughts on going with MAR, or should I stick with Microsoft RADIUS? I have heard that MAR is buggy, but those bugs may have been worked out. Any help, and especially documentation on setting this up, would be a great help.



Erick Delgado Sun, 03/14/2010 - 17:51


Well, machine authentication can be buggy on the supplicant side.

Try machine authentication first, and if everything works well, MAR is a good option.

Also, you can use an access policy so the user can only have a minimum of sessions active at the same time.

I need more detailed information about your environment so I can help you better with your security setup.


mariusz.zawadzki Wed, 04/07/2010 - 04:06

Hello Erick,

I have a problem with MAR too.

Right now, I have PEAP-MS-CHAPv2 working with the ACS and Windows AS (as an Ext. Database in ACS).

I use ACS appliance 4.1.

A few days ago I set up MAR to prevent non-corporate laptops from accessing the WiFi network, and now I see a problem: not every laptop can connect to the WLAN.

The WiFi policy configuration is the same on the clients' desktops (I hope... made by GPO), but some laptops (e.g. HP 8510p, 2530p) have problems connecting.

We use the Windows wireless client.

In the ACS Failed Attempts logs I see:

External DB user access denied (Machine Access Restriction)

I don't know what is wrong, maybe some settings on the Windows system or something else.

Do you have any idea what may be wrong?

Have you had a similar experience?

Thanks for the support.



