I want to test out MAR. I notice there is a tick box on the ISE for MAR under: Identity Management --> External Identity Sources --> Active Directory --> Advanced Settings --> [tick] Enable Machine Access Restrictions
but also there is this condition that is to be used in the AuthZ Policy
You are correct; you will have to create an authorization condition that checks whether the machine authenticated successfully.
What does the tick box option do?
When you enable MAR globally it lets the ISE know to build a cache for endpoints that successfully perform machine authentication.
Are they related or refer to different things?
They work hand in hand.
Are both needed to get a MAR AuthZ to work?
Yes, you will have to create another authorization policy to allow domain computers to connect.
Any other clarifying or beneficial info?
When MAR is enabled, you will have to enable machine and user authentication on your laptop. After MAR succeeds, ISE builds an entry in its database mapping the endpoint (MAC address) to a successful machine authentication. Afterwards, when a user authenticates, not only do they have to provide the correct credentials, but the MAC address they are authenticating through will have to have an entry in the "MAR cache". Keep in mind that some supplicants only perform machine authentication when logging on and off, and on boot up. If you want to use MAR I suggest using the AnyConnect NAM client; there is a new feature in ISE 1.1.1 and the latest client that allows you to perform EAP chaining.
We are running ISE 1.4.1 with PEAP (Machine + User) authentication with multi-domain. This works as expected: first domain auth, then user auth. But if we connect a non-domain laptop with the 802.1X service enabled, it still gets access to the network.
Can you guide me on how we can restrict this scenario?
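As an added illustration (not code from this thread or from Cisco), a small Python model of the MAR behaviour the reply describes and of the non-domain laptop case in the follow-up question: the cache maps a MAC address to a successful machine authentication, and the user-auth rule either requires that entry or does not. The aging time, event timings and MAC addresses are constructed sample values, not ISE defaults.

```python
from dataclasses import dataclass, field

# Constructed model of ISE's Machine Access Restriction (MAR) logic as
# described in the thread. Names, timings and sample events are assumptions.
MAR_AGING_HOURS = 6  # assumed lifetime of a machine-auth entry in the cache


@dataclass
class MarCache:
    entries: dict = field(default_factory=dict)  # MAC -> time of last machine auth

    def record_machine_auth(self, mac, now):
        self.entries[mac] = now

    def was_machine_authenticated(self, mac, now):
        t = self.entries.get(mac)
        return t is not None and now - t <= MAR_AGING_HOURS * 3600


def authorize(cache, event, now, require_mar):
    """Authorization result for one 802.1X request.

    event: dict with 'type' ('machine' or 'user'), 'mac' and 'creds_ok'.
    require_mar: whether the user-auth rule carries the MAR condition
    (i.e. the MAC must have a cached successful machine authentication).
    """
    if not event["creds_ok"]:
        return "REJECT"
    if event["type"] == "machine":
        cache.record_machine_auth(event["mac"], now)
        return "PERMIT_DOMAIN_COMPUTER"  # the second rule the reply mentions
    if require_mar and not cache.was_machine_authenticated(event["mac"], now):
        return "LIMITED"  # valid user credentials, but not from a domain machine
    return "PERMIT_USER"


def run(events, require_mar):
    cache = MarCache()
    return [authorize(cache, e, e["t"], require_mar) for e in events]


# Constructed sample: a domain laptop (aa:...) does machine auth then user auth;
# a personal laptop (bb:...) with a valid AD user only does user auth; later the
# domain laptop's cache entry has aged out (no re-auth until next boot/logon).
EVENTS = [
    {"t": 0, "type": "machine", "mac": "aa:aa:aa:aa:aa:aa", "creds_ok": True},
    {"t": 60, "type": "user", "mac": "aa:aa:aa:aa:aa:aa", "creds_ok": True},
    {"t": 120, "type": "user", "mac": "bb:bb:bb:bb:bb:bb", "creds_ok": True},
    {"t": 8 * 3600, "type": "user", "mac": "aa:aa:aa:aa:aa:aa", "creds_ok": True},
]

if __name__ == "__main__":
    print(run(EVENTS, require_mar=False))
    print(run(EVENTS, require_mar=True))
```

Without the MAR condition the personal laptop's user auth is permitted exactly as the follow-up question reports; with it, that request and the aged-out domain laptop both fall to the limited result, which is why the aging time and supplicant re-auth behaviour matter.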