New Member

ISE machine authentication timeout

Hi all,

We have an ISE infrastructure and we have enabled user and machine authentication through EAP-TLS.
Everything is working fine except that every hour the user must log off and log in again because the machine authentication has, I think, expired!
As you can imagine this is unacceptable. I saw that the machine restriction age is only 1 hour and changed it to 8 hours.
My question is: if the machine restarts 7 hours after the first successful authentication, will the timer reset, or will the user be kicked off after an hour and have to log off and on again?
How have you bypassed the timeout of the MAR cache?

My ISE version is 1.2 with 2 patches installed

Thank you

Sent from Cisco Technical Support iPad App

4 REPLIES
Cisco Employee

ISE machine authentication timeout

Hi

Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authenticated users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.

Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the "Time to Live" parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.

When a user authenticates from an end-user client, Cisco ISE searches the cache of Calling-Station-ID values from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:

• If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.

• If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.
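
As an added illustration (not Cisco's code and not from this thread), here is a small Python model of the MAR cache as the reply above describes it: each successful machine authentication stores the Calling-Station-ID with a TTL, and a user authentication is matched against the unexpired entries. The TTL values, event times and MAC address are constructed; the model refreshes an entry only on a successful machine authentication, as described here, and does not model any reset on user login.

```python
from dataclasses import dataclass, field


@dataclass
class MarCache:
    """Model of the ISE MAR cache as described above (illustration, not Cisco code).

    Entries are keyed on the RADIUS Calling-Station-ID (attribute 31) and
    expire ttl_hours after the machine authentication that created them.
    """
    ttl_hours: float
    expires_at: dict = field(default_factory=dict)  # Calling-Station-ID -> expiry (hours)

    def machine_auth_success(self, calling_station_id, now):
        # Every successful machine authentication (re)writes the entry, so a
        # machine that reboots and re-authenticates starts a fresh TTL window.
        self.expires_at[calling_station_id] = now + self.ttl_hours

    def user_auth(self, calling_station_id, now):
        """Return which authorization profile a user authentication would get."""
        # Purge entries whose TTL has elapsed before doing the lookup.
        for cid in [c for c, t in self.expires_at.items() if t <= now]:
            del self.expires_at[cid]
        if calling_station_id in self.expires_at:
            return "user+machine"  # Calling-Station-ID matched a cached machine auth
        return "user-only"         # no match: profile for user auth without machine auth


def run_events(ttl_hours, events, calling_station_id="00-11-22-33-44-55"):
    """Replay (time_in_hours, 'machine' | 'user') events against one cache and
    return (time, outcome) for every user authentication. The MAC is constructed."""
    cache = MarCache(ttl_hours)
    outcomes = []
    for t, kind in sorted(events):
        if kind == "machine":
            cache.machine_auth_success(calling_station_id, t)
        else:
            outcomes.append((t, cache.user_auth(calling_station_id, t)))
    return outcomes


if __name__ == "__main__":
    # The poster's situation: default 1 h TTL, machine auth at boot, user
    # still logged in two hours later -> falls to the user-only profile.
    print(run_events(1.0, [(0.0, "machine"), (0.5, "user"), (2.0, "user")]))
    # 8 h TTL, no reboot: matched at 7 h, user-only at 9 h.
    print(run_events(8.0, [(0.0, "machine"), (7.0, "user"), (9.0, "user")]))
    # 8 h TTL, reboot (new machine auth) at 7 h: entry refreshed, still matched at 9 h.
    print(run_events(8.0, [(0.0, "machine"), (7.0, "machine"), (7.5, "user"), (9.0, "user")]))
```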

Bronze

Re: ISE machine authentication timeout

The timer will be reset with every session when the user logs in to ISE.

Please check the guide below, which may be helpful for you:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_auth_pol.html#wp1053958

New Member

Re: ISE machine authentication timeout

Thank you all for your answers

Aqeel Javed wrote:

The timer will be reset with every session when the user logs in to ISE.

Please check the guide below, which may be helpful for you:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_auth_pol.html#wp1053958

Because I can't find it documented anywhere, can you tell me whether you have tried it yourself or found it somewhere?
