ISE MAR cache

tgrundbacher
Level 1

Does anybody know what's going to happen if one changes the MAR cache timeout/aging setting found under Identity Management > External Identity Sources > Active Directory > Advanced Settings? Are the current cache entries going to get cleared or are they going to stay? Is there a way to actually see these entries somewhere (per PSN), and can one selectively delete them?

Depending on the answer to these questions, I have to make the aging timeout change during a maintenance window on the customer's infrastructure. Using ISE 1.2, patch 6.

Oh, and another question: Are there any drawbacks (e.g. cache size or security issues, other constraints) that would suggest to not increase the default aging timeout to a value of a full week or even more?

Thanks

Toni

6 Replies

Hi Toni,

Machine Access Restriction for Active Directory User Authorization

Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authentication users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.

Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the “Time to Live” parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.

When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:

  • If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
  • If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_authz_polprfls.html


HTH

Sandy
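The MAR behaviour described in the reply above (cache the Calling-Station-ID on a successful machine authentication, age the entry out after the configured Time to Live in hours, and consult the cache on user authentication to choose between the two authorization outcomes) as a runnable model. This is example code added here, not Cisco's implementation or anything from the ISE documentation. The profile names, the MAC normalization, and the in-memory dictionary are assumptions, and the model deliberately says nothing about what happens to existing entries when the Time to Live is changed, since the thread does not establish that.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

# Hypothetical authorization profile names (not from the thread); they stand
# in for the two outcomes the documentation describes: user authentication
# with, and without, a cached machine authentication for the same
# Calling-Station-ID.
PROFILE_MACHINE_AND_USER = "PermitAccess-MachineAndUser"
PROFILE_USER_ONLY = "PermitAccess-UserOnly"


def normalize_csid(calling_station_id: str) -> str:
    """Canonicalize RADIUS attribute 31 (Calling-Station-ID).

    Assumption for this model only: supplicants and network devices may send
    the MAC with '-', ':' or '.' separators and in mixed case, so strip the
    separators and lower-case the hex digits before using it as a cache key.
    """
    return "".join(ch for ch in calling_station_id if ch.isalnum()).lower()


@dataclass
class MarCache:
    """In-memory model of the MAR cache held by one PSN."""
    ttl_hours: int
    # Calling-Station-ID -> absolute expiry time of the cached machine auth
    _entries: Dict[str, datetime] = field(default_factory=dict)

    def record_machine_auth(self, calling_station_id: str, now: datetime) -> None:
        """A successful machine authentication (re)arms the entry for TTL hours."""
        self._entries[normalize_csid(calling_station_id)] = now + timedelta(hours=self.ttl_hours)

    def purge_expired(self, now: datetime) -> int:
        """Drop entries whose Time to Live has elapsed; return how many were removed."""
        expired = [key for key, expiry in self._entries.items() if expiry <= now]
        for key in expired:
            del self._entries[key]
        return len(expired)

    def lookup(self, calling_station_id: str, now: datetime) -> Optional[datetime]:
        """Return the expiry of a live machine-auth entry for this ID, else None."""
        self.purge_expired(now)
        return self._entries.get(normalize_csid(calling_station_id))

    def snapshot(self, now: datetime) -> Dict[str, float]:
        """Remaining lifetime in hours per live entry (a view this model offers;
        the thread does not say how ISE itself exposes the cache)."""
        self.purge_expired(now)
        return {k: (exp - now).total_seconds() / 3600 for k, exp in self._entries.items()}


def authorize_user(cache: MarCache, calling_station_id: str, now: datetime) -> str:
    """The MAR decision: the profile depends on whether the Calling-Station-ID of
    the user request matches a cached successful machine authentication."""
    if cache.lookup(calling_station_id, now) is not None:
        return PROFILE_MACHINE_AND_USER
    return PROFILE_USER_ONLY


def demo() -> list:
    """Constructed timeline: one laptop, 8-hour TTL, user logins at several points."""
    cache = MarCache(ttl_hours=8)
    t0 = datetime(2014, 6, 2, 7, 30)  # constructed boot/machine-auth time
    cache.record_machine_auth("00-1A-2B-3C-4D-5E", t0)
    timeline = [
        (t0 + timedelta(minutes=5), "00:1a:2b:3c:4d:5e"),            # login right after boot
        (t0 + timedelta(minutes=5), "00:1a:2b:3c:4d:5f"),            # NIC that never machine-authenticated
        (t0 + timedelta(hours=7, minutes=59), "00:1a:2b:3c:4d:5e"),  # still inside the TTL
        (t0 + timedelta(hours=8), "00:1a:2b:3c:4d:5e"),              # TTL elapsed, entry aged out
    ]
    return [(when.isoformat(), csid, authorize_user(cache, csid, when)) for when, csid in timeline]


if __name__ == "__main__":
    for when, csid, profile in demo():
        print(f"{when}  {csid}  ->  {profile}")
```

The point the model makes visible is that the authorization outcome is keyed purely on the Calling-Station-ID and the TTL: once the entry has aged out, the same user on the same machine falls back to the user-only profile until the machine authenticates again, which is why the aging value matters operationally.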

Thanks for your reply, Sandy; unfortunately, it doesn't answer any of my questions.

Hi,

If I understand your request, your question is about the MAR cache timeout during your maintenance window, right? Or are you looking for something else?

MAR cache timeout/aging setting found under 


HTH

Sandy

  • Are the current cache entries going to get cleared or are they going to stay?
  • Is there a way to actually see these entries somewhere (per PSN), and can one selectively delete them?
  • Are there any drawbacks (e.g. cache size or security issues, other constraints) that would suggest to not increase the default aging timeout to a value of a full week or even more?


Hi,

  • Are the current cache entries going to get cleared or are they going to stay? Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the “Time to Live” parameter in the Active Directory Settings page expires.
  • Is there a way to actually see these entries somewhere (per PSN), and can one selectively delete them? Yes, you can see them in the logs:
    • CacheTracker
    • ise-tracking.log


See under Downloading Debug Logs

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_mnt.html

HTH

Sandy

Thanks for your input, Sandy.

  1. The Cisco documentation still doesn't state what happens to the entries in the cache when you MODIFY the MAR aging timeout during operation. I'm well aware what happens if you LEAVE the timer as it is. Up to this point we can only speculate that the entries will stay, but I have to be sure before I go ahead.
  2. It's good to know that there is a log for the cache tracker, thanks.
  3. Reading the last link won't let me think that increasing the MAR cache aging timer will degrade performance, security or functionality in any way, so...I guess I can only find out if that's true if I try it out.