Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1220
Views
5
Helpful
1
Replies

ISE MAR in a Kiosk Environment

cpaquet
Level 1
Level 1

‎07-31-2013 09:19 AM - edited ‎03-10-2019 08:42 PM

Situation:

Windows native supplicant configured for "Machine or User authentication."

ISE configured for MAR with cache timeout of 24 hours.

Questions in Red:

1. Every morning Machine boots and successfully authenticates wiht 802.1X.   Machine dACL pushed by ISE to switch for Machine session.

2. Few minutes later, UserA logs on successfully with 802.1X.   UserA dACL pushed by ISE to NAD for UserA Session.  UserA dACL supercede Machine dACL.

3. UserA logs off.

What is happening to the UserA dACL on the switch for that session?

Does the workstation supplicant tells the NAD that UserA has disconnected?

Does the workstation supplicant performs a new Machine authentication so the Machine dACL will now be reapplied to the session or is the switch still stuck with UserA dACL for that session?


4. UserB logs. ISE will push UserB dACL. 

Thanks.

Cath.

Labels:
0 Helpful
1 Reply 1

Tarik Admani
VIP Alumni
VIP Alumni

‎07-31-2013 10:25 AM

Cath,

What version of OS are the kiosks on?

First answers to your questions -

What is happening to the UserA dACL on the switch for that session? - The user login will trigger a new dacl to be applied to the switch port, the machine dacl is then removed since this triggers a new aaa session.

Does the workstation supplicant tells the NAD that UserA has disconnected? - When the user logs off, computer authentication then occurs which will apply the machine acl to the port, since this triggers a new aaa session.

Does  the workstation supplicant performs a new Machine authentication so the  Machine dACL will now be reapplied to the session or is the switch  still stuck with UserA dACL for that session? - When the user logs off the machine acl should be applied, if the user locks the machine then the userA acl is still on the port.

Here is some information that will provide insight to when the machine authentication is triggered, logging off of the client should be one of those scenarios.

http://social.technet.microsoft.com/Forums/windows/en-US/5e1bbaa4-9dad-40da-8e53-a7d67e17c20b/windows-7-wireless-supplicant-user-or-computer-authentication

Here are few issues when using MAR -

◦ Ethernet/WiFi transitions: Calling-Station-ID (MAC address) is used to link machine and user authentication; MAC address will change when laptop moves from wired to wireless breaking the MAR linkage.

◦ Machine state caching: The state cache of previous machine authentications is neither persistent across ACS/ISE reboots nor replicated amongst ACS/ISE instances.

◦ Hibernation/Standby: 802.1X fails when the endpoint enters sleep/hibernate mode and then moves to a different location, or comes back into the office the following day, where machine auth cache is not present in new RADIUS server or has timed out.

I think the best solution out right now is the anyconnect nam with eap chaining, they perform machine authentication when booting up and logging off, and they perform eap chaining when users authenticatioin each and everytime. You can also remove the machine authenticated condition and use the eap-chaining condition instead.

Thanks,

Tarik Admani
*Please rate helpful posts*

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents