Cisco Support Community
ISE MAR in a Kiosk Environment

Situation:

Windows native supplicant configured for "Machine or User authentication."

ISE configured for MAR with cache timeout of 24 hours.

Questions:

1. Every morning the machine boots and successfully authenticates with 802.1X. The Machine dACL is pushed by ISE to the switch for the Machine session.

2. A few minutes later, UserA logs on successfully with 802.1X. The UserA dACL is pushed by ISE to the NAD for the UserA session. The UserA dACL supersedes the Machine dACL.

3. UserA logs off.

What is happening to the UserA dACL on the switch for that session?

Does the workstation supplicant tell the NAD that UserA has disconnected?

Does the workstation supplicant perform a new Machine authentication so the Machine dACL will now be reapplied to the session, or is the switch still stuck with the UserA dACL for that session?

4. UserB logs on. ISE will push the UserB dACL.

Thanks.

Cath.

1 REPLY

Re: ISE MAR in a Kiosk Environment

Cath,

What version of OS are the kiosks on?

First, answers to your questions -

What is happening to the UserA dACL on the switch for that session? - The user login will trigger a new dACL to be applied to the switch port; the machine dACL is then removed, since this triggers a new AAA session.

Does the workstation supplicant tell the NAD that UserA has disconnected? - When the user logs off, computer authentication then occurs, which will apply the machine ACL to the port, since this triggers a new AAA session.

Does the workstation supplicant perform a new Machine authentication so the Machine dACL will now be reapplied to the session, or is the switch still stuck with the UserA dACL for that session? - When the user logs off the machine ACL should be applied; if the user locks the machine then the UserA ACL is still on the port.

Here is some information that will provide insight into when the machine authentication is triggered; logging off of the client should be one of those scenarios.

http://social.technet.microsoft.com/Forums/windows/en-US/5e1bbaa4-9dad-40da-8e53-a7d67e17c20b/windows-7-wireless-supplicant-user-or-computer-authentication

Here are a few issues when using MAR -

◦ Ethernet/WiFi transitions: Calling-Station-ID (MAC address) is used to link machine and user authentication; MAC address will change when laptop moves from wired to wireless breaking the MAR linkage.

◦ Machine state caching: The state cache of previous machine authentications is neither persistent across ACS/ISE reboots nor replicated amongst ACS/ISE instances.

◦ Hibernation/Standby: 802.1X fails when the endpoint enters sleep/hibernate mode and then moves to a different location, or comes back into the office the following day, where machine auth cache is not present in new RADIUS server or has timed out.

I think the best solution out right now is the AnyConnect NAM with EAP chaining; it performs machine authentication when booting up and logging off, and it performs EAP chaining each and every time a user authenticates. You can also remove the machine-authenticated condition and use the EAP-chaining condition instead.

Thanks,

Tarik Admani
*Please rate helpful posts*
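To make the behaviour described in this thread concrete, the following is an added illustrative model (not ISE, switch or AnyConnect code, and not written by the poster): a MAR cache keyed by Calling-Station-ID with the 24-hour timeout from the question, a switch port that holds one AAA session at a time, and a replay of steps 1 to 4 plus the lock-versus-logoff distinction from the reply. It also exercises the three MAR pitfalls listed above (wired/wireless MAC change, cache not replicated between nodes, cache timed out the next day). The dACL names, node names and MAC addresses are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAR_CACHE_TIMEOUT = timedelta(hours=24)   # cache timeout quoted in the question

# Hypothetical dACL names, used for illustration only.
MACHINE_DACL = "PERMIT_DOMAIN_SERVICES_ONLY"
USER_DACL = "PERMIT_USER_ACCESS"


@dataclass
class IseNode:
    """One ISE policy service node.  The MAR cache is local to the node:
    it is neither persistent across reboots nor replicated, as the reply notes."""
    name: str
    # Calling-Station-ID (endpoint MAC) -> time of last successful machine auth
    mar_cache: Dict[str, datetime] = field(default_factory=dict)

    def machine_auth(self, mac: str, now: datetime) -> str:
        """Machine (host/...) authentication succeeds and seeds the MAR cache."""
        self.mar_cache[mac] = now
        return MACHINE_DACL

    def user_auth(self, mac: str, now: datetime) -> Optional[str]:
        """User authentication is authorised only if the same MAC has a fresh
        machine authentication in this node's cache; otherwise the MAR
        condition fails and no user dACL is returned."""
        seen = self.mar_cache.get(mac)
        if seen is None or now - seen > MAR_CACHE_TIMEOUT:
            return None
        return USER_DACL

    def reboot(self) -> None:
        self.mar_cache.clear()   # state cache is lost with the node


@dataclass
class SwitchPort:
    """Wired NAD port: a new authentication starts a new AAA session, and the
    dACL of that session replaces whatever was on the port before."""
    session: Optional[str] = None
    dacl: Optional[str] = None

    def new_session(self, identity: str, dacl: Optional[str]) -> Optional[str]:
        self.session, self.dacl = identity, dacl
        return self.dacl


def kiosk_day(ise: IseNode, port: SwitchPort, mac: str, t0: datetime) -> List[Tuple[str, Optional[str]]]:
    """Replay the question's steps 1-4 and record the dACL on the port after each."""
    history = []
    # 1. boot: machine auth, machine dACL on the port
    history.append(("boot: machine auth", port.new_session("host/kiosk", ise.machine_auth(mac, t0))))
    # 2. UserA logs on: new AAA session, user dACL supersedes machine dACL
    history.append(("UserA logon", port.new_session("UserA", ise.user_auth(mac, t0 + timedelta(minutes=5)))))
    # locking the screen triggers no new authentication, so the port is unchanged
    history.append(("UserA locks screen", port.dacl))
    # 3. UserA logs off: supplicant re-runs machine auth, machine dACL is back
    history.append(("UserA logoff", port.new_session("host/kiosk", ise.machine_auth(mac, t0 + timedelta(hours=1)))))
    # 4. UserB logs on: fresh cache entry from the logoff re-auth, user dACL again
    history.append(("UserB logon", port.new_session("UserB", ise.user_auth(mac, t0 + timedelta(hours=1, minutes=1)))))
    return history


def mar_failure_modes(t0: datetime) -> Dict[str, bool]:
    """Return True for each pitfall from the reply in which the user auth fails the MAR check."""
    node_a, node_b = IseNode("psn-a"), IseNode("psn-b")
    wired_mac, wifi_mac = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed MACs
    node_a.machine_auth(wired_mac, t0)
    return {
        "same_node_fresh_cache_ok": node_a.user_auth(wired_mac, t0 + timedelta(minutes=1)) == USER_DACL,
        "wired_to_wifi_mac_changes": node_a.user_auth(wifi_mac, t0 + timedelta(minutes=1)) is None,
        "different_psn_no_replication": node_b.user_auth(wired_mac, t0 + timedelta(minutes=1)) is None,
        "next_day_cache_timed_out": node_a.user_auth(wired_mac, t0 + timedelta(hours=25)) is None,
    }


if __name__ == "__main__":
    start = datetime(2024, 1, 1, 8, 0)
    for step, dacl in kiosk_day(IseNode("psn-a"), SwitchPort(), "00:11:22:33:44:55", start):
        print(f"{step:20s} -> dACL on port: {dacl}")
    for case, failed in mar_failure_modes(start).items():
        print(f"{case:32s} {failed}")
```

The model makes the reply's two points visible side by side: a lock leaves the UserA dACL in place because no new authentication happens, while a logoff re-runs machine authentication and restores the machine dACL; and the user-side failures all come from the MAR cache being keyed on the MAC and held only in one node's memory, which is the reason the reply points at EAP chaining instead.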