MAR is also not ideal as it comes with tons of limitations :) In addition, it also uses the MAC address of the machine as the username which is sent in plain text :) So I would not recommend MAR.
Why don't you try PEAP machine-based authentication? This will allow only domain-joined (corporate-owned) computers to authenticate. If the computer is not part of the domain, authentication will fail.
I have never been a fan of trying to lock down things via MAC addresses since MAC addresses can be easily spoofed.
If you are already using PEAP and if your machines are part of AD then an easier and more secure solution would be to use "Machine (PEAP)" based authentication. That way ISE will consult with AD and confirm that the authenticating machine is both joined to the domain and enabled.