Cisco ISE 2.1 MAR Feature

Jay233
Level 1

All,

Machine Access Restriction (MAR) Cache Persistency

Cisco ISE stores the MAR cache content, calling-station-ID list, and the corresponding time stamps to a file on its local disk when you manually stop the Cisco ISE application services. Cisco ISE does not store the MAR cache entries of an instance when there is an accidental restart of its application services.

Cisco ISE reads the MAR cache entries from the file on its local disk based on the cache entry time to live when the Cisco ISE application services get restarted. When the application services of a Cisco ISE instance come up after a restart, Cisco ISE compares the current time of that instance with the MAR cache entry time. If the difference between the current time and the MAR entry time is greater than the MAR cache entry time to live, then Cisco ISE does not retrieve that entry from disk. Otherwise, Cisco ISE retrieves that MAR cache entry and updates its MAR cache entry time to live.

Does anyone have any config for this feature and brief explanations of its operation, TTLs, etc.?

Cheers,

Accepted Solutions

Gagandeep Singh
Cisco Employee

There is no such config for this feature.

The Policy Service nodes in a distributed deployment do not share their Machine Access Restriction (MAR) cache with each other. If you have enabled the MAR feature in Cisco ISE and the client machine is authenticated by a Policy Service node that fails, then another Policy Service node in the deployment handles the user authentication. However, the user authentication fails because the second Policy Service node does not have the host authentication information in its MAR cache.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010.html#concept_6D26AEAD132A45DB91C51ED0B8890746

Regards

Gagan

rate if it helps!!!


nspasov
Cisco Employee

Gagan is correct. The MAR cache share/sync between nodes is currently only available for Cisco ACS. On ISE this feature is still not available. The latest MAR enhancement with version 2.1 is the Persistent MAR Cache where the MAR data is stored on the local disk of each ISE server:

Persistent Machine Access Restriction (MAR) Cache
Cisco ISE stores the MAR cache content, calling-station-ID list, and the corresponding time stamps to a file on its local disk when you manually stop the Cisco ISE application services. Cisco ISE does not store the MAR cache entries of an instance when there is an accidental restart of its application services.
Cisco ISE reads the MAR cache entries from the file on its local disk based on the cache entry time to live when the Cisco ISE application services get restarted. When the run-time services of a Cisco ISE instance come up after a restart, Cisco ISE compares the current time of that instance with the MAR cache entry time. If the difference between the current time and the MAR entry time is greater than the MAR cache entry time to live, then Cisco ISE does not retrieve that entry from disk. Otherwise, Cisco ISE retrieves that MAR cache entry and updates its MAR cache entry time to live.

Also, MAR comes with tons of limitations, and as a result I always advise against it. A while back we had a good discussion here. Here is the link to it:

https://supportforums.cisco.com/discussion/12735486/machine-access-restrictions-mar

I hope this helps!

Thank you for rating helpful posts!

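As an added illustration, not code from this thread or from Cisco ISE itself, here is a small Python model of the two behaviours described in the accepted answers: the per-PSN MAR cache that a second Policy Service node does not have after failover (Gagan's point), and the TTL check applied when entries are read back from disk after a manual service stop (the persistent cache that nspasov quotes). The class, function names, on-disk JSON layout and sample MAC addresses are all constructed for the example.

```python
import json
import os
import tempfile

MAC_A = "00-11-22-33-44-55"   # constructed calling-station-ids (endpoint MACs)
MAC_B = "66-77-88-99-AA-BB"

class MarCache:
    """Model of one PSN's MAR cache; nothing in it is shared with other PSNs."""
    def __init__(self, ttl_seconds: int):
        self.ttl_seconds = ttl_seconds
        self.entries = {}   # calling-station-id -> time of its last successful machine auth

    def remaining_ttl(self, csid: str, now: float) -> float:
        entry_time = self.entries.get(csid)
        if entry_time is None:
            return 0.0      # unknown endpoint: no machine auth seen on this PSN
        return max(0.0, self.ttl_seconds - (now - entry_time))

    def persist_on_manual_stop(self, path: str) -> None:
        # Only a manual service stop writes the file; an unplanned restart loses the cache.
        with open(path, "w") as fh:
            json.dump({"ttl": self.ttl_seconds, "entries": self.entries}, fh)

    @classmethod
    def restore_on_restart(cls, path: str, now: float) -> "MarCache":
        with open(path) as fh:
            data = json.load(fh)
        cache = cls(data["ttl"])
        for csid, entry_time in data["entries"].items():
            if now - entry_time > cache.ttl_seconds:
                continue                        # older than the TTL: not retrieved
            cache.entries[csid] = entry_time    # kept; remaining TTL = TTL - elapsed
        return cache

def failover_demo(ttl: int = 3600) -> tuple:
    # Machine auth was recorded on PSN1 only; after failover the user auth lands on PSN2.
    psn1, psn2 = MarCache(ttl), MarCache(ttl)
    psn1.entries[MAC_A] = 1000.0
    return psn1.remaining_ttl(MAC_A, 1060.0) > 0, psn2.remaining_ttl(MAC_A, 1060.0) > 0

def restart_demo(ttl: int = 3600) -> dict:
    # Manual stop at t=4100, restart at t=5000: MAC_A (4000 s old) is dropped, MAC_B kept.
    cache = MarCache(ttl)
    cache.entries.update({MAC_A: 1000.0, MAC_B: 4000.0})
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "mar_cache.json")
        cache.persist_on_manual_stop(path)
        restored = MarCache.restore_on_restart(path, now=5000.0)
    return {csid: restored.remaining_ttl(csid, 5000.0) for csid in (MAC_A, MAC_B)}
```

`failover_demo()` returns `(True, False)`: the same endpoint passes on PSN1 and is denied on PSN2, which is the failure Gagan describes; `restart_demo()` shows the expired entry discarded and the fresh one restored with its remaining lifetime.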

4 Replies


Can we put all ISE nodes in the same node group so the MAR cache can be synced? But the ISE PSNs are over a WAN.

hslai
Cisco Employee

Potentially yes, but it is not recommended, as it may contribute to delays in ISE auth processes.

PS: Please start your own thread and reference an existing one instead of posting to a thread that has been dormant for months and is already answered.