Machine Access Restrictions (MAR)

tonyp8581
Level 1

Hi,

I want to identify corporate devices against BYOD. So, I'm thinking of using the condition "WasMachineAuthenticated". Here is my config:

ISE 1.3 Patch 3

Windows 7 Supplicant with Machine and User Auth.  Using PEAP.

I have policy for Machine Auth and User Auth.

In External Identity Sources, MAR is enabled with 192 hrs Aging Time.

Lately, I have been reading up on this subject, and I have come across several comments about certain caveats.  What are those caveats?

Has anybody successfully implemented this feature? BTW, for me EAP Chaining is not an option.

Thanks !

Tony

5 Replies

nspasov
Cisco Employee

Hi Tony-

Yes, MAR comes with many limitations and gotchas and as a result, I would highly recommend that you avoid it. I have posted about this in previous threads. Take a look at the following links and let me know if you have any other questions:

http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html

https://supportforums.cisco.com/discussion/12209441/cisco-ise-machine-failed-machine-authentication

https://supportforums.cisco.com/discussion/11639846/machine-authentication-not-working-after-workstation-unattented-ovr-night-ise

If EAP-Chaining is not an option then you have some other options:

1. You can use profiling and the help of DHCP class-identifier to distinguish corp machines vs non-corporate

2. You can utilize posture assessment and have the NAC agent look for some hidden file or registry that only corporate machines have (Both the file and registry can be pushed via GPO)

3. You can also make the authentication "Machine Only". This will prevent non-domain joined machines from authenticating

I hope this helps!

Thank you for rating helpful posts!
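To make the MAR "gotchas" referred to above concrete, here is a small model of the MAR cache as an added illustration; it is not ISE code and not from the original post. It assumes what MAR does in general terms: a successful machine authentication is remembered per endpoint MAC (the RADIUS Calling-Station-Id) for the aging time (192 hours in Tony's config), and a later user authentication is only treated as WasMachineAuthenticated if a fresh record exists for that same MAC. The timestamps and MACs are constructed sample values.

```python
from datetime import datetime, timedelta

# Aging time taken from the thread (192 h); everything else below is constructed.
MAR_AGING = timedelta(hours=192)


class MarCache:
    """Toy model of the ISE MAR cache.

    Records the last successful machine authentication per MAC address and
    answers whether a user authentication from that MAC should be considered
    machine-authenticated, i.e. whether the record is within the aging time.
    """

    def __init__(self, aging=MAR_AGING):
        self.aging = aging
        self._last_machine_auth = {}  # mac -> datetime of last machine auth

    def record_machine_auth(self, mac, when):
        self._last_machine_auth[mac.lower()] = when

    def was_machine_authenticated(self, mac, when):
        last = self._last_machine_auth.get(mac.lower())
        if last is None:
            return False  # no machine auth ever seen from this MAC
        return when - last <= self.aging


def demo():
    """Walk through the typical ways a MAR-based rule fails a corporate laptop."""
    cache = MarCache()
    wired_mac = "00:11:22:33:44:55"   # constructed
    wifi_mac = "aa:bb:cc:dd:ee:ff"    # constructed: same laptop, other adapter
    t0 = datetime(2016, 1, 4, 8, 0)   # machine auth at boot

    cache.record_machine_auth(wired_mac, t0)
    results = {
        # user logs on two hours later on the same adapter: MAR hit
        "user_same_day": cache.was_machine_authenticated(wired_mac, t0 + timedelta(hours=2)),
        # machine stays up past the aging window without a new machine auth: MAR miss
        "user_after_aging": cache.was_machine_authenticated(wired_mac, t0 + timedelta(hours=193)),
        # user connects over a different adapter (different MAC): MAR miss
        "user_other_adapter": cache.was_machine_authenticated(wifi_mac, t0 + timedelta(hours=2)),
    }

    # a reboot (new machine auth) before the window closes refreshes the record
    cache.record_machine_auth(wired_mac, t0 + timedelta(hours=190))
    results["user_after_reauth"] = cache.was_machine_authenticated(wired_mac, t0 + timedelta(hours=193))
    return results


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: WasMachineAuthenticated={hit}")
```

The two misses are the cases that generate the help-desk tickets the linked threads describe: a corporate machine that is fully domain-joined still fails the user-phase rule, simply because the cache entry expired or is keyed on a different MAC. That is why the alternatives above (profiling, posture, machine-only authentication, or an AD group check) verify the machine itself rather than a cached side effect.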

Hi Neno,

Thanks for the links !  I'll scrap MAR for now.  Not a viable option anymore.

For now, I'm using only RADIUS probe for profiling.  In the new year,  I'll enable DHCP probe.

One more question:

I was thinking of using Computer name to distinguish Corp vs non-corp. In Authorization Compound list, is there a condition that would allow me to use Computer name?

Thanks again

Tony

Hmm, I believe the "username" for machines when using PEAP is something like this "host/FQDN..." Thus, you could probably use a rule that states if the RADIUS username "contains" either your domain or a pattern used by machines on your domain.

However, the easiest way to distinguish between domain joined and non-domain joined is to have ISE check with AD. Thus, your rule can have something like this:

1. If "external group" = "domain computers"

2. If "identity access restricted" = "false"

3. Then "full access"

This will ensure that the computer that is trying to authenticate and authorize on the network is actually joined to the domain. One thing: you will need to make sure that your AD is locked down, because I think by default any domain users can join up to 10 workstations to the domain.

Thank you for rating helpful posts!

Hi Neno,

I would like to start off by wishing you a good 2016. This morning, I was back from holidays.

I found your last post very interesting.  The RADIUS username works as expected.  However, if the user enters "domain\username", ISE will grant the user access.  I'm trying to see if I can make this solution work for me.

The second option doesn't apply to me because the user is matching the User Auth Policy not the Machine Auth.

Meanwhile, there's a condition called Microsoft:MS-Machine-Name in the Microsoft condition list.  Do you know how to populate this parameter ?

Thanks !

Tony
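The exchange above (Neno's suggestion to match on the RADIUS username, and Tony's observation that a user typing "domain\username" also gets through) can be reproduced with a few lines of rule logic. This is an added example, not ISE code and not from either poster; it assumes the Windows supplicant sends machine authentications as "host/<hostname>.<dns-domain>" in the User-Name attribute, and it stands in for the AD "Domain Computers" lookup with a constructed set of computer accounts. The domain names and usernames are constructed sample values.

```python
import re

# Constructed domain names and a stand-in for the AD "Domain Computers" group.
NETBIOS_DOMAIN = "CORP"
DNS_DOMAIN = "corp.example.com"
DOMAIN_COMPUTERS = {"laptop01$", "desktop07$"}  # sAMAccountName of computer objects

# Machine-authentication User-Name format: host/<hostname>.<dns-domain>
MACHINE_NAME_RE = re.compile(
    r"^host/(?P<host>[^./\\]+)\." + re.escape(DNS_DOMAIN) + r"$", re.IGNORECASE
)


def contains_domain_rule(username):
    """The loose rule: User-Name merely contains the domain name.

    This is what lets an ordinary logon typed as CORP\\jdoe match a rule that
    was meant for machines.
    """
    return NETBIOS_DOMAIN.lower() in username.lower()


def machine_format_rule(username):
    """Tighter: User-Name must have the exact machine-account shape."""
    return MACHINE_NAME_RE.match(username) is not None


def domain_computer_rule(username):
    """Tightest: machine shape AND the host is a member of Domain Computers.

    This is the equivalent of Neno's 'external group = domain computers'
    condition; a well-formed name that AD does not know is still rejected.
    """
    match = MACHINE_NAME_RE.match(username)
    if match is None:
        return False
    return (match.group("host").lower() + "$") in DOMAIN_COMPUTERS


def classify(username):
    """Evaluate all three rules so their differences can be compared side by side."""
    return {
        "contains_domain": contains_domain_rule(username),
        "machine_format": machine_format_rule(username),
        "domain_computer": domain_computer_rule(username),
    }


# Constructed RADIUS User-Name values as a PEAP supplicant might send them.
SAMPLE_USERNAMES = [
    "host/laptop01.corp.example.com",  # machine auth from a domain-joined PC
    "CORP\\jdoe",                      # user auth typed as domain\\username
    "jdoe@corp.example.com",           # user auth in UPN form
    "host/unknown.corp.example.com",   # well-formed name, not in Domain Computers
    "guest",                           # local or BYOD account
]

if __name__ == "__main__":
    for name in SAMPLE_USERNAMES:
        print(f"{name:35} {classify(name)}")
```

Running it shows the three rules diverging exactly where the thread says they do: the contains-rule accepts both "CORP\jdoe" and "jdoe@corp.example.com", the format rule excludes those but still accepts any string shaped like a machine name, and only the group-membership rule ties the decision to an object AD actually holds. In an ISE policy the last one corresponds to the AD external-group condition rather than a string match on the username.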

Hi Tony and happy new year to you as well!! I am very sorry but somehow the notification message about this thread ended up in my Spam Folder :(

Were you able to find a solution about your issue? If not, please let me know where things stand now and I will try to help you.

Best regards!

Thank you for rating helpful posts!