Friday, 20 October 2017

What is Machine Access Restriction?

--> Machine Access Restriction (MAR) allows the Machine in the network to be authenticated using Cisco ISE.

--> MAR was invented because user and the machine authentications are totally separate.With MAR, the ISE  enforces, for a given user authentication, that there must be a valid machine authentication in the X hours (typically 8 hours, but this is configurable) that precedes the user authentication for the same endpoint.

--> In simple terms, MAR allows the user to be only logged in corporate machines. If the user tries to login via non-corporate machine in the company network, ISE server is going to reject the connection even though username/password is valid.

-->  It is entirely up to the network administrator to determine if a successful machine authentication provides full access to the network or only a restricted access.

--> Microsoft Windows performs machine authentication only at boot-time (when the login screen appears); as soon as the user enters the user credentials, a user authentication is performed. Also, if the user logs off (returns to the login screen), a new machine authentication is performed.

--> Here is an example scenario that shows why MAR sometimes causes problems:
User X worked all day on his laptop, which was connected via a wireless connection. At the end of the day, he simply closes the laptop and leaves work. This places the laptop into hibernation. The next day, he comes back into the office and opens his laptop. Now, he is unable to establish a wireless connection.

--> Cisco AnyConnect has the advantage of pre-configured profiles that trigger machine and user authentication. However, the same limitations as seen with Microsoft Windows supplicant are encountered, with regards to machine authentication only occurring when you log off or reboot.

--> Also, with AnyConnect Versions 3.1 and later, it is possible to perform EAP-FAST with EAP-chaining. This is basically a single authentication, where you send two pairs of credentials, the machine username/password, and the user username/password, at the same time.

--> ISE, then, more easily checks that both are successful. With no cache used and no need to retrieve a previous session, this presents greater reliability.

--> When the PC boots, AnyConnect sends a machine authentication only, because no user information is available. However, upon user login, AnyConnect sends both the machine and user credentials simultaneously.

--> Also, if you become disconnected or unplug/replug the cable, both the machine and user credentials are again sent in a single EAP-FAST authentication, which differs from the earlier versions of AnyConnect without EAP-chaining.





No comments:

Post a Comment