8-45
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
Machine Access Restrictions
MAR ties the results of machine authentication to the user authentication and authorization process.
The most common use of MAR is to fail authentication of users whose host machine did not
successfully authenticate. MAR is effective for all authentication protocols.
MAR functionality is based on the following points:
• As a result of machine authentication, the machine's RADIUS Calling-Station-Id attribute (31)
is cached as evidence for later reference.
• The administrator can configure the time to live (TTL) of these cache entries in the AD settings
page.
• The administrator can configure whether or not MAR is enabled in the AD settings page. However, for
MAR to work, the following limitations must be taken into account:
– Machine authentication must be enabled in the authenticating protocol settings.
– The AAA client must send a value in the Internet Engineering Task Force (IETF) RADIUS
Calling-Station-Id attribute (31).
– ACS does not replicate the cache of Calling-Station-Id attribute values from successful
machine authentications.
– ACS does not persist the cache of Calling-Station-Id attribute values, so the content is lost if
you restart ACS or if it crashes. The content is not verified for consistency if the
administrator performs configuration changes that may affect machine authentication.
When the user authenticates with either PEAP or EAP-FAST against the AD external ID store, ACS
performs an additional action: it searches the cache for the user's Calling-Station-Id. If it is found,
the Was-Machine-Authenticated attribute is set to true on the session context; otherwise it is set to
false.
For this to function correctly, the user authentication request must contain the
Calling-Station-Id. If it does not, the Was-Machine-Authenticated attribute is set to
false.
The administrator can add rules to authorization policies that are based on the AD GM attribute and on
the Machine Authentication Required attribute. Any rule that contains these two attributes applies only
if the following conditions are met:
• The MAR feature is enabled.
• Machine authentication in the authenticating protocol settings is enabled.
• The external ID store is AD.
When a rule such as the one described above is evaluated, the AD GM and
Was-Machine-Authenticated attributes are fetched from the session context and checked against the rule's
conditions. An authorization result is set according to the outcome of this evaluation.
Exemption list functionality is supported implicitly (in contrast to ACS 4.x). To exempt a given user
group from MAR, the administrator can set a rule in which the AD Group column contains the
group to exempt and the Machine Authentication Required column contains No. See the
second rule in the table below for an example.
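The following is an added simulation of the MAR flow described above, not code from ACS or this guide. It models the TTL-bounded Calling-Station-Id cache, the Was-Machine-Authenticated lookup (including a request that carries no attribute 31), and a rule table with an exemption row; the rule names, the three-condition gate, and the reading of "No" as "matches regardless of machine authentication" are assumptions made for the example.

```python
import time

# Constructed simulation of Machine Access Restrictions (MAR); not ACS code.
# Cache key: RADIUS Calling-Station-Id (attribute 31); value: expiry timestamp.
class MarCache:
    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds      # TTL as configured on the AD settings page
        self.clock = clock          # injectable clock so expiry can be exercised
        self.entries = {}           # in-memory only: lost on restart, never replicated

    def record_machine_auth(self, calling_station_id):
        # Successful machine authentication: cache the Calling-Station-Id as evidence.
        self.entries[calling_station_id] = self.clock() + self.ttl

    def was_machine_authenticated(self, calling_station_id):
        # Value placed in the Was-Machine-Authenticated session attribute for a user request.
        if calling_station_id is None:          # request carries no attribute 31 -> false
            return False
        expiry = self.entries.get(calling_station_id)
        if expiry is None or self.clock() >= expiry:
            self.entries.pop(calling_station_id, None)   # never cached or TTL expired
            return False
        return True

# Hypothetical authorization rules: (AD group, Machine Authentication Required, result).
# First matching rule wins; the "No" on the second rule exempts that group from MAR.
RULES = [
    ("Domain Computers", None, "Permit Access"),
    ("MAR Exempt", "No", "Permit Access"),
    ("Domain Users", "Yes", "Permit Access"),
]
DEFAULT_RESULT = "Deny Access"

def authorize(cache, user_groups, calling_station_id,
              mar_enabled=True, machine_auth_enabled=True, id_store="AD"):
    was_machine_auth = cache.was_machine_authenticated(calling_station_id)
    for group, required, result in RULES:
        if group not in user_groups:
            continue
        if required is not None:
            # A rule using both attributes applies only when all three conditions hold.
            if not (mar_enabled and machine_auth_enabled and id_store == "AD"):
                continue
            if required == "Yes" and not was_machine_auth:
                continue   # host never machine-authenticated, or its cache entry expired
        return result
    return DEFAULT_RESULT
```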
For example, the administrator will add rules to the authorization policy as follows: