Cisco Bug: CSCul48151 - TLS Machine Auth for MAR needs AD binary compare

Last Modified

Jun 08, 2016

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

1.2(0.899)

Description (partial)

Symptom:
With MAR (Machine Access Restriction), a machine authentication is performed first so that the machine's MAC address is cached on the PSN for a configured aging time. Within the aging time, a subsequent user authentication may use "Network Access:WasMachineAuthenticated" as a condition to validate that the user is on an authenticated and authorized machine.

Since MAR is a property of AD and the machine is using certificates (EAP-TLS) for authentication, the certificate authentication profile needs to have the option "Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory" selected, with AD as the source for comparison.

Our user guide (UG) is not clear about this, so customers have asked for it to be documented.

Conditions:
Deployment with MAR (Machine Access Restriction) and the machines/computers are using EAP-TLS certificate-based authentication.
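
A simplified model of the flow described above, added here as an illustration and not Cisco ISE code: a machine authentication only populates the MAR cache when the presented certificate is byte-identical to one held on the machine's directory object, and a later user authentication checks that cache within the aging time. The names `MarCache`, `binary_compare` and `to_der`, the aging value, and the byte strings standing in for certificates are assumptions constructed for the example; the directory lookup and EAP-TLS chain validation are assumed to have happened already.

```python
import hmac
import ssl
import time

MAR_AGING_SECONDS = 6 * 3600  # assumed value; the aging time is configured per deployment

# Constructed stand-ins for DER certificates (not real X.509 data).
ENROLLED_DER = b"constructed-der-bytes-enrolled-machine-cert"
OTHER_DER = b"constructed-der-bytes-same-subject-other-cert"
ENROLLED_PEM = ssl.DER_cert_to_PEM_cert(ENROLLED_DER)


def to_der(cert):
    """Accept a PEM string or DER bytes and return DER bytes."""
    if isinstance(cert, str):
        return ssl.PEM_cert_to_DER_cert(cert)
    return bytes(cert)


def binary_compare(presented, directory_certs):
    """True only if the presented certificate is byte-identical to one of
    the certificates already retrieved from the machine's directory object.
    Subject or issuer equality alone is not enough."""
    presented_der = to_der(presented)
    return any(hmac.compare_digest(presented_der, to_der(c)) for c in directory_certs)


class MarCache:
    """Maps a MAC address to the time of its last successful machine auth."""

    def __init__(self, aging=MAR_AGING_SECONDS):
        self.aging = aging
        self._seen = {}

    def machine_auth(self, mac, presented, directory_certs, now=None):
        now = time.time() if now is None else now
        if not binary_compare(presented, directory_certs):
            return False  # certificate not held in the directory: no cache entry
        self._seen[mac.lower()] = now
        return True

    def was_machine_authenticated(self, mac, now=None):
        now = time.time() if now is None else now
        ts = self._seen.get(mac.lower())
        return ts is not None and now - ts <= self.aging
```
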