Cisco Bug: CSCul48151 - TLS Machine Auth for MAR needs AD binary compare
Jun 08, 2016
- Cisco Identity Services Engine
Known Affected Releases
Symptom: With MAR (Machine Access Restriction), ISE first performs a machine authentication so that the machine's MAC address is cached on the PSN (Policy Service Node) for a configured aging time. Within that aging time, a subsequent user authentication can use the condition "Network Access:WasMachineAuthenticated" to verify that the user is connecting from a machine that was itself authenticated and authorized. Because MAR is a property of Active Directory, and the machine authenticates with a certificate (EAP-TLS) rather than an AD password, the certificate authentication profile must have the option "Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory" selected, with Active Directory chosen as the source for the comparison, so that the EAP-TLS machine authentication is tied to the computer object in AD. Our User Guide is not clear about this, so customers have asked for it to be documented.

Conditions: Deployment using MAR (Machine Access Restriction) in which the machines/computers authenticate with EAP-TLS certificates.
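The following is an added illustrative model of the flow the bug describes, not ISE code and not from Cisco: an EAP-TLS machine authentication that resolves the certificate to an AD computer object and then does a byte-for-byte comparison against the object's userCertificate values, a MAR cache keyed by MAC address with an aging time, and a user authorization step that evaluates the WasMachineAuthenticated condition. The AD directory, certificate bytes, MAC addresses and the 8-hour aging time are constructed sample data; the function names are assumptions made for the example.

```python
"""Illustrative model of ISE MAR with EAP-TLS machine auth (added example, not ISE code)."""
import hashlib

# Constructed stand-in for AD. The "DER" values are placeholder byte strings; a
# real deployment would hold the actual DER of each certificate stored in the
# computer object's userCertificate attribute.
AD_COMPUTER_OBJECTS = {
    "LAPTOP01": {
        "dn": "CN=LAPTOP01,OU=Workstations,DC=example,DC=com",
        "userCertificate": [b"DER:LAPTOP01:issued-by-corp-CA:serial-1001"],
    },
}

MAR_AGING_SECONDS = 8 * 3600          # hypothetical aging time configured on the PSN
mar_cache: dict[str, float] = {}      # MAC address -> expiry (epoch seconds)


def ad_lookup(subject_cn: str):
    """Resolve the certificate's identity attribute (here the subject CN) to an AD computer object."""
    return AD_COMPUTER_OBJECTS.get(subject_cn.upper())


def binary_compare(presented_der: bytes, computer_obj) -> bool:
    """'Perform Binary Certificate Comparison': the presented certificate must be
    byte-for-byte identical to one stored on the AD computer object. Comparing
    SHA-256 digests is equivalent to comparing the raw DER."""
    presented = hashlib.sha256(presented_der).digest()
    return any(hashlib.sha256(stored).digest() == presented
               for stored in computer_obj["userCertificate"])


def machine_auth(mac: str, subject_cn: str, presented_der: bytes, now: float,
                 require_binary_compare: bool = True) -> bool:
    """EAP-TLS machine authentication. On success the MAC is cached for MAR.
    With require_binary_compare=False only the identity lookup is done, which is
    the weaker behaviour the bug warns about: any certificate carrying a matching
    CN (e.g. one from a different CA) would be accepted."""
    computer = ad_lookup(subject_cn)
    if computer is None:
        return False
    if require_binary_compare and not binary_compare(presented_der, computer):
        return False
    mar_cache[mac.lower()] = now + MAR_AGING_SECONDS
    return True


def was_machine_authenticated(mac: str, now: float) -> bool:
    """Evaluates Network Access:WasMachineAuthenticated, honouring the aging time."""
    key = mac.lower()
    expiry = mar_cache.get(key)
    if expiry is None:
        return False
    if now >= expiry:
        del mar_cache[key]   # entry aged out
        return False
    return True


def user_auth(mac: str, user_credentials_ok: bool, now: float) -> str:
    """User authorization rule that permits access only from a MAR-authenticated machine."""
    if user_credentials_ok and was_machine_authenticated(mac, now):
        return "PERMIT"
    return "DENY"


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"          # constructed sample MAC
    good = b"DER:LAPTOP01:issued-by-corp-CA:serial-1001"
    rogue = b"DER:LAPTOP01:issued-by-other-CA:serial-1"   # same CN, different bytes
    t0 = 1_700_000_000.0
    print("machine auth (good cert):", machine_auth(mac, "laptop01", good, t0))
    print("user auth within aging time:", user_auth(mac, True, t0 + 60))
    print("user auth after aging time:", user_auth(mac, True, t0 + MAR_AGING_SECONDS))
    print("machine auth (rogue cert, binary compare on):",
          machine_auth(mac, "laptop01", rogue, t0))
    print("machine auth (rogue cert, binary compare off):",
          machine_auth(mac, "laptop01", rogue, t0, require_binary_compare=False))
```

The last two calls are the point of the bug: with only an identity lookup, a certificate that merely carries the right CN satisfies machine authentication and populates the MAR cache; with binary comparison against AD, only the certificate actually stored on the computer object does.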