Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

Machine Access Restrictions

MAR ties the result of machine authentication to the user authentication and authorization process. The most common use of MAR is to fail the authentication of users whose host machine did not authenticate successfully. MAR is effective for all authentication protocols.

MAR functionality is based on the following points:

As a result of machine authentication, the machine's RADIUS Calling-Station-Id attribute (31) is cached as evidence for later reference.

The administrator can configure the time to live (TTL) of these cache entries in the AD settings page.

The administrator can configure whether or not MAR is enabled in the AD settings page. However, for MAR to work, the following limitations must be taken into account:

Machine authentication must be enabled in the authenticating protocol settings

The AAA client must send a value in the Internet Engineering Task Force (IETF) RADIUS Calling-Station-Id attribute (31).

ACS does not replicate the cache of Calling-Station-Id attribute values from successful machine authentications.

ACS does not persist the cache of Calling-Station-Id attribute values, so its contents are lost if you restart ACS or if it crashes. The contents are also not checked for consistency when the administrator makes configuration changes that may affect machine authentication.

When the user authenticates with either PEAP or EAP-FAST against an AD external identity store, ACS performs an additional action: it searches the cache for the user's Calling-Station-Id. If it is found, the Was-Machine-Authenticated attribute is set to true on the session context; otherwise it is set to false.

For this to function correctly, the user authentication request must contain the Calling-Station-Id. If it does not, the Was-Machine-Authenticated attribute is set to false.

The administrator can add rules to authorization policies that are based on the AD GM attribute and on the Machine Authentication Required attribute. Any rule that contains these two attributes applies only if the following conditions are met:

MAR feature is enabled

Machine authentication in the authenticating protocol settings is enabled

External ID store is AD

When such a rule is evaluated, the AD GM and Was-Machine-Authenticated attributes are fetched from the session context and checked against the rule's condition. An authorization result is set according to the outcome of this evaluation.

Exemption list functionality is supported implicitly (in contrast to ACS 4.x). To exempt a given user group from MAR, the administrator can set a rule in which the AD Group column contains the group to exempt and the Machine Authentication Required column contains No. See the second rule in the table below for an example.

For example, the administrator will add rules to the authorization policy as follows:
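The following Python model is an added example for this guide, not ACS code and not the policy table the text refers to. It reproduces the MAR flow described above: a TTL-bounded, non-persistent cache keyed on RADIUS attribute 31, the Was-Machine-Authenticated lookup on user authentication (false when the request carries no Calling-Station-Id), and first-match authorization rules on AD group plus Machine Authentication Required, including the exemption rule. The MAC-address normalization, the rule names, group names and authorization profile names are assumptions made for the example; the guide does not describe how ACS compares Calling-Station-Id strings.

```python
"""Model of the MAR flow: cache Calling-Station-Id (attribute 31) on machine
authentication, set Was-Machine-Authenticated on the user session, then evaluate
authorization rules on AD group and Machine Authentication Required."""
import re
import time
from dataclasses import dataclass
from typing import Dict, List

CALLING_STATION_ID = 31  # IETF RADIUS attribute number sent by the AAA client


def normalize_csid(value: str) -> str:
    # Assumption for this model only: "00-11-22-33-44-55", "00:11:22:33:44:55" and
    # "0011.2233.4455" identify the same endpoint. ACS's own comparison is not described.
    return re.sub(r"[^0-9a-f]", "", value.lower())


class MarCache:
    """Calling-Station-Id values from successful machine authentications, each with a TTL.
    As in ACS, the cache is neither replicated nor persisted: a fresh instance (restart
    or crash) starts empty."""

    def __init__(self, ttl_seconds: float, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock                   # injectable so the TTL can be tested
        self._entries: Dict[str, float] = {}  # normalized id -> expiry timestamp

    def record_machine_auth(self, radius_attrs: Dict[int, str]) -> bool:
        csid = radius_attrs.get(CALLING_STATION_ID)
        if not csid:
            return False                     # no attribute 31: nothing to cache
        self._entries[normalize_csid(csid)] = self.clock() + self.ttl
        return True

    def was_machine_authenticated(self, radius_attrs: Dict[int, str]) -> bool:
        csid = radius_attrs.get(CALLING_STATION_ID)
        if not csid:
            return False                     # user request lacks attribute 31: always false
        key = normalize_csid(csid)
        expiry = self._entries.get(key)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self._entries[key]           # TTL elapsed: the evidence is stale
            return False
        return True


@dataclass
class Rule:
    name: str
    ad_group: str                  # AD Group column
    machine_auth_required: bool    # Machine Authentication Required column (Yes/No)
    result: str                    # authorization profile to apply


@dataclass
class Session:
    ad_groups: List[str]
    was_machine_authenticated: bool


def evaluate(rules: List[Rule], session: Session, *, mar_enabled: bool,
             machine_auth_enabled: bool, id_store: str, default: str = "Deny") -> str:
    """First-match evaluation. Rules using the two MAR columns apply only when MAR is
    enabled, machine authentication is enabled in the protocol settings, and the external
    ID store is AD; otherwise they are skipped and the default result is returned."""
    mar_rules_active = mar_enabled and machine_auth_enabled and id_store == "AD"
    for rule in rules:
        if not mar_rules_active:
            continue
        if rule.ad_group not in session.ad_groups:
            continue
        # "No" exempts the group: the rule matches whether or not the machine authenticated
        if rule.machine_auth_required and not session.was_machine_authenticated:
            continue
        return rule.result
    return default


# Constructed policy (assumed names): rule 1 enforces MAR, rule 2 is the exemption rule.
POLICY = [
    Rule("Domain users on domain machines", "Domain Users", True, "Full-Access"),
    Rule("Exempt contractors", "Contractors", False, "Contractor-Access"),
]


def demo() -> Dict[str, str]:
    """Walk a constructed scenario; returns the authorization results by case."""
    now = [1000.0]
    cache = MarCache(ttl_seconds=3600, clock=lambda: now[0])
    mac = "00-11-22-33-44-55"                  # constructed Calling-Station-Id
    cache.record_machine_auth({CALLING_STATION_ID: mac})
    common = dict(mar_enabled=True, machine_auth_enabled=True, id_store="AD")

    def user_auth(groups, attrs):
        s = Session(groups, cache.was_machine_authenticated(attrs))
        return evaluate(POLICY, s, **common)

    results = {
        "same host, PEAP user": user_auth(["Domain Users"], {CALLING_STATION_ID: mac}),
        "no Calling-Station-Id": user_auth(["Domain Users"], {}),
        "contractor, unknown host": user_auth(["Contractors"], {CALLING_STATION_ID: "aa-bb-cc-dd-ee-ff"}),
    }
    now[0] += 3600                            # TTL expires
    results["same host after TTL"] = user_auth(["Domain Users"], {CALLING_STATION_ID: mac})
    return results


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Two behaviours worth noticing when you operate MAR for real: a user whose machine authenticated just before an ACS restart is denied by the first rule, because the cache is gone, and a supplicant or switch that omits attribute 31 from the user request is denied regardless of what the machine did earlier.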

User Guide for Cisco Secure Access Control System 5.3, OL-24201-01