Machine access restrictions – Cisco 3.3 User Manual

13-19

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 13 User Databases

Windows User Database

that was added to the local machine storage later. As with PEAP-based machine
authentication, the computer name must appear in the CiscoSecure user database
in the format contained in the computer client certificate and the user profile
corresponding to the computer name must be configured to authenticate using the
Windows external user database. If you enable unknown user processing,
Cisco Secure ACS adds the computer names to the CiscoSecure user database
automatically once they authenticate successfully. It also automatically
configures the user profiles created to use the external user database that the user
was found in. For machine authentication, this will always be the Windows
external user database.

Machine Access Restrictions

You can use the machine access restrictions (MAR) feature as an additional means
of controlling authorization for Windows-authenticated EAP-TLS and Microsoft
PEAP users, based upon machine authentication of the computer used to access
the network. When you enable the MAR feature, Cisco Secure ACS does the
following:

•

For every successful machine authentication, Cisco Secure ACS caches the
value received in IETF RADIUS Calling-Station-Id attribute (31) as evidence
of the successful machine authentication. Cisco Secure ACS stores each
Calling-Station-Id attribute value for the number of hours specified on the
Windows User Database Configuration page before deleting it from the
cache.

•

When a user authenticates with an EAP-TLS or Microsoft PEAP end-user
client, Cisco Secure ACS searches the cache of Calling-Station-Id values
from successful machine authentications for the Calling-Station-Id value
received in the user authentication request. Whether Cisco Secure ACS finds
the user-authentication Calling-Station-Id value in the cache affects how
Cisco Secure ACS assigns the user requesting authentication to a user group.

–

Calling-Station-Id value found in the cache—Cisco Secure ACS
assigns the user to a user group by normal methods, which include
manual specification of a group in the user profile, group mapping, or
RADIUS-based group specification. For example, if a user logs in with a
computer that was successfully authenticated and the user profile
indicates that the user is a member of group 137, Cisco Secure ACS
applies to the user session the authorization settings specified in group
137.