

How to do Server 2012 R2 Network Policy Server MAC Authentication without adding ad users?

Question

Tuesday, July 15, 2014 2:57 AM

I have a Network Policy Server running on Server 2012 R2.  I have set it up to do certificate and PEAP authentication for our 802.1x wireless authentication and that works great.

Now I want to add a policy to this server so I can also do MAC address authentication on our unauthenticated open wireless SSID, so I can assign roles based on the MAC address. I got our Aruba controller set up to send the MAC address to the RADIUS server, but the RADIUS server just denies access because I am not sure how to get it to use the msNPCallingStationID attribute.

I have found several ways to do this, including adding Active Directory users for every single MAC address with the MAC address as the username and password. I do not want to do that. This is not an option.

I have also found several posts about using ieee802Device.  I can't find a way to get that to work.

I also found a suggestion to use the msNPCallingStationID AD attribute. I can easily set this for each user as their MAC address, but how do I configure the NPS server to use this attribute to authenticate?

If you have any other ideas on how to get MAC authentication to work, I would greatly appreciate it!

Thank you for your assistance!

All replies (4)

Wednesday, July 16, 2014 7:51 AM ✅Answered

Hi,

I think you may have some misunderstanding about MAC address authorization. MAC address authorization is based on the MAC address of the network adapter installed in the access client computer. Like ANI authorization, MAC address authorization uses the Calling-Station-ID attribute instead of a user name and password or certificate-based credentials to identify the user during the connection attempt.

MAC address authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method. In this case, Network Policy Server (NPS) receives the Calling-Station-ID attribute and no user name and password. To support MAC address authorization, Active Directory Domain Services (AD DS) must have user accounts that contain MAC addresses as user names; therefore you need to add the MAC address as the computer's user name and password.

Using the MAC address as the user name and password is a requirement of Cisco® switches; for your switch device, please ask your hardware vendor.

If you want to combine MAC address filtering and EAP authentication, you can refer to the following related article:

Enhance your 802.1x deployment security with MAC filtering

http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx

More information:

MAC Address Authorization

http://technet.microsoft.com/en-us/library/dd197535(v=ws.10).aspx

Authorization by User and Group

http://technet.microsoft.com/en-us/library/dd197615(v=ws.10).aspx

The similar thread:

NPS: Override User-Name and User Identity Attribute

http://social.technet.microsoft.com/Forums/windowsserver/en-US/6dd983f9-973f-4d23-be0c-032d3a1592d0/nps-override-username-and-user-identity-attribute?forum=winserverNAP

The related third party article:

Configuring IEEE 802.1x Port-Based Authentication

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_25_see/configuration/guide/3550SCG/sw8021x.html#wp1170569

MAC Filters with Wireless LAN Controllers (WLCs) Configuration Example

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#backinfo

Hope this helps.


Thursday, July 17, 2014 5:41 AM ✅Answered

You can choose either EAP or MAC address. If you want to choose both, you have to create the MAC as the user name; you can create a specific OU for these user names, and they don't have any security issue!


Wednesday, July 16, 2014 1:44 PM

Alex,

I do understand that. I was just trying to avoid the creation of thousands of AD users with just a MAC address as the username and password. I have no issue scripting it. It just seems like a lot of garbage in my AD infrastructure and a potential security issue. What methods do others use to lock down those users to ensure they can only be used for RADIUS MAC authentication?
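The accepted answer above explains that NPS MAC address authorization needs an AD user account per MAC address (the Calling-Station-ID is sent as both user name and password), and the follow-up above asks how to lock such accounts down. The script below is an added example, not code from the original thread or from Microsoft; it bulk-creates those accounts in a dedicated OU, stamps the msNPCallingStationID attribute mentioned in the question, and restricts each account so it cannot be used for an interactive logon. The OU path, group name, MAC list and the placeholder workstation name are constructed assumptions; the MAC string format (separators, letter case) must match what your NAS actually sends in Calling-Station-ID, which varies by vendor.

```powershell
# Added example (not from the thread): bulk-create NPS MAC-authorization accounts
# in a dedicated OU and harden them so they are only usable for RADIUS MAC auth.
Import-Module ActiveDirectory

# --- Assumptions / placeholders: adjust to your environment ---------------------
$OuPath    = "OU=MAC-Auth-Devices,DC=example,DC=local"   # hypothetical OU; create it first
$GroupName = "NPS-MAC-Auth-Devices"                      # hypothetical group; use it as the
                                                         # "Windows Groups" condition of the NPS policy
$MacList   = @("00-11-22-33-44-55", "AA-BB-CC-DD-EE-FF") # constructed sample MACs, in the
                                                         # exact format the NAS sends

function New-MacAuthAccount {
    param([string]$Mac)

    # NPS MAC authorization uses the Calling-Station-ID value as user name AND password,
    # so sAMAccountName and the password are both set to the MAC string.
    $securePwd = ConvertTo-SecureString -String $Mac -AsPlainText -Force

    $params = @{
        Name                 = $Mac
        SamAccountName       = $Mac                     # 17 chars with separators, under the 20-char limit
        Path                 = $OuPath
        AccountPassword      = $securePwd
        Enabled              = $true
        PasswordNeverExpires = $true                    # expiry would silently break device auth
        CannotChangePassword = $true
        # Restrict "log on to" to a workstation that does not exist: the account can still
        # authenticate via RADIUS, but cannot log on interactively anywhere. Placeholder name.
        LogonWorkstations    = "NO-SUCH-HOST"
        # The attribute the original question asked about; set it so it is available
        # for policy conditions or auditing. msNPCallingStationID is multi-valued.
        OtherAttributes      = @{ msNPCallingStationID = $Mac }
        Description          = "RADIUS MAC-authorization account; not for interactive logon"
    }

    # Idempotent: skip MACs that already have an account.
    $existing = Get-ADUser -Filter "sAMAccountName -eq '$Mac'" -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-ADUser @params
        Add-ADGroupMember -Identity $GroupName -Members $Mac
        Write-Output "Created $Mac"
    }
    else {
        Write-Output "Exists  $Mac"
    }
}

function Test-MacAuthOu {
    # Audit pass: flag any account in the OU that is missing the hardening settings.
    Get-ADUser -SearchBase $OuPath -Filter * `
        -Properties LogonWorkstations, PasswordNeverExpires, msNPCallingStationID |
    ForEach-Object {
        $problems = @()
        if (-not $_.LogonWorkstations)      { $problems += "no LogonWorkstations restriction" }
        if (-not $_.PasswordNeverExpires)   { $problems += "password will expire" }
        if (-not $_.msNPCallingStationID)   { $problems += "msNPCallingStationID not set" }
        [pscustomobject]@{
            Account  = $_.SamAccountName
            Problems = ($problems -join "; ")
        }
    }
}

foreach ($mac in $MacList) { New-MacAuthAccount -Mac $mac }
Test-MacAuthOu | Format-Table -AutoSize
```

New-ADUser will fail if the MAC string does not satisfy the domain password policy (length and complexity), so a fine-grained password policy scoped to this OU's group is usually needed. On the NPS side the matching network policy should be limited to the group above and to the relevant NAS, so that these accounts match nothing else; which authentication method the policy must allow depends on how the controller sends the MAC credentials, which is vendor-specific and is an assumption here rather than something the thread states.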


Tuesday, July 22, 2014 9:53 AM

Hi,

Just want to confirm the current situation.

Please feel free to let us know if you need further assistance.

Regards.
