802.1x deployment with MAC filtering

  • Question

  • Hi All

    I read "Enhance your 802.1x deployment security with MAC filtering" on NAP blogs with link as below.

    http://blogs.technet.com/nap/archive/2006/09/08/454705.aspx

    I am wondering whether this tip might be incorrect somehow and would like to know how to implement it correctly.

    First of all, there is only a "Verify Caller ID" field in the "Dial-in" tab of user properties, not "Calling Station ID". I tried to add a MAC address in this field and the authentication works.

    According to the description of the tip, we can add multiple MAC addresses in that field, but it doesn't work. I tried to use the "AA-BB-CC-DD-EE-FF | BB-AA-FF-EE-DD-CC" format for multiple MAC addresses, and IAS always responds with an error about a wrong calling station ID. Does anyone know how to correctly add multiple MAC addresses in "Verify Caller ID"?

    Thanks
    Monday, October 29, 2007 8:56 AM

Answers

  • The field might have any "friendly name" that relates to the "Calling-Station-ID" RADIUS attribute. There are two ways to add multiple MAC addresses in that field. One is by using regular expressions. However, care needs to be taken while entering the regular expression in this case, since different vendors will send that MAC address in different ways. I observed the following formats, but there might be more: AA:BB:CC:DD..., AA-BB-CC-DD..., AABBCCDD.... You will need to do a quick netmon sniff of the RADIUS traffic to determine the format being sent. The second method to add multiple values is to use one of the AD tools such as ADSIEdit or LDP. You might also consider using a script to update the AD object with an array of values instead of a single value. However, the moment the object is updated through the UI, it will retain a single instance. Therefore I recommend that you go with the first method. Although it's possible, I would actually recommend using a single account per MAC.
    Wednesday, November 28, 2007 1:18 AM

All replies

  • Hi Sam

    Thank you for your reply.

    I would like to explain why I want to use multiple-MAC-address authentication for an account on a single AD.
    Generally, 802.1X can be implemented for wired and wireless authentication on many network devices in a company or enterprise. An employee in a company or enterprise is supposed to have only one account but might have multiple devices such as a PC, laptop, or PDA. For the convenience of the authentication implementation, I think I should only create one account for that person and set up MAC filtering for any devices he is authorized to use.

    I had tried the first example you mentioned, but it didn't work. The switch and wireless gateway I used for testing only sent one MAC address (Calling-Station-ID) to AD, and AD only recognized the first MAC address of all the MAC addresses I keyed in. Of course, your example can be successful if the device sends multiple MAC addresses simultaneously, because AD thinks those "MAC addresses" are just one string or one Calling-Station-ID. But that is not what I want.

    Anyway, I will try the second way you suggest.
    Thanks a lot.
    Monday, December 3, 2007 4:22 PM
  • Try using ";" then a space. ex. "AA:BB:CC:DD:EE:11; AA:BB:CC:DD:EE:12"

    BTW, I'm using 2008 R2.

    Tuesday, May 25, 2010 9:17 AM
  • Just thought I'd add to this. Under NPS in Windows 2k8 R2, when you create a network policy, by default the option 'Ignore user account dial-in properties' is enabled on the policy. You have to turn it off to get the MAC filtering to work. Hopefully this will save someone an hour or two. I'm not having any luck with multiple MAC addresses though. I've tried the following:

    mac1|mac2
    mac1; mac2
    mac1, mac2

    and a bunch of different spaces inserted over the place.

    Wednesday, November 21, 2012 4:29 AM
  • OK, we solved the issue on our end:

    If you enable the 'Verify Caller-ID' field under the AD user's properties (and add the first MAC), you can then add additional MAC addresses by using ADSI Edit: find the user, navigate to the 'msNPCallingStationID' attribute for the user and add the other MAC addresses that way. Worked for us :)

    Friday, November 23, 2012 2:17 AM
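    The scripted route mentioned in the accepted answer (updating the AD object with an array of values) and the ADSI Edit route in the post above both write to the same multi-valued attribute, msNPCallingStationID. The following is an added PowerShell example, not from any poster in this thread; it assumes the ActiveDirectory module is available, and the account name and MAC addresses are constructed placeholders.

    ```powershell
    # Added example: append several Calling-Station-ID values to a user's
    # msNPCallingStationID attribute (the attribute the "Verify Caller ID"
    # checkbox on the Dial-in tab writes to). Account and MACs are placeholders.
    Import-Module ActiveDirectory

    $User = 'jdoe'

    # NPS compares the stored value literally against the Calling-Station-Id
    # the NAS sends, so each entry must use the NAS's own format (e.g.
    # AA-BB-CC-DD-EE-FF or aabbccddeeff). Confirm the format with a RADIUS
    # capture first, as the accepted answer suggests.
    $Macs = @('AA-BB-CC-DD-EE-11', 'AA-BB-CC-DD-EE-12', 'AA-BB-CC-DD-EE-13')

    # Read what is already stored; adding a value that is already present
    # to a multi-valued attribute fails with "attribute or value exists".
    $current = (Get-ADUser -Identity $User -Properties msNPCallingStationID).msNPCallingStationID
    $toAdd = @($Macs | Where-Object { $current -notcontains $_ })

    if ($toAdd.Count -gt 0) {
        # -Add appends to the multi-valued attribute instead of replacing it,
        # which is what the Dial-in tab UI would do (it keeps a single value).
        Set-ADUser -Identity $User -Add @{ msNPCallingStationID = [string[]]$toAdd }
    }

    # Show the resulting list so it can be checked against the NAS format.
    (Get-ADUser -Identity $User -Properties msNPCallingStationID).msNPCallingStationID
    ```

    Remember the earlier note in this thread: the NPS network policy must have 'Ignore user account dial-in properties' turned off, or none of these values are evaluated.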
  • Hello All,

    Can I use wildcards in the Verify Caller ID field in the Dial-in tab? I have vendor-only devices using that specific NPS network policy. That would save me from having to know all the MAC addresses in advance...

    Thank you in advance for your prompt reply.

    beppe

    giuseppe

    Wednesday, January 29, 2014 12:56 PM