802.1x Wired MAC Authentication for VoIP Phones

  • Question

  • Hello All,

    I'm currently testing the use of NPS for wired 802.1x MAC address authentication for Lync VoIP Phones. I've been able to get a laptop to authenticate with AD credentials with one network policy, but I'm having an issue with MAC authentication in another policy. I have an AD account for the phone's MAC address and the network policy has the MAC address in the Calling Station ID field. When the server receives the request everything matches up, but the request is still denied due to "The user attempted to use an authentication method that is not enabled on the matching network policy." We have Microsoft/Polycom CX700 Phones and Dell PowerConnect 6248 switches. The only thing I can find is that this may be due to the lack of EAP-MD5 on the NPS (NPS & EAP-MD5), but I would like confirmation that this is the problem before I start making changes within the registry (I'm a network guy, not a server guy, so the registry scares me). Any help would be greatly appreciated. Thanks.


    Network policy configuration:
    ---------------------------------------------------------
    Name             = LyncPhones
    State            = Enabled
    Processing order = 2
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1f        "00:04:f2:bb:15:ed"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Allowed-Port-Types                   0x1008      "0xf"
    NP-Authentication-Type                  0x1009      "0x7"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    Saved-Machine-HealthCheck-Only          0x1fdc      "0x1"


    Log Entry:
    ---------------------------------------------------------

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:

    Security ID: CORP\0004f2bb15ed

    Account Name: 0004F2BB15ED

    Account Domain: CORP

    Fully Qualified Account Name: corp.kace.com/KACE Resources/Lync Test

    Client Machine:

    Security ID: NULL SID

    Account Name: -

    Fully Qualified Account Name: -

    OS-Version: -

    Called Station Identifier: 00-23-ae-d1-00-f3

    Calling Station Identifier: 00:04:f2:bb:15:ed

    NAS:

    NAS IPv4 Address: -

    NAS IPv6 Address: -

    NAS Identifier: 00-23-ae-d1-00-f1

    NAS Port-Type: Ethernet

    NAS Port: 1

    RADIUS Client:

    Client Friendly Name: sjc3labaacctest

    Client IP Address: 10.159.12.49

    Authentication Details:

    Connection Request Policy Name: Secure Wired (Ethernet) Connections

    Network Policy Name: LyncPhones

    Authentication Provider: Windows

    Authentication Server: CATCH.corp.kace.com

    Authentication Type: EAP

    EAP Type: -

    Account Session Identifier: -

    Logging Results: Accounting information was written to the local log file.

    Reason Code: 66

    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

    Tuesday, November 8, 2011 11:55 PM
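The denial event pasted above carries everything needed to tell a policy mismatch apart from a bad MAC-to-account mapping: the Calling Station Identifier, the account name NPS resolved, the matched network policy, the Authentication Type, the EAP Type and the Reason Code. The following Python script is an added example, not code from the original post or from Microsoft; it parses an event of that shape and classifies the denial. The event text it runs on is constructed to mirror the one in the question (made-up MAC, domain and switch identifiers), and the finding labels `account-mac-mismatch`, `auth-method-not-enabled` and `other-denial` are names chosen for this example.

```python
import re

# Constructed sample in the shape of an NPS "denied access to a user" event,
# as pasted in the question. MAC, domain and NAS values are made up.
SAMPLE_EVENT = """Network Policy Server denied access to a user.
User:
Security ID: EXAMPLE\\000000aabbcc
Account Name: 000000AABBCC
Account Domain: EXAMPLE
Client Machine:
Security ID: NULL SID
Called Station Identifier: 00-11-22-33-44-55
Calling Station Identifier: 00:00:00:aa:bb:cc
NAS:
NAS Port-Type: Ethernet
NAS Port: 1
Authentication Details:
Connection Request Policy Name: Secure Wired (Ethernet) Connections
Network Policy Name: LyncPhones
Authentication Type: EAP
EAP Type: -
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
"""

# "Field Name: value" lines; section headers such as "User:" have an empty value.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 \-]+?):\s*(.*?)\s*$")

# Short explanations for each finding label used by diagnose().
EXPLANATIONS = {
    "account-mac-mismatch": "Account Name is not the MAC in Calling Station Identifier; "
                            "the AD account NPS resolved does not belong to this phone.",
    "auth-method-not-enabled": "Reason 66 with Authentication Type EAP and no negotiated EAP "
                               "type: the matched policy does not allow the EAP method the "
                               "switch offered for MAC authentication (EAP-MD5 on most switches), "
                               "so check the policy's allowed EAP types and whether that EAP "
                               "type is enabled on the NPS server.",
    "other-denial": "Denied for a reason other than the authentication method; look at the "
                    "Reason Code and the conditions of the matched network policy.",
}


def parse_event(text: str) -> dict:
    """Turn the event body into a dict of field -> value.

    Some field names repeat across sections (Security ID appears under both
    User and Client Machine); the first occurrence, the User section, is kept.
    """
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m or m.group(2) == "":
            continue  # not a field line, or a bare section header
        fields.setdefault(m.group(1), m.group(2))
    return fields


def normalize_mac(value: str) -> str:
    """Reduce any MAC spelling (00:04:f2..., 00-04-F2..., 0004F2...) to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def diagnose(fields: dict) -> dict:
    """Classify a denial using the MAC, account name, auth type and reason code."""
    mac = normalize_mac(fields.get("Calling Station Identifier", ""))
    account = fields.get("Account Name", "")
    account_is_mac = len(mac) == 12 and normalize_mac(account) == mac
    reason_code = int(fields.get("Reason Code", "0"))
    auth_type = fields.get("Authentication Type", "")
    eap_type = fields.get("EAP Type", "-")

    findings = []
    if not account_is_mac:
        findings.append("account-mac-mismatch")
    if reason_code == 66 and auth_type == "EAP" and eap_type == "-":
        findings.append("auth-method-not-enabled")
    if not findings:
        findings.append("other-denial")

    return {
        "mac": mac,
        "account": account,
        "account_is_mac": account_is_mac,
        "policy": fields.get("Network Policy Name", ""),
        "reason_code": reason_code,
        "findings": findings,
        "explanations": [EXPLANATIONS[f] for f in findings],
    }


if __name__ == "__main__":
    result = diagnose(parse_event(SAMPLE_EVENT))
    print(f"policy={result['policy']} mac={result['mac']} reason={result['reason_code']}")
    for label, why in zip(result["findings"], result["explanations"]):
        print(f"  [{label}] {why}")
```

On the constructed event the account name matches the calling MAC, so the only finding is `auth-method-not-enabled`, which is the situation in the question: the policy matched on the Calling-Station-Id condition, yet the request was denied because the EAP method it arrived with is not one the policy permits. Point the script at the text of an event copied out of the Security log to check a real denial the same way.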

Answers

  • Hi Dasyon,

    Thank you for your post.

    It's ok to enable NPS EAP-MD5 following KB922574.
    If it still does not work, patch KB981190 on your NPS server.

    If there are more inquiries on this issue, please feel free to let us know.

    Regards,
    Rick Tan


    • Edited by Rick Tan Thursday, November 10, 2011 7:10 AM
    • Marked as answer by Rick Tan Monday, November 14, 2011 5:51 AM
    Thursday, November 10, 2011 7:09 AM

All replies

  • Yeah, NPS cannot do EAP-MD5; I had to use Cisco RADIUS servers instead of NPS for 802.1x for phones. I didn't use MAC address bypass (MAB) though.
    Wednesday, November 9, 2011 2:06 PM