802.1x Wired MAC Authentication for VoIP Phones

Question
Hello All,
I'm currently testing the use of NPS for wired 802.1x MAC address authentication for Lync VoIP Phones. I've been able to get a laptop to authenticate with AD credentials with one network policy, but I'm having an issue with MAC authentication in another policy. I have an AD account for the phone's MAC address and the network policy has the MAC address in the Calling Station ID field. When the server receives the request everything matches up, but the request is still denied due to "The user attempted to use an authentication method that is not enabled on the matching network policy." We have Microsoft/Polycom CX700 Phones and Dell Powerconnect 6248 switches. The only thing I can find is that this may be due to the lack of EAP-MD5 on the NPS (NPS & EAP-MD5), but I would like confirmation that this is the problem before I start making changes within the registry (I'm a network guy, not a server guy, so the registry scares me). Any help would be greatly appreciated. Thanks.
Network policy configuration:
---------------------------------------------------------
Name = LyncPhones
State = Enabled
Processing order = 2
Policy source = 0

Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1f "00:04:f2:bb:15:ed"

Profile attributes:
Name Id Value
---------------------------------------------------------
NP-Allow-Dial-in 0x100f "TRUE"
NP-Allowed-Port-Types 0x1008 "0xf"
NP-Authentication-Type 0x1009 "0x7"
MS-Quarantine-State 0x1faf "0x0"
Quarantine-Update-Non-Compliant 0x1fc8 "TRUE"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"
Saved-Machine-HealthCheck-Only 0x1fdc "0x1"

Log Entry:
---------------------------------------------------------
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: CORP\0004f2bb15ed
Account Name: 0004F2BB15ED
Account Domain: CORP
Fully Qualified Account Name: corp.kace.com/KACE Resources/Lync Test
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-23-ae-d1-00-f3
Calling Station Identifier: 00:04:f2:bb:15:ed
NAS:
NAS IPv4 Address: -
NAS IPv6 Address: -
NAS Identifier: 00-23-ae-d1-00-f1
NAS Port-Type: Ethernet
NAS Port: 1
RADIUS Client:
Client Friendly Name: sjc3labaacctest
Client IP Address: 10.159.12.49
Authentication Details:
Connection Request Policy Name: Secure Wired (Ethernet) Connections
Network Policy Name: LyncPhones
Authentication Provider: Windows
Authentication Server: CATCH.corp.kace.com
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
Tuesday, November 8, 2011 11:55 PM
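The question above boils down to telling a policy-condition miss apart from an authentication-method miss: reason code 66 means the LyncPhones policy did match on Calling-Station-Id, and what was refused is the EAP method the phone offered. The script below is an added example, not code from the thread or from Microsoft; it parses the text of an NPS "denied access" event like the one quoted, normalises MAC formats (the switch logs hyphens, the policy uses colons) before comparing against the policy condition, and reports which of the two failures applies. The sample event and the reason-code table are constructed for the example; 66 is the code from the thread and 48 is NPS's "no policy matched" code.

```python
import re

# Constructed sample: the NPS denial event from the question, shortened to the
# fields this check needs (real events carry the full field list shown above).
SAMPLE_EVENT = """\
Network Policy Server denied access to a user.
Calling Station Identifier: 00:04:f2:bb:15:ed
Called Station Identifier: 00-23-ae-d1-00-f3
NAS Port-Type: Ethernet
Network Policy Name: LyncPhones
Authentication Type: EAP
EAP Type: -
Reason Code: 66
"""

# Calling-Station-Id condition from the LyncPhones policy dump (attribute id 0x1f).
POLICY_CALLING_STATION_ID = "00:04:f2:bb:15:ed"

# 66 is the code seen in the thread; 48 is NPS's "no network policy matched" code.
REASON_CODES = {
    48: "condition miss: no network policy matched the request",
    66: "policy matched, but the authentication method is not enabled on it",
}


def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, accepting 00:04:f2..., 00-04-F2...
    and 0004.f2bb...; None if the string is not a MAC. Switches and NPS disagree
    on separators and case, so never compare the raw strings."""
    digits = re.sub(r"[:\-.]", "", value.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def parse_event(text):
    """Parse the 'Field: value' lines of an NPS event into a dict (first wins)."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), val.strip())
    return fields


def diagnose(event_text, policy_mac):
    """Classify a denied MAC-auth request: condition miss vs. EAP-method miss."""
    ev = parse_event(event_text)
    calling = normalize_mac(ev.get("Calling Station Identifier", ""))
    if calling is None or calling != normalize_mac(policy_mac):
        return "condition miss: Calling-Station-Id does not equal the policy value"
    code = int(ev.get("Reason Code", "0"))
    finding = REASON_CODES.get(code, "reason code %d: see the NPS reason-code list" % code)
    if code == 66 and ev.get("EAP Type", "-") == "-":
        # No EAP type was negotiated: the method the phone offers (EAP-MD5 for the
        # handsets in this thread) is not in the policy's enabled EAP methods.
        finding += "; no EAP type negotiated, add the phone's EAP method to the policy"
    return finding
```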
Answers
Hi Dasyon,
Thank you for your post.
It's ok to enable NPS EAP-MD5 following KB922574.
If it still does not work, patch KB981190 on your NPS server.
If there are more inquiries on this issue, please feel free to let us know.
Regards,
Rick Tan
Thursday, November 10, 2011 7:09 AM
All replies
Yeah, NPS cannot do EAP-MD5. I had to use Cisco RADIUS servers instead of the NPS for the 802.1x for phones. I didn't use the MAC address bypass (MAB) though.
Wednesday, November 9, 2011 2:06 PM