MAC based authentication

  • Question

  • I've been reading forum after forum on this and have not been able to find a direct answer. With IAS it was possible to set up MAC based authentication; the NPS solutions are all workarounds. I'm using HP switches and I want to be able to use these two lines:

    aaa authentication port-access eap-radius
    aaa authentication mac-based chap-radius

    The first line will use NAP and 802.1x enforcement. The second would use MAC based enforcement. If you fail both of those you are hosed. My design here is that if you are a NAP client you go through NAP; if you aren't, and you are a printer/unix/whatever, you go to the second. I need a simple MAC solution and the Windows 2008 R2 DHCP MAC filter is not enough. I want the port to be disabled if you do not authenticate. NAP only authenticates using NT credentials of some sort; FreeRadius would allow me to authenticate using just the MAC address. I would love it if I could do this with just one NAP server.
    Tuesday, September 22, 2009 3:00 PM


All replies

  • Hi Gunnarw,

    If I understood the scenario correctly, I think NPS supports your needs.

    NPS supports MAC based authentication; you can follow the steps mentioned here http://blogs.technet.com/nap/archive/2006/09/08/454705.aspx to do the MAC based authentication.

    Tuesday, September 22, 2009 5:10 PM
  • I've seen that blog; it's about putting MAC on top of 802.1x. For 802.1x to work you have to have a client that supports it. None of the printers on my network support 802.1x. Any other ideas?
    Tuesday, September 22, 2009 5:43 PM
  • I finally figured this out. I asked a question but didn't follow my own rules. I had to set up MAC and 802.1x at the same time, as I state in my first question. To do this these articles are very helpful.

    I was forgetting to program the switch and kept troubleshooting the problem from the NAP side. Man, I feel dumb. I can see the requests hitting my NAP server now and I see the MAC address in those requests, so now I just need to set up the AD accounts. This will work for me for the time being.
    • Marked as answer by gunnarwb Tuesday, September 22, 2009 8:29 PM
    Tuesday, September 22, 2009 8:29 PM
  • Hi GunnarWB,
    Is your deployment issue resolved, or do you still need any help? There are a couple of ways you can do MAC authentication with NPS, all with small different tweaks. Are you doing the deployment with HP ProCurve?
    -RamaSubbu SK
    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Saturday, September 26, 2009 12:55 AM
  • If you are interested in doing a single authentication for all the non-NAP-aware hosts, you can just use one username for all the MAC based authentication machines, and in NPS you can replace the MAC address with a single username for authentication; with this you can avoid creating multiple user accounts in AD.
    You can find more information on Realm Name @ http://msdn.microsoft.com/en-us/library/bb960703(VS.85).aspx

    -RamaSubbu SK

    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Monday, September 28, 2009 11:40 PM
  • I'm deploying over HP ProCurves.

    I still have issues now and again; for the most part they seem to be client related, and I am having a hard time finding solid documentation on how to set up an XP client.

    The biggest problem I have is if you don't authenticate, I still need you to authenticate. Meaning I need it to fall back to a policy, because non-auth users need to go to a certain VLAN. I have this working for non-NAP clients because the switch supports a non-auth VLAN for MAC-based auth. However, if the client supports NAP, I have been unsuccessful in getting the non-auth VLAN to work.
    Wednesday, September 30, 2009 12:09 PM
  • Please send me some more links on this manipulation technique; I can see how that would be very handy.
    Wednesday, September 30, 2009 12:10 PM
  • I think properly ordering the network policies would solve the problem. Have the fallback policy (i.e. unauthenticated VLAN) at the end of all other policies, and all other NAP policies above this fallback policy.

    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Friday, October 2, 2009 1:34 AM
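The two ideas from the replies above, rewriting a MAC-shaped User-Name to one shared account and ordering the network policies so the unauthenticated-VLAN fallback comes last, as an added Python model that is not part of this thread and not NPS's own code. The shared account name, the known-device inventory, the VLAN ids and the sample request attributes are all constructed assumptions, and the policy functions only mimic NPS first-match processing.

```python
import re
from typing import Optional

# Constructed values standing in for a real deployment: the shared AD account that a
# MAC-shaped User-Name is rewritten to, and an inventory of known printer/unix MACs.
SHARED_ACCOUNT = "macauth"
KNOWN_MACS = {"00:1b:78:aa:bb:cc", "00:1b:78:dd:ee:ff"}
# A MAC as a switch may send it in User-Name: six hex octets with ':' '-' '.' or no
# separator between them (note that any 12-hex-digit username would match as well).
MAC_RE = re.compile(r"^" + r"([0-9a-f]{2})[:.-]?" * 5 + r"([0-9a-f]{2})$", re.IGNORECASE)

def normalize_mac(value: str) -> Optional[str]:
    """Canonical aa:bb:cc:dd:ee:ff form, or None when the value is not a MAC."""
    m = MAC_RE.match(value.strip())
    return ":".join(g.lower() for g in m.groups()) if m else None

def rewrite_user_name(user_name: str) -> str:
    """The attribute-manipulation step: a MAC-shaped User-Name becomes the single
    shared account, so one AD user serves every MAC-authenticated device."""
    return SHARED_ACCOUNT if normalize_mac(user_name) else user_name

def nap_8021x(req: dict) -> bool:          # NAP-capable clients doing EAP over 802.1X
    return req["Authentication-Type"] == "EAP"
def mac_known_device(req: dict) -> bool:   # shared account AND the calling MAC is inventoried
    return (req["User-Name"] == SHARED_ACCOUNT
            and normalize_mac(req["Calling-Station-Id"]) in KNOWN_MACS)
def fallback(req: dict) -> bool:           # matches everything, so it must be ordered last
    return True

# (name, condition, VLAN) in processing order: specific policies first, fallback last.
POLICIES = [
    ("NAP compliant 802.1X", nap_8021x, 10),
    ("MAC-based known device", mac_known_device, 20),
    ("Unauthenticated fallback", fallback, 999),
]

def evaluate(request: dict) -> tuple:
    """First matching policy wins, the way NPS walks its network policy list."""
    req = {**request, "User-Name": rewrite_user_name(request["User-Name"])}
    for name, condition, vlan in POLICIES:
        if condition(req):
            return name, vlan
    raise RuntimeError("no policy matched: the fallback policy is missing or not last")

# Constructed Access-Request attributes, not a capture from a real NPS log.
SAMPLE_REQUESTS = [
    {"User-Name": "jdoe", "Calling-Station-Id": "00-1B-78-11-22-33", "Authentication-Type": "EAP"},
    {"User-Name": "001b78aabbcc", "Calling-Station-Id": "00-1B-78-AA-BB-CC", "Authentication-Type": "CHAP"},
    {"User-Name": "00:1b:78:12:34:56", "Calling-Station-Id": "00-1B-78-12-34-56", "Authentication-Type": "CHAP"},
]
```

The third sample shows why the inventory check matters once every MAC maps to one account: a MAC that is not known still authenticates as the shared user, so only the Calling-Station-Id condition keeps it out of the device VLAN and in the fallback.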