802.1x Wireless protection with DHCP MAC filtering


  • Hi all,

    I've read through several threads, but can't seem to find exactly what I'm looking for, so hopefully you can help. We are beginning to roll out iPads to senior management, and for obvious reasons, would like them to connect to our network over wifi. However, I've hit a stumbling block in getting the server configured properly. Here's my setup:

    • Server 2008 R2
    • Cisco Small Business WAP4410N wireless access point

    I've successfully gone through the wizard in NPS to configure RADIUS for 802.1x wireless connections, and I can get devices to connect using AD user credentials. However, I'd really like to do MAC filtering as well. The DHCP service will happily handle this for me, but it doesn't stop someone from just using a static IP.

    So, my question is this: Is it possible to configure the NPS policies in such a way that devices can ONLY connect if they use DHCP, and therefore be in the MAC filter list? Or, is there a better way of doing this that I'm overlooking entirely? My intention is that each device will have a unique AD user, if that's of any help.


    Wednesday, March 21, 2012 4:56 PM

All replies

  • Hi Chris,

    Thanks for posting here.

    Perhaps we can specify the NAS type to DHCP in the policy:

    DHCP Server. If specified, NPS evaluates the network policy for connection requests that originate from servers that are running Dynamic Host Configuration Protocol (DHCP).

    Network Policy Overview Properties

    But a MAC filter is not a good idea for doing authentication and restriction.


    Tiger Li

    TechNet Community Support

    Thursday, March 22, 2012 9:14 AM
  • Thanks for the response.

    Sorry, should have mentioned this before, but I've tried that already. When I set it this way, it fails on the default "Connections to other access servers" rule. I've tried configuring it to allow DHCP connections, but I have to confess that I've been stymied by it.

    And the MAC filtering is just an additional layer of security. I'm still using the Active Directory users for authentication.

    Thanks again!

    Thursday, March 22, 2012 1:45 PM
  • Hi Chris,

    Thanks for the update.

    According to how NPS processes incoming requests, it will evaluate the rules one by one, starting from the first rule in the list, then the second, and so on, until a match is found. So did we set our customized rule as the top one in that list?

    Network Policies

    Meanwhile, the workaround in the blog post below might help:

    Configuring Custom NPS Policies Per DHCP scope


    Tiger Li

    TechNet Community Support

    Friday, March 23, 2012 1:17 AM
  • Thanks again for the info. Yes, it is the first rule in the list. When I look at the event log for NPS, I see the following under Authentication Details:

    Connection Request Policy Name: Secure Wireless Connections
    Network Policy Name: Connections to other access servers

    This leads me to believe that it's not matching the "Secure Wireless Connections" network rule for some reason. I've looked before at the blog post you mentioned, and tried to configure my wireless access rule to match, but I get the same result. I believe what's happening is that the device tries to obtain a DHCP address before it authenticates with username & password, and therefore gets denied.

    Thanks for the suggestions, though. They're appreciated.


    Friday, March 23, 2012 2:25 PM
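As an added example (not code from the thread or from NPS itself): a small Python parser for the Authentication Details layout Chris quotes, which flags requests that were routed by the "Secure Wireless Connections" connection request policy but still ended on the built-in "Connections to other access servers" network policy, the sign that no specific network policy above it matched. The sample events are constructed, not real log data.

```python
"""Parse NPS 'Authentication Details' text in the layout quoted in the thread and flag
requests that fell through to the catch-all network policy (example added here)."""
import re

# Built-in deny-all policy NPS creates by default: a request that matches it did not
# match any policy placed above it in the first-match processing order.
FALLBACK_POLICY = "Connections to other access servers"

# Constructed sample events (not real log data) in the thread's key: value layout.
SAMPLE_EVENTS = """\
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Connections to other access servers
Authentication Type: PEAP

Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Secure Wireless Connections
Authentication Type: PEAP

Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Connections to other access servers
Authentication Type: PAP
"""

# One "Field Name: value" line; field names are words separated by spaces.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split on blank lines; each block becomes a dict of field name -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(m.groups() for m in map(FIELD_RE.match, block.splitlines()) if m)
        if fields:
            events.append(fields)
    return events

def fell_through(events, expected_policy):
    """Events routed by the expected connection request policy that still ended on the
    fallback network policy, i.e. none of the specific network policies matched."""
    return [e for e in events
            if e.get("Connection Request Policy Name") == expected_policy
            and e.get("Network Policy Name") == FALLBACK_POLICY]

if __name__ == "__main__":
    for e in fell_through(parse_events(SAMPLE_EVENTS), "Secure Wireless Connections"):
        print("fell through:", e["Authentication Type"], "->", e["Network Policy Name"])
```

Run it against the text of the NPS events you see to confirm whether the wireless requests are matching the policy you expect or landing on the fallback.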