locked
IAS RADIUS MAC authentication problem RRS feed

  • Question

  • Hi! I set up a 2003 DC as an IAS RADIUS server, and I've configured the wireless AP's to use this server for authentication.
    I use only MAC authentication, because we have some old XP laptops with network cards that don't handle WPA/WPA2 keys too well. 

    I see in event viewer on the server that the computers are trying to connect to the wireless network, but they get rejected with Reason-Code 16.

    User 00-00-XX-XX-0X-X0 was denied access.
    
     Fully-Qualified-User-Name = ELEV\00-00-XX-00-0X-X0
     NAS-IP-Address = 10.0.2.8
     NAS-Identifier = <not present> 
     Called-Station-Identifier = 00-00-0X-X0-00-X0:WiFi_SSID
     Calling-Station-Identifier = 00-00-XX-00-0X-X0
     Client-Friendly-Name = Netgear_8
     Client-IP-Address = 10.0.2.8
     NAS-Port-Type = Wireless - IEEE 802.11
     NAS-Port = <not present> 
     Proxy-Policy-Name = Use Windows authentication for all users
     Authentication-Provider = Windows 
     Authentication-Server = <undetermined> 
     Policy-Name = <undetermined> 
     Authentication-Type = PAP
     EAP-Type = <undetermined> 
     Reason-Code = 16
     Reason = Authentication was not successful because an unknown user name or incorrect password was used. 

    The computers that is supposed to get access is added in AD as users, where username and password are the same as their MAC in lowercase. I have enabled Dial-In on them.
    I have one AP where this works great. This AP sends the MAC adress to the IAS server in lowercase. But the APs that don't work send the MAC in uppercase letters.

    Is there a better more stable way of doing this? Or is there a fix I can try? 

    Thanks!

     

    Tuesday, January 31, 2012 12:17 PM

Answers

  • Hi there -

    It sounds like you have it set up correctly per http://technet.microsoft.com/en-us/library/dd197535(WS.10).aspx, and there is no other way that I know of to configure MAC address authorization.

    If you haven't done so already, you might investigate firmware upgrades for the APs that are sending the UN/PW in uppercase.

    Also, if you just have a few XP based computers that require the use of MAC address authorization, I think you'd be better off creating a couple of AD user groups - one for the XP laptops - and base your remote access policy on the group membership of the users. That way you can also create one or more remote access policies for users who have more up to date OS's and deploy a more secure authentication method for those users' connections.

    Just a suggestion. :-)

    Thanks -

     


    James McIllece
    Tuesday, January 31, 2012 10:04 PM