NPS as Radius Server for 802.1x - Mac Filtering

  • Question

  • I have successfully deployed DHCP with MAC filtering; however, security is still open, since the access points don't have any security.

    Just putting a static IP will give access to the network.

    The wireless LAN clients are Windows and non-Windows devices such as laptops, desktops and handhelds.

    So the idea is to implement NPS and to configure the RADIUS server, creating a policy just for filtering the MAC address of the device.

    Is this possible using NPS?

    How can I specify the MAC address list of all devices?

    All this will be for Windows and non-Windows devices.

    Hope the requirement is clear.

    lovalles


    lovalles
    Thursday, December 16, 2010 1:26 AM

Answers

  • Hi Lovalles,

    You can use the NPS+Mac authorization to achieve that.

    In order to do that, you should first enable MAC authorization in the NAS (network access server), then create the user accounts for each MAC address in AD (Active Directory domain server), and modify the registry key "User Identity Attribute" under HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy to 31 on the NPS server.

    For more details, please refer to http://technet.microsoft.com/en-us/library/dd197535(WS.10).aspx.

    Regards

    Qunshu

    Thursday, December 16, 2010 5:53 PM

All replies

    1. Enable MAC address authorization on access servers, such as wireless access points (APs).
    2. Enable unauthenticated access on the appropriate NPS network policy for MAC address-based authentication, and enable Password Authentication Protocol (PAP).
    3. In the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, create a user account for each MAC address for which you want to provide MAC address authorization. The name of the user account must match the MAC address of the network adapter installed in the computer from which the user is connecting. The format of the password assigned to the account is determined by the network access server vendor. Review the network access server documentation to determine the appropriate password.
    4. Set the User Identity Attribute registry value to 31 on the NPS server. This registry value location is: HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy
    5. To always use the MAC address as the user identity, on the NPS server set the Override User-Name registry value to 1. This registry value location is: HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy

    When I follow these steps, in section 4 this entry does not appear on the NPS server, so I am creating it. So the question is: should it be a DWORD 32? Is the registry value 31 a hexadecimal value or a decimal value?

    Same question for Override User-Name as for User Identity Attribute.

    Thanks


    lovalles
    Monday, December 20, 2010 8:40 PM
  • Both the User Identity Attribute and Override User-Name registry keys are DWORD decimal values.

    Please let me know if any other questions.

    Regards

    Qunshu


    Clarification: Microsoft doesn't own any liability & responsibility for any of my posting.
    • Proposed as answer by Andrew [MSFT] Wednesday, December 22, 2010 8:01 AM
    Wednesday, December 22, 2010 8:01 AM
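
    One way to create and verify the two registry values discussed above from PowerShell, as an added example that is not part of the original thread. It assumes an elevated session on the NPS server and that the Policy key already exists; the variable names are illustrative.

```powershell
# Added example, not from the thread. Run elevated on the NPS server.
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy'

# Value names and data as given in the thread. Both are DWORDs, entered as decimal.
$wanted = [ordered]@{
    'User Identity Attribute' = 31   # decimal 31 = 0x1F, RADIUS attribute 31 (Calling-Station-Id)
    'Override User-Name'      = 1
}

if (-not (Test-Path -Path $policyKey)) {
    throw "Registry key not found: $policyKey"
}

# Create each value as a DWORD, or overwrite it if the data differs.
foreach ($name in $wanted.Keys) {
    $current = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $wanted[$name]) {
        New-ItemProperty -Path $policyKey -Name $name -PropertyType DWord `
            -Value $wanted[$name] -Force | Out-Null
    }
}

# Read back type and data so a wrong type or a hex/decimal mix-up is visible.
$key = Get-Item -Path $policyKey
foreach ($name in $wanted.Keys) {
    $kind = $key.GetValueKind($name)
    $data = $key.GetValue($name)
    $ok   = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($data -eq $wanted[$name])

    [pscustomobject]@{
        Name    = $name
        Kind    = $kind
        Decimal = $data
        Hex     = '0x{0:X}' -f $data
        Ok      = $ok
    }

    # Typing "31" in regedit with Hexadecimal selected stores 0x31, which is decimal 49.
    if ($name -eq 'User Identity Attribute' -and $data -eq 49) {
        Write-Warning "'$name' holds 49 (0x31): 31 was entered as hexadecimal instead of decimal."
    }
}
```
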
  • Can you provide information on how I should configure the Network Policy?
    lovalles
    Tuesday, January 4, 2011 3:51 PM
  • I hope this post is not closed yet. There remain some issues to be answered here. Once the MAC addresses are created as users, what password should you allocate them? I have seen a Cisco forum post suggesting that you should use the MAC address as the password as well. What's the format of the MAC address to be used as a user ID? Do we use ":" as the separator? This needs to be answered, as the NAS will be sending its message in a certain format to the NPS server.

     

    Further, what Group Policy do you set up for Windows clients to only log on to a specific SSID? How do I do this? I know how to do this in a standard NPS PEAP / MSCHAP sort of implementation but not in this instance. Can someone help please? Our wireless vendor MERU has no clear information about it anywhere, nor can their local support people give clear guidance on this. We will be grateful for any help.

     

    Nalin.

    Wednesday, June 15, 2011 6:13 AM
  • I am in desperate need of help configuring a 2008R2 NPS RADIUS server with MAC filtering enabled. I am new to this, so step by step please.
    Thursday, January 3, 2013 6:13 PM
  • Another option is to do this on your switches or on your firewall. I use NPS for wireless auth but I use firewall/DHCP for MAC auth. That way my auth policy is spread out and if my NPS server goes down I am not completely out of luck!
    • Edited by NBAYIT Sunday, June 12, 2016 10:50 PM
    Sunday, June 12, 2016 10:49 PM