MAC-based Authentication and the DHCP Server (Using the already existing DHCP Server database to validate MACs.)

  • Question

  • I want to use the existing DHCP Server database running on my Server 2008 box as the validator for MAC-based Authentication on my network switches and routers via RADIUS.

    I have spent the last few hours reading everything I can find, and it would seem that I am the only person in the world who thinks it is insane to create AD user accounts containing MAC addresses as the username and turning off the password policy to accept none, in order to use MAC-based authentication on a box that is already running DHCP server.
    Why can’t I point the RADIUS server to the DHCP server’s database? It’s there already, and it has all the MAC addresses in it for the reservations that we would want to authorize on the network.
    I can’t be the only one who thinks that using a separate 3rd-party RADIUS server that can use a separate database (FreeRADIUS), and a separate database of MACs on a Windows Server 2008 box, is a FAIL.
    Not only that, but DHCP server should be linked to RADIUS already, with check boxes to do things like “Allow RADIUS authentication on this scope for devices not existing in the Reservations list” (for open scopes, or for initial setup).
    Enabling port security on every port on every switch and router device is crazy, and a nightmare to initiate and maintain. Why has Microsoft not implemented this DHCP/MAC/RADIUS merge for the last decade? I noticed that I can now “Convert Lease to Reservation” under the new DHCP, which is nice (I had been waiting 10 years for that too).
    I can see why the whole “Health Check” thing is great for IA guys, but we network techs are being left to do everything twice (and create a mess in our ADs), or hand-jam thousands of MACs and re-enable ports.

    Please explain, and if what I asked is possible, then I apologize for my rant; please show me where I can find the information to link the DHCP Server database to the RADIUS Server for MAC-based Authorization relating to switch and router port security.

    Friday, July 29, 2011 2:07 PM

Answers

  • Hi,

    Thanks for the update.

    Yes, there are many shortcomings in MAC-based authentication and we don’t recommend using this method in an authenticated network deployment. 802.1X certificate- or password-based authentication methods are more secure and suggested instead:

    Authentication

    Following are the best practices for authentication:

    Use authentication methods, such as Protected Extensible Authentication Protocol (PEAP) and Extensible Authentication Protocol (EAP), that provide authentication types, such as Transport Layer Security (EAP-TLS and PEAP-TLS) and Microsoft Challenge Handshake Authentication Protocol version two (PEAP-MS-CHAP v2), that support the use of certificates for strong authentication. Do not use password-based authentication methods because they are vulnerable to a variety of attacks and are not secure.

    Use PEAP, which is required for all Network Access Protection (NAP) enforcement methods. Determine the PEAP authentication types that you want to use, such as PEAP-TLS and PEAP-MS-CHAP v2, and then plan and deploy your public key infrastructure (PKI) to ensure that all computers and users can enroll the certificates required by the authentication types.

    Deploy a certification authority (CA) by using Active Directory® Certificate Services (AD CS) if you use strong certificate-based authentication methods that require the use of a server certificate on NPS servers. You can also use your CA to deploy computer certificates to domain member computers and user certificates to members of the Users group in Active Directory.

    Planning for Recommended Security Configurations
    http://technet.microsoft.com/en-us/library/dd348504(WS.10).aspx

    Planning for Recommended Wired Security Configurations
    http://technet.microsoft.com/en-us/library/dd378927(WS.10).aspx

    Thanks.

    Tiger Li


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, August 3, 2011 6:39 AM

All replies

  • Hi,

    Thanks for posting and for the suggestions.

    Yes, NPS/IAS is unable to directly read the DHCP reservation database for MAC-based authentication so far. We will report your suggestions to the PG and do some evaluations in order to improve our products in future.

    At the moment, as a workaround you might consider exporting the reserved MAC addresses from the DHCP database by using the “netsh dhcp server [ip address] scope [scope address] dump” command and programmatically modifying the attributes of AD objects by script.

    Netsh Commands for Dynamic Host Configuration Protocol server
    http://technet.microsoft.com/en-us/library/cc772372(WS.10).aspx

    For more information on how to programmatically modify AD objects, please post and acquire the methods from the script forum:

    http://social.technet.microsoft.com/Forums/en/ITCG/threads

    Meanwhile, we have also added a new MAC-based filter feature in the Windows Server 2008 R2 DHCP service and also provide a useful utility that will help users to manage their address database:

    MAC Filter Import Tool
    http://blogs.technet.com/b/teamdhcp/archive/2009/02/16/mac-filter-import-tool.aspx

    http://blogs.technet.com/b/teamdhcp/archive/tags/mac+filtering/

    Thanks for supporting Windows Server products.

    Tiger Li


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, August 2, 2011 5:47 AM
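An added example for the export step in the reply above (not code from the thread or from Microsoft): it parses the reservation lines of a netsh dump into a MAC allowlist, canonicalizing the address format and flagging malformed or duplicated entries before anything is pushed into AD. Python is used so the parsing logic runs anywhere; the dump text is constructed, and the line format is assumed to follow the documented "add reservedip" syntax.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of "netsh dhcp server <ip> scope <scope> dump" output (not a real
# capture); reservation lines are assumed to follow the documented
# "add reservedip <IP> <MAC> [name] [comment] [BOTH|DHCP|BOOTP]" syntax.
SAMPLE_DUMP = """\
Dhcp Server \\\\DHCP01 Scope 10.1.20.0 Add reservedip 10.1.20.10 00155d01aa10 "printer-2f" "2nd floor" "BOTH"
Dhcp Server \\\\DHCP01 Scope 10.1.20.0 Add reservedip 10.1.20.11 00-15-5D-01-AA-11 "badge-reader" "" "DHCP"
Dhcp Server \\\\DHCP01 Scope 10.1.20.0 Add reservedip 10.1.20.12 00:15:5d:01:aa:10 "dup-printer" "" "BOTH"
Dhcp Server \\\\DHCP01 Scope 10.1.20.0 Add reservedip 10.1.20.13 00155D01AA1G "typo-mac" "" "BOTH"
Dhcp Server \\\\DHCP01 Scope 10.1.20.0 set optionvalue 003 IPADDRESS "10.1.20.1"
"""

# Matches reservation lines only; the server token (\\NAME or an IP) is skipped.
RESERVATION_RE = re.compile(
    r'^\s*Dhcp Server \S+ Scope (?P<scope>\S+) Add reservedip '
    r'(?P<ip>\S+) (?P<mac>\S+)(?: "(?P<name>[^"]*)")?', re.IGNORECASE)

def normalize_mac(raw: str) -> Optional[str]:
    """Canonical form: 12 lowercase hex digits, or None if malformed. Switches send the
    MAC-auth username in vendor-specific formats (dashes, colons, dots, none), so key on this."""
    digits = re.sub(r"[-:.]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def parse_reservations(dump_text: str) -> List[Dict[str, str]]:
    """Extract scope, ip, raw mac and name from every 'Add reservedip' line."""
    found = []
    for line in dump_text.splitlines():
        m = RESERVATION_RE.match(line)
        if m:
            found.append({"scope": m["scope"], "ip": m["ip"],
                          "mac": m["mac"], "name": m["name"] or ""})
    return found

def build_mab_allowlist(dump_text: str) -> Dict[str, object]:
    """Allowlist keyed by canonical MAC. Malformed MACs are reported, not silently dropped,
    and a MAC reserved twice is flagged: usually a stale entry that still grants access."""
    allowed: Dict[str, Dict[str, str]] = {}
    invalid: List[str] = []
    duplicates: List[tuple] = []
    for r in parse_reservations(dump_text):
        mac = normalize_mac(r["mac"])
        if mac is None:
            invalid.append(r["ip"])
        elif mac in allowed:
            duplicates.append((mac, r["ip"]))
        else:
            allowed[mac] = r
    return {"allowed": allowed, "invalid": invalid, "duplicates": duplicates}
```

The "invalid" and "duplicates" lists are the review queue: an entry that never made it into the allowlist is a device that will be rejected at the port, while a duplicate is an entry worth deleting before it is imported anywhere.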
  • Thank you for your reply; I was afraid that you were going to tell me that there was no clean way of doing it with Server 2008.
    I fully understand that the move from a closed/filtered DHCP-based security solution to MAC-based port security gives only minimal protection to the network, but currently that move involves a tremendous amount of manpower and inconvenience to the customer and the network techs involved, and it is always the next level of security we are asked to implement after closed scopes (the current MAC filter is worthless if someone sets their IP to static in a closed scope without the complementing switch-level security). As network techs, we understand that it really is just a small speed bump to an intruder, as they will just spoof their MAC to match an authorized machine, or simply boot up off a “Live” OS on an authorized box. The problem is it can take thousands of hours for us to implement and maintain port security, and having the ability to point our numerous switches and routers to an already existing closed-scope DHCP server makes all of those man-hours and troubles go away, and gives that next level of security with a comparable level of work to be done by us.
    For large organizations with lots of non-Windows devices, we can’t simply turn off AD password policies and create thousands of junk MAC users to use NPS/IAS easily in its current form, so that just leaves hand-jamming or port stickying and then the inevitable clearing of shut/disabled ports and clearing of violations, or we have to run non-trusted 3rd-party software on top of our enterprise-level MS servers and maintain an exported MAC database.
    You couldn’t get any easier than pointing your switches via RADIUS to the DHCP server and checking a box in DHCP to turn on MAC-based authentication. We could even use it in a mixed mode, with open scopes in general but MAC-based authorization based on reservations, so that computers could move throughout various scopes as long as they had a reservation in another, or let that be a selective option for specific computer reservations (global network tech laptop reservation).
    I firmly believe this feature alone would be enough to make most network technicians recommend upgrading from Server 2008 to Server 2008 R2 if it were made available in R2.
    Please ask some network technicians about the value this would give us. Hopefully it won’t take another 10 years to implement it (like “Convert lease to reservation” did).

    Again, thank you for your reply and for listening to me rant. (Can you guess the task that the security people want me to implement soon, BTW?)

    Tuesday, August 2, 2011 9:01 AM