NAP Mac Authentication Bypass RRS feed

  • Question

  • Hello,

    we have dot1x and MAB implementation between Juniper Cisco Switches and Microsoft NAP and all dot1x accounts are working well.

    Non-dot1x devices like Phones will use mac authentication bypass , i have read a lot of documents to create AD account for each mac-address using the username/password to be the device mac.

    of course we don't need to do that for 500 account !! we just need NAP to authorize them without referring to AD , can it be done ??

    i tried making a network policy with setting the calling-station-ID to ^001b4f which is the OUI of the devices mac-address but still can't authenticate as below " we need to bypass this authentication step ".

        Security ID:            NULL SID
        Account Name:            001b4f4921fd
        Account Domain:            Domain
        Fully Qualified Account Name:    Domain\001b4f4921fd

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        b0-c6-9a-d4-0d-80
        Calling Station Identifier:        00-1b-4f-49-21-fd

        NAS IPv4 Address:
        NAS IPv6 Address:        -
        NAS Identifier:            Switch3
        NAS Port-Type:            Ethernet
        NAS Port:            78

    RADIUS Client:
        Client Friendly Name:        SW3
        Client IP Address:  

    Authentication Details:
        Connection Request Policy Name:    Use Windows authentication for all users
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        NAP.DOMAIN.LOCAL
        Authentication Type:        EAP
        EAP Type:            -
        Account Session Identifier:        384F322E317838313133306132323030303364313030
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            8
        Reason:                The specified user account does not exist.

    Wednesday, May 27, 2015 6:53 AM