How to Deny by MAC Address

  • Question

  •  I have a public SSID that I want to deny the company laptops from accessing. I have a generic logon for the BYODs to access it. I am using 802.1X via a Cisco Wireless controller, and it points to the NPS via the RADIUS server settings in the controller. So the first policy would be a deny policy (looking for the MAC addresses I can input via User Manager or whatever works), then it would go to the ALLOW policy using the name and password to authenticate. The DHCP server I am using for this is the ISP router we have set up going directly to the internet so they cannot access the local LAN. Is this possible? I have looked long and hard but I have not been able to find a solution. Any help is appreciated. Thanks.
    Tuesday, May 13, 2014 12:54 PM


  • Hi,

    I’m sorry to tell you that you can’t deny a client by MAC address in NPS policy.

    It is recommended that you use a machine group to match the machines that you need to deny.

    To create a group for a network policy, please follow the steps below:

    1. Open the Active Directory Users and Computers console, and then click the domain where you want to create a group.
    2. To create a group whose members are computers, in the details pane, right-click Computers, click New, and then click Group. To create a group whose members are users, in the details pane, right-click Users, click New, and then click Group. The New Object - Group dialog box opens.
    3. In New Object - Group, in Group name, type a name for the group.
    4. In Group scope, select Domain local, Global, or Universal.
    5. In Group type, ensure that Security is selected, and then click OK.
    6. Double-click either Computers or Users, depending on where you created your group, and then double-click the group you created to open group properties.
    7. In group properties, click the Members tab, and then click Add. The Select Users, Contacts, Computers, or Groups dialog box opens.
    8. In Select Users, Contacts, Computers, or Groups, in Enter the object names to select, type the object names that you want to add to the group, and then click OK twice.
    9. Open the Network Policy Server console and double-click Policies. Right-click Network Policies, and then click New. The New Network Policy wizard opens.
    10. Run the wizard, making selections appropriate to your deployment, until you reach the Specify Conditions page.
    11. In Specify Conditions, click Add. The Select condition dialog box opens. If you created a group of computers, click Machine Groups. If you created a group of users, click User Groups. Click Add. The Windows Groups dialog box opens. Click Add Groups.
    12. The Select Group dialog box opens. In Enter the object name to select, type the name of the group that you created in AD DS, and then click OK.
    13. Configure additional conditions for your deployment as needed, and then continue running the New Network Policy wizard until you have completed creating a new network policy.

    For detailed information, please view the link below:

    Network Policy Conditions Properties


    Checklist: Configure NPS for 802.1X Authenticating Switch Access


    Hope this helps.

    Steven Lee

    TechNet Community Support

    Wednesday, May 14, 2014 7:48 AM
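Steps 1 through 8 of the answer above (create a security group in AD DS and add the computer accounts to it) can be scripted instead of clicked through. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, a hypothetical domain corp.example.com, that the company laptops' computer accounts live in the OU "OU=Laptops,DC=corp,DC=example,DC=com", and a hypothetical group name "Wifi-Guest-Deny". The group it creates is the one you would then pick in the Machine Groups condition in steps 9 through 13.

```powershell
# Added example (not from the original thread): build the AD security group that an
# NPS "Machine Groups" condition points at, populate it with the company laptops,
# and print what NPS will evaluate.
# Assumptions (hypothetical): domain corp.example.com, laptops in OU=Laptops,
# group name Wifi-Guest-Deny created in the default Computers container, as in step 2.
Import-Module ActiveDirectory

$GroupName = 'Wifi-Guest-Deny'
$LaptopOU  = 'OU=Laptops,DC=corp,DC=example,DC=com'
$GroupPath = 'CN=Computers,DC=corp,DC=example,DC=com'

# Steps 1-5: a Global security group. Reuse it if it already exists so the
# script can be re-run safely when new laptops are joined.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupCategory Security -GroupScope Global -Path $GroupPath `
        -Description 'Company laptops that must not use the public SSID' -PassThru
}

# Steps 6-8: every computer account under the laptop OU becomes a member.
# Only computer objects are added; user accounts are deliberately left out,
# because the Machine Groups condition evaluates the computer account.
$laptops = Get-ADComputer -Filter * -SearchBase $LaptopOU -SearchScope Subtree
if ($laptops) {
    Add-ADGroupMember -Identity $group -Members $laptops
}

# Check: the members and the group SID. NPS stores the SID, not the name, in
# the policy condition, so renaming the group later does not break the policy.
Get-ADGroupMember -Identity $group |
    Select-Object Name, objectClass, SID |
    Format-Table -AutoSize
"Group SID the NPS Machine Groups condition will store: $($group.SID.Value)"
```

Run this on a domain-joined admin workstation with RSAT, then continue with step 9 in the NPS console and select Wifi-Guest-Deny under Machine Groups in the deny policy; make sure that deny policy has a lower processing order number than the allow policy, so it is evaluated first. One caveat worth testing before relying on it: the Machine Groups condition is evaluated against the computer account that authenticates, so a company laptop whose supplicant sends the generic BYOD user credentials rather than its own computer credentials is evaluated as that user and may fall through to the allow policy.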