IAS and 802.1x/MAC authentication to replace VMPS

  • Question

  • Hello,

     

    Sorry but I could not find a forum directly for IAS and this seemed a closest fit.

     

    I'm researching how we will move our network from VMPS (a soon-to-be end-of-lifed Cisco MAC address based wired switch port authentication and VLAN assignment mechanism) to a combination of 802.1x and MAC authentication and would like to see if Microsoft IAS RADIUS would fit the bill.  I've read about IAS on technet and see that by using remote access policies, you should be able to map MAC addresses to VLAN assignments.  My question is, does anyone know of an automation tool that can take a flat file of MAC address to VLAN mappings and create the necessary IAS remote access policies for MAC address to VLAN mappings?  We have thousands of changing MAC addresses and hundreds of VLANs that we need to keep track of and already have a system in place to generate a flat file of MAC address to VLAN mappings. I've looked at the Cisco ACS server and it's not very scalable so wanted to see how well IAS (or whatever new RADIUS server Microsoft is running these days) would work before delving into freeRADIUS which has its own issues when trying to communicate with AD via Samba since we don't allow NTLM on our network.

     

    Any help or suggestions would be appreciated!

     

    Thanks,

     

    Mark

    Wednesday, February 6, 2008 11:21 PM

Answers

  • Hi Mark,

     

    You can review this forum post to review some of the methods used to incorporate MAC addresses into Network Policy Server (NPS) policies [Microsoft's new RADIUS server in Windows Server 2008]: http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2470343&SiteID=17, but it sounds like you may already understand that this is possible.

     

    As for dynamically creating policies from a flat file, I am guessing that would need to be scripted. I'm not aware of any automation tool that can do this for you.

     

    Since you can use pattern matching when creating authentication (connection request) and authorization (network) policies in NPS, the Calling-Station-ID condition can be used to match multiple clients if you wish, and make the VLAN assignment - eliminating the need to create a policy for each individual MAC address. Since NPS configuration is in XML format, importing changes is not complicated.

     

    I hope this helps!

     

    -Greg

     

    P.S. A couple other forums that may provide help for you are the Migration forum (http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=574&SiteID=17) and the Network Infrastructure Servers forum (http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=1510&SiteID=17).

    Friday, February 8, 2008 7:41 AM
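Greg's suggestion of one Calling-Station-ID pattern per VLAN instead of one policy per MAC address, worked through as an added example (this is not code from the thread, from Microsoft or from the NPS product): a Python script that reads the kind of flat MAC-to-VLAN file Mark describes, normalizes the address notations, refuses ambiguous entries, and emits one policy definition per VLAN carrying the RFC 3580 VLAN reply attributes (Tunnel-Type 13, Tunnel-Medium-Type 6, Tunnel-Private-Group-ID). The flat-file layout, the policy names, the `MAB-VLAN-<id>` naming and the assumption that the switch sends Calling-Station-Id as lowercase hyphen-separated hex are all mine; the NPS condition syntax and its export/import XML schema are not shown on this page, so the output is a neutral policy list to translate into your own import format rather than a ready-to-import file.

```python
"""Turn a flat MAC -> VLAN file into per-VLAN RADIUS policy definitions.

Added example for this thread; not code from the thread, Microsoft or NPS.
Assumed (not from the thread): input lines are "<mac> <vlan-id>" with '#'
comments; MACs may be written 00:11:22:33:44:55, 00-11-22-33-44-66 or
0011.2233.4477; the switch sends Calling-Station-Id as lowercase
"xx-xx-xx-xx-xx-xx" (CSID_SEP).  Reply attributes follow RFC 3580.
"""
import re
from collections import defaultdict

CSID_SEP = "-"           # assumed Calling-Station-Id separator used by the NAS
TUNNEL_TYPE_VLAN = 13    # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6    # RFC 3580: Tunnel-Medium-Type = IEEE-802

MAC_FORMS = [
    re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$"),
    re.compile(r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$"),
    re.compile(r"^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"),
]

# Constructed sample input with made-up addresses: mixed notations, one
# malformed line, and one MAC listed under two different VLANs.
SAMPLE_FLAT_FILE = """\
# mac                 vlan
00:11:22:33:44:55     100
00-11-22-33-44-66     100
0011.2233.4477        200
AA:BB:CC:DD:EE:FF     300
00:11:22:33:44:55     300
not-a-mac             100
"""

def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if malformed."""
    s = raw.strip().lower()
    if not any(form.match(s) for form in MAC_FORMS):
        return None
    return re.sub(r"[^0-9a-f]", "", s)

def to_csid(mac12):
    """Format 12 hex digits as the NAS is assumed to send Calling-Station-Id."""
    return CSID_SEP.join(mac12[i:i + 2] for i in range(0, 12, 2))

def parse_flat_file(text):
    """Parse the flat file into ({mac12: vlan}, [problem strings]).

    Malformed lines are skipped and reported.  A MAC listed under two
    VLANs is ambiguous: it is dropped entirely and reported, rather than
    silently landing in whichever VLAN was listed first.
    """
    mapping, problems, conflicting = {}, [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        mac = normalize_mac(fields[0])
        if mac is None or len(fields) != 2 or not fields[1].isdigit():
            problems.append("line %d: malformed entry %r" % (lineno, line.strip()))
            continue
        vlan = int(fields[1])
        if not 1 <= vlan <= 4094:
            problems.append("line %d: VLAN %d out of range" % (lineno, vlan))
            continue
        if mac in mapping and mapping[mac] != vlan:
            problems.append("line %d: %s mapped to VLAN %d and VLAN %d"
                            % (lineno, to_csid(mac), mapping[mac], vlan))
            conflicting.add(mac)
        mapping.setdefault(mac, vlan)
    for mac in conflicting:
        del mapping[mac]
    return mapping, problems

def build_policies(mapping):
    """One policy per VLAN: a Calling-Station-Id regex plus RFC 3580 replies."""
    by_vlan = defaultdict(list)
    for mac, vlan in mapping.items():
        by_vlan[vlan].append(to_csid(mac))
    policies = []
    for vlan in sorted(by_vlan):
        # CSIDs contain only hex digits and the separator, so no escaping needed.
        alternatives = "|".join(sorted(by_vlan[vlan]))
        policies.append({
            "name": "MAB-VLAN-%d" % vlan,
            "calling_station_id_regex": "^(?:%s)$" % alternatives,
            "reply_attributes": {
                "Tunnel-Type": TUNNEL_TYPE_VLAN,
                "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
                "Tunnel-Private-Group-ID": str(vlan),
            },
        })
    return policies

def evaluate(policies, calling_station_id):
    """VLAN the first matching policy would assign, or None (no match: reject)."""
    for policy in policies:
        if re.match(policy["calling_station_id_regex"], calling_station_id):
            return int(policy["reply_attributes"]["Tunnel-Private-Group-ID"])
    return None

if __name__ == "__main__":
    mapping, problems = parse_flat_file(SAMPLE_FLAT_FILE)
    print("\n".join("WARNING: " + p for p in problems))
    for policy in build_policies(mapping):
        print(policy["name"], policy["calling_station_id_regex"])
```

Dropping a MAC that appears under two VLANs is deliberate: a "first entry wins" merge is exactly how a host ends up on the wrong VLAN with nobody noticing, so the generator reports it and leaves that address unmatched (and therefore rejected) until the source file is fixed. The `evaluate` function mirrors first-match policy processing, which lets you regression-test a generated policy set against a sample of Calling-Station-Id values before importing it.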

All replies

  • Is there a specific need to manage machines via MAC as opposed to managing network access on a per-user or per-machine basis?

     

    -Chris

    Chris.Edson@online.microsoft.com *

    SDET, Network Access Protection

    * Remove the "online" to make the address valid.

    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, February 21, 2008 9:48 PM
  • Thanks Chris,

     

    At this point we're looking for a VMPS replacement which is MAC based but will want to have a solution that also does user authentication as well (like 802.1x).  We just need to be able to assign VLANs based on the MAC address either way since many of our users have multiple machines with different VLAN assignments.  At this point we have the MAC address to VLAN data that can be put into VMPS easily but need to move away from VMPS eventually since Cisco is phasing out CatOS.  Currently looking at non-Microsoft products for this as well (like freeNAC).

     

    Thanks,

     

    Mark

    Monday, February 25, 2008 7:27 PM