Mac Authentication Bypass suddenly fails

  • Question

  • Hello all,

    I am having an issue with MAB failing all of a sudden. When I look at the logs, I see that it's due to an invalid auth type (I see IAS_INVALID_AUTH_TYPE in the logs). MAB used to work, and user and computer authentication still work fine. I can't figure out what has changed since then - the only change I can see is the fact that our DCs were issued a new cert by our CA recently, but if that makes a difference, wouldn't that affect user and computer authentication as well? 

    We are using MS-CHAP v2 for authentication, and MAC addresses are stored as user accounts in AD (user name and password are set as the MAC address). The clients are Windows 7 PCs, and they are authenticating against our 2008 R2 NPS server. Any help on this would be much appreciated. Thank you.

    Regards,

    Nikita

    Thursday, August 21, 2014 11:42 PM

Answers

  • Hi Nikita,

    NAS also means Network Access Server. According to the logs, it should be a Cisco switch.

    INVALID_AUTH_TYPE means that either the client computer attempted to use an authentication method that is not enabled on the matching network policy or the client computer attempted to authenticate as Guest, but guest authentication is not enabled.

    MAC address authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method.

    MAC address authorization is enabled when you do the following:

    1. Enable MAC address authorization on access servers, such as wireless access points (APs).
    2. Enable unauthenticated access on the appropriate NPS network policy for MAC address-based authentication, and enable Password Authentication Protocol (PAP).
    3. In the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, create a user account for each MAC address for which you want to provide MAC address authorization. The name of the user account must match the MAC address of the network adapter installed in the computer from which the user is connecting. The format of the password assigned to the account is determined by the network access server vendor. Review the network access server documentation to determine the appropriate password.
    4. Set the User Identity Attribute registry value to 31 on the NPS server. This registry value location is: HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy
    5. To always use the MAC address as the user identity, on the NPS server set the Override User-Name registry value to 1. This registry value location is: HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy

    For detailed information, please refer to the link below,

    MAC Address Authorization

    http://technet.microsoft.com/en-us/library/dd197535(v=WS.10).aspx

    Best Regards.



    Steven Lee

    TechNet Community Support

    • Marked as answer by NikitaY Tuesday, August 26, 2014 11:54 PM
    Monday, August 25, 2014 5:34 AM
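    One way to audit the NPS-side steps from this answer (the two registry values and the per-MAC AD account) against the rejected event posted earlier in the thread. This is an added example, not code from the thread or from Microsoft; it assumes it runs on the NPS server with the ActiveDirectory PowerShell module installed and with rights to read the registry key and query AD.

```powershell
# Added example (not from the thread): audit the MAB prerequisites named in the answer.
# Assumes: run on the NPS server, ActiveDirectory module available.
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy'

function Get-MabRegistryState {
    # Step 4 expects 'User Identity Attribute' = 31 (Calling-Station-Id);
    # step 5 expects 'Override User-Name' = 1. A missing value shows as $null.
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UserIdentityAttribute = $props.'User Identity Attribute'
        OverrideUserName      = $props.'Override User-Name'
        UserIdentityOk        = ($props.'User Identity Attribute' -eq 31)
        OverrideUserNameOk    = ($props.'Override User-Name' -eq 1)
    }
}

function ConvertTo-MabAccountName {
    # Turns a Calling-Station-Id as logged ("C8-AC-6F-A4-6B-2B") into the account
    # name form NPS looked up in the posted event ("c8ac6fa46b2b").
    param([Parameter(Mandatory)][string]$CallingStationId)
    ($CallingStationId -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
}

function Test-MabAccount {
    # Step 3: a user whose sAMAccountName equals the MAC must exist and be enabled.
    param([Parameter(Mandatory)][string]$CallingStationId)
    $name = ConvertTo-MabAccountName $CallingStationId
    $user = Get-ADUser -Filter "sAMAccountName -eq '$name'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AccountName = $name
        Exists      = [bool]$user
        Enabled     = if ($user) { [bool]$user.Enabled } else { $false }
    }
}

# Usage, with the Calling-Station-Id from the rejected event in this thread:
Get-MabRegistryState | Format-List
Test-MabAccount -CallingStationId 'C8-AC-6F-A4-6B-2B' | Format-List
```

    The network policy settings from steps 1 and 2 (unauthenticated access, PAP) are not in the registry; `netsh nps show config` dumps the NPS configuration so they can be checked by hand.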

All replies

  • Hi Nikita,

    Please check that if there is any warning or error in the event viewer of NPS server.

    If it is possible, please post it here. It's useful for troubleshooting.

    Besides, what's your NAS? Have you consulted the manufacturer of the NAS about this issue? Do they give any hints?

    Best Regards.



    Steven Lee

    TechNet Community Support

    Friday, August 22, 2014 3:24 PM
  • Looking at the logs, the cause for termination is INVALID_AUTH_TYPE. Here's the full event:

    Name                  Value
    Called Station Id     F4-7F-35-90-17-01
    Calling Station Id    C8-AC-6F-A4-6B-2B
    Client Friendly Name  Cisco-2960S
    Client IP Address     10.xx.xx.xx
    Connect Request       IAS_INVALID_AUTH_TYPE
    Connect Result        Rejected
    Duration              00:00:00
    FQ User Name          domain.com/Computers/Workstations/MACs/c8ac6fa46b2b
    NP Policy Name        MAB
    Record Count          2
    Server IP             10.xx.xx.xx
    Server Name           NPSServer
    Server NasPort        60,000
    Start DateTime        08/22/2014 08:05:34
    Stop DateTime         08/22/2014 08:05:34
    Terminate Cause       INVALID_AUTH_TYPE
    User Name             c8ac6fa46b2b
    Start Date            08/22/2014
    Start Time            08:05:34
    Stop Date             08/22/2014
    Stop Time             08:05:34
    Class                 311 1 10.xx.xx.xx 08/14/2014 02:17:49 12445
    NAS Port Type         Ethernet
    SAM Account Name      EC\c8ac6fa46b2b
    Proxy Policy Name     VLAN Assignment
    SQ User Name          c8ac6fa46b2b
    IAS Session Id        12,445

    Excuse the question, but how would Network Attached Storage have an effect on our authentication issues? Thank you.

    Regards,

    Nikita

    Friday, August 22, 2014 4:11 PM
  • Allowing unauthenticated access, in addition to enabling PAP in the Connection Request Policy, fixed the problem. Thank you for your help.

    Regards,

    Nikita

    Tuesday, August 26, 2014 11:54 PM