locked
MAC address authorization 802.11X RRS feed

  • Question

  • I'm trying to setup mac address authorization on an NPS that is already running EAP-TLS for our wireless access points.

    So far, I've added a user account to the local computer's store and set the username and password equal to the mac address of the computer I am trying to connect with.

    I've also created a new network policy, setting a condition for NAS Port Type Wireless - IEEE 802.11 OR Wireless - Other
    For constraints, I've checked Unencrypted authentication (PAP, SPAP) under Authentication methods

     

    I have also created a REG_DWORD value of user Identity Attribute and set it to 31 (decimal) under HKLM\System\CurrentControlSet\services\RemoteAccess\Policy

    When I attempt to connect with my laptop, it fails. I can see the denial record in the event log.

    Below is some of the error:

    Reason Code: 16
    Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

     

    The only problem I can see is that the error references our domain in the Account Domain field in the error and includes DOMAIN\MAC in the Fully qualified account name field. The user account I created for the MAC address is not in AD, it is in the local store. Is this my problem? How can I get NPS to reference the local user store?

     

    I've been referencing this TechNet article: http://technet.microsoft.com/en-us/library/dd197535(WS.10).aspx

    Thursday, November 17, 2011 2:42 AM

All replies

  • Hi,

     

    As you mentioned, we should create the user account for each MAC address in AD ranther than in local users and groups. If your NPS server is a member server in AD, it is configured by default to use the AD database for authentication and authorization. However, we can change this setting by modify the registry key on NPS server.

     

    Please refer to the below article to configure the NPS server to use local database:

     

    Configure NPS to Use the Security Accounts Manager Database

    http://technet.microsoft.com/en-us/library/cc771364(WS.10).aspx

     

     

    Best Regards

    Aiden

    Friday, November 18, 2011 7:22 AM
  • Thanks Aiden!

    The only other thing we use this NPS for is 802.11X PEAP-TLS and all of the certificates have the user's UPN.  If I change the default database to the SAM, the domain lookups using the UPN should still work, right?

     

    Thanks,

    Jeff

    Friday, November 18, 2011 3:29 PM
  • Okay, I've changed the registry setting and when I attempt to connect to the wireless network I can see in the event log on the NPS server that access was granted.  However, my computer doesn't join the network.  It gets stuck at "Validating Identity" and I see a baloon pop-up that says "Windows was unable to find a certificate to log you on to the network"

    On the NPS, I have two network policies, one for PEAP-TLS and another for Mac Address authorization.  On the Mac Address authorization policy, I have the following settings defined:

    Ignore User Dial-In Properties:  True
    Access permission:  Grant Access
    Authentication Method: Unencrypted authentication (PAP, SPAP)
    NAP Enforcement:  Allow full network access
    Update Noncompliant Clients: True
    Framed-Protocol: PPP
    Service-Type:  Framed
    Encryption Policy:  Enabled
    Encryption: 
    BAP Percentage of Capacity:  Reduce Multilink if server reaches 50% for 2 minutes

    Friday, November 18, 2011 7:51 PM
  • Hi Jeff,

     

    Since your CA was installed on domain level, NPS server must contact the AD to verify that the client certificate is valid. Given this situation, you have two chooses to deploy your NPS settings:

    1.       NPS server use SAM database, and we only use MAC address authorization for security, disable the PEAP-TLS authentication.

    2.       Change back the setting, make NPS server to contact with AD database, then, use PEAP-TLS authentication, give up the MAC address authorization or as the guide said, put all MAC addresses in AD not local users and groups.

     

    However, MAC address filtering is not recommended for Microsoft Windows-based 802.11 wireless networks. For best practice, I recommend that we use option 2 in your environment. For your reference, please read the following article:

     

    Planning for Recommended Security Configurations

    http://technet.microsoft.com/en-us/library/dd348504(WS.10).aspx

     

     

    Best Regards,

    Aiden

    Wednesday, November 23, 2011 9:47 AM
  • Aiden,

    When I disable my PEAP-TLS policy on NPS so that only the PAP policy is enabled, I still receive the same message about a certificate on the laptop when it is validating identity.

    I understand that MAC authorization is not reccomended, as they can be spoofed. However, we're only using it to grant temporary internet access to visitors. Our idea is that staff will fill out a form with the device's MAC and it will grant internet access to that device for a 24 hour period.

    Thanks,

    Jeff

    Wednesday, November 23, 2011 4:28 PM
  • Hi Jeff,

     

    From your description, I understand that you want personal derives of employees can grant a temporary Internet access. In order to archive this, I recommend that we use Dynamic VLAN assignment with NPS server to separate the corp computers and personal computers. In this way, we can limited the guest network access. And client transmissions may be redirected to a different logical or physical network. For your information, please check the following Link:

     

    Configure NPS for VLANs

    http://technet.microsoft.com/en-us/library/cc731649(WS.10).aspx

    VLAN Attributes Used in Network Policy

    http://technet.microsoft.com/en-us/library/cc754422(WS.10).aspx

     

    However, if you insist using the MAC address authentication, you may disable the IEEE 802.1X authentication for the wireless adapter on client side and check if it helps.

     

     

    Best Regards,

    Aiden

    Thursday, November 24, 2011 6:02 AM
  • Aiden,

    Thanks again for your help on this.  Yes, we want employees to be able to grant access to devices for visitors to the internet.  We're using Cisco Aironet and have already created a seperate SSID and VLAN for the guests which keeps them completly seperate from our internal VLANs, so that isn't a concern for us.

    I'll give disabling 802.11X authentication a try to see if that resolves the cert issue I am having.

    Jeff

    Thursday, November 24, 2011 2:16 PM