How to do Server 2012 R2 Network Policy Server MAC Authentication without adding AD users?

  • Question

  • I have a Network Policy Server running on Server 2012 R2.  I have set it up to do certificate and PEAP authentication for our 802.1x wireless authentication and that works great.

    Now I want to add a policy to this server so I can also do MAC address authentication on our unauthenticated open wireless SSID so I can assign roles based on the MAC address.  I got our Aruba controller set up to send the MAC address to the RADIUS server, but the RADIUS server just denies access because I am not sure how to get it to use the msNPCallingStationID attribute.

    I have found several ways to do this, including adding Active Directory users for every single MAC address with the MAC address as the username and password.  I do not want to do that.  This is not an option.

    I have also found several posts about using ieee802Device.  I can't find a way to get that to work.

    I also found a suggestion to use the msNPCallingStationID AD attribute.  I can easily set this for each user as their MAC address, but how do I configure the NPS server to use this attribute to authenticate?

    If you have any other ideas on how to get MAC authentication to work, I would greatly appreciate it!

    Thank you for your assistance!
    Tuesday, July 15, 2014 2:57 AM

Answers

  • Hi,

    I think you may have some misunderstanding about MAC address authorization. MAC address authorization is based on the MAC address of the network adapter installed in the access client computer. Like ANI authorization, MAC address authorization uses the Calling-Station-ID attribute instead of a user name and password or certificate-based credentials to identify the user during the connection attempt.

    MAC address authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method. In this case, Network Policy Server (NPS) receives the Calling-Station-ID attribute, and no user name and password. To support MAC address authorization, Active Directory Domain Services (AD DS) must have user accounts that contain MAC addresses as user names; therefore you need to add the MAC address as the computer's user name and password.

    Using the MAC address as the user name and password is a Cisco® switch requirement; about your switch device, please ask your hardware vendor.

    If you want to combine MAC address filtering and EAP authentication, you can refer to the following related article:

    Enhance your 802.1x deployment security with MAC filtering

    http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx

    More information:

    MAC Address Authorization

    http://technet.microsoft.com/en-us/library/dd197535(v=ws.10).aspx

    Authorization by User and Group

    http://technet.microsoft.com/en-us/library/dd197615(v=ws.10).aspx

    The similar thread:

    NPS: Override User-Name and User Identity Attribute

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/6dd983f9-973f-4d23-be0c-032d3a1592d0/nps-override-username-and-user-identity-attribute?forum=winserverNAP

    The related third party article:

    Configuring IEEE 802.1x Port-Based Authentication

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_25_see/configuration/guide/3550SCG/sw8021x.html#wp1170569

    MAC Filters with Wireless LAN Controllers (WLCs) Configuration Example

    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#backinfo

    Hope this helps.

    • Edited by Alex Lv Wednesday, July 16, 2014 7:57 AM
    • Marked as answer by Alex Lv Thursday, August 7, 2014 9:47 AM
    Wednesday, July 16, 2014 7:51 AM
  • You can choose EAP or MAC address; if you want to choose both, you have to create the MAC as the user name. You can create a specific OU for these user names; they don't have any security issue!
    • Proposed as answer by Alex Lv Tuesday, July 22, 2014 9:53 AM
    • Marked as answer by Alex Lv Thursday, August 7, 2014 9:47 AM
    Thursday, July 17, 2014 5:41 AM

All replies

  • Alex,

    I do understand that.  I was just trying to avoid the creation of thousands of AD users with just a MAC address as the username and password.  I have no issue scripting it.  It just seems like a lot of garbage in my AD infrastructure and a potential security issue.  What methods do others use to lock down those users to ensure they can only be used for RADIUS MAC authentication?

    Wednesday, July 16, 2014 1:44 PM
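The following is an added example, not code from the thread or from Microsoft, showing one way to provision the MAC-as-username accounts the answer describes while addressing the lockdown question in the follow-up: a dedicated OU, a security group that the NPS network policy can require, a fine-grained password policy so a hex MAC is accepted as a password, and accounts that cannot be used interactively. The domain `corp.example.com`, the OU `MAC-Auth`, the group `MAC-Auth-Devices` and the sample MACs are placeholders; the Calling-Station-ID format is an assumption to confirm against what your controller actually sends.

```powershell
# Added example (not from the thread): provisions MAC-authorization accounts and
# applies the lockdowns asked about. All names below are placeholders/assumptions.
Import-Module ActiveDirectory

$DomainDn = 'DC=corp,DC=example,DC=com'
$UpnSuffix = 'corp.example.com'
$OuPath   = "OU=MAC-Auth,$DomainDn"
$Group    = 'MAC-Auth-Devices'   # use as the "Windows Groups" condition in the NPS network policy
$MacList  = @('00-11-22-AA-BB-CC', '00-11-22-AA-BB-CD')   # constructed sample MACs

# 1. Dedicated OU and group. Link a GPO to this OU that adds $Group to the
#    "Deny log on locally" and "Deny log on through Remote Desktop Services"
#    user rights, so these accounts are usable only through RADIUS.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$OuPath'")) {
    New-ADOrganizationalUnit -Name 'MAC-Auth' -Path $DomainDn
}
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -Path $OuPath -GroupScope Global -GroupCategory Security
}

# 2. A MAC used as a password fails default complexity (at most two character
#    classes), so give this group its own fine-grained password policy instead
#    of weakening the domain-wide policy.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'MAC-Auth-PSO'")) {
    New-ADFineGrainedPasswordPolicy -Name 'MAC-Auth-PSO' -Precedence 10 `
        -ComplexityEnabled $false -MinPasswordLength 12 -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity 'MAC-Auth-PSO' -Subjects $Group
}

# 3. One account per MAC. The sAMAccountName must match the Calling-Station-ID
#    string exactly as the controller sends it (assumption: hyphenated upper case;
#    check the NPS reject event for a real attempt before creating accounts in bulk).
foreach ($Mac in $MacList) {
    $Sam = $Mac.ToUpper()
    if (Get-ADUser -Filter "SamAccountName -eq '$Sam'") { continue }   # idempotent re-runs
    New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName "$Sam@$UpnSuffix" `
        -Path $OuPath -AccountPassword (ConvertTo-SecureString $Sam -AsPlainText -Force) `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'RADIUS MAC authorization only; no interactive logon'
    Add-ADGroupMember -Identity $Group -Members $Sam
}
```

On the NPS side, scope the network policy that grants access to these accounts with both the `MAC-Auth-Devices` group condition and a client condition for the Aruba controller, so the accounts cannot authorize anywhere but the open SSID.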