NPS: Override User-Name and User Identity Attribute

  • Question

  • After configuring NPS and using http://technet.microsoft.com/en-us/library/dd197535%28WS.10%29.aspx it's possible to authenticate based on MAC Addresses.

    Is it by design that all authentication requests handled are changed to MAC Address Authentication?


    We want to have three Network Access Policies, two based on Active Directory Account, one based on MAC Address.

    After entering the registry values and rebooting the server, it's only possible to authenticate based on MAC Address.


    Do we need separate NPS servers, one for MAC based authentication and one for A.D. account authentication?


    Thank you in advance.

    Friday, July 15, 2011 1:12 PM

Answers

  • Hi GerardVU4,

    Thank you for your post.

    Is it by design that all authentication requests handled are changed to MAC Address Authentication?
    To always use the MAC address as the user identity, on the NPS server set the Override User-Name registry value to 1.
    If you set Override User-Name to 1 and the User Identity Attribute to 31, the authenticating server can perform only Automatic Number Identification/Calling Line Identification (ANI/CLI)-based authentication. Normal authentication by using authentication protocols, such as Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) and Extensible Authentication Protocol (EAP), is disabled.
    So please remove Override User-Name registry entry on your NPS server first.

    Do we need separate NPS servers, one for MAC based authentication and one for A.D. account authentication?
    No, you could set up three Network Access Policies on the same NPS server.
    For the Network Access Policy based on MAC Address, just select the Authentication Method PAP in the policy's Constraints tab.
    For the Network Access Policies based on Active Directory Account, keep the default Authentication Methods MS-CHAP-v2 & MS-CHAP.

    If there are more inquiries on this issue, please feel free to let us know.


    Regards,
    Rick Tan
    Monday, July 18, 2011 3:00 AM
    Moderator
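One way to audit and apply the two registry values discussed in the reply above from PowerShell, added here as an example that is not part of the thread or of Microsoft's documentation. It assumes the values live under the NPS policy key HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy (the key path is not named in this thread; check it against the TechNet article linked in the question) and that the NPS Windows service is named IAS. The check function reports the mode the server is in, so you can see before touching anything whether Override User-Name is what is silencing the MS-CHAP/EAP policies.

```powershell
# Added example, not from the thread. Assumed key path (verify against the TechNet article):
$NpsPolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy'

function Get-NpsIdentityConfig {
    # Read both values; a missing value comes back as $null.
    $props = Get-ItemProperty -Path $NpsPolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UserIdentityAttribute = $props.'User Identity Attribute'   # 31 = RADIUS Calling-Station-Id (the MAC)
        OverrideUserName      = $props.'Override User-Name'        # 1  = always use that attribute as the identity
    }
}

function Test-NpsIdentityConfig {
    # Explain what the current combination means, as the reply above describes it.
    $cfg = Get-NpsIdentityConfig
    if ($cfg.OverrideUserName -eq 1 -and $cfg.UserIdentityAttribute -eq 31) {
        Write-Warning 'Override User-Name=1 + User Identity Attribute=31: NPS does ANI/CLI (MAC) authentication only; MS-CHAP and EAP policies will not be usable.'
        return 'MacOnly'
    }
    if ($cfg.UserIdentityAttribute -eq 31) {
        Write-Host 'User Identity Attribute=31 without Override User-Name: MAC-based (PAP) and AD-based (MS-CHAP v2) policies can coexist.'
        return 'Mixed'
    }
    Write-Host 'No MAC identity mapping configured: only User-Name based policies apply.'
    return 'UserNameOnly'
}

function Set-NpsMixedIdentityConfig {
    # Apply the fix from the reply: keep attribute 31, remove the override, restart NPS.
    # The thread rebooted the server; restarting the NPS service (assumed name IAS) is the lighter option.
    if (-not (Test-Path $NpsPolicyKey)) { New-Item -Path $NpsPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $NpsPolicyKey -Name 'User Identity Attribute' -Value 31 -Type DWord
    Remove-ItemProperty -Path $NpsPolicyKey -Name 'Override User-Name' -ErrorAction SilentlyContinue
    Restart-Service -Name IAS
    Test-NpsIdentityConfig
}

# Usage: run elevated on the NPS server.
Test-NpsIdentityConfig          # shows which mode the server is currently in
# Set-NpsMixedIdentityConfig    # uncomment to apply the change the reply recommends
```

Once the server reports "Mixed", the policy split still has to be done in the NPS console as the reply says: PAP as the only authentication method on the MAC-address policy, MS-CHAP v2 on the Active Directory ones, with the policy order chosen so the MAC policy only matches the clients it is meant for.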

All replies

  • Hi Rick,

    Thank you for the reply.

    So when only setting the User Identity Attribute registry key to 31, I should be able to configure all three NAPs?

    Regards,

    Gerard Verwey

    Monday, July 18, 2011 7:53 AM
  • Hi GerardVU4,

    Yes, only using the User Identity Attribute.


    Regards,
    Rick Tan
    Tuesday, July 19, 2011 1:32 AM
    Moderator
  • Hi Rick,

    Many thanks for your post, I think it is helping me head towards what I am trying to achieve. Please could you help with some specific information regarding setting up 802.1x authentication based on AD login and MAC address.

    I have created user accounts in AD for users for wireless authentication, but I would also like to authenticate against the MAC address too. I have users successfully authenticating with their AD login, but would like to restrict to particular MAC addresses, and not authenticate purely based on their MAC. I would like to be able to enter their MAC address into the AD user account and then configure the correct NPS policy to authenticate against that.

    If you could please provide more specific instructions on how to achieve this I would greatly appreciate it.

    Regards, Liam
    Monday, June 10, 2013 9:22 AM
  • Gerard, were you able to get both MAC and user/pass working for your NPS setup?

    I cannot get the MAC working, it only works with user/pass.

    The error I get is:

    Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect

    Any pointers? Thanks

    Monday, July 8, 2013 7:06 PM
  • Did you get both MAC and user/pass working for your setup?

    I cannot get the MAC working, only user/pass.

    Error: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect

    Any pointers? Please email to djpennin.yahoo.com

    Monday, July 8, 2013 7:09 PM
  • I would like to know the solution to this issue too :-)

    Any chance of posting it here?

    Thursday, August 7, 2014 7:41 AM
  • Hi guys, it seems a long time since the last post, but I'm in the same situation; we also need the solution for this issue too. Thanks in advance.
    Wednesday, March 11, 2020 5:15 PM