802.1x with MAC address authentication

  • Question

  • Hello,

    We have a 2008R2 NPS which is authenticating clients via 802.1x (PEAP-TLS, computer-based authentication). This is working fine.

    We now want to allow certain non-802.1x supplicants (printers etc.) to connect to the network via the same NPS. I have created a user in AD with the username and password as the MAC address of the non-802.1x device. I then set the following reg values on the NPS (as detailed by Microsoft to allow the NPS to read the Calling-Station-ID value as a username):

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\User Identity Attribute
    This registry setting tells the authenticating server to use the calling number (RADIUS attribute 31, Calling-Station-ID) as the identity of the calling user. The user identity is set to the calling number only when there is no user name being supplied in the connection attempt.
    To always use the calling number as the user identity, set the following registry value to 1 on the authenticating server:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\Override User-Name

    After I set these and restart the NPS, the non-802.1x client now authenticates successfully; however, all 802.1x clients fail authentication!

    If I remove the above registry values and restart the NPS, 802.1x clients can authenticate successfully again, but the non-802.1x device fails!

    Is there a way to get both 802.1x and MAC address authentication working on the same NPS?

    Thanks

    Thursday, July 5, 2012 8:34 AM
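The identity-selection rule quoted from the Microsoft documentation above is easy to model, and doing so shows why setting `Override User-Name` to 1 knocks out the 802.1x clients: every request, including one that already carries a computer account in `User-Name`, is then evaluated under its Calling-Station-Id, for which no AD account exists. The script below is an added illustration of that documented rule; it is not NPS code, the request records and account names are constructed, and it assumes the printer's Access-Request arrives with no `User-Name` (the "no user name being supplied" case the documentation describes).

```python
# Added example: a small model of the NPS identity-selection rule described in the
# registry documentation quoted in the question. Not NPS code; all request
# records and account names below are constructed for illustration.

# RADIUS attribute 31 is Calling-Station-Id (per the quoted documentation).
CALLING_STATION_ID = 31


def select_identity(request, user_identity_attribute=None, override_user_name=0):
    """Return the identity that would be evaluated for one Access-Request.

    request: dict with optional "User-Name" and "Calling-Station-Id" keys.
    user_identity_attribute: the 'User Identity Attribute' registry value
        (31 means use Calling-Station-Id), or None when the value is not set.
    override_user_name: the 'Override User-Name' registry value; 1 means
        always use the identity attribute, even when a User-Name is supplied.
    """
    user_name = request.get("User-Name")
    calling = request.get("Calling-Station-Id")
    if user_identity_attribute == CALLING_STATION_ID and calling is not None:
        # Documented rule: the calling number replaces the identity only when
        # no User-Name was supplied, unless Override User-Name is 1.
        if override_user_name == 1 or user_name is None:
            return calling
    return user_name


def authenticate(request, accounts, **registry):
    """Accept the request only if the selected identity matches a known account."""
    identity = select_identity(request, **registry)
    return identity is not None and identity in accounts


# Constructed sample data: one computer account and one MAC-named account,
# mirroring the setup described in the question.
ACCOUNTS = {"host/WS01.example.local", "00-11-22-33-44-55"}

REQ_8021X = {  # supplicant present: User-Name carries the computer account
    "User-Name": "host/WS01.example.local",
    "Calling-Station-Id": "AA-BB-CC-DD-EE-FF",
}
REQ_PRINTER = {  # no supplicant: assumed to arrive with no User-Name at all
    "Calling-Station-Id": "00-11-22-33-44-55",
}

CONFIGURATIONS = {
    "registry values not set": {},
    "identity attribute 31, override 0": {"user_identity_attribute": 31, "override_user_name": 0},
    "identity attribute 31, override 1": {"user_identity_attribute": 31, "override_user_name": 1},
}


def evaluate_configurations():
    """Return {configuration name: (802.1x accepted, printer accepted)}."""
    return {
        name: (
            authenticate(REQ_8021X, ACCOUNTS, **registry),
            authenticate(REQ_PRINTER, ACCOUNTS, **registry),
        )
        for name, registry in CONFIGURATIONS.items()
    }


if __name__ == "__main__":
    for name, (dot1x_ok, printer_ok) in evaluate_configurations().items():
        print(f"{name:36s} 802.1x={dot1x_ok!s:5s} printer={printer_ok!s:5s}")
```

In this model only the middle configuration (identity attribute set to 31, override left at 0) accepts both kinds of client, because the 802.1x request keeps its supplied `User-Name` while the printer request falls back to its Calling-Station-Id. If a particular switch sends a `User-Name` for non-supplicant ports as well, that request no longer matches the "no user name supplied" case, which is the situation `Override User-Name` exists for; the trade-off shown above is that the override then applies to every request the NPS sees.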

Answers