Trying to set up 802.1x auth via MAB using the Calling Station ID for authentication.

  • Question

  • We are currently testing setting up 802.1x for port authentication using our NPS server. We have been able to successfully test domain-joined PCs. Now we need to authenticate IP phones that most users use to attach their PC to. All of our phones are from one vendor, so I was hoping to just challenge the Calling Station ID for the first part of the MAC address. In my test I actually set the entire Calling Station ID to the MAC of the test phone.

    NPS is seeing the request but denying the attempt.  

    Network Policy Server denied access to a user.
    
    Contact the Network Policy Server administrator for more information.
    
    User:
    	Security ID:			NULL SID
    	Account Name:			0004f2bd531f
    	Account Domain:			xxxx
    	Fully Qualified Account Name:	xxxx\0004f2bd531f
    
    Client Machine:
    	Security ID:			NULL SID
    	Account Name:			-
    	Fully Qualified Account Name:	-
    	Called Station Identifier:		F0-B2-E5-D2-BC-02
    	Calling Station Identifier:		00-04-F2-BD-53-1F
    
    NAS:
    	NAS IPv4 Address:		192.168.150.8
    	NAS IPv6 Address:		-
    	NAS Identifier:			-
    	NAS Port-Type:			Ethernet
    	NAS Port:			50102
    
    RADIUS Client:
    	Client Friendly Name:		xxxxxx-Switches-Lab
    	Client IP Address:			192.168.150.8
    
    Authentication Details:
    	Connection Request Policy Name:	dot1x
    	Network Policy Name:		-
    	Authentication Provider:		Windows
    	Authentication Server:		awsapp07.AD.xxxx.xxx
    	Authentication Type:		PAP
    	EAP Type:			-
    	Account Session Identifier:		-
    	Logging Results:			Accounting information was written to the local log file.
    	Reason Code:			16
    	Reason:				Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

    Something that the log showed that I found interesting is that it showed the correct Connection Request Policy Name but no Network Policy Name.

    My settings are:

    Not sure what I'm doing wrong.  I really would like to avoid having to add all the phones in our AD as users if at all possible. 

    Wednesday, September 18, 2019 8:16 PM
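The event pasted above carries everything needed to tell a MAB-style request apart from a normal user logon: the account name NPS tried is the calling station's MAC with the separators removed, the authentication type is PAP, no network policy is named, and the reason code is 16. The parser below is an added example, not code from the original post or from Microsoft; it takes the event text as pasted (the sample is copied from the post), splits it into section-qualified fields so the duplicate "Account Name" keys under "User" and "Client Machine" stay apart, normalizes the MAC, reports which spelling of the MAC the account name matches, and checks the OUI against a list of vendor prefixes. The prefix list, the function names and the verdict wording are this example's own assumptions.

```python
"""Parse NPS 'denied access' event text and classify MAB-style attempts.

Added example; not part of the original post. The sample event below is
copied from the post, and the OUI prefix list passed to analyze() is an
operator-supplied assumption, not something NPS provides.
"""
import re

# Constructed sample: the event text pasted in the post, tabs as NPS writes them.
SAMPLE_EVENT = """\
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
\tSecurity ID:\t\t\tNULL SID
\tAccount Name:\t\t\t0004f2bd531f
\tAccount Domain:\t\t\txxxx
\tFully Qualified Account Name:\txxxx\\0004f2bd531f

Client Machine:
\tSecurity ID:\t\t\tNULL SID
\tAccount Name:\t\t\t-
\tFully Qualified Account Name:\t-
\tCalled Station Identifier:\t\tF0-B2-E5-D2-BC-02
\tCalling Station Identifier:\t\t00-04-F2-BD-53-1F

NAS:
\tNAS IPv4 Address:\t\t192.168.150.8
\tNAS Port-Type:\t\t\tEthernet
\tNAS Port:\t\t\t50102

Authentication Details:
\tConnection Request Policy Name:\tdot1x
\tNetwork Policy Name:\t\t-
\tAuthentication Type:\t\tPAP
\tEAP Type:\t\t\t-
\tReason Code:\t\t\t16
\tReason:\t\t\t\tAuthentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
"""

# A section header is an unindented line ending in ':' (e.g. "User:").
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*):\s*$")
# A field is an indented "Key:<tabs>value" line; the key stops at the first colon.
FIELD_RE = re.compile(r"^\s+(?P<key>[^:\t]+):\s*(?P<value>.*?)\s*$")
HEX12 = re.compile(r"^[0-9a-f]{12}$")


def parse_nps_event(text):
    """Return {'Section/Key': value}; the section prefix keeps duplicate keys apart."""
    fields, section = {}, None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        m = FIELD_RE.match(line)
        if m and section:
            fields[f"{section}/{m.group('key').strip()}"] = m.group("value")
    return fields


def normalize_mac(s):
    """Strip '-', ':', '.' and whitespace, lowercase; None if not 12 hex digits."""
    raw = re.sub(r"[-:.\s]", "", s or "").lower()
    return raw if HEX12.match(raw) else None


def mac_formats(raw):
    """Common spellings of a normalized MAC that might appear as a RADIUS user name."""
    pairs = [raw[i:i + 2] for i in range(0, 12, 2)]
    return {
        "raw-lower": raw,
        "raw-upper": raw.upper(),
        "dash-upper": "-".join(pairs).upper(),
        "colon-lower": ":".join(pairs),
        "dotted": ".".join(raw[i:i + 4] for i in range(0, 12, 4)),
    }


def analyze(fields, allowed_oui_prefixes=()):
    """Classify one denied event; allowed_oui_prefixes are assumed vendor OUIs."""
    calling = normalize_mac(fields.get("Client Machine/Calling Station Identifier"))
    account = fields.get("User/Account Name", "")
    formats = mac_formats(calling) if calling else {}
    account_format = next((n for n, v in formats.items() if v == account), None)
    rc = fields.get("Authentication Details/Reason Code", "")
    net_policy = fields.get("Authentication Details/Network Policy Name", "-")
    allowed = {normalize_mac(p + "000000")[:6] for p in allowed_oui_prefixes
               if normalize_mac(p + "000000")}
    result = {
        "calling_mac": calling,
        "account_name": account,
        "account_is_calling_mac": account_format is not None,
        "account_format": account_format,
        "oui": calling[:6] if calling else None,
        "oui_allowed": bool(calling) and calling[:6] in allowed,
        "auth_type": fields.get("Authentication Details/Authentication Type"),
        "network_policy_matched": net_policy not in ("", "-"),
        "reason_code": int(rc) if rc.isdigit() else None,
    }
    if result["account_is_calling_mac"]:
        result["verdict"] = (f"MAB-style request: account name is the calling MAC "
                             f"({account_format}); network policy matched="
                             f"{result['network_policy_matched']}; reason code={rc}")
    else:
        result["verdict"] = "account name is not the calling station's MAC"
    return result


if __name__ == "__main__":
    # '00-04-F2' is taken from the test phone in the post; any other vendor
    # prefix the operator expects would go in the same list.
    for k, v in analyze(parse_nps_event(SAMPLE_EVENT), ["00-04-F2"]).items():
        print(f"{k}: {v}")
```

Run it over a block of event text copied from Event Viewer (or from `Get-WinEvent` output) and compare `account_format` with the spelling NPS is told to expect; if `network_policy_matched` is False on every MAB event while it is True for the domain-joined PCs, the request never reached a network policy that allows the phones.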

All replies

  • Hi ,

    Due to resource limits, we could not reproduce your problem in our lab.

    This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.

    If you have any updates during this process, please feel free to let me know.

    Best Regards,

    Candy



    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Wednesday, September 25, 2019 7:54 AM
    Moderator