NAC Appliance and NPS for MAC Authentication


Let me preface this by saying I am brand new to NAC. I am setting up a Windows 2012 NPS server as a RADIUS Proxy in NAC to authenticate clients via MAC Address. My question is how the NAC appliance knows which OU to look in for the MAC Address. I have dug around and cannot find anything pertaining to this. When using NPS as a RADIUS proxy for IdentiFI Wireless it was a matter of creating Access Policies. Is it the same for NAC? Any help is appreciated.

3 replies

Userlevel 6
Hello,

Typically we don't proxy MAC authentication to the back end NPS RADIUS server. In a typical deployment MAC authentication is handled locally, and the NAC is designed to auto accept any MAC authentication request regardless of password, username, or even RADIUS shared secret. MAC Authentication is used to identify the end system, more than as an authentication mechanism.

We do have a few customers that use NAC to proxy the MAC authentication back to NPS, but there isn't much known regarding what their configuration is. I suspect they have users with either usernames of the MAC address, or an alias that serves as the username of the MAC address.

Thanks
-Ryan
I found this article

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-authorise-Windows-domain-user-computer-using-802-1x-and-LDAP-lookups-to-ensure-the-user-AND-computer-is-in-the-domain-denying-access-to-users-with-valid-domain-credentials-on-BYOD-devices

However, I'm stuck at using the NAC Appliance itself as a RADIUS server. I was able to set up my NPS as RADIUS servers using shared keys...
Userlevel 6
Hello,

Are you looking for configuration of MAC authentication or 802.1x authentication?

All you have to do for MAC authentication is put the switch in the "Switches" tab, enforce the NAC, and verify RADIUS is configured on the switch. :edit: Also you'll need to make sure MAC authentication is enabled on the desired ports as well. :edit:

For 802.1x check out the following:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-NTLM-authentication-on-EA...

Thanks
-Ryan
