
NAC Appliance and NPS for MAC Authentication

dcsdne
New Contributor III


Let me preface this by saying I am brand new to NAC. I am setting up a Windows 2012 NPS server as a RADIUS Proxy in NAC to authenticate clients via MAC Address. My question is how the NAC appliance knows which OU to look in for the MAC Address. I have dug around and cannot find anything pertaining to this. When using NPS as a RADIUS proxy for IdentiFI Wireless it was a matter of creating Access Policies. Is it the same for NAC? Any help is appreciated.

Ryan_Yacobucci
Extreme Employee
Hello,

Are you looking for configuration of MAC authentication or 802.1x authentication?

All you have to do for MAC authentication is put the switch in the "Switches" tab, enforce the NAC, and verify RADIUS is configured on the switch. :edit: Also you'll need to make sure MAC authentication is enabled on the desired ports as well. :edit:

For 802.1x check out the following:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-NTLM-authentication-on-EA...

Thanks
-Ryan

dcsdne
New Contributor III
I found this article

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-authorise-Windows-domain-user-compu...

However, I'm stuck at using the NAC Appliance itself as a RADIUS server. I was able to set up my NPS as RADIUS servers using shared keys...

Ryan_Yacobucci
Extreme Employee
Hello,

Typically we don't proxy MAC authentication to the back-end NPS RADIUS server. In a typical deployment MAC authentication is handled locally, and the NAC is designed to auto-accept any MAC authentication request regardless of password, username, or even RADIUS shared secret. MAC Authentication is used to identify the end system, more than as an authentication mechanism.

We do have a few customers that use NAC to proxy the MAC authentication back to NPS, but there isn't much known regarding what their configuration is. I suspect they have users with either usernames of the MAC address, or an alias that serves as the username of the MAC address.

Thanks
-Ryan
