Casey Weaver

Will Radius solve this issue?

I've got a K-12 client that is using the Meru Wireless Network system with the MC3000 controller. The controllers have a 1000 MAC address limit, and they were told by support that they would have to use RADIUS to go beyond that limit. On the other side, they also want to secure the physical ports themselves so students can't just plug in any device.

Every MAC address is known, and getting them into a system usable by whatever is an acceptable thing; we won't frown away from entering 2500 MACs if we have to. We have all summer.

The idea is to use Windows Server 2008 R2's NAP role with DHCP callout. Right now this particular server is also a DHCP server, KMS server, and one of the backup DNS servers, so the server has plenty of load leftover. But if we need to provision another server, they have the licenses and the spare servers sitting around for it.

Right now the network is open, using MAC filtering from Meru. By GPO (and the base image), when the systems turn on they automatically bond to the SSID, allowing domain login for the student. It would be preferable if it stayed that way. In other words, we'd like the system to be transparent so that there's no extra logging in; the wireless device is simply authenticated by its MAC address. We'd also like the same for the ports, so that a device can be plugged in anywhere in the building as long as its MAC address is allowed.

Current backend equipment is as follows:

2 Dell PowerEdge servers as ESX 4.1 hosts.
Multiple SANs
BackupExec server and its backup SAN

HP ProCurve chassis and gigabit switch modules (some fiber)
Cisco ASA 5420 firewall

Right now all servers run under DHCP reservations, along with the iPads and iPods for class instruction. All other things just take a DHCP address from their respective VLAN/scope.

Any ideas where to get started and if this will even work?
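Whatever backend ends up holding the allow-list, the 2500 known MAC addresses have to be cleaned up before they are loaded into it. The script below is an added example for this thread (not code from Meru, Microsoft or the poster): it normalizes a constructed sample inventory written in mixed notations, rejects malformed entries and duplicates, emits the colon-separated form a controller allow-list would take, and emits the bare 12-hex-digit form for RADIUS accounts. That bare-hex user-name convention is an assumption about how the RADIUS side would be configured, not something the thread states; the 1000-entry limit check comes from the question.

```python
"""
Normalize a MAC-address inventory before loading it into a controller
allow-list or a MAC-based RADIUS backend.  Added example for this thread;
not code from Meru, Microsoft or the poster.  SAMPLE_CSV is constructed
input.  The "RADIUS user name = 12 lowercase hex digits" convention is an
ASSUMPTION about the RADIUS configuration, not something the thread states.
"""
import csv
import io
import re

# From the question: each Meru MC3000 controller holds at most 1000 MACs.
CONTROLLER_MAC_LIMIT = 1000

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

# Constructed sample inventory: mixed notations, one duplicate, two bad rows.
SAMPLE_CSV = """\
hostname,mac,role
netbook-001,00:1A:2B:3C:4D:5E,student
netbook-002,00-1a-2b-3c-4d-5f,student
ipad-lab-01,001a.2b3c.4d60,instruction
netbook-001,00:1a:2b:3c:4d:5e,student
bad-entry,00:1A:2B:3C:4D,student
printer-lib,ZZ:1A:2B:3C:4D:61,staff
"""


def canonical_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a
    well-formed MAC.  Accepts colon, hyphen, Cisco dotted and bare forms.
    Only separators are stripped, so 'ZZ' or a short address is rejected."""
    stripped = re.sub(r"[:\-.\s]", "", raw.strip()).lower()
    return stripped if _HEX12.match(stripped) else None


def colon_form(mac12):
    """'001a2b3c4d5e' -> '00:1a:2b:3c:4d:5e'."""
    return ":".join(mac12[i:i + 2] for i in range(0, 12, 2))


def load_inventory(csv_text):
    """Parse the CSV, normalize MACs, and separate good rows from rejects.
    Returns (devices, rejected): devices maps canonical MAC -> row info,
    rejected is a list of (hostname, raw mac, reason)."""
    devices = {}
    rejected = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = canonical_mac(row["mac"])
        if mac is None:
            rejected.append((row["hostname"], row["mac"], "invalid MAC"))
        elif mac in devices:
            # Same MAC twice is usually a copy/paste error in the inventory.
            rejected.append((row["hostname"], row["mac"],
                             "duplicate of " + devices[mac]["hostname"]))
        else:
            devices[mac] = {"hostname": row["hostname"], "role": row["role"]}
    return devices, rejected


def controller_allowlist(devices):
    """Colon-separated entries for a controller allow-list, sorted so that
    two exports of the same inventory diff cleanly."""
    return sorted(colon_form(m) for m in devices)


def radius_accounts(devices):
    """(username, description) pairs for MAC-based RADIUS accounts.
    ASSUMPTION: the RADIUS side expects the bare 12-hex-digit MAC as the
    account name; adjust if the backend wants another form."""
    return [(m, f"{d['hostname']} ({d['role']})")
            for m, d in sorted(devices.items())]


def exceeds_controller_limit(devices, limit=CONTROLLER_MAC_LIMIT):
    """True when the inventory no longer fits on one controller."""
    return len(devices) > limit


if __name__ == "__main__":
    devs, bad = load_inventory(SAMPLE_CSV)
    print(f"{len(devs)} usable devices, {len(bad)} rejected rows")
    for hostname, raw, reason in bad:
        print(f"  REJECT {hostname}: {raw!r} ({reason})")
    print("controller allow-list:", controller_allowlist(devs))
    print("radius accounts:", radius_accounts(devs))
    print("over controller limit:", exceeds_controller_limit(devs))
```

Run it against the real export by replacing `SAMPLE_CSV` with the file contents; the rejected list is the part worth reading first, since a mistyped MAC silently becomes a device that can never join.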
ASKER CERTIFIED SOLUTION
PSCanada
This solution is only available to members.

Casey Weaver
ASKER

That looks good; that certainly clarified some things. We will have a full test environment to work with, with a secondary wireless controller, a separate network switch and a test AD/DHCP system.

PSCanada
How do clients authenticate to the wireless network? Only by the predefined MAC address?

Are computers domain joined? User accounts as well?

ASKER
Wired clients currently do not authenticate; anything can be plugged in and work, which is a problem. Wireless (netbooks/iPads/iPods/laptops) all have their MAC addresses authenticated by the Meru Wireless controller. Once authenticated, the Windows Server DHCP server either gives the device its reserved IP by MAC, or just assigns it one if it doesn't have a reserved IP.

All computers are domain joined; iPads and iPods are not. All user accounts are domain logins.

Netbook turns on, already instructed to connect to the SSID. When it connects, Meru checks the MAC against its allow list. If it is allowed, Meru then allows communication with the network, where the netbook gets an IP from DHCP. The user can then log in to Windows 7 with their domain credentials.

The problem is each Meru controller only supports 1000 MAC addresses. Meru told us if we want more systems we'll have to use RADIUS so that MAC authentication doesn't lie with the controller.

PSCanada
From a security perspective, MAC is not secure, and given the fact that your PCs at least are domain joined, you can give access based on a security group they're members of. Then only domain-joined computers in the correct group are granted access, and also they're authenticated and logged on to the network prior to user login.
You can add 2-factor login as well by adding a Windows user group; then you would have full access to the network only if you have a domain-joined computer and a valid user account.

For netbooks you can give access based on the domain user account.

ASKER
We actually are using 2-factor authentication; the main point behind employing RADIUS is to prevent bandwidth scavenging by people outside of the building, as well as the use of phones and other personal devices on the wireless network where they could use them to cheat. It's certainly not our only wall of defense; it just gleans out the easier ones to keep off the network.
I'm going to give this the award as it was great assistance getting us on our way. We'll be testing some more things out as we go and I'll open up a newer question later if I need to. Thanks!