Casey Weaver asked:

Will Radius solve this issue?

I've got a K-12 client that is using the Meru Wireless Network system with the MC3000 controller. The controllers have a 1000 MAC address limit and they were told by support that they would have to use RADIUS to go beyond that limit. On the other side, they also want to secure the physical ports themselves so students can't just plug in any device.

Every mac address is known, and getting them into a system usable by whatever is an acceptable thing, we won't frown away from entering 2500 MACs if we have to. We have all summer.

The idea is to use Windows Server 2008 R2's NAP role with DHCP callout. Right now this particular server is also a DHCP server, KMS server, and one of the backup DNS servers, so the server has plenty of load leftover. But if we need to provision another server, they have the licenses and the spare servers sitting around for it.

Right now the network is open using mac filtering from Meru. By GPO (and the base image) when the systems turn on they automatically bond to the SSID allowing domain login for the student. It would be preferable if it stayed that way. In other words, we'd like the system to be transparent so that there's no extra logging in, the wireless device is simply authenticated by its mac address. We'd also like the same for the ports, so that a device can be plugged in anywhere in the building as long as its mac address is allowed.

Current backend equipment is as follows:

2 Dell PowerEdge servers as ESX 4.1 hosts
Multiple SANs
BackupExec server and its backup SAN

HP ProCurve chassis and gigabit switch modules (some fiber)
Cisco ASA 5420 firewall

Right now all servers run under DHCP reservations, along with the iPads and iPods for class instruction. All other things just take a DHCP address from their respective VLAN/scope.

Any ideas where to get started and if this will even work?
Tags: Windows Server 2008, Wireless Networking, Network Security, Dell

Last comment: Casey Weaver, 8/22/2022 (Mon)
Casey Weaver

That looks good, that certainly clarified some things. We will have a full test environment to work with, with a secondary wireless controller, a separate network switch and a test AD/DHCP system.
Jakob Digranes

How do clients authenticate to wireless network? Only by the predefined MAC address?

Are computers domain joined? User accounts as well?
Casey Weaver

Wired clients currently do not authenticate; anything can be plugged in and work, which is a problem. Wireless (netbooks/iPads/iPods/laptops) all have their MAC addresses authenticated by the Meru Wireless controller. Once authenticated, the Windows Server DHCP server either gives the device its reserved IP by MAC, or just assigns it one if it doesn't have a reserved IP.

All computers are domain joined; iPads and iPods are not. All user accounts are domain logins.

Netbook turns on, already instructed to connect to the SSID. When it connects, Meru checks the MAC against its allow list. If it is allowed, Meru then allows communication with the network, where the netbook gets an IP from DHCP. The user can then log in to Windows 7 with their domain credentials.

The problem is each meru controller only supports 1000 MAC addresses. Meru told us if we want more systems we'll have to use RADIUS so that MAC authentication doesn't lie with the controller.
Jakob Digranes

From a security perspective, MAC is not secure - and given the fact that your PCs at least are domain joined, you can give access based on a security group they're members of. Then only domain joined computers in the correct group are granted access, and also - they're authenticated and logged on to the network prior to user login.
You can add 2-factor login as well - by adding a Windows user group; then you would have full access to the network only if you have a domain joined computer and a valid user account.

For netbooks you can give access based on domain user account
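The policy order Jakob describes (domain-joined computer in a group, optionally plus a user in a group, with a MAC allow list left only for the iPads/iPods that cannot do 802.1X) can be modelled in a few lines. The following is an added example, not code from the thread, Meru or Microsoft; it assumes a CSV allow list of the kind the asker would type in over the summer, and the group names `Wireless-Computers` and `Wireless-Users` are hypothetical. It also shows the one practical wrinkle that bites every MAC allow list: the RADIUS Calling-Station-Id arrives in whatever notation the NAS vendor chose, so both the list and the incoming value must be normalized the same way, and duplicate rows should be caught at load time rather than silently overwriting each other.

```python
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# Constructed sample allow list: the same kind of MAC shows up in different
# notations depending on which system exported it (controller, switch, DHCP, spreadsheet).
SAMPLE_ALLOW_LIST = """mac,description
00-11-22-AA-BB-CC,Lab netbook 01
0011.22aa.bbdd,iPad cart A unit 3
00:11:22:aa:bb:ee,iPod cart B unit 7
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Collapse any common MAC notation to 12 lowercase hex digits.

    RADIUS Calling-Station-Id has no standard format; the NAS vendor picks one,
    so the allow list and the incoming value must be normalized identically.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def load_allow_list(csv_text: str) -> dict[str, str]:
    """Parse 'mac,description' CSV rows into {normalized_mac: description}.

    Duplicates are rejected so a typo in a 2500-row list is caught at load time.
    """
    allow: dict[str, str] = {}
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        mac = normalize_mac(row["mac"])
        if mac in allow:
            raise ValueError(f"line {line_no}: duplicate MAC {mac}")
        allow[mac] = row["description"].strip()
    return allow


@dataclass(frozen=True)
class AccessRequest:
    """The attributes a RADIUS server would see for one connection attempt."""
    calling_station_id: str                     # device MAC as sent by the NAS
    computer_account: str | None = None         # machine identity from 802.1X, if any
    computer_groups: frozenset[str] = frozenset()
    user_account: str | None = None             # user identity, once someone has logged on
    user_groups: frozenset[str] = frozenset()


def evaluate(req: AccessRequest, allow_list: dict[str, str],
             computer_group: str = "Wireless-Computers",   # hypothetical group name
             user_group: str = "Wireless-Users") -> tuple[str, str]:
    """Return ("accept" | "reject", reason), trying the strongest policy first."""
    # Policy 1: a domain-joined computer in the approved group.
    if req.computer_account and computer_group in req.computer_groups:
        if req.user_account is None:
            # Machine authentication before anyone logs on, so GPO and domain logon work.
            return "accept", f"computer auth (pre-logon): {req.computer_account}"
        if user_group in req.user_groups:
            # Second factor: the computer AND the user are both approved.
            return "accept", f"computer + user auth: {req.user_account}"
        return "reject", f"user not in {user_group}: {req.user_account}"

    # Policy 2: MAC allow list, only for devices that cannot do 802.1X (iPads/iPods).
    try:
        mac = normalize_mac(req.calling_station_id)
    except ValueError as exc:
        return "reject", str(exc)
    if mac in allow_list:
        return "accept", f"MAC allow list: {allow_list[mac]}"
    return "reject", f"unknown device {mac}"


if __name__ == "__main__":
    allow = load_allow_list(SAMPLE_ALLOW_LIST)
    for req in (
        AccessRequest("00:11:22:AA:BB:CC"),
        AccessRequest("00-11-22-aa-bb-ff"),
        AccessRequest("00-11-22-aa-bb-ff", "NB-0042$", frozenset({"Wireless-Computers"})),
        AccessRequest("00-11-22-aa-bb-ff", "NB-0042$", frozenset({"Wireless-Computers"}),
                      "jsmith", frozenset({"Wireless-Users"})),
        AccessRequest("00-11-22-aa-bb-ff", "NB-0042$", frozenset({"Wireless-Computers"}),
                      "visitor", frozenset()),
    ):
        print(req.calling_station_id, req.computer_account, req.user_account,
              "->", evaluate(req, allow))
```

The point of the ordering is that a device which can prove a domain computer identity never falls back to the MAC list, so the MAC entries only ever cover the handful of devices that genuinely need them; on a real NPS or FreeRADIUS deployment the MAC-only accept would normally also carry a more restricted VLAN than the computer-plus-user accept.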
Casey Weaver

We actually are using 2 factor authentication; the main point behind employing RADIUS is to prevent bandwidth scavenging by people outside of the building, as well as the use of phones and other personal devices on the wireless network where they could be used to cheat. It's certainly not our only wall of defense, it just gleans out the easier ones to keep off the network.
Casey Weaver

I'm going to give this the award as it was great assistance getting us on our way. We'll be testing some more things out as we go and I'll open up a newer question later if I need to. Thanks!