Will Radius solve this issue?

Casey Weaver
I've got a K-12 client that is using the Meru Wireless Network system with the MC3000 controller. The controllers have a 1000 mac address limit and they were told by support that they would have to use RADIUS to go beyond that limit. On the other side they want to also secure the physical ports themselves so students can't just plug in any device.

Every mac address is known, and getting them into a system usable by whatever is an acceptable thing, we won't frown away from entering 2500 MACs if we have to. We have all summer.

The idea is to use Windows Server 2008 R2's NAP role with DHCP callout. Right now this particular server is also a DHCP server, KMS server, and one of the backup DNS servers, so the server has plenty of load leftover. But if we need to provision another server, they have the licenses and the spare servers sitting around for it.

Right now the network is open using mac filtering from Meru. By GPO (and the base image) when the systems turn on they automatically bond to the SSID allowing domain login for the student. It would be preferable if it stayed that way. In other words, we'd like the system to be transparent so that there's no extra logging in, the wireless device is simply authenticated by its mac address. We'd also like the same for the ports, so that a device can be plugged in anywhere in the building as long as its mac address is allowed.

Current backend equipment is as follows:

2 Dell PowerEdge servers as ESX 4.1 hosts.
Multiple SANs
BackupExec server and its backup SAN

HP ProCurve chassis and gigabit switch modules (some fiber)
Cisco ASA 5420 firewall

Right now all servers run under DHCP reservations, along with the iPads and iPods for class instruction. All other things just take a DHCP address from their respective VLAN/scope.

Any ideas where to get started and if this will even work?
Commented:
Take a look at this link for MAC address authentication and NPS, this should get you started. Do you have a test environment you can work in first? Some virtual servers maybe?

http://technet.microsoft.com/en-us/library/dd197535(v=WS.10).aspx
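Since the asker mentions hand-entering up to 2500 MACs, here is an added example (not from the thread or the linked article) of bulk-creating the per-device AD accounts that the linked MAC address authorization approach relies on, where NPS matches the RADIUS client's Calling-Station-ID against a user account named after the MAC. The CSV layout, OU path and group name are assumptions.

```powershell
# Added example: bulk-create AD accounts for NPS MAC address authorization
# from an inventory CSV. Each device gets a user account whose name is its
# MAC address, placed in a group that an NPS network policy grants access to.
# CSV columns, OU path and group name below are assumptions for this example.
Import-Module ActiveDirectory

$InventoryCsv = 'C:\temp\mac-inventory.csv'           # columns: Device,Mac (assumed)
$TargetOu     = 'OU=MAC Devices,DC=school,DC=local'   # placeholder OU
$AccessGroup  = 'Wireless-MAC-Allowed'                # placeholder group

# Normalise any vendor format (AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff,
# aabb.ccdd.eeff) to the 12 lowercase hex characters the RADIUS client
# sends as Calling-Station-ID. Adjust if your switch/controller sends
# another format; the account name must match what NPS receives.
function ConvertTo-MacUserName {
    param([string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { throw "Invalid MAC address: '$Mac'" }
    return $hex
}

$seen = @{}
foreach ($row in Import-Csv -Path $InventoryCsv) {
    try { $name = ConvertTo-MacUserName $row.Mac }
    catch { Write-Warning $_; continue }

    # A duplicate row in the sheet would otherwise surface as an AD error.
    if ($seen.ContainsKey($name)) { Write-Warning "Duplicate MAC $name skipped"; continue }
    $seen[$name] = $true

    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        # The password equals the MAC because the RADIUS client sends the MAC
        # as both User-Name and User-Password. That password is effectively
        # public, so keep these accounts usable only through NPS (for example,
        # deny interactive and remote logon to $TargetOu via GPO).
        $pw = ConvertTo-SecureString $name -AsPlainText -Force
        New-ADUser -Name $name -SamAccountName $name -Path $TargetOu `
            -Description "MAC auth: $($row.Device)" -AccountPassword $pw `
            -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
    }
    # Idempotent: re-adding an existing member does not error.
    Add-ADGroupMember -Identity $AccessGroup -Members $name
}
```

Run it against the test AD first and diff the resulting group membership against the Meru allow list before pointing the production controller at NPS.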
Casey Weaver, Managed Services Windows Engineer III

Author

Commented:
That looks good; that certainly clarified some things. We will have a full test environment to work with, with a secondary wireless controller, a separate network switch and a test AD/DHCP system.

Commented:
How do clients authenticate to the wireless network? Only by the predefined MAC address?

Are computers domain joined? User accounts as well?

Casey Weaver, Managed Services Windows Engineer III

Author

Commented:
Wired clients currently do not authenticate; anything can be plugged in and work, which is a problem. Wireless (netbooks/iPads/iPods/laptops) all have their MAC addresses authenticated by the Meru wireless controller. Once authenticated, the Windows Server DHCP server either gives the device its reserved IP by MAC, or just assigns it one if it doesn't have a reserved IP.

All computers are domain joined; iPads and iPods are not. All user accounts are domain logins.

The netbook turns on, already instructed to connect to the SSID. When it connects, Meru checks the MAC against its allow list. If it is allowed, Meru then allows communication with the network, where the netbook gets an IP from DHCP. The user can then log into Windows 7 with their domain credentials.

The problem is each Meru controller only supports 1000 MAC addresses. Meru told us if we want more systems we'll have to use RADIUS so that MAC authentication doesn't lie with the controller.

Commented:
From a security perspective, MAC is not secure. Given the fact that your PCs at least are domain joined, you can give access based on a security group they're members of. Then only domain-joined computers in the correct group are granted access, and they're also authenticated and logged on to the network prior to user login.
You can add 2-factor login as well, by adding a Windows user group; then you would have full access to the network only if you have a domain-joined computer and a valid user account.

For netbooks you can give access based on the domain user account.
Casey Weaver, Managed Services Windows Engineer III

Author

Commented:
We actually are using 2-factor authentication; the main point behind employing RADIUS is to prevent bandwidth scavenging by people outside of the building, as well as the use of phones and other personal devices on the wireless network where they could use them to cheat. It's certainly not our only wall of defense; it just gleans out the easier ones to keep off the network.
Casey Weaver, Managed Services Windows Engineer III

Author

Commented:
I'm going to give this the award as it was great assistance getting us on our way. We'll be testing some more things out as we go and I'll open up a newer question later if I need to. Thanks!
