Solved

MAC authentication With Radius server 2008 R2

Posted on 2014-03-11
Last Modified: 2014-03-19
I am trying to configure MAC authentication using NPS to authenticate our printers. I have created a connection policy with MD5 challenge and checked off Unencrypted authentication (PAP, SPAP). I also tried without MD5.
I created a network policy to grant access to a specific security group. I created a user in AD based on the MAC address of the device using the hyphens (i.e. 93-12-14...). I set the password to the MAC address, checked off "Store password using reversible encryption", and added the user to the security group.

I have set the Registry key on the NPS server as per http://technet.microsoft.com/en-us/library/dd197523(v=ws.10).aspx 

I am getting the following error: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
I have tried the password with hyphens, without hyphens, uppercase, lowercase, and the shared secret password. I am not sure where to go from here.
Any help would be appreciated.

Thanks
Question by:leungvpoco
7 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39925165
0
 

Author Comment

by:leungvpoco
ID: 39934568
Thanks for the information however this does not seem to work. I am still getting the following error:

Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Also, we are using Enterasys switches and router.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39934658
You can't whitelist the device so that it's not subject to 802.1x? Typically you put the whitelist or ignore list on the switches themselves, so that they don't even try to authenticate the printer, they just see the MAC address you have in the list and they are allowed. That's how Cisco works.

http://tech.extremenetworks.com/libraries/appnotes/ANNPSandEXOS_1714.pdf outlines how to have Phones use their own MAC address as the password, but nothing about printers...

Here are some additional troubleshooting documents.
http://www.microsoft.com/en-us/download/details.aspx?id=733
http://technet.microsoft.com/en-us/library/dd348461%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/dd197570.aspx
-rich
0
 

Author Comment

by:leungvpoco
ID: 39940395
Thanks I will take a look at the switches to see if I can whitelist. Our voip phones use 802.1x and am able to use radius to authenticate them. We are having problems with MAC Auth.

It would be nice to be able to use NPS to authenticate MAC instead of the switches but it looks like that may not be possible.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39940568
"Dumb" devices can't run a supplicant, so that's most printers even modern ones, some switches don't run 802.1x either. It's nice to see some VOIP phones do, but they are also rare to find ones that have a supplicant on them or that understand 802.1x.
-rich
0
 

Author Comment

by:leungvpoco
ID: 39940584
I was able to get this working using NPS.
I needed to set a MAC password on the switch. Most documents state to use the MAC address as username and password without the : however this depends on your switch configuration. Our switch stated to use - in the MAC address; also, there was no default password set. Once I set the password and changed the AD account to reflect that password and used - in the username, it worked.
0
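The fix described in the post above came down to the AD account name matching the exact MAC format the switch sends as the RADIUS user name. As an added example (not part of the original thread), this PowerShell script derives the delimiter and letter case from a User-Name copied out of an NPS rejection event and rewrites a printer inventory into that format; the function names and all sample values are constructed for illustration.

```powershell
# Added example: work out which MAC format the switch sends, then
# express every inventoried printer MAC in that same format.

function Get-MacFormat {
    param([Parameter(Mandatory)][string]$UserName)
    # Six hex pairs separated by one consistent delimiter ('-', ':' or none).
    $pattern = '^[0-9a-f]{2}(?<d>[-:]?)(?:[0-9a-f]{2}\k<d>){4}[0-9a-f]{2}$'
    $m = [regex]::Match($UserName, $pattern, 'IgnoreCase')
    if (-not $m.Success) { throw "Not a MAC-style user name: $UserName" }
    # Lower only when the sample has lowercase hex letters and no uppercase ones;
    # all-digit or mixed-case samples fall back to Upper.
    $case = if ($UserName -cmatch '[a-f]' -and $UserName -cnotmatch '[A-F]') { 'Lower' } else { 'Upper' }
    [pscustomobject]@{ Delimiter = $m.Groups['d'].Value; Case = $case }
}

function ConvertTo-MacUserName {
    param(
        [Parameter(Mandatory)][string]$Mac,
        [AllowEmptyString()][string]$Delimiter = '-',
        [ValidateSet('Upper', 'Lower')][string]$Case = 'Upper'
    )
    # Strip whatever separators the inventory used and insist on 12 hex digits.
    $hex = $Mac -replace '[^0-9A-Fa-f]', ''
    if ($hex.Length -ne 12) { throw "Expected 12 hex digits in '$Mac'" }
    $hex = if ($Case -eq 'Upper') { $hex.ToUpper() } else { $hex.ToLower() }
    (0..5 | ForEach-Object { $hex.Substring($_ * 2, 2) }) -join $Delimiter
}

# Constructed sample values: replace with the User-Name shown in your own
# NPS rejection event and with your own printer list.
$seenUserName = '00-11-22-AA-BB-CC'
$inventory    = '00:11:22:aa:bb:cc', '001122AABBDD', '00-11-22-AA-BB-EE'

$format = Get-MacFormat -UserName $seenUserName
foreach ($mac in $inventory) {
    $expected = ConvertTo-MacUserName -Mac $mac -Delimiter $format.Delimiter -Case $format.Case
    [pscustomobject]@{
        Inventory   = $mac
        AccountName = $expected               # name the AD account should carry
        Differs     = ($mac -cne $expected)   # inventory entry is in another format
    }
}
```

The account password is a separate setting: as the post notes, it has to equal the MAC password configured on the switch, which is not necessarily the MAC address itself.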
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 1500 total points
ID: 39940601
Nice, request attention for your Q and have your points refunded. Leave the question open so that others can see it!
-rich
0
