MAC authentication With Radius server 2008 R2

I am trying to configure MAC authentication using NPS to authenticate our printers. I have created a connection policy with MD5 challenge and checked off Unencrypted authentication (PAP,SPAP). I also try without MD5
I created a network policy to grant access to a specific security group. I created a user in AD based on the MAC address of the device using the hypens (ie 93-12-14...) i set the password to the MAC address, checked off "Store password using reversible encryption", added user to security group.

I have set the Registry key on the NPS server as per http://technet.microsoft.com/en-us/library/dd197523(v=ws.10).aspx 

I am getting the following error: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect
I have tried the password with hypens without hypens, uppercase, lowercase, shared secret password. I am not sure where to go from here.
Any help would be appreciated.

Thanks
leungvpocoAsked:
Who is Participating?
 
Rich RumbleSecurity SamuraiCommented:
Nice, request attention for your Q and have your points refunded. Leave the question open so that others can see it!
-rich
0
 
Rich RumbleSecurity SamuraiCommented:
0
 
leungvpocoAuthor Commented:
Thanks for the information however this does not seem to work. I am still getting the following error:

Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Also we are using Enterasys Swithes and Router.
0
IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

 
Rich RumbleSecurity SamuraiCommented:
You can't whitelist the device so that it's not subject to 802.1x? Typically you put the whitelist or ignore list on the switches themselves, so that they don't even try to authenticate the printer, they just see the mac address you have in the list and they are allowed. That's how cisco works.

http://tech.extremenetworks.com/libraries/appnotes/ANNPSandEXOS_1714.pdf outlines how to have Phones use their own MAC address as the password, but nothing about printers...

Here are some additional troubleshooting documents.
http://www.microsoft.com/en-us/download/details.aspx?id=733
http://technet.microsoft.com/en-us/library/dd348461%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/dd197570.aspx
-rich
0
 
leungvpocoAuthor Commented:
Thanks I will take a look at the switches to see if I can whitelist. Our voip phones use 802.1x and am able to use radius to authenticate them. We are having problems with MAC Auth.

It would be nice to be able to use NPS to authenticate MAC instead of the switches but it looks like that may not be possible.
0
 
Rich RumbleSecurity SamuraiCommented:
"Dumb" devices can't run a supplicant, so that's most printers even modern ones, some switches don't run 802.1x either. It's nice to see some VOIP phones do, but they are also rare to find ones that have a supplicant on them or that understand 802.1x.
-rich
0
 
leungvpocoAuthor Commented:
I was able to get this working using NPS.
I needed to set a MAC password on the swith. Most documents state to use MAC address as username and password without the : however this depends on your switch configuration. Our switch stated to use - in the MAC address also there we no default password set. Once I set the password and changed the AD account to reflect that password and used - in the username  it worked.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.