Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

MAC authentication With Radius server 2008 R2

Posted on 2014-03-11
7
Medium Priority
?
2,615 Views
Last Modified: 2014-03-19
I am trying to configure MAC authentication using NPS to authenticate our printers. I have created a connection policy with MD5 challenge and checked off Unencrypted authentication (PAP,SPAP). I also try without MD5
I created a network policy to grant access to a specific security group. I created a user in AD based on the MAC address of the device using the hypens (ie 93-12-14...) i set the password to the MAC address, checked off "Store password using reversible encryption", added user to security group.

I have set the Registry key on the NPS server as per http://technet.microsoft.com/en-us/library/dd197523(v=ws.10).aspx 

I am getting the following error: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect
I have tried the password with hypens without hypens, uppercase, lowercase, shared secret password. I am not sure where to go from here.
Any help would be appreciated.

Thanks
0
Comment
Question by:leungvpoco
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39925165
0
 

Author Comment

by:leungvpoco
ID: 39934568
Thanks for the information however this does not seem to work. I am still getting the following error:

Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Also we are using Enterasys Swithes and Router.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39934658
You can't whitelist the device so that it's not subject to 802.1x? Typically you put the whitelist or ignore list on the switches themselves, so that they don't even try to authenticate the printer, they just see the mac address you have in the list and they are allowed. That's how cisco works.

http://tech.extremenetworks.com/libraries/appnotes/ANNPSandEXOS_1714.pdf outlines how to have Phones use their own MAC address as the password, but nothing about printers...

Here are some additional troubleshooting documents.
http://www.microsoft.com/en-us/download/details.aspx?id=733
http://technet.microsoft.com/en-us/library/dd348461%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/dd197570.aspx
-rich
0
Ready for your healthcare security check-up?

In the past few years, healthcare organizations have become a prime target for advanced attacks. Does your organization have what it needs to defend itself? Schedule your healthcare security check-up today and download our free Healthcare Security Resource Kit today!

 

Author Comment

by:leungvpoco
ID: 39940395
Thanks I will take a look at the switches to see if I can whitelist. Our voip phones use 802.1x and am able to use radius to authenticate them. We are having problems with MAC Auth.

It would be nice to be able to use NPS to authenticate MAC instead of the switches but it looks like that may not be possible.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39940568
"Dumb" devices can't run a supplicant, so that's most printers even modern ones, some switches don't run 802.1x either. It's nice to see some VOIP phones do, but they are also rare to find ones that have a supplicant on them or that understand 802.1x.
-rich
0
 

Author Comment

by:leungvpoco
ID: 39940584
I was able to get this working using NPS.
I needed to set a MAC password on the swith. Most documents state to use MAC address as username and password without the : however this depends on your switch configuration. Our switch stated to use - in the MAC address also there we no default password set. Once I set the password and changed the AD account to reflect that password and used - in the username  it worked.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 1500 total points
ID: 39940601
Nice, request attention for your Q and have your points refunded. Leave the question open so that others can see it!
-rich
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question