Solved

MAC authentication With Radius server 2008 R2

Posted on 2014-03-11
7
2,299 Views
Last Modified: 2014-03-19
I am trying to configure MAC authentication using NPS to authenticate our printers. I have created a connection policy with MD5 challenge and checked off Unencrypted authentication (PAP,SPAP). I also try without MD5
I created a network policy to grant access to a specific security group. I created a user in AD based on the MAC address of the device using the hypens (ie 93-12-14...) i set the password to the MAC address, checked off "Store password using reversible encryption", added user to security group.

I have set the Registry key on the NPS server as per http://technet.microsoft.com/en-us/library/dd197523(v=ws.10).aspx

I am getting the following error: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect
I have tried the password with hypens without hypens, uppercase, lowercase, shared secret password. I am not sure where to go from here.
Any help would be appreciated.

Thanks
0
Comment
Question by:leungvpoco
  • 4
  • 3
7 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39925165
0
 

Author Comment

by:leungvpoco
ID: 39934568
Thanks for the information however this does not seem to work. I am still getting the following error:

Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Also we are using Enterasys Swithes and Router.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39934658
You can't whitelist the device so that it's not subject to 802.1x? Typically you put the whitelist or ignore list on the switches themselves, so that they don't even try to authenticate the printer, they just see the mac address you have in the list and they are allowed. That's how cisco works.

http://tech.extremenetworks.com/libraries/appnotes/ANNPSandEXOS_1714.pdf outlines how to have Phones use their own MAC address as the password, but nothing about printers...

Here are some additional troubleshooting documents.
http://www.microsoft.com/en-us/download/details.aspx?id=733
http://technet.microsoft.com/en-us/library/dd348461%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/dd197570.aspx
-rich
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 

Author Comment

by:leungvpoco
ID: 39940395
Thanks I will take a look at the switches to see if I can whitelist. Our voip phones use 802.1x and am able to use radius to authenticate them. We are having problems with MAC Auth.

It would be nice to be able to use NPS to authenticate MAC instead of the switches but it looks like that may not be possible.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39940568
"Dumb" devices can't run a supplicant, so that's most printers even modern ones, some switches don't run 802.1x either. It's nice to see some VOIP phones do, but they are also rare to find ones that have a supplicant on them or that understand 802.1x.
-rich
0
 

Author Comment

by:leungvpoco
ID: 39940584
I was able to get this working using NPS.
I needed to set a MAC password on the swith. Most documents state to use MAC address as username and password without the : however this depends on your switch configuration. Our switch stated to use - in the MAC address also there we no default password set. Once I set the password and changed the AD account to reflect that password and used - in the username  it worked.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 39940601
Nice, request attention for your Q and have your points refunded. Leave the question open so that others can see it!
-rich
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now