Solved

MAC authentication With Radius server 2008 R2

Posted on 2014-03-11
Last Modified: 2014-03-19
I am trying to configure MAC authentication using NPS to authenticate our printers. I have created a connection policy with MD5 challenge and checked off Unencrypted authentication (PAP, SPAP). I also tried without MD5.
I created a network policy to grant access to a specific security group. I created a user in AD based on the MAC address of the device using the hyphens (i.e. 93-12-14...). I set the password to the MAC address, checked off "Store password using reversible encryption", and added the user to the security group.

I have set the Registry key on the NPS server as per http://technet.microsoft.com/en-us/library/dd197523(v=ws.10).aspx 

I am getting the following error: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
I have tried the password with hyphens, without hyphens, uppercase, lowercase, and the shared secret password. I am not sure where to go from here.
Any help would be appreciated.

Thanks
Question by:leungvpoco
7 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39925165
0
 

Author Comment

by:leungvpoco
ID: 39934568
Thanks for the information; however, this does not seem to work. I am still getting the following error:

Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Also, we are using Enterasys switches and router.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39934658
You can't whitelist the device so that it's not subject to 802.1x? Typically you put the whitelist or ignore list on the switches themselves, so that they don't even try to authenticate the printer; they just see the MAC address you have in the list and it is allowed. That's how Cisco works.

http://tech.extremenetworks.com/libraries/appnotes/ANNPSandEXOS_1714.pdf outlines how to have Phones use their own MAC address as the password, but nothing about printers...

Here are some additional troubleshooting documents.
http://www.microsoft.com/en-us/download/details.aspx?id=733
http://technet.microsoft.com/en-us/library/dd348461%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/dd197570.aspx
-rich
0
 

Author Comment

by:leungvpoco
ID: 39940395
Thanks, I will take a look at the switches to see if I can whitelist. Our VoIP phones use 802.1x and I am able to use RADIUS to authenticate them. We are having problems with MAC auth.

It would be nice to be able to use NPS to authenticate MAC instead of the switches but it looks like that may not be possible.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39940568
"Dumb" devices can't run a supplicant, so that's most printers, even modern ones; some switches don't run 802.1x either. It's nice to see some VoIP phones do, but it's also rare to find ones that have a supplicant on them or that understand 802.1x.
-rich
0
 

Author Comment

by:leungvpoco
ID: 39940584
I was able to get this working using NPS.
I needed to set a MAC password on the switch. Most documents state to use the MAC address as username and password without the :, however this depends on your switch configuration. Our switch stated to use - in the MAC address; also, there was no default password set. Once I set the password, changed the AD account to reflect that password, and used - in the username, it worked.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 39940601
Nice, request attention for your Q and have your points refunded. Leave the question open so that others can see it!
-rich
0
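
The account setup that ended up working in this thread (user name in the switch's MAC format, password equal to the MAC password set on the switch, membership in the group the network policy grants access to), as an added PowerShell example that is not part of the original posts. The group name, the delimiter and case settings, and the sample MAC are assumptions to replace with your own values; the script needs the ActiveDirectory module.

```powershell
#Requires -Modules ActiveDirectory

# Assumed values, not taken from the thread: adjust to your environment.
$GroupName = 'MAC-Auth-Printers'   # hypothetical group referenced by the NPS network policy
$Delimiter = '-'                   # must match what the switch sends as User-Name
$UpperCase = $true                 # assumption: case must match the switch's format too

function ConvertTo-SwitchMacFormat {
    param(
        [Parameter(Mandatory)][string]$Mac,
        [string]$Delimiter = '-',
        [bool]$UpperCase = $true
    )
    # Drop whatever delimiters the inventory used, then require 12 hex digits.
    $hex = $Mac -replace '[-:.\s]', ''
    if ($hex -notmatch '^[0-9A-Fa-f]{12}$') {
        throw "Not a valid MAC address: $Mac"
    }
    $hex = if ($UpperCase) { $hex.ToUpper() } else { $hex.ToLower() }
    # Rebuild the six octets with the delimiter the switch is configured to use.
    $octets = for ($i = 0; $i -lt 12; $i += 2) { $hex.Substring($i, 2) }
    $octets -join $Delimiter
}

# Constructed sample input (documentation MAC range), one entry per printer.
$printerMacs = @('00:00:5e:00:53:01')

# The same MAC-auth password that was configured on the switch.
$macPassword = Read-Host -AsSecureString 'MAC-auth password set on the switch'

foreach ($mac in $printerMacs) {
    $name = ConvertTo-SwitchMacFormat -Mac $mac -Delimiter $Delimiter -UpperCase $UpperCase

    # Create the account disabled with reversible storage switched on first.
    New-ADUser -Name $name -SamAccountName $name `
        -AllowReversiblePasswordEncryption $true `
        -PasswordNeverExpires $true -Enabled $false

    # Set the password afterwards so it is stored in the reversible form,
    # then enable the account and add it to the policy's group.
    Set-ADAccountPassword -Identity $name -Reset -NewPassword $macPassword
    Enable-ADAccount -Identity $name
    Add-ADGroupMember -Identity $GroupName -Members $name
}
```

If the domain password policy rejects the chosen MAC-auth password, `Set-ADAccountPassword` fails and the account stays disabled, which is the safe outcome to investigate from.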

Question has a verified solution.
