How to do Server 2012 R2 Network Policy Server MAC Authentication without adding AD users?

I have a Network Policy Server running on Server 2012 R2. I have set it up to do certificate and PEAP authentication for our 802.1X wireless authentication and that works great.

Now I want to add a policy to this server so I can also do MAC address authentication for our unauthenticated open wireless SSID, so I can assign roles based on the MAC address. I got our Aruba controller set up to send the MAC address to the RADIUS server, but the RADIUS server just denies access because I am not sure how to get it to use the msNPCallingStationID attribute.

I have found several ways to do this, including adding Active Directory users for every single MAC address with the MAC address as the username and password. I do not want to do that. This is not an option.

I have also found several posts about using ieee802Device.  I can't find a way to get that to work.

I also found a suggestion to use the msNPCallingStationID AD attribute. I can easily set this for each user as their MAC addresses, but how do I configure the NPS server to use this attribute to authenticate this?

If you have any other ideas on how to get MAC authentication to work, I would greatly appreciate it!

Thank you for your assistance!
gacus asked:
Aaron Tomosky (SD-WAN Simplified) commented:
Can you explain more on "roles based on MAC address"?
Craig Beck commented:
You'd need one rule per MAC address if you were to do that. I wouldn't want to administer that either; it would be worse than having an account in AD per MAC (which incidentally is the only way you can do MAC Authentication unless you put the accounts locally on the NPS).

I too am interested in what you actually want to achieve in the end. It's unclear to me, and maybe using the CallingStationID attribute isn't the best way to do things. We won't know until you tell us what you actually want to get from this, though.
Aaron Tomosky (SD-WAN Simplified) commented:
The MAC addresses have to go somewhere; AD users honestly seems the easiest, as scripting those from a CSV is super simple.
http://gallery.technet.microsoft.com/scriptcenter/PowerShell-Create-Active-7e6a3978
Craig Beck commented:
I'm just thinking maybe MAC isn't the best way to skin the cat @Aaron... :-)

Let's see what the actual requirement is.

I do agree with you BTW: MAC addresses as users in AD is the way to go if MAC Auth is the actual requirement, and if gacus absolutely doesn't want to add users in AD for each MAC, the policy route would be the next-best thing but would be a nightmare to administer.
gacus (Author) commented:
In Aruba I can assign roles based on what the RADIUS server returns, which allows me to assign VLANs and firewall rules specific to that role.

I need to be able to assign a role so I can assign specific roles to a user if they are MAC authenticated, and if not I don't assign those roles.

I was just trying to avoid the creation of thousands of AD users with just a MAC address as the username and password. I have no issue scripting it. It just seems like a lot of garbage in my AD infrastructure and a potential security issue. What methods do others use to lock down those users to ensure they can only be used for RADIUS MAC authentication?

All I really want is for the RADIUS server to look up a MAC address and, if it exists in the store (wherever that is), return a specific role, or simply a 1 would work too! It seems simple, and from what I am reading about FreeRADIUS, it can look in a MySQL database and do just this. It just seems odd to me that I have to create actual full user accounts in AD for MS NPS to be able to do the same thing. If it could just look in an MSSQL database or an AD attribute, that would make more sense to me.
Craig Beck commented:
"What methods do others use to lock down those users to ensure they can only be used for RADIUS MAC authentication?"
Create a new security group just for MAC-Auth. Add the MAC address user account to it, then set it as the primary group and delete Domain Users (and any others that may be added). You just want the group you created to be there.

This article about MAC Authorization might help if you've not already seen it, although it might break PEAP...

http://technet.microsoft.com/en-us/library/dd197535(WS.10).aspx

"It seems simple, and from what I am reading about FreeRADIUS, it can look in a MySQL database and do just this."
That's because FreeRADIUS uses SQL to store local accounts. NPS uses its local SAM store or AD, so SQL isn't an option. Ultimately they are the same thing, though, just implemented differently.
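The account-per-MAC approach Aaron and Craig describe above, scripted end to end, as an added example (this is not a script from the thread or from either poster). It creates one AD user per MAC address from a CSV, gives each the dedicated MAC-Auth group as its primary group, and removes Domain Users, which is the lockdown Craig suggests. Assumptions, all mine and marked in the code: the Aruba controller sends the MAC as both User-Name and User-Password in lowercase with no delimiters (adjust ConvertTo-NasMac to match the controller), the OU 'OU=MAC-Auth,DC=example,DC=com' already exists, and the group name 'NPS-MAC-Auth' and CSV column names are placeholders.

```powershell
#Requires -Modules ActiveDirectory
<#
 Added example for this thread (not gacus's or Craig's own script): bulk-create one AD
 account per MAC address for NPS MAC authentication, confined to a dedicated OU and a
 dedicated security group that replaces Domain Users as the primary group.
 Assumptions (adjust to your environment):
   - The Aruba controller sends the MAC as both User-Name and User-Password, lowercase,
     no delimiters (e.g. 001122aabbcc). Match ConvertTo-NasMac to the controller's format.
   - The OU 'OU=MAC-Auth,DC=example,DC=com' already exists; the group name is a placeholder.
   - The CSV has a 'Mac' column and an optional 'Description' column.
#>
param(
    [string]$CsvPath   = '.\mac-devices.csv',
    [string]$OuPath    = 'OU=MAC-Auth,DC=example,DC=com',
    [string]$GroupName = 'NPS-MAC-Auth'
)

Import-Module ActiveDirectory

# Normalise any common notation (00:11:22:AA:BB:CC, 00-11-22-aa-bb-cc, 0011.22aa.bbcc)
# to the 12-hex-digit lowercase form assumed above; reject anything that is not a MAC.
function ConvertTo-NasMac {
    param([Parameter(Mandatory)][string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { throw "Not a MAC address: '$Mac'" }
    return $hex
}

# The dedicated group. Target this same group in the GPO user-rights settings
# 'Deny log on locally' and 'Deny log on through Remote Desktop Services'.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                         -Path $OuPath -PassThru
}
$domainUsers = Get-ADGroup -Identity 'Domain Users'
# primaryGroupID holds the RID, i.e. the last component of the group's SID.
$groupRid = [int]$group.SID.Value.Split('-')[-1]

foreach ($row in Import-Csv -Path $CsvPath) {
    $mac = ConvertTo-NasMac $row.Mac
    if (Get-ADUser -Filter "sAMAccountName -eq '$mac'") {
        Write-Warning "Skipping ${mac}: account already exists"
        continue
    }

    $newUser = @{
        Name                 = $mac
        SamAccountName       = $mac
        Path                 = $OuPath
        AccountPassword      = (ConvertTo-SecureString $mac -AsPlainText -Force)
        Enabled              = $true
        PasswordNeverExpires = $true
        CannotChangePassword = $true
        PassThru             = $true
    }
    if ($row.Description) { $newUser.Description = $row.Description }
    # Only needed if the controller authenticates with PAP; MS-CHAPv2 works without it.
    # $newUser.AllowReversiblePasswordEncryption = $true

    $user = New-ADUser @newUser

    # Membership order matters: add the new group, make it primary, then drop Domain Users.
    # AD refuses to remove a user's current primary group, hence the ordering.
    Add-ADGroupMember -Identity $group -Members $user
    Set-ADUser -Identity $user -Replace @{ primaryGroupID = $groupRid }
    Remove-ADGroupMember -Identity $domainUsers -Members $user -Confirm:$false

    Write-Verbose "Created ${mac} in $OuPath with primary group $GroupName"
}
```

Run it from a host with RSAT as a user allowed to create objects in the target OU, e.g. `.\New-MacAuthUsers.ps1 -CsvPath .\devices.csv -Verbose` (script name is a placeholder). The NPS network policy then needs a Windows Groups condition on NPS-MAC-Auth and whatever attribute the Aruba controller maps to a role; whether a username/password equal to the MAC can also be used for an interactive logon is exactly the point gacus raises below, so the deny-logon user rights mentioned in the comments are worth applying rather than relying on group membership alone.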
gacus (Author) commented:
I did see that but wasn't sure if that was required. If it is, then yes, that will certainly break PEAP, so maybe I can't do this anyway without a separate RADIUS server.
Craig Beck commented:
I'm not even sure you really need that anyway... I've implemented MAC Auth with IAS and NPS hundreds of times and never needed that.

Put MAC addresses in specific security groups and assign roles based on that.
gacus (Author) commented:
"Create a new security group just for MAC-Auth. Add the MAC address user account to it, then set it as the primary group and delete Domain Users (and any others that may be added). You just want the group you created to be there."

If I do this, the user is still part of the "Authenticated Users" group, so by default any computer that still has default settings would allow the MAC username/password to log in. I would also have to set up deny groups, perhaps at the root domain level, to stop those users from logging in. Is that what you do when you set all these up, or don't you care that they can log in to any machine with that simple username/password?
Craig Beck commented:
It won't do what you're thinking...

Try it and see. Just create a user, remove it from Domain Users, then try to log in.
Craig Beck commented:
If that does allow you to log on, I'd suggest you use a secondary RADIUS for MAC Authentication which isn't joined to your domain. That's the only way you'll 100% ensure that people can't use their MAC address to log in.