Solved

How to do Server 2012 R2 Network Policy Server MAC authentication without adding AD users?

Posted on 2014-07-14
6,009 Views
Last Modified: 2014-08-06
I have a Network Policy Server running on Server 2012 R2.  I have set it up to do certificate and PEAP authentication for our 802.1x wireless authentication and that works great.

Now I want to add a policy to this server so I can also do MAC address authentication on our unauthenticated open wireless SSID, so I can assign roles based on the MAC address.  I got our Aruba controller set up to send the MAC address to the RADIUS server, but the RADIUS server just denies access because I am not sure how to get it to use the msNPCallingStationID attribute.

I have found several ways to do this, including adding Active Directory users for every single MAC address, with the MAC address as the username and password.  I do not want to do that.  This is not an option.

I have also found several posts about using ieee802Device.  I can't find a way to get that to work.

I also found a suggestion to use the msNPCallingStationID AD attribute.  I can easily set this for each user to their MAC address, but how do I configure the NPS server to use this attribute to authenticate?

If you have any other ideas on how to get MAC authentication to work, I would greatly appreciate it!

Thank you for your assistance!
0
Question by:gacus
11 Comments
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40197337
Can you explain more on "roles based on MAC address"?
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 40197458
You'd need one rule per MAC address if you were to do that.  I wouldn't want to administer that either - it would be worse than having an account in AD per MAC (which incidentally is the only way you can do MAC Authentication unless you put the accounts locally on the NPS).

I too am interested in what you actually want to achieve in the end.  It's unclear to me and maybe using the CallingStationID attribute isn't the best way to do things.  We won't know until you tell us what you actually want to get from this though.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40197490
The MAC addresses have to go somewhere; AD users honestly seem the easiest, as scripting those from a CSV is super simple.
http://gallery.technet.microsoft.com/scriptcenter/PowerShell-Create-Active-7e6a3978
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 40197515
I'm just thinking maybe MAC isn't the best way to skin the cat @Aaron... :-)

Let's see what the actual requirement is.

I do agree with you BTW - MAC addresses as users in AD is the way to go if MAC Auth is the actual requirement, and if gacus absolutely doesn't want to add users in AD for each MAC the policy route would be the next-best thing but would be a nightmare to administer.
0
 
LVL 1

Author Comment

by:gacus
ID: 40197603
In Aruba I can assign roles based on what the RADIUS server returns, which allows me to assign VLANs and firewall rules specific to that role.

I need to be able to assign a role so I can assign specific roles to a user if they are MAC authenticated, and if not I don't assign those roles.

I was just trying to avoid the creation of thousands of AD users with just a MAC address as the username and password.  I have no issue scripting it.  It just seems like a lot of garbage in my AD infrastructure and a potential security issue.  What methods do others use to lock down those users to ensure they can only be used for RADIUS MAC authentication?

All I really want is for the RADIUS server to look up a MAC address and, if it exists in the store, wherever that is, return a specific role, or simply 1 would work too!  It seems simple, and from what I am reading about FreeRADIUS, it can look in a MySQL database and do just this.  It just seems odd to me that I have to create actual full user accounts in AD for the MS NPS server to be able to do the same thing.  If it could just look in an MSSQL database or an AD attribute, that would make more sense to me.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 40197645
What methods do others use to lock down those users to ensure they can only be used for radius mac authentication?
Create a new security group just for MAC-Auth.  Add it to the MAC address user account, then set it as the primary group and delete Domain Users (and any others that may be added).  You just want the group you created to be there.

This article about MAC Authorization might help if you've not already seen it, although it might break PEAP...

http://technet.microsoft.com/en-us/library/dd197535(WS.10).aspx

It seems simple and from what I am reading about freeradius, it can look in a mysql database and do just this.
That's because FreeRADIUS uses SQL to store local accounts.  NPS uses its local SAM store or AD, so SQL isn't an option.  Ultimately they are the same thing though, just implemented differently.
0
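The two pieces of advice above (Aaron's "script the accounts from a CSV" and Craig's "dedicated group, make it primary, drop Domain Users") fit in one PowerShell script. This is an added example written for this page, not code from the thread, from Aaron's linked gallery script, or from Microsoft. It assumes the RSAT ActiveDirectory module, a CSV with `mac` and `description` columns, and placeholder values for the group name, OU, CSV path and NPS server name; the `LogonWorkstations` step and the note about a fine-grained password policy are my additions, not something the thread states.

```powershell
# Added example, not code from the thread. Provisions MAC-auth accounts from a
# CSV (Aaron's suggestion) and locks each one into a dedicated group with
# Domain Users removed (Craig's steps). Assumes the RSAT ActiveDirectory
# module; group name, OU, CSV path and NPS server name are placeholders.
Import-Module ActiveDirectory

$CsvPath   = '.\mac-devices.csv'                 # constructed input, columns: mac,description
$GroupName = 'MAC-Auth'                          # placeholder: dedicated group for these accounts
$OuPath    = 'OU=MAC-Auth,DC=example,DC=local'   # placeholder: OU that holds the accounts
$NpsHosts  = 'NPS01'                             # placeholder: NetBIOS name(s) of the NPS server(s)
$Domain    = (Get-ADDomain).DNSRoot

# Controllers send the MAC in different shapes (aa:bb:cc:dd:ee:ff, AA-BB-..., aabb.ccdd.eeff);
# NPS matches User-Name against sAMAccountName, so normalise to 12 lower-case hex digits.
function ConvertTo-MacUserName([string]$Mac) {
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { throw "Not a MAC address: '$Mac'" }
    return $hex
}

# Ensure the group exists and fetch its RID (primaryGroupToken), needed to make it the primary group.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Properties primaryGroupToken
if (-not $group) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuPath
    $group = Get-ADGroup -Identity $GroupName -Properties primaryGroupToken
}

foreach ($row in Import-Csv -Path $CsvPath) {
    $name = ConvertTo-MacUserName $row.mac
    # Username == password is the controller-side convention the thread describes. Twelve
    # hex digits fail default complexity, so a fine-grained password policy scoped to
    # $GroupName (assumption about your domain) is normally needed before this succeeds.
    $pw = ConvertTo-SecureString -String $name -AsPlainText -Force

    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-ADUser -Name $name -SamAccountName $name -UserPrincipalName "$name@$Domain" `
            -Path $OuPath -AccountPassword $pw -Enabled $true `
            -PasswordNeverExpires $true -CannotChangePassword $true `
            -Description ("MAC auth: " + $row.description)
    }
    $user = Get-ADUser -Identity $name -Properties MemberOf

    # 1. Membership of the dedicated group, then make it the primary group.
    if ($user.MemberOf -notcontains $group.DistinguishedName) {
        Add-ADGroupMember -Identity $group -Members $user
    }
    Set-ADUser -Identity $user -Replace @{ primaryGroupID = $group.primaryGroupToken }

    # 2. Domain Users can only be removed once it is no longer the primary group
    #    (already removed on a re-run is a harmless non-terminating error).
    Remove-ADGroupMember -Identity 'Domain Users' -Members $user -Confirm:$false -ErrorAction SilentlyContinue

    # 3. Restrict "Log On To" to the NPS server(s). The check is made against the computer
    #    that submits the logon, which for RADIUS is NPS, so MAC auth keeps working while
    #    the shared username/password is refused at any workstation (assumption: verify in a lab).
    Set-ADUser -Identity $user -LogonWorkstations $NpsHosts
}
```

The order in the loop matters: AD will not let you remove an account from its primary group, so the account is added to `MAC-Auth`, that group is made primary via `primaryGroupID`, and only then is `Domain Users` removed. Step 3 is the answer to the "can they log on to any machine" worry discussed later in the thread; it restricts where the account may log on without touching what NPS needs.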
 
LVL 1

Author Comment

by:gacus
ID: 40197667
I did see that but wasn't sure if that was required.  If it is, then yes, that will certainly break PEAP, so maybe I can't do this anyway without a separate RADIUS server.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 40197812
I'm not even sure you really need that either anyway... I've implemented MAC Auth with IAS and NPS hundreds of times and never needed that.

Put MAC addresses in specific security groups and assign roles based on that.
0
 
LVL 1

Author Comment

by:gacus
ID: 40197844
Create a new security group just for MAC-Auth.  Add it to the MAC address user account, then set it as the primary group and delete Domain Users (and any others that may be added).  You just want the group you created to be there.

If I do this, the user is still part of the "Authenticated Users" group, so by default any computer that still has default settings would allow the user's MAC username/password to log in.  I would also have to set up deny groups, perhaps at the root domain level, to stop those users from logging in.  Is that what you do when you set all these up, or don't you care that they can log in to any machine with that simple username/password?
0
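Whatever preventive control you settle on (removal from Domain Users, a deny-logon GPO, or the separate non-domain RADIUS Craig suggests), it is worth being able to check that no MAC-style account has actually been used for an interactive logon. The following is an added example, not code from the thread: it reads the Security log for 4624 events and flags interactive, RDP and cached logons whose user name is twelve hex digits. It assumes you have read access to the Security log of the host you point it at (or of a collector holding forwarded events); the account-name pattern matches the lower-case convention used for these accounts.

```powershell
# Added example, not code from the thread: report interactive-style logons
# (types 2, 10, 11) by accounts whose name looks like a MAC address.
# Assumes read access to the Security log on $ComputerName.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

$MacUser     = '^[0-9a-f]{12}$'   # sAMAccountName convention for MAC-auth accounts
$Interactive = @{ 2 = 'Interactive'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function Get-MacAccountInteractiveLogons {
    param([string]$Computer, [int]$LookbackDays)

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    $events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # Pull the named EventData fields out of the event XML.
        $fields = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }

        $type = [int]$fields['LogonType']
        if ($Interactive.ContainsKey($type) -and $fields['TargetUserName'] -match $MacUser) {
            [pscustomobject]@{
                Time        = $ev.TimeCreated
                Host        = $Computer
                Account     = "$($fields['TargetDomainName'])\$($fields['TargetUserName'])"
                LogonType   = $Interactive[$type]
                Source      = $fields['IpAddress']
                Workstation = $fields['WorkstationName']
            }
        }
    }
}

Get-MacAccountInteractiveLogons -Computer $ComputerName -LookbackDays $Days |
    Sort-Object Time | Format-Table -AutoSize
```

Network logons (type 3) are deliberately excluded, since that is what a RADIUS check through NPS looks like from the DC's point of view; an empty report for the interactive types is the expected result once the accounts are locked down. Run it against each host or, more usefully, against the collector if you forward Security logs.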
 
LVL 47

Expert Comment

by:Craig Beck
ID: 40198019
It won't do what you're thinking...

Try it and see.  Just create a user and remove it from Domain Users then try to log in.
0
 
LVL 47

Accepted Solution

by:
Craig Beck earned 2000 total points
ID: 40198137
If that does allow you to log on I'd suggest you use a secondary RADIUS for MAC Authentication which isn't joined to your domain.  That's the only way you'll 100% ensure that people can't use their MAC address to log in.
1
