
Creating an NPS Policy for MAC-based Authentication

Windows 2008 Network Policy Server can be used to authenticate and grant access to wireless domain member computers in a Windows Active Directory domain using MAC based authentication.

In this example, access is granted to members of the Domain Security Group MAC_Auth, placing them on VLAN 500. For more information, please refer to our documentation on enabling MAC-based access control.

Add the Gateway AP as a RADIUS client

Please refer to our documentation on how to add an AP as a RADIUS client.

Configure Users in AD

  1. User accounts need to be created in Active Directory, one for each MAC address of the computers that will authenticate through the access point.
  2. The user name must match the MAC address of the client exactly and must be in all lowercase letters.
  3. Set the password for the user to the same MAC address, again in all lowercase.
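The account creation described in the three steps above, scripted in PowerShell as an added example (this is not code from the Meraki article). The OU path is a placeholder, MAC_Auth is the group named in the introduction, and the MAC notation the access point sends is assumed to be twelve lowercase hex digits with no separators; change -Separator if your RADIUS logs show a different format.

```powershell
# Added example, not from the article: creates the AD accounts the
# "Configure Users in AD" section describes, one per client MAC address.
# Assumptions: RSAT ActiveDirectory module installed; $OUPath is a placeholder;
# the separator-free lowercase notation is assumed to match what the AP sends.
Import-Module ActiveDirectory

function ConvertTo-MacUserName {
    param(
        [Parameter(Mandatory)][string]$Mac,
        [string]$Separator = ''   # assumption: AP sends e.g. "001122aabbcc"
    )
    # Strip ':' '-' or '.' notation and force lowercase, as the article requires.
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { throw "Not a 48-bit MAC address: $Mac" }
    if ($Separator -eq '') { return $hex }
    # Re-insert the separator between octet pairs if one is wanted.
    return (($hex -split '(.{2})' | Where-Object { $_ }) -join $Separator)
}

function New-MacAuthUser {
    param(
        [Parameter(Mandatory)][string]$Mac,
        [string]$OUPath = 'OU=MAC-Auth,DC=example,DC=com',   # placeholder OU
        [string]$Group  = 'MAC_Auth'                          # group from the article
    )
    $name = ConvertTo-MacUserName -Mac $Mac
    # The password is the same lowercase MAC string, as the article instructs.
    $pw = ConvertTo-SecureString -String $name -AsPlainText -Force
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") {
        Write-Warning "Account $name already exists; skipping"
        return
    }
    # Device accounts never change their own password and must not expire,
    # or MAC authentication silently stops working when the password ages out.
    New-ADUser -Name $name -SamAccountName $name -Path $OUPath `
        -AccountPassword $pw -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description "MAC-auth device $Mac"
    # Membership in MAC_Auth is what the Network Policy's Windows Group condition matches.
    Add-ADGroupMember -Identity $Group -Members $name
}

# Constructed sample: '00:11:22:AA:BB:CC' becomes the account '001122aabbcc'.
New-MacAuthUser -Mac '00:11:22:AA:BB:CC'
```

Because the password is just the MAC address, keep these accounts in their own OU and group so the Network Policy matches only them and nothing else grants them additional rights.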

Configuring a Connection Request Policy

  1. From the Network Policy Server console navigate to NPS -> Policies -> Connection Request Policies.
  2. Right-click Connection Request Policies and select New.
  3. On the Specify Connection Request Policy Name and Connection Type page, enter a policy name and verify that Unspecified is selected in the "Type of network access server:" drop-down.
  4. Click Next.
  5. On the Specify Conditions page, click Add and add the following condition:
    • NAS Port Type: Select Wireless - IEEE 802.11 and Wireless - Other


  6. Click OK, review the conditions, then click Next.
  7. Click Next on the Specify Connection Request Forwarding page.
  8. On the Specify Authentication Methods page, click Next.
  9. Click Next on the Configure Settings page.
  10. Review the policy and click Finish. The connection request policy should appear similar to the image below:

  11. Right-click the policy you created and select Move Up, placing the policy above any existing deny policies.

Configuring a Network Policy

  1. From the Network Policy Server console navigate to NPS -> Policies -> Network Policies.
  2. Right-click Network Policies and select New.
  3. On the Specify Network Policy Name and Connection Type page, enter a policy name and verify that Unspecified is selected in the "Type of network access server:" drop-down.
  4. Click Next.
  5. On the Specify Conditions page, click Add and set the following conditions:
    • Windows Group: Choose the Domain Users group from the Windows Active Directory domain (or, to restrict access to the MAC accounts as in this example, the MAC_Auth group).
    • NAS Port Type: Select Wireless - IEEE 802.11 and Wireless - Other.

  6. Click OK.
  7. On the Specify Access Permission page, select Access granted and click Next.
  8. On the Configure Authentication Methods page, make sure Unencrypted authentication (PAP, SPA) is the only method checked, and click Next.
  9. Click Next on the Configure Constraints page.
  10. (Optional, only if you want to assign a VLAN) On the Configure Settings page, choose RADIUS Attributes > Standard in the Settings pane. Click Add to select the following attributes, which carry the VLAN assignment in the RADIUS Access-Accept message:
    • Tunnel-Medium-Type: Under "Commonly used for 802.1X", choose 802 (Includes all 802 media plus Ethernet canonical format) as the attribute value.
    • Tunnel-Pvt-Group-ID: Choose String and enter 500. This string specifies VLAN ID 500.
    • Tunnel-Type: Under "Commonly used for 802.1X", select Virtual LANs (VLANs) as the attribute value.
  11. Once the correct RADIUS attributes are selected, click Next.
  12. Review the policy settings and click Finish.

Disable NAP Enforcement

  1. Open the Properties of the Policy created.
  2. Click the Settings tab.
  3. Choose NAP Enforcement from the Settings pane.
  4. Under Auto Remediation, uncheck Enable auto remediation on client computers and click OK.
    The network policy should look similar to the image below:


  5. Right-click the policy you created and select Move Up, placing the policy above any existing deny policies.


Test From the Dashboard

  1. Set up your SSID as shown in the image at the bottom of this page, filling in your NPS server's IP address.
  2. Use the Test button to test authentication with a MAC address you configured above.

Now clients with that MAC address can connect to your SSID using MAC-based RADIUS Authentication.

Last modified
15:14, 18 Feb 2016

Article ID

ID: 1503
