MAC-Based Access Control is one method of preventing unauthorized devices from joining the wireless LAN. This article explains how MAC-Based Access Control works and provides step-by-step configuration instructions for Microsoft NPS and the Meraki Dashboard.
MAC-Based Access Control
It is critical to control which devices can access the wireless LAN. MAC-Based Access Control provides port-based network access control on MR series access points: devices must be authenticated by a RADIUS server before they are granted network access on an SSID. The AP (the RADIUS client) sends a RADIUS Access-Request to the RADIUS server containing a username and password for the connecting wireless device. Both the username and the password are always the MAC address of the connecting device, in lower-case hexadecimal with no delimiting characters (for example, AA:BB:CC:DD:EE:FF is sent as aabbccddeeff). If a policy on the RADIUS server specifies that the device should be granted access and the credentials are correct, the server responds with an Access-Accept; upon receiving it, the AP grants the device network access on the SSID. If the device matches no policy, the server replies with an Access-Reject and the AP does not grant network access. Below is a diagram showing a successful authentication.
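The exchange described above, as an added example written for this article (it is not Meraki or Microsoft code): a minimal RADIUS client/server pair that normalises a MAC address into the credential the AP sends, builds the Access-Request with the User-Password hidden per RFC 2865, has a toy server apply an allow-list policy, and has the client validate the Response Authenticator before trusting an Access-Accept or Access-Reject. The shared secret, allow-list and MAC addresses are constructed sample values. Nothing is sent on the network; the packets are built and checked in memory, so it also makes the point of the next paragraph concrete: any station that knows an authorised MAC address produces an identical, valid Access-Request.

```python
import hashlib
import os
import re
import struct
from typing import Dict, Optional, Set

# RFC 2865 packet codes and the attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31


def mac_credential(mac: str) -> str:
    """Normalise any common MAC notation to the credential the AP sends:
    lower-case hex with no delimiters, e.g. 'AA:BB:CC:DD:EE:FF' -> 'aabbccddeeff'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return hexdigits


def _attr(atype: int, value: bytes) -> bytes:
    # Attribute = Type (1 byte), Length including this 2-byte header, Value
    return struct.pack("!BB", atype, len(value) + 2) + value


def _encode_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks; block i is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def _decode_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    # Same chain in reverse; the mask for block i is keyed on received block i-1.
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(mac: str, secret: bytes, ident: int = 1,
                         request_auth: bytes = b"") -> bytes:
    """What the AP (RADIUS client) sends: User-Name and User-Password are both the MAC."""
    cred = mac_credential(mac).encode()
    request_auth = request_auth or os.urandom(16)   # 16 random bytes per RFC 2865
    attrs = (_attr(USER_NAME, cred)
             + _attr(USER_PASSWORD, _encode_password(cred, secret, request_auth))
             + _attr(CALLING_STATION_ID, cred))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(packet: bytes) -> Dict[int, bytes]:
    """Walk the attribute list, refusing to read past the declared packet length."""
    attrs, pos = {}, 20
    length = struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def server_respond(request: bytes, secret: bytes, allowed_macs: Set[str]) -> bytes:
    """Toy RADIUS server: Access-Accept only if User-Name is an allowed MAC (the policy
    match) and the decoded User-Password equals it (the credential check)."""
    code, ident, request_auth = request[0], request[1], request[4:20]
    attrs = parse_attrs(request)
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = _decode_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and name in allowed_macs and password == name.encode()
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_verify(request: bytes, response: bytes, secret: bytes) -> Optional[int]:
    """AP side: return the reply code only if the identifier matches and the Response
    Authenticator checks out; a forged reply or a secret mismatch yields None."""
    if response[1] != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[0] if expected == response[4:20] else None


if __name__ == "__main__":
    secret, allowed = b"constructed-shared-secret", {"aabbccddeeff"}   # sample values
    req = build_access_request("AA:BB:CC:DD:EE:FF", secret, ident=7)
    print("known MAC   ->", client_verify(req, server_respond(req, secret, allowed), secret))
    req2 = build_access_request("00-11-22-33-44-55", secret, ident=8)
    print("unknown MAC ->", client_verify(req2, server_respond(req2, secret, allowed), secret))
```

Run it and the known MAC yields code 2 (Access-Accept) and the unknown MAC code 3 (Access-Reject). Feeding the server a different shared secret makes both the password decode and the Response Authenticator fail, so `client_verify` returns None rather than a reject that the AP would otherwise act on; that is the check to keep in mind when the real AP logs a RADIUS timeout or a rejected request after a secret change. The example omits the Message-Authenticator attribute that production clients add.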
MAC-Based Access Control has security implications that must be considered. First, it is not an association method that supports wireless encryption, so once a device has gained network access its traffic is protected only by whatever upper-layer protocols it uses, such as TLS or IPsec. Second, the credentials are weak: because the MAC address serves as both username and password, an attacker who observes the MAC address of a previously authenticated client can gain network access simply by spoofing it. Third, the AP sends the MAC address as a plain User-Password attribute (PAP), so the NPS network policy must allow unencrypted authentication (PAP, SPAP) and the corresponding AD accounts must store their passwords using reversible encryption; the RADIUS shared secret between the AP and NPS is then the only thing protecting the exchange and should be long, random, and unique per server. MAC-Based Access Control is therefore best used for devices that cannot perform 802.1X, and in combination with other controls, rather than as the sole barrier to the network. Below, in order, are the steps necessary to deploy MAC-Based Access Control using Microsoft NPS.
- RADIUS: Adding a gateway AP as a RADIUS client in NPS
- Creating User Accounts in Active Directory for MAC-based Authentication
- Creating a Windows Group For MAC Based Authentication
- Enabling MAC based access control on an SSID