
MAC-Based Access Control Using Microsoft NPS - MR Access Points


MAC-Based Access Control is one method for preventing unauthorized access to the Wireless LAN. This article discusses how MAC-Based Access Control works and provides step-by-step configuration instructions for Microsoft NPS and Dashboard.

 

MAC-Based Access Control

It is critical to control which devices can access the wireless LAN. MAC-Based Access Control can be used to provide port-based network access control on MR series access points. With MAC-Based Access Control, devices must be authenticated by a RADIUS server before network access is granted on an SSID. The AP (RADIUS client) sends a RADIUS Access-Request to the RADIUS server containing the username and password of the connecting wireless device. The username and password combination is always the MAC address of the connecting device, in lower case without delimiting characters. If a RADIUS policy exists on the server that specifies the device should be granted access and the credentials are correct, the RADIUS server will respond with an Access-Accept message. Upon receiving this message, the AP will grant network access to the device on the SSID. If the RADIUS server replies with an Access-Reject because the device does not match a policy, the AP will not grant network access. Below is a diagram showing a successful authentication.

[Diagram: successful MAC-based authentication]

MAC-Based Access Control has some security implications which must be considered. One is that it is not an association method that supports wireless encryption. Therefore, clients will need to rely on upper-layer protocols such as SSL or IPsec for encrypting traffic once a device has gained network access. The second is the credentials used. Because the MAC address of the device is used as the credentials, an attacker can easily gain network access by spoofing the MAC address of a previously authenticated client. Below are the steps necessary, in order, to deploy MAC-Based Access Control using Microsoft NPS.

 

  1. RADIUS: Adding a gateway AP as a RADIUS client in NPS
  2. Creating User Accounts in Active Directory for MAC-based Authentication
  3. Creating a Windows Group For MAC Based Authentication
  4. Creating an NPS policy for MAC-based authentication
  5. Enabling MAC based access control on an SSID
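
Because the AP always sends the MAC address in lower case without delimiters as both username and password, an account entered in any other notation will never match. The following added example (not part of the original article or any Meraki or Microsoft tooling) normalizes a device inventory into that credential form before accounts are created; the function names and the sample inventory are constructed for illustration.

```python
import re

# Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and bare hex.
_DELIMS = re.compile(r"[:\-.\s]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def to_radius_credential(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits with no delimiters."""
    cleaned = _DELIMS.sub("", mac.strip().lower())
    if not _HEX12.fullmatch(cleaned):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return cleaned


def build_allow_list(inventory):
    """Split (label, mac) pairs into accounts, rejected entries, warnings."""
    accounts, rejected, warnings = {}, [], []
    for label, raw in inventory:
        try:
            cred = to_radius_credential(raw)
        except ValueError as exc:
            rejected.append((label, str(exc)))
            continue
        first_octet = int(cred[:2], 16)
        if first_octet & 0x01:  # group bit: never a single device's address
            rejected.append((label, "multicast/broadcast address"))
            continue
        if cred in accounts:  # same device listed twice in another notation
            warnings.append(f"{label}: duplicate of {accounts[cred]} ({cred})")
            continue
        if first_octet & 0x02:
            # Locally administered bit set: a software-assigned address,
            # not a burned-in one, so it may change and stop matching.
            warnings.append(f"{label}: locally administered address {cred}")
        accounts[cred] = label  # username and password are both `cred`
    return accounts, rejected, warnings


# Constructed sample inventory (not real devices).
SAMPLE = [
    ("printer-1", "00:11:22:AA:BB:CC"),
    ("scanner-1", "0011.22aa.bbcd"),
    ("printer-1-dup", "00-11-22-aa-bb-cc"),
    ("phone-7", "DA:A1:19:00:00:01"),
    ("typo", "00:11:22:AA:BB"),
    ("bcast", "ff:ff:ff:ff:ff:ff"),
]
```

Each key of the returned `accounts` dictionary is the exact string to use as both the account name and its password.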
Article ID

ID: 2082
