Tuesday, November 12, 2013

802.1x with MAC based authentication

For 802.1x-compliant end devices, RADIUS authentication is performed using either a username/password or a certificate. What about devices that aren't 802.1x compliant, such as network printers? The next best authentication for them is MAC based.

MAC-based authentication isn't as secure, as MAC addresses can be easily spoofed. Cisco calls this "MAC Authentication Bypass" (MAB), while Microsoft calls it "MAC Address Authorization".

How can we make Cisco MAB work with a Microsoft NPS server?

Step 1: Enable "mab" on every switch port
On Cisco switches, assuming that the usual dot1x configuration is already in place, you just need to add the command "mab" on every 802.1x-enabled switch port connecting to end devices.

Step 2: Add new MAC-based connection request policy
On the Microsoft NPS server, add a new connection request policy and enable PAP authentication. This new PAP policy should be placed after the main 802.1x policy, so that 802.1x-compliant devices get authenticated in the more secure way first. Since Cisco switches uniquely identify MAB requests by setting Attribute 6 (Service-Type) to 10 (Call-Check) in a MAB Access-Request message, add this condition to the MAC connection request policy.

Step 3: Tell the authenticating server to use Calling-Station-ID as MAC-based user name
Set the User Identity Attribute registry value to 31 on the NPS server. The registry location is HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy. If the value doesn't exist, create it as a new DWORD value.

Step 4: Add a new AD user account for each MAC device
The new user account must be named exactly as the MAC address of the connecting non-802.1x device (all lower case, with no spaces or dashes), e.g. in aa00bb11ccddeeff format. Its password must also be set to the same MAC address. Hence, creating such accounts might fail due to the domain's complex password policy. The good news is that we can use a Fine-Grained Password Policy to overcome this.

Step 5: Test it
Connect a non-802.1x device and test. Observe the outcome in Event Viewer on the NPS server. Take note of any errors and troubleshoot accordingly.
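Steps 3 and 4 can be scripted on the NPS/AD side (which also addresses the "use scripting with a CSV" suggestion in the comments). The following is an added PowerShell example, not code from the original post; the CSV file name and its "MAC" column, the group name, the OU path, and the fine-grained policy name and values are assumptions to adjust for your domain.

```powershell
# Added example (not from the original post): automate steps 3 and 4 on the NPS / AD side.
# Assumptions (not in the post): macs.csv has a "MAC" column; group "MAB-Devices", the OU path
# and the fine-grained policy name/precedence are placeholders to adjust for the domain.
Import-Module ActiveDirectory

# Step 3: tell NPS to use Calling-Station-Id (RADIUS attribute 31) as the user name.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy'
New-ItemProperty -Path $regPath -Name 'User Identity Attribute' -PropertyType DWord -Value 31 -Force | Out-Null
Restart-Service -Name IAS   # NPS runs as the "IAS" service and reads this value on start

# Normalise any common MAC notation (colons, dashes, dots, upper case) to the
# 12-hex-character, all lower case, separator-free form the post requires.
function ConvertTo-MabUserName {
    param([Parameter(Mandatory)][string]$Mac)
    $clean = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($clean -notmatch '^[0-9a-f]{12}$') { throw "Not a valid MAC address: '$Mac'" }
    return $clean
}

# Step 4 prerequisite: a Fine-Grained Password Policy so a 12-character MAC is accepted
# as a password despite the domain's complexity rules. Applied to the MAB group only.
$ou         = 'OU=MAB,DC=example,DC=local'
$policyName = 'MAB-Devices-PSO'
$group      = 'MAB-Devices'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 50 -ComplexityEnabled $false `
        -MinPasswordLength 12 -PasswordHistoryCount 0 -Description 'MAB accounts: password = MAC'
}
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -Path $ou
}
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $group

# Step 4: one account per device; user name and password are both the normalised MAC.
Import-Csv -Path '.\macs.csv' | ForEach-Object {
    $user = ConvertTo-MabUserName $_.MAC
    if (Get-ADUser -Filter "SamAccountName -eq '$user'") { return }   # already created, skip
    New-ADUser -Name $user -SamAccountName $user -Path $ou `
        -AccountPassword (ConvertTo-SecureString $user -AsPlainText -Force) `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description "MAB device $($_.MAC)"
    Add-ADGroupMember -Identity $group -Members $user
}
```

Keeping these accounts in their own OU and group makes it easy to review them and to scope the relaxed password policy to nothing else.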

4 comments:

  1. Hi.
    Thanks for sharing. Can you share print screens of steps 2 and 3?

  2. Hi.
    Thanks for sharing. Can you share print screens of steps 2 and 3?
    Ricardo

  3. Hi,

    I have found this blog very useful, but I am trying to get multiple devices, e.g. HP printers, to authenticate using MAB. Is it possible to use, for example, the HP OUI as a wildcard and use a single user object in AD to authenticate multiple HP printers using the NPS server?

    Replies
    1. I don't think you can create user objects using a wildcard. I would advise using some scripting to create multiple objects if you keep track of all MAC addresses using Excel or CSV.
