I need help adding a central MAC address authentication server to our current WLAN.
I need to add a central MAC address authentication server to our current WLAN. We already do the basic security, 128bit WEP, special SSID, no broadcast and MAC filters but the MAC filtering is performed by each AP. I have my AP's sending requests for authentication to my IAS server but access is denied based on username not found. All I want to do is verify that the MAC address matches the one in the IAS access policy based on the "calling-station-id" field. My access policy is basic "calling-station-id = 9098655d35" but no luck.
Most IAS-based wireless LAN deployments use 802.1X with some type of user authentication (e.g., PEAP and username/password, EAP-TLS and client certificates). However, it is possible to use IAS for central MAC-based authorization. In IAS terms, this involves using "an unauthenticated access method" -- specifically, you must follow directions for setting up Automatic Number Identification/Calling Line Identification (ANI/CLI) authorization.
According to Microsoft documentation, "Media Access Control (MAC) address authorization functions in the same way as ANI authorization, but it is used for wireless clients and clients using an 802.1X authenticating switch ... Like ANI authorization, MAC address authorization uses the Calling-Station-ID attribute instead of user name and password or certificate-based credentials to identify the user during the connection attempt ... To support MAC address authorization, the Active Directory must have user accounts with MAC addresses as user names."
To set up IAS-based MAC address authorization, you will need to:
Enable MAC address authorization on your APs.
Enable unauthenticated access and PAP in the associated remote access policy.
Create a user account for each MAC address; the user account name must match the MAC address of the adapter, and the password must be set to the RADIUS shared secret.
Set your IAS server's User Identity Attribute registry value to 31, and optionally set the Override User-Name registry value to 1 to always use MAC address authorization.
Refer to IAS documentation for further information about ANI authorization, starting from the URL given above.
This was first published in May 2005