I need to add a central MAC address authentication server to our current WLAN. We already do the basic security,...
128bit WEP, special SSID, no broadcast and MAC filters but the MAC filtering is performed by each AP. I have my AP's sending requests for authentication to my IAS server but access is denied based on username not found. All I want to do is verify that the MAC address matches the one in the IAS access policy based on the "calling-station-id" field. My access policy is basic "calling-station-id = 9098655d35" but no luck.
Most IAS-based wireless LAN deployments use 802.1X with some type of user authentication (e.g., PEAP and username/password, EAP-TLS and client certificates). However, it is possible to use IAS for central MAC-based authorization. In IAS terms, this involves using "an unauthenticated access method" -- specifically, you must follow directions for setting up Automatic Number Identification/Calling Line Identification (ANI/CLI) authorization.
According to Microsoft documentation, "Media Access Control (MAC) address authorization functions in the same way as ANI authorization, but it is used for wireless clients and clients using an 802.1X authenticating switch ... Like ANI authorization, MAC address authorization uses the Calling-Station-ID attribute instead of user name and password or certificate-based credentials to identify the user during the connection attempt ... To support MAC address authorization, the Active Directory must have user accounts with MAC addresses as user names."
To set up IAS-based MAC address authorization, you will need to:
- Enable MAC address authorization on your APs.
- Enable unauthenticated access and PAP in the associated remote access policy.
- Create a user account for each MAC address; the user account name must match the MAC address of the adapter, and the password must be set to the RADIUS shared secret.
Set your IAS server's User Identity Attribute registry value to 31, and optionally set the Override User-Name registry value to 1 to always use MAC address authorization.
Refer to IAS documentation for further information about ANI authorization, starting from the URL given above.
Dig Deeper on Working With Servers and Desktops
Related Q&A from Lisa Phifer
Understanding the functions of a wireless access point vs. wireless router will help you deploy the right device for the right circumstance. Continue Reading
Learn the difference between a site-to-site VPN and a remote-access VPN, as well as the protocols used for each one. Continue Reading
Need to send an email, check your flight's status or get ready for a presentation? You can do it all on your smartwatch, thanks to a slew of Apple ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.