MAC Authentication

  • 2
  • Question
  • Updated 2 years ago
  • Answered
I want a simple profile where the MAC address is used to authenticate a device. What is needed, and where would I create/enter the MAC addresses allowed on the SSID? New user...

Thanks,
jharper@capis.com

  • 2 Posts
  • 0 Reply Likes

Posted 4 years ago

  • 2
Giuseppe

  • 16 Posts
  • 1 Reply Like
I'm struggling with the same question.
In the help file I can find:

When you enable MAC authentication, several new options appear. A RADIUS server drop-down list appears in the SSID Access Security section. In the User Profiles for Traffic Management section, two new settings appear: a list of available user profiles to apply to RADIUS-authenticated users identified by attributes that the RADIUS server returns, and settings determining the behavior of the AP when users are denied authentication.

The drop-down in Access Security appears, but the other 2 settings don't show up.
jharper@capis.com

  • 2 Posts
  • 0 Reply Likes
I solved this with the MAC Filter in the SSID. Probably not the long-term solution, but it did effectively lock down access to the SSID based on MAC. Set the default action to deny and then add the MACs that are authorized.
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
I am curious what has made you decide to authenticate based on a MAC address, which is not secure in the slightest?

Normally, I would advocate, rather strongly, for controlling access in a way that is secure and more flexible by using 802.1X or PPSKs...
Red

  • 12 Posts
  • 0 Reply Likes
Hi Giuseppe, did you manage to configure MAC Authentication? Has anyone here tried to make this work? I have had this working with different vendors but am having trouble with Aerohive; maybe I am doing something wrong with the settings.

It works from the Server test option but fails when trying with a client (iPhone).

Please help!
Sam

  • 120 Posts
  • 31 Reply Likes
First, under the SSID, enable the checkbox "Enable MAC Authentication".

Then you will need to make an AP a RADIUS server.

For your database, use a local DB, and enter the MAC addresses as usernames.
Red

  • 12 Posts
  • 0 Reply Likes
Hi Sam, thank you for your response. Does this only work if I set the AP as a RADIUS server? I have a 2008 Server running as RADIUS and AD.

I checked the MAC Authentication box; which protocol should I use: PAP, CHAP or MSCHAPv2? I have tried all three, but it fails when I try from my iPhone :(

I have changed the NPS policy to make it work with all the above protocols, still no luck.
My iPhone always asks me for a username and password, so I type in a wrong one (assuming that when it fails it goes back to MAC authentication). But I get different errors under the Event logs in NPS when I use different protocols; only with CHAP does it take the username as the MAC address of the device, with the other methods it takes the wrong login and discards it.

If I have to make use of the AP as a RADIUS server it will not serve my purpose, sadly.
Sam

  • 120 Posts
  • 31 Reply Likes
Ensure you push your config changes to the AP after enabling MAC auth on the SSID.

If you are using NPS for MAC authentication, you will want to use MSCHAPv2.

I would refer to the Microsoft tech articles for how to configure NPS to handle MAC auth:
http://technet.microsoft.com/en-us/library/dd197535(WS.10).aspx
Red

  • 12 Posts
  • 0 Reply Likes
Hi Sam,

I am using NPS for MAC authentication, and I have pushed the configuration as well. It works when I use the MAC address as username and password to do a Server test from HMOL.

But when trying from the client, the MAC address is not being taken as the username and password. I am not sure if it is breaking down on the AP side or the NPS side, because the NPS logs say that the username and password are wrong.

When we use MAC authentication, my understanding is that when the username is wrong the NPS will look for the MAC address?

Any ideas?
Sam

  • 120 Posts
  • 31 Reply Likes
Looks like some registry settings may need to be changed:

http://technet.microsoft.com/en-us/library/dd197535(v=ws.10).aspx

Can you paste 1 of the full event viewer authentication failure logs?

Can you confirm the username (the "old 2000" logon username) is the MAC address, as well as the password, and that they are not upper-case characters?

Sam
(Edited)
Red

  • 12 Posts
  • 0 Reply Likes
I've changed the User Identity Attribute registry value to 31 on the NPS server.

The username is specific to the device, but the logon name and password are the MAC address in the right format! The authentication log is just the typical log for a wrong username and password, and it shows me the wrong username and password which I typed in! I do not have access to the NPS right now, but I can show you if you would like.

What is the authentication protocol we typically use in Aerohive for MAC auth? PAP, CHAP or MSCHAPv2?
Sam

  • 120 Posts
  • 31 Reply Likes
MSCHAPv2 would be the ideal setting... PAP or CHAP would require you store passwords with reversible encryption.

Please post some screenshots of your configuration of the AD user and NPS.
Red

  • 12 Posts
  • 0 Reply Likes
I do not have access to the NPS right now. But just to make sure you understand my requirement:

Is it possible to enable 802.1X and MAC authentication on the same SSID, while satisfying only one condition for authentication? E.g. if the username fails and the MAC address matches, the client gets authenticated?

Cheers
Red

  • 12 Posts
  • 0 Reply Likes
Hi Nick, I need to confirm this. My understanding was that this is a fail-over option; I tested it long back. Thank you for clarifying, I will test it and will get back to you. Cheers.
mag007

  • 24 Posts
  • 1 Reply Like
I am using 802.1x+mac-authentication on one of my SSIDs. I create a MAC username and password in AD and use MSCHAPv2 to successfully authenticate the MAC address in Microsoft IAS. However, on my MacBook the wireless detects that the network is a WPA2 Enterprise network and automatically asks for a username and password. Here, no matter whether I use the MAC address for the username/password combination or actually use my AD username and password, I get an invalid username and password. My MacBook does not connect to the network, even though the MAC-based authentication is successful (from the logs on IAS).

Now I would expect 802.1x+mac-authentication to function so that both authentications must be successful to allow network access, but I am slightly unsure why the username and password combination is failing when I can use the same combination to log on to my corporate SSID, which also uses WPA2 Enterprise, and I have policies configured on the IAS to allow AD users to log on to the wireless.

Nick, does 802.1x+mac-authentication require that both credentials be authenticated in a single RADIUS exchange? I ask this because I have different policies on the IAS for authenticating MAC-based usernames and regular AD users.

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
No, it is separate RADIUS exchanges. Otherwise there would be nothing for the AP to actually implement by way of a feature; you can already additionally filter based on the Calling-Station-Id when 802.1X authentication takes place at a RADIUS server if you want to.
(Edited)
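Nick's point about filtering on Calling-Station-Id at the RADIUS server, and Sam's earlier note that the MAC-as-username must be in the right format and case, can be illustrated with the kind of check a MAC-auth RADIUS policy performs. This is an added example, not code from this thread, Aerohive or NPS; the Access-Request packet is constructed inline and the allow list is hypothetical.

```python
import struct

# Attribute type codes and packet code from RFC 2865.
USER_NAME = 1
CALLING_STATION_ID = 31
ACCESS_REQUEST = 1

def build_access_request(attrs, identifier=1, authenticator=b"\x00" * 16):
    """Encode a minimal RADIUS Access-Request from (type, bytes) pairs.
    Used here only to construct sample input; in MAC auth the AP fills
    both User-Name and Calling-Station-Id from the client's MAC."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body

def parse_attributes(packet):
    """Walk the attribute TLVs after the 20-byte header; return {type: [values]}."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return attrs

def normalize_mac(value):
    """Fold 'AA-BB-CC-11-22-33', 'aa:bb:cc:11:22:33', 'aabb.cc11.2233' and bare hex
    to 12 lowercase hex digits, so case and separator choice cannot cause a mismatch."""
    hexdigits = "".join(ch for ch in value.lower() if ch not in ":-.")
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        return None
    return hexdigits

def mac_auth_decision(packet, allowed_macs):
    """Decision a MAC-auth policy makes: User-Name must be a MAC, must equal
    Calling-Station-Id, and must be on the (hypothetical) allow list. Both
    values derive from the client-chosen MAC, which is why this is weak."""
    attrs = parse_attributes(packet)
    user = normalize_mac(attrs.get(USER_NAME, [b""])[0].decode("ascii", "replace"))
    station = normalize_mac(attrs.get(CALLING_STATION_ID, [b""])[0].decode("ascii", "replace"))
    if user is None or station is None:
        return "reject: User-Name or Calling-Station-Id is not a MAC address"
    if user != station:
        return "reject: User-Name does not match Calling-Station-Id"
    if user not in {normalize_mac(m) for m in allowed_macs}:
        return "reject: MAC not on allow list"
    return "accept"
```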
mag007

  • 24 Posts
  • 1 Reply Like
Thanks Nick for the clarity.  It does work.
Nguyen Binh

  • 1 Post
  • 0 Reply Likes
Hi Nick,
I have 2 SSIDs; 1 of them needs to be authenticated by AD, and the other is authenticated by AD + MAC. Could I use both of these authentications with only one RADIUS server?