Wireless Access



Mac Authentication using NPS

  • 1.  Mac Authentication using NPS

    Posted Dec 12, 2017 02:53 PM

    We have ClearPass on the roadmap down the road, but I would like to implement just simple Mac authentication for our wireless network.  I found an article, though it's for Meraki, that details the steps on setting up NPS for Mac Authentication, but I am running into trouble with it working in our environment.

    What I would like to do is have our SSID password protected, and then once the password is correctly entered it will check for the Mac Address against the NPS server.  Running

    #aaa test-server mschapv2 SERVER MACADDR MACADDR 

    from the cli returns Authentication Successful, but I am still not able to authenticate the machine when connecting.

     

    Is what I am trying to accomplish possible?



  • 2.  RE: Mac Authentication using NPS

    EMPLOYEE
    Posted Dec 12, 2017 02:58 PM

    Do you have encryption on the SSID?  Are you layering mac authentication on top of another type of authentication?

     

    If you think you have everything configured right, you should look at the logs on the NPS server to see what is failing to see what is being sent to the NPS server.



  • 3.  RE: Mac Authentication using NPS

    Posted Dec 12, 2017 03:18 PM

    I have WPA2-PSK for Network Authentication and AES for Encryption.  I removed those two and set it to Open, but still failing.  Checking the NPS logs gives 

    The user attempted to use an authentication method that is not enabled on the matching network policy

    It says the 'Authentication Type' is PAP. Is there a way to get the controller to send it as MSCHAPv2?



  • 4.  RE: Mac Authentication using NPS

    EMPLOYEE
    Posted Dec 12, 2017 03:32 PM
    Mac authentication is only sent as "pap". Typically authentication with an actual client supplicant can use mschapv2.


  • 5.  RE: Mac Authentication using NPS

    Posted Dec 12, 2017 04:02 PM

    What would I lose by only doing Mac authentication on the SSID?  If I leave it Open with no password, is all traffic then unencrypted?



  • 6.  RE: Mac Authentication using NPS

    EMPLOYEE
    Posted Dec 12, 2017 04:06 PM
    Yes. Anyone could capture, manipulate and impersonate any legitimately connected device.


  • 7.  RE: Mac Authentication using NPS

    Posted Dec 12, 2017 04:38 PM

    Sorry, just to clarify, if it is left as Open is it ALL network traffic?  Or will just the initial negotiation between the AP and the client be unencrypted?



  • 8.  RE: Mac Authentication using NPS

    EMPLOYEE
    Posted Dec 12, 2017 04:46 PM
    If you are not using encryption, everything is in the open.


  • 9.  RE: Mac Authentication using NPS

    Posted Dec 12, 2017 05:37 PM
    All traffic? So if I go to log into my Google account that will go across as plain text?


  • 10.  RE: Mac Authentication using NPS

    EMPLOYEE
    Posted Dec 12, 2017 05:46 PM
    If you are using https for a page, all they will see is encrypted traffic. Everything else, unless you are using a VPN, could potentially be exposed.


  • 11.  RE: Mac Authentication using NPS

    Posted Dec 14, 2017 11:34 AM

    So I have the Mac Authentication working now.  But when trying to add the WPA2-PSK, clients are unable to connect.

    Dec 14 12:29:32  station-up             *  ac:37:43:51:97:66  34:fc:b9:94:19:10  -  -    wpa2 psk aes
    Dec 14 12:29:32  wpa2-key1             <-  ac:37:43:51:97:66  34:fc:b9:94:19:10  -  117
    Dec 14 12:29:32  wpa2-key2             ->  ac:37:43:51:97:66  34:fc:b9:94:19:10  -  117  mic failure
    Dec 14 12:29:33  wpa2-key1             <-  ac:37:43:51:97:66  34:fc:b9:94:19:10  -  117
    Dec 14 12:29:33  wpa2-key2             ->  ac:37:43:51:97:66  34:fc:b9:94:19:10  -  117  mic failure
    Dec 14 12:29:34  wpa2-key1             <-  ac:37:43:51:97:66  34:fc:b9:94:19:10  -  117
    Dec 14 12:29:34  wpa2-key2             ->  ac:37:43:51:97:66  34:fc:b9:94:19:10  -  117  mic failure
    Dec 14 12:29:35  wpa2-key1             <-  ac:37:43:51:97:66  34:fc:b9:94:19:10  -  117
    Dec 14 12:29:35  wpa2-key2             ->  ac:37:43:51:97:66  34:fc:b9:94:19:10  -  117  mic failure
    Dec 14 12:29:36  wpa2-key1             <-  ac:37:43:51:97:66  34:fc:b9:94:19:10  -  117
    Dec 14 12:29:36  station-down           *  ac:37:43:51:97:66  34:fc:b9:94:19:10  -  -
    Dec 14 12:29:39  station-up             *  ac:37:43:51:97:66  70:3a:0e:d1:b1:f3  -  -    wpa2 psk aes
    Dec 14 12:29:39  wpa2-key1             <-  ac:37:43:51:97:66  70:3a:0e:d1:b1:f3  -  117
    Dec 14 12:29:39  wpa2-key2             ->  ac:37:43:51:97:66  70:3a:0e:d1:b1:f3  -  117
    Dec 14 12:29:39  wpa2-key3             <-  ac:37:43:51:97:66  70:3a:0e:d1:b1:f3  -  151
    Dec 14 12:29:39  wpa2-key4             ->  ac:37:43:51:97:66  70:3a:0e:d1:b1:f3  -  95

    Same thing happening on Dell Win10 Laptop and Android Phone.



  • 12.  RE: Mac Authentication using NPS
    Best Answer

    Posted Dec 14, 2017 11:42 AM

    Hm, rebooting the AP seemed to resolve the mic error.
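
Added example, not part of any post in this thread: a Python parser for handshake traces in the layout pasted in post 11. It counts message-2 MIC failures per association and lists BSSIDs where a station failed but completed the four-way handshake on another BSSID, which points at that AP rather than at the passphrase typed on the client. The function names and the sample MAC addresses are made up for illustration.

```python
import re

# Constructed trace in the layout of the output in post 11; MAC addresses are made up.
SAMPLE_TRACE = """\
Dec 14 12:29:32  station-up    *  02:00:00:aa:bb:01  02:00:00:cc:dd:10  -  -    wpa2 psk aes
Dec 14 12:29:32  wpa2-key1    <-  02:00:00:aa:bb:01  02:00:00:cc:dd:10  -  117
Dec 14 12:29:32  wpa2-key2    ->  02:00:00:aa:bb:01  02:00:00:cc:dd:10  -  117  mic failure
Dec 14 12:29:33  wpa2-key1    <-  02:00:00:aa:bb:01  02:00:00:cc:dd:10  -  117
Dec 14 12:29:33  wpa2-key2    ->  02:00:00:aa:bb:01  02:00:00:cc:dd:10  -  117  mic failure
Dec 14 12:29:36  station-down  *  02:00:00:aa:bb:01  02:00:00:cc:dd:10  -  -
Dec 14 12:29:39  station-up    *  02:00:00:aa:bb:01  02:00:00:cc:dd:20  -  -    wpa2 psk aes
Dec 14 12:29:39  wpa2-key1    <-  02:00:00:aa:bb:01  02:00:00:cc:dd:20  -  117
Dec 14 12:29:39  wpa2-key2    ->  02:00:00:aa:bb:01  02:00:00:cc:dd:20  -  117
Dec 14 12:29:39  wpa2-key3    <-  02:00:00:aa:bb:01  02:00:00:cc:dd:20  -  151
Dec 14 12:29:39  wpa2-key4    ->  02:00:00:aa:bb:01  02:00:00:cc:dd:20  -  95
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE_RE = re.compile(rf"^\w{{3}}\s+\d+\s+[\d:]{{8}}\s+(?P<event>[\w-]+)\s+(?:\*|<-|->)\s+"
                     rf"(?P<sta>{MAC})\s+(?P<bssid>{MAC})(?P<rest>.*)$", re.IGNORECASE)


def summarize_handshakes(trace):
    """Return one dict per association: station, BSSID, MIC failures, completion."""
    sessions, current = [], {}
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and anything not in the trace layout
        key = (m["sta"].lower(), m["bssid"].lower())
        if m["event"] == "station-up" or key not in current:
            current[key] = dict(sta=key[0], bssid=key[1], mic_failures=0, completed=False)
            sessions.append(current[key])
        s = current[key]
        if m["event"] == "wpa2-key2" and "mic failure" in m["rest"].lower():
            s["mic_failures"] += 1  # AP could not verify the client's message 2
        elif m["event"] == "wpa2-key4":
            s["completed"] = True  # message 4 of 4 seen: handshake finished
    return sessions


def suspect_bssids(sessions):
    """BSSIDs where a station hit MIC failures but finished the handshake elsewhere."""
    ok_stations = {s["sta"] for s in sessions if s["completed"]}
    return sorted({s["bssid"] for s in sessions if s["mic_failures"]
                   and not s["completed"] and s["sta"] in ok_stations})


if __name__ == "__main__":
    print(suspect_bssids(summarize_handshakes(SAMPLE_TRACE)))
```

A station that fails on every BSSID is not listed, since that pattern fits a wrong passphrase on the client just as well.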