Wireless Access

Reply
Occasional Contributor I

Mac Authentication using NPS

We have ClearPass on the roadmap down the road but I would like to implement just simple Mac authentication for our wireless network.  I found an article, though it's for Meraki, that details the steps on setting up NPS for Mac Authentication, but I am running into trouble with it working in our environment.

 

What I would like to do is have our SSID password protected, and then once the password is correctly entered it will check for the Mac Address against the NPS server.  running 

#aaa test-server mschapv2 SERVER MACADDR MACADDR 

from the cli returns Authentication Successful, but I am still not able to authenticate the machine when connecting.

 

Is what I am trying to accomplish possible?

Guru Elite

Re: Mac Authentication using NPS

Do you have encryption on the SSID?  Are you layering mac authentication on top of another type of authentication?

 

If you think you have everything configured right, you should look at the logs on the NPS server to see what is failing to see what is being sent to the NPS server.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: Mac Authentication using NPS

I have WPA2-PSK for Network Authentication and AES for Encryption.  I removed those two and set it to Open, but still failing.  Checking the NPS logs gives 

The user attempted to use an authentication method that is not enabled on the matching network policy

It says the 'Authentication Type' is PAP, is there a way to get the controller to send it as MSCHAPv2? 

Guru Elite

Re: Mac Authentication using NPS

Mac authentication is only sent as "pap". Typically authentication with an actual client supplicant can use mschapv2.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: Mac Authentication using NPS

What would I lose by only doing Mac authentication on the SSID?  If I leave it Open with no password, is all traffic then unencrypted?

Guru Elite

Re: Mac Authentication using NPS

Yes. Anyone could capture, manipulate and impersonate any legitimately connected device.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: Mac Authentication using NPS

Sorry to just to clarify, if it is left as Open is it ALL network traffic?  Or will just the initial negotiation between the AP and the client be unencrypted?  

Guru Elite

Re: Mac Authentication using NPS

If you are not using encryption, everything is in the open.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: Mac Authentication using NPS

All traffic? So if I go to log into my Google account that will go across as plain text?
Guru Elite

Re: Mac Authentication using NPS

If you are using https for a page, all they will see is encrypted traffic. Everything else, unless you are using a VPN could potentially be exposed.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: