If your SSID is 802.1x, your client must support that layer 2 method (WPA2/3 enterprise) at minimum and the EAP type supported by the radius server. You cannot mix/match PSK with EAP-PEAP/TLS for example.
EDIT: If the devices all support WPA2 Enterprise, the customer can configure the verify caller-id property (the MAC address with no delimiters) in the AD properties of that user and that will restrict that device to only the MAC address in the verify caller-id box. I haven't used that setting in many years, so your mileage may vary. It is useful for binding a single (or a few) AD user accounts to single MAC addresses when NPS is being used for authentication, but on a large scale, it is not practical.
Original Message:
Sent: Sep 17, 2023 02:59 PM
From: dpjw36
Subject: Can we run MAC authentication first, then 802.1x for the same SSID?
Hi Guys,
Thanks for the comments and feedback. There is no CPPM in place, just an MM with 2 MCs, and 802.1x authentication is just using Microsoft NPS. The customer would like to have some users authenticate using MAC addresses and the remaining users authenticate using 802.1x in the same SSID. Is it possible to do that without CPPM?
Original Message:
Sent: Sep 08, 2023 10:59 AM
From: bd_87
Subject: Can we run MAC authentication first, then 802.1x for the same SSID?
Maybe some more info from the OP would be nice before we start telling customers what they want to do is useless?
It's not clear on whether they are asking if this one specific device can do MAC-auth only on their 802.1X SSID, or whether they simply need a policy that says:
if user eq joeshcmoe AND MAC noteq xx:xx then deny
If it is the latter, it wouldn't be MAC auth at all.
@dpjw36 can you clarify?
------------------------------
ACNSP | ACCP | ACMP | ACEP
Original Message:
Sent: Sep 08, 2023 10:37 AM
From: chulcher
Subject: Can we run MAC authentication first, then 802.1x for the same SSID?
802.1X authentication REJECT will result in no WLAN connection. Which is why having MAC and 802.1X on the same WLAN is useless, you have to pass both to gain access and a separate MAC auth doesn't do anything productive.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Sep 08, 2023 10:31 AM
From: bd_87
Subject: Can we run MAC authentication first, then 802.1x for the same SSID?
On a single SSID you can have MAC AND 802.1X - but not MAC-auth or 802.1X (trust me, I've been down the rabbit hole).
You could possibly try a derivation rule to match the MAC address and set a role, but I am not sure how that works with authentication in the event 802.1X fails... still might apply the user role.
What is your RADIUS server?
------------------------------
ACNSP | ACCP | ACMP | ACEP
Original Message:
Sent: Sep 06, 2023 06:57 AM
From: dpjw36
Subject: Can we run MAC authentication first, then 802.1x for the same SSID?
Hi,
I was wondering, can we run MAC authentication first, then 802.1x for the same SSID? My customer has this odd request where 1 ID can only use 1 device.
I was thinking of using MAC address authentication as a workaround solution, provided we can configure MAC authentication + 802.1x authentication in the same SSID.
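
The per-user device binding discussed in this thread (the "if user eq ... AND MAC noteq ... then deny" policy, which the verify caller-id setting is described as enforcing) is modelled below as an added Python example; it is not code from any poster or from NPS. The function names, the binding table and the sample MACs are constructed, and stripping delimiters before comparing is an assumption about how Calling-Station-Id formats differ between devices.

```python
import re

# Constructed sample data: allowed MACs per user, stored with no delimiters,
# the form the thread describes for the "verify caller-id" field.
# Users absent from this table are not bound to a device.
CALLER_ID_BINDINGS = {
    "joeschmoe": {"AABBCCDDEEFF"},
    "kiosk01": {"001122334455", "00112233445A"},
}


def normalize_mac(value):
    """Return the MAC as 12 uppercase hex digits, or None if malformed."""
    # Assumption: the Calling-Station-Id may arrive as aa:bb:cc:dd:ee:ff,
    # AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff depending on the device sending it.
    digits = re.sub(r"[:\-.\s]", "", value or "").upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None


def authorize(username, calling_station_id, eap_ok, bindings=CALLER_ID_BINDINGS):
    """Return (decision, reason) for one 802.1X attempt on the SSID."""
    # 802.1X must succeed first; the MAC check only narrows access further.
    if not eap_ok:
        return ("reject", "802.1X failed")
    allowed = bindings.get(username.lower())
    if allowed is None:
        return ("accept", "no device binding for user")
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return ("reject", "unparseable Calling-Station-Id")
    # The MAC is reported by the client side, so this is a restriction layered
    # on the 802.1X credential, not an independent proof of the device.
    if mac in allowed:
        return ("accept", "bound device")
    return ("reject", "MAC not bound to user")


if __name__ == "__main__":
    # Constructed attempts: (user, Calling-Station-Id, 802.1X result)
    for attempt in [
        ("joeschmoe", "aa:bb:cc:dd:ee:ff", True),
        ("joeschmoe", "00-11-22-33-44-55", True),
        ("alice", "0011.2233.4455", True),
    ]:
        print(attempt, "->", authorize(*attempt))
```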