Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

What software to use for MAC Address database on Server 2008?

  • 1.  What software to use for MAC Address database on Server 2008?

    Posted Sep 27, 2012 04:20 PM

    Hi,

     

    We're using 802.1x AD Account lookup using NPS for Server 2008. I will be adding MAC Address authentication to it, which I already tested using the internal db on the controller.

     

    My question is, what software can I use to input the MAC addresses so they're not hosted on the controller? We will probably go over the max. 500 MAC addresses that Aruba recommends putting in the controller db.

     

    Is there something in Server 2008 NPS or anything included in server 2008 that I can use for the MAC Address db?

     

    Thanks



  • 2.  RE: What software to use for MAC Address database on Server 2008?

    Posted Sep 30, 2012 11:26 AM

    Hi,

     

    You want to use a database/server for MAC authentication other than the local controller db?

     

    Please look at the following useful chart:

    https://dl.dropbox.com/u/694445/Role-Derivation.pdf

     

    From this I can see that dot1x authentication will happen first. In addition, you can implement only one of them, either MAC AuC or dot1x AuC. Did you try before whether both can work together?

     

    You can use a defined username/password on a machine whose MAC address is not available in the local db; if it does authenticate and the machine gets access, this means that MAC AuC in this case has no value.

     

    Also, you can see from the same diagram that you can use a RADIUS server for MAC authentication, e.g. you can use a Cisco ACS server.

     

    :)



  • 3.  RE: What software to use for MAC Address database on Server 2008?

    Posted Oct 01, 2012 01:13 PM

    Hey Abi, yes you can use both. I have it tested and working right now. You can also enable L2 Passthrough on the AAA profile. I believe MAC auth actually happens first; if there is no MAC address in the DB, you can still authenticate clients w/ 802.1x. I don't think we'll use that feature, but it might come in handy, for example if the 2008 AD server crashes.



  • 4.  RE: What software to use for MAC Address database on Server 2008?

    Posted Oct 02, 2012 02:34 AM

    Hi Matt,

     

    To make this clearer to me, can you tell me the result of the following (by telling me whether the client is granted access or not + the user-role assigned to him):

     

    Note: let's also assume you have a different default user-role for each of the auth methods (MAC & dot1x).

     

    MAC-address (available in db) & dot1x (correct username/pass) -

    MAC-address (available in db) & dot1x (wrong username/pass) -

    MAC-address (not available in db) & dot1x (correct username/pass) -

     

     



  • 5.  RE: What software to use for MAC Address database on Server 2008?

    EMPLOYEE
    Posted Sep 30, 2012 11:36 PM

    @mattdigi wrote:

    Hi,

     

    We're using 802.1x AD Account lookup using NPS for Server 2008. I will be adding MAC Address authentication to it, which I already tested using the internal db on the controller.

     

    My question is, what software can I use to input the MAC addresses so they're not hosted on the controller? We will probably go over the max. 500 MAC addresses that Aruba recommends putting in the controller db.

     

    Is there something in Server 2008 NPS or anything included in server 2008 that I can use for the MAC Address db?

     

    Thanks


    Why are you adding MAC address authentication to it? MAC addresses can easily be spoofed, so it is definitely not a security mechanism.

     

    If you are using PEAP, just configure the machines to use machine-only credentials: http://support.microsoft.com/kb/929847

     

     



  • 6.  RE: What software to use for MAC Address database on Server 2008?

    Posted Oct 01, 2012 01:03 PM

    Sorry, I should have been more specific in my original post. This is for iPads and possibly Androids. We will use machine auth for our Windows clients w/ 802.1x.

     

    Think you're going a little far by saying MAC Auth isn't a security mechanism. It certainly is or why have the ability on Aruba controllers?

     

    MAC spoofing is only as good as that person getting a valid MAC address from a wireless device that has access and, #2, they would also need a username and password for 802.1x lookup. Hence why I wanted to set up both 802.1x w/ MAC auth.

     

    Last Friday we set up 2008 AD using NPS for our MAC auth db; works well so far.