802.1x MAB with Microsoft NPS ieee802Device object group

stefan-moser
Level 1

Hi,

according to http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.pdf (MAC Authentication Bypass Deployment Guide as of May 2011), when you use Microsoft NPS, you cannot simply add MAC addresses as Active Directory user objects if your domain has strict password enforcement policies (because passwords are not allowed to match usernames under those circumstances). The guide mentions the use of the 'ieee802Device' class that is built into Windows Server 2003 R2 and above. I have tried to get this working (with no success...); unfortunately I did not find any guidelines on the web on how to accomplish this. What I did so far was:

- Created a new structural class "myieee802Device", based on the abstract class "ieee802Device"

- Created a new OU "ethers" in AD

- Created a simple object by means of an ldifde.exe import

dn: CN=001b21******,OU=ethers,DC=dot1x,DC=com
changetype: add
objectClass: myieee802Device
cn: 001b21******
macAddress: 00:1b:21:**:**:**

When I trigger 802.1x authentication at a supplicant, NPS does not find the device (MAC-Address) in AD.

Has anybody got this running so far?

Stefan

15 Replies

michagar
Cisco Employee

Stefan,

That's actually interesting that it's not working, however... Have you tried contacting Microsoft's support to ask about setting up NPS with the new structural class myieee802Device? I suspect that from the Cisco side of the house nothing changes and MAB is MAB, but the problem would more than likely reside on the MSFT side?

michagar,

>> but the problem would more than likely reside on the MSFT side?

well, of course, you're right, but ... :-)

As a Cisco client, it would be very helpful to me if my switch vendor gave me some help to deal with a *scenario* that is very, very common with SMB companies that are considering adding 802.1x to their existing infrastructure. These customers usually

  • have Cisco switches and Microsoft AD (Windows Server 2003 or 2008)
  • are not willing to pay the extra cost for buying Cisco ACS
  • do not want to use any additional free software as, e.g., FreeRADIUS
  • expect us to “do it” with Microsoft built-in tools

Stefan

Update:

I opened an official case with Microsoft Support. They worked out that the ieee802Device class can NOT be used with NPS/IAS, because the class does not contain a username attribute. The existence of the username attribute is required by NPS/IAS.

This means: The Cisco document leads to the wrong direction!

Proposed solution for the problem: Use fine-grained password policies (unfortunately, this is only possible if the domain is at Windows 2008 level), and lower the password policy for accounts that represent devices (MAC addresses).

Stefan

Update:

I got it running in my lab with Active Directory fine-grained password policies.

Steps required:

1.) Raise functional domain level to Windows 2008

2.) Follow the step-by-step guide http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx to create a PSO which does NOT have complex password settings

3.) Create an OU, e.g. "myMABDevices", so that 802.1X devices do not appear in the regular list of domain user accounts (some administrators may not like to see hundreds of MAC addresses among their domain user accounts)

4.) Create a regular group, e.g. "allMABDevices", and link the PSO to this group. This is described in the step-by-step guide; Microsoft calls it a "shadow group". It is necessary because PSOs can't be bound to OUs directly.

5.) Create user accounts (not computer accounts) for every 802.1X device (username = MAC address, password = MAC address). I had to do an intermediate step and had to assign a temporary, complex password because when you create the user account, it is not yet in the corresponding regular group "allMABDevices", so the default domain policy is applied at this moment. There may be ways to circumvent this, but this is out of my scope (I'm a network engineer, not an AD specialist).

If you are not able to raise the domain to Windows 2008 functional level, you may consider the use of password filters (passfilt.dll). There are commercial password filters (e.g. nFront, ANIXIS PPE) that might work. You will probably have to shift all domain user accounts under their control, which will probably lead to heavy discussions with your Active Directory colleagues. As this is out of my current scope of work, I'm not going to have a closer look at it at the moment.

Stefan
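The following Python script is an added example (not code from the thread, from Cisco or from Microsoft) that turns steps 3 to 5 above into an ldifde-style import file, including the intermediate step Stefan describes: each device is created with a temporary complex password while the default domain policy still applies, is then added to the shadow group so the PSO takes effect, and only then gets its MAC address as password. Assumed names: the OU "myMABDevices" and the group "allMABDevices" from the step descriptions, the domain dot1x.com from the original LDIF, and the group sitting in CN=Users (an assumption). The optional reversible-encryption bit is there because a later post in this thread needed it for EAP-MD5; with PAP it is not required. The import has to go over LDAPS (e.g. ldifde -i -f mab.ldf -t 636), because Active Directory refuses to accept unicodePwd over a clear-text connection.

```python
"""Generate an ldifde import file for MAB device accounts (added example)."""
import base64
import re
import secrets
import string
import sys

DOMAIN_DN = "DC=dot1x,DC=com"                        # domain from the thread's LDIF
UPN_SUFFIX = "dot1x.com"
OU_DN = f"OU=myMABDevices,{DOMAIN_DN}"               # OU name from step 3 (assumed)
GROUP_DN = f"CN=allMABDevices,CN=Users,{DOMAIN_DN}"  # shadow group from step 4; container assumed

# userAccountControl bits
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080  # "Store password using reversible encryption"
UF_NORMAL_ACCOUNT = 0x0200

SYMBOLS = "!#%&*+-"


def normalize_mac(mac: str) -> str:
    """Return the 12 lowercase hex digits a Cisco switch sends as User-Name for MAB
    (the event log later in this thread shows 002622c997ff for 00-26-22-C9-97-FF).
    Accepts colon, dash, Cisco dotted (0026.22c9.97ff) or bare notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def unicode_pwd(password: str) -> str:
    """AD's unicodePwd takes the password in double quotes as UTF-16LE; LDIF carries
    binary values base64-encoded after a double colon (unicodePwd::)."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def temp_complex_password(length: int = 24) -> str:
    """Random password that satisfies the default domain complexity rules. It only
    lives until the account is a member of the shadow group and the PSO applies."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def mab_account_ldif(mac: str, reversible: bool = False) -> str:
    """Three LDIF records for one device, in the order the procedure requires."""
    name = normalize_mac(mac)
    dn = f"CN={name},{OU_DN}"
    uac = UF_NORMAL_ACCOUNT
    if reversible:  # only needed when the NPS policy uses EAP-MD5/CHAP rather than PAP
        uac |= UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
    records = [
        # 1. create the user; the default domain policy still governs it here,
        #    so the password must be complex (a temporary one)
        [f"dn: {dn}", "changetype: add", "objectClass: user", f"cn: {name}",
         f"sAMAccountName: {name}", f"userPrincipalName: {name}@{UPN_SUFFIX}",
         f"userAccountControl: {uac}",
         f"unicodePwd:: {unicode_pwd(temp_complex_password())}"],
        # 2. add the account to the shadow group the PSO is linked to
        [f"dn: {GROUP_DN}", "changetype: modify", "add: member", f"member: {dn}", "-"],
        # 3. now the PSO (no complexity) applies: set password = MAC address.
        #    Because the reversible bit is already set, this write is the one that
        #    stores the reversibly encrypted copy CHAP/EAP-MD5 needs.
        [f"dn: {dn}", "changetype: modify", "replace: unicodePwd",
         f"unicodePwd:: {unicode_pwd(name)}", "-"],
    ]
    return "\n".join("\n".join(rec) + "\n" for rec in records)


def generate_ldif(macs, reversible: bool = False) -> str:
    """One import file for a list of MAC addresses in any notation."""
    return "\n".join(mab_account_ldif(m, reversible) for m in macs)


if __name__ == "__main__":
    # MACs one per line on stdin, or a constructed sample when run interactively
    if sys.stdin.isatty():
        macs = ["00:11:22:33:44:55", "0026.22c9.97ff"]  # constructed / from the thread
    else:
        macs = [line.strip() for line in sys.stdin if line.strip()]
    sys.stdout.write(generate_ldif(macs))
```

Run it as `python mab_ldif.py < macs.txt > mab.ldf` and import the result with ldifde over LDAPS; the accounts' dial-in setting is left at its default, which is "Control access through NPS Network Policy".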

Hi Stefan,

Following your guide, I can set up the account with the MAC address as user name and password, but I have no idea how to set up the access and network policy in NPS.

Would you please advise on this?

Thanks!

Scott

Scott, I’m going to email some examples within the next few days.

Stefan

From: scottlian

Sent: Thursday, 29 September 2011 10:02

To: Moser, Stefan (SIDB)

Subject: - Re: 802.1x MAB with Microsoft NPS ieee802Device object group


Stefan,

Many thanks for your reply. In my test environment, what I have encountered is:

1. I created the user account and used the MAC address as account name and password, which can access the AD.

2. I enabled the MD5-Challenge function in the Windows 2008 R2 NPS server. Please refer to the link:

http://social.technet.microsoft.com/Forums/en/winserverNAP/thread/e801bdac-9347-4efb-9d7c-bcf4d64aa927

3. Created the network policy, which uses MD5 as the EAP type, and selected PAP as the authentication method.

4. Enabled 802.1x and the MAB function on the port of the Cisco 3750.

In testing, 802.1x works fine, but when I try to authenticate with MAB, I get the below error in the NPS event log:

Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
    Security ID:            QBBB\002622c997ff
    Account Name:            002622c997ff
    Account Domain:            QBBB
    Fully Qualified Account Name:    qbbb.net/Sales/002622c997ff
Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        3C-DF-1E-C6-48-13
    Calling Station Identifier:        00-26-22-C9-97-FF
NAS:
    NAS IPv4 Address:        10.197.40.2
    NAS IPv6 Address:        -
    NAS Identifier:            -
    NAS Port-Type:            Ethernet
    NAS Port:            50219
RADIUS Client:
    Client Friendly Name:        Wired
    Client IP Address:            10.197.40.2
Authentication Details:
    Connection Request Policy Name:    Secure Wired (Ethernet) Connections
    Network Policy Name:        Connections to other access servers
    Authentication Provider:        Windows
    Authentication Server:        QINGXXX1.QBBB.net
    Authentication Type:        PAP
    EAP Type:            -
    Account Session Identifier:        -
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            65
    Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

Just for your reference, and I hope to get your help. Thanks a lot!

--Scott

Scott,

I’ve attached screenshots of my NPS configuration. It’s quite simple, and doesn’t use MD5 (when I was trying to get it running, I read some articles on the web that said that MD5 is not necessary (supported?) because it does not offer additional security because the username always equals the password which is, of course, always the MAC address, and the username is transferred in clear on the wire). Accordingly, in the 3750 config, I enabled MAB without MD5.

I can’t see the eventlog from your email, probably because you sent a screenshot. Can you mail plain text or wrap the screenshot into a Microsoft word document or PDF?

Stefan

From: scottlian

Sent: Sunday, 9 October 2011 03:32

To: Moser, Stefan (SIDB)

Subject: - Re: 802.1x MAB with Microsoft NPS ieee802Device object group


Hi Stefan,

Thanks a lot for your email. I am sorry; after I followed your settings within NPS, I still got the same error as in my last post, which I copied from Event Viewer.

I will spend more time on NPS and see if I can get it done.

Anyway, thanks again!

--Scott.

Scott,

I just found your eventlog on the Cisco site.

It says

Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

In Active Directory, please go into the settings of the user object (the user whose name and password are the MAC address), check whether the settings are set to 'Control access through NPS Network Policy' (see the PDF that I attached to this mail), and make sure that, if you use security groups in your NPS network policy, the permissions for the security group that this user object belongs to are set correctly.

Stefan

From: scottlian

Sent: Tuesday, 11 October 2011 10:54

To: Moser, Stefan (SIDB)

Subject: - Re: 802.1x MAB with Microsoft NPS ieee802Device object group


Hi Stefan,

Thank you very much!!!

I've managed to do it.

---Scott

Hi all,

According to the Cisco MAB design guide, there's a third method to deploy MAB using NPS:

"Another option that avoids the password complexity requirements is to load your MAC addresses as text (TXT) records in a Domain Name System (DNS) zone that is stored inside Active Directory"

Have you tried to make it work? As far as I know, user objects in AD need licenses.

I couldn't find any example for this scenario, how about you? I'm thinking a registry modification needs to take place so that AD sends a DNS query to validate an account not present in its database. Sounds ridiculously insecure but I can't think of anything else off the top of my head.

I had to also set up the MAB accounts with the option "Store password using reversible encryption", otherwise they kept failing to authenticate.  Here's the event log that led me to this:

Authentication Details:
Connection Request Policy Name: 802.1X
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: xxxx.xxxx.xxx
Authentication Type: EAP
EAP Type: MD5-Challenge
Account Session Identifier: 3035303030373738
Logging Results: Accounting information was written to the local log file.
Reason Code: 19
Reason: The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account.
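Two NPS denial events appear in this thread, with reason codes 65 (dial-in permission set to Deny) and 19 (no reversibly encrypted password for CHAP/EAP-MD5). The following Python script is an added example, not code from the thread: it parses the "Key: value" text of an NPS "denied access" event as pasted here, checks that the account NPS looked up is the calling station's MAC address in the form a Cisco switch sends it (so a denial for an 802.1X user is not mistaken for a MAB problem), and maps the two reason codes this thread ran into to the fixes the thread arrived at. The two sample events are excerpts of the logs posted above; the third, with a mismatched account name, is constructed to show the consistency check.

```python
"""Triage an NPS 'denied access' event pasted as text (added example)."""
import re

# Remediation for the two reason codes that appear in this thread; any other
# code is reported together with the event's own Reason text.
KNOWN_REASONS = {
    65: "Dial-in 'Network Access Permission' on the account is Deny: set it to "
        "'Control access through NPS Network Policy' (clear msNPAllowDialin) and "
        "check the permissions of the security group the network policy matches on.",
    19: "EAP-MD5/CHAP needs a reversibly encrypted password: enable 'Store password "
        "using reversible encryption' on the account or its PSO and reset the password, "
        "or use PAP in the network policy, as the MAB setup without EAP-MD5 does.",
}

FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_nps_event(text: str) -> dict:
    """Collect Key: value pairs. The first occurrence of a key wins: 'Account Name'
    and 'Security ID' appear under both User: and Client Machine:, and the User
    block comes first. Lines with no value (section headers) are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields.setdefault(m.group(1), m.group(2))
    return fields


def normalize_mac(mac: str) -> str:
    """12 lowercase hex digits, the User-Name form a Cisco switch uses for MAB."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def triage(text: str) -> dict:
    """Return the parsed essentials plus a list of findings for the administrator."""
    f = parse_nps_event(text)
    account = f.get("Account Name", "")
    try:
        mac = normalize_mac(f.get("Calling Station Identifier", ""))
    except ValueError:
        mac = None  # field missing or '-'
    code = int(f["Reason Code"]) if f.get("Reason Code", "").isdigit() else None
    findings = []
    if mac and account and account.lower() != mac:
        findings.append(f"Account Name {account!r} is not the calling station MAC {mac!r}: "
                        "this is not a MAB lookup for that device (802.1X user, or the "
                        "switch sends the MAC in a different format).")
    if code in KNOWN_REASONS:
        findings.append(KNOWN_REASONS[code])
    elif code is not None:
        findings.append(f"Reason code {code}: {f.get('Reason', 'no reason text')}")
    return {"account": account, "mac": mac, "reason_code": code,
            "auth_type": f.get("Authentication Type"), "eap_type": f.get("EAP Type"),
            "findings": findings}


# Excerpt of the first event posted in this thread (reason code 65)
SAMPLE_REASON_65 = r"""
User:
    Security ID:            QBBB\002622c997ff
    Account Name:            002622c997ff
    Account Domain:            QBBB
Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Called Station Identifier:        3C-DF-1E-C6-48-13
    Calling Station Identifier:        00-26-22-C9-97-FF
Authentication Details:
    Network Policy Name:        Connections to other access servers
    Authentication Type:        PAP
    EAP Type:            -
    Reason Code:            65
    Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user.
"""

# Excerpt of the second event posted in this thread (reason code 19)
SAMPLE_REASON_19 = """
Authentication Details:
Connection Request Policy Name: 802.1X
Network Policy Name: -
Authentication Type: EAP
EAP Type: MD5-Challenge
Reason Code: 19
Reason: The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account.
"""

# Constructed sample: a denial for a named user, not for the device's MAC
SAMPLE_MISMATCH = """
User:
    Account Name:            jdoe
Client Machine:
    Calling Station Identifier:        00-26-22-C9-97-FF
Authentication Details:
    Authentication Type:        PAP
    Reason Code:            65
"""

if __name__ == "__main__":
    for sample in (SAMPLE_REASON_65, SAMPLE_REASON_19, SAMPLE_MISMATCH):
        result = triage(sample)
        print(f"account={result['account']!r} mac={result['mac']!r} "
              f"reason={result['reason_code']} auth={result['auth_type']}/{result['eap_type']}")
        for finding in result["findings"]:
            print("  -", finding)
```

In production the text would come from the 6273-style event body exported from Event Viewer rather than from the constants; the parser only depends on the "Key: value" layout shown in the posts above.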