06-10-2011 05:14 AM - edited 03-09-2019 11:33 PM
Hi,
according to http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.pdf (MAC Authentication Bypass Deployment Guide as of May 2011), when you use Microsoft NPS, you cannot simply add MAC addresses as Active Directory user objects if your domain has strict password enforcement policies (because passwords are not allowed to match usernames under those circumstances). The guide mentions the use of the 'ieee802Device' class that is built into Windows Server 2003 R2 and above. I have tried to get this working (with no success...), but unfortunately I did not find any guidelines on the web on how to accomplish this. What I did so far was:
- Created a new structural class "myieee802Device", based on the abstract class "ieee802Device"
- Created a new OU "ethers" in AD
- Created a simple object by means of an ldifde.exe import
dn: CN=001b21******,OU=ethers,DC=dot1x,DC=com
changetype: add
objectClass: myieee802Device
cn: 001b21******
macAddress: 00:1b:21:**:**:**
When I trigger 802.1x authentication at a supplicant, NPS does not find the device (MAC-Address) in AD.
Has anybody got this running so far?
Stefan
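A small helper, added here as an example and not part of Stefan's post, that generates ldifde import records in the same layout as the one above for a list of MACs in mixed notations (colon, hyphen, Cisco dotted, bare hex). It assumes the structural class and OU names from the post and that the NAS sends the MAB User-Name as twelve bare hex digits (the form the post uses for cn); the sample MACs are constructed.

```python
import re

# Constructed sample MACs in the notations one commonly meets (the post's
# own addresses were masked with asterisks).
SAMPLE_MACS = ["00:1b:21:aa:bb:cc", "00-1B-21-AA-BB-CD", "001b.21aa.bbce", "001B21AABBCF"]

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lower-case hex digits with no separators.

    Accepts colon, hyphen and Cisco dotted notation and rejects anything
    that is not exactly 48 bits of hex, so a typo never becomes an AD object.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return digits


def colon_mac(digits: str) -> str:
    """Format 12 hex digits as aa:bb:cc:dd:ee:ff for the macAddress attribute."""
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ldif_entry(mac: str, ou_dn: str, object_class: str = "myieee802Device") -> str:
    """One ldifde 'add' record laid out like the one in the post: cn holds the
    bare hex form (the MAB User-Name a Cisco switch sends), macAddress the
    colon-separated form. Class and OU names are the post's (assumed here)."""
    digits = normalize_mac(mac)
    return "\n".join([
        f"dn: CN={digits},{ou_dn}",
        "changetype: add",
        f"objectClass: {object_class}",
        f"cn: {digits}",
        f"macAddress: {colon_mac(digits)}",
    ])


def ldif_for_macs(macs, ou_dn: str = "OU=ethers,DC=dot1x,DC=com") -> str:
    """Join records with a blank line, as ldifde expects; duplicates collapse."""
    seen = set()
    records = []
    for mac in macs:
        digits = normalize_mac(mac)
        if digits not in seen:
            seen.add(digits)
            records.append(ldif_entry(digits, ou_dn))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(ldif_for_macs(SAMPLE_MACS))
```

Write the output to a file and import it with `ldifde -i -f file.ldf`.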
02-17-2015 09:42 PM
For those who come across this (4+ years old as of this post) thread and are looking for a way to integrate 802.1x MAC Authentication Bypass (MAB) with Windows Server 20xx without implementing fine-grained password policies, I'd like to offer this alternative:
Full disclosure: I am not the author of this white paper. I have, however, designed, configured and tested a proof-of-concept implementation using this paper as a guide. My particular lab solution utilized the following platforms/technologies:
Here's a quick summary of the steps I took to get this working:
The second and ninth steps were by far the most difficult to accomplish; it took me quite a few iterations and no small amount of trial-and-error to alter the schema properly and get the script working. But in the end, I was successful.
If this is useful to anyone or if there are any questions/comments, please let me know. I will try to reply as soon as humanly possible.