802.1x MAB with Microsoft NPS ieee802Device object group

stefan-moser
Level 1

Hi,

according to http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.pdf (MAC Authentication Bypass Deployment Guide as of May 2011), when you use Microsoft NPS, you cannot simply add MAC addresses as Active Directory user objects if your domain has strict password enforcement policies (because passwords are not allowed to match usernames under those circumstances). The guide mentions the use of the 'ieee802Device' class that is built into Windows Server 2003 R2 and above. I have tried to get this working (with no success...), but unfortunately I did not find any guidelines on the web on how to accomplish this. What I did so far was:

- Created a new structural class "myieee802Device", based on the abstract class "ieee802Device"

- Created a new OU "ethers" in AD

- Created a simple object by means of an ldifde.exe import:

dn: CN=001b21******,OU=ethers,DC=dot1x,DC=com
changetype: add
objectClass: myieee802Device
cn: 001b21******
macAddress: 00:1b:21:**:**:**

When I trigger 802.1x authentication at a supplicant, NPS does not find the device (MAC address) in AD.

Has anybody got this running so far?

Stefan

15 Replies

For those who come across this (4+ years old as of this post) thread and are looking for a way to integrate 802.1x MAC Authentication Bypass (MAB) with Windows Server 20xx without implementing fine-grained password policies, I'd like to offer this alternative:

Configuring MAB with LDAP User Device Binding

Full disclosure: I am not the author of this white paper.  I have, however, designed, configured and tested a proof-of-concept implementation using this paper as a guide.  My particular lab solution utilized the following platforms/technologies:

  • Cisco Secure Access Control Server (ACS) 5.5
  • Cisco Identity Services Engine (ISE) 1.3 (alternate)
  • Microsoft Windows Server 2012 R2
    • Active Directory Lightweight Directory Services (AD LDS)
  • VMware ESXi 5.5
  • Cisco Catalyst 3560 switch

Here's a quick summary of the steps I took to get this working:

  1. Created a new standalone LDS instance
  2. Wrote an LDAP Data Interchange Format (LDIF) file to add the (ieee802)Device class & prerequisite sub-classes & attributes (e.g. macAddress) to the LDS schema
  3. Configured the LDS LDAP directory hierarchy following the example in the white paper
  4. Manually added test devices & groups to LDS database
  5. Configured ACS (and later ISE) according to the white paper
  6. Configured the switch for 802.1x/MAB authentication
  7. Tested MAB authentication with a sample endpoint
  8. Created a Comma-Separated Values (CSV) spreadsheet with more sample devices
  9. Wrote a Perl script to parse the spreadsheet data into a new LDIF file
  10. Imported the resulting LDIF file output into the LDS database

The second and ninth steps were by far the most difficult to accomplish; it took me quite a few iterations and no small amount of trial-and-error to alter the schema properly and get the script working.  But in the end, I was successful.

If this is useful to anyone or if there are any questions/comments, please let me know.  I will try to reply as soon as humanly possible.

Disclaimer: This information is offered as-is with no warranty of any kind, stated or implied.  I and/or Cisco accept no responsibility or liability for data loss, monetary loss or downtime caused by following the recommendations or suggestions in this post.  All products, logos, trademarks mentioned are the property of their respective owners.
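The CSV-to-LDIF conversion of step 9, written here in Python as an added example; it is neither the poster's Perl script nor code from the white paper. It follows the entry layout shown in the first post (cn is the bare MAC, macAddress is colon-separated), takes the structural class name and base DN as parameters because both depend on your own schema (the values below are assumed), and goes a little beyond the post by normalizing the MAC notations that typically appear in spreadsheets, dropping duplicates and reporting malformed rows instead of emitting them.

```python
import csv
import io
import re

# Assumed values: the base DN mirrors the first post's example, the class name
# must match whatever structural class you created in your schema.
BASE_DN = "OU=ethers,DC=dot1x,DC=com"
OBJECT_CLASS = "myieee802Device"

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return 12 lowercase hex chars for aa:bb:cc:dd:ee:ff, aa-bb-..., or
    aabb.ccdd.eeff notation; None if the value is not a valid MAC."""
    digits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    return digits if _HEX12.match(digits) else None


def mac_to_ldif_entry(mac, base_dn=BASE_DN, object_class=OBJECT_CLASS):
    """Build one ldifde-style 'add' record for an already normalized MAC."""
    colon = ":".join(mac[i:i + 2] for i in range(0, 12, 2))
    return (
        f"dn: CN={mac},{base_dn}\n"
        "changetype: add\n"
        f"objectClass: {object_class}\n"
        f"cn: {mac}\n"
        f"macAddress: {colon}\n"
    )


def csv_to_ldif(csv_text, base_dn=BASE_DN, object_class=OBJECT_CLASS):
    """Convert CSV text with a 'mac' column into LDIF. Returns (ldif, rejected)
    where rejected lists the raw values that were not valid MAC addresses."""
    seen, entries, rejected = set(), [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row.get("mac") or ""
        mac = normalize_mac(raw)
        if mac is None:
            rejected.append(raw)
        elif mac not in seen:          # same device in two notations: keep one
            seen.add(mac)
            entries.append(mac_to_ldif_entry(mac, base_dn, object_class))
    return "\n".join(entries), rejected


# Constructed sample input: three notations of two devices plus one bad row.
SAMPLE_CSV = """mac,description
00:1B:21:AA:BB:CC,printer floor 1
001b.21aa.bbcc,same printer in Cisco notation
00-1B-21-11-22-33,ip phone
zz:zz:zz:00:00:00,typo
"""
```

Run `ldif, bad = csv_to_ldif(SAMPLE_CSV)` and write `ldif` to a file for ldifde.exe; `bad` holds the rows to fix by hand before re-running.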