05-20-2021 06:56 PM
In Active Directory we have complex password requirements enabled. We want to set up an SSID for our printers using MAC authentication with RADIUS using NPS. We can use the MAC addresses to create the users, but we are unable to set the password to the MAC address as instructed.
How can we use the MAC authentication if we cannot set the user account passwords to the MAC address?
05-21-2021 03:10 AM
I remember doing this a couple of years ago. You have to use user objects and use fine grain password control that you apply to a group which contains all the users (MACs). This allows you to use the same username and password - downside is you then have a bunch of users with the same name and password, so you need to be doubly sure they can’t perform an actual login to a computer.
What about doing it another way? There are a couple of options. What about using a different RADIUS server for that SSID, I’m sure you could find a free one that does what you need. Or, use iPSK (identity PSK), either with the Meraki authentication (if you’ve APs that support it, and not too many devices), or again with a RADIUS server (NPS doesn’t work well here either). Worst case resort to a plain PSK on the SSID.
05-20-2021 10:33 PM
Are you using "normal" user objects for this? Then it cannot work. There is a dedicated object type in Active Directory for MAC addresses: "ieee802Device". This object does not have these password restrictions.
EDIT: Just remembered that in the past there were problems in combination with NPS and this object type, and the solution was to have the MACs added as users with different password requirements for different areas in AD. But I am not sure if this is still the case with current AD versions.
05-21-2021 05:20 AM
Hi Bruce,
Thanks for the tip on the fine-grained password control. That did the trick. I saw a bunch of articles using ADSI Edit and I wanted to pull my hair out, but I found this one which made it a piece of cake:
https://specopssoft.com/blog/create-fine-grained-password-policy-active-directory/
After getting that working I set up some traffic shaping and other rules to ensure these devices (wireless printers and barcode scanners) are locked down tight, and also made sure the user accounts for these MACs were locked down pretty tight so they can just be used to authenticate the RADIUS request.
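The approach from the accepted answer and this follow-up (a fine-grained password policy on a group of MAC-named user accounts, with the accounts themselves restricted so they are only good for the RADIUS request), as an added PowerShell example that is not from the thread. The OU path, group and policy names, the placeholder workstation name and the MAC values are assumptions; adjust the MAC format to exactly what your access point sends in User-Name/User-Password (check an NPS accounting or event log entry).

```powershell
# Added example, not from the thread. Assumed names: OU, group, PSO, sample MACs.
Import-Module ActiveDirectory

$ou      = "OU=MAB Devices,DC=example,DC=local"   # assumed OU; adjust to your domain
$group   = "MAB-Devices"                            # assumed group name
$psoName = "PSO-MAB-Devices"                        # assumed policy name
# Constructed sample MACs in the bare 12-hex-digit form; use your AP's format.
$macs = @("001122aabb01", "001122aabb02")

# 1. Security group that the password-settings object (PSO) will apply to.
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou

# 2. PSO: a lower Precedence wins over the Default Domain Policy for members.
#    Complexity off so the MAC can be the password; MinPasswordLength 12 matches
#    the bare MAC form; lockout stays on so password guessing against these
#    accounts still trips lockout and shows up in the security log.
#    ReversibleEncryptionEnabled must be $true only if the NPS network policy
#    authenticates MAB with PAP (PAP needs the reversibly stored password).
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $false -MinPasswordLength 12 -PasswordHistoryCount 0 `
    -LockoutThreshold 5 -LockoutDuration "0.00:30:00" `
    -LockoutObservationWindow "0.00:30:00" -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# 3. One account per MAC. PasswordNeverExpires overrides the PSO's max age;
#    LogonWorkstations pointing at a host that does not exist blocks the
#    account from interactive logon on domain workstations (assumed placeholder).
foreach ($mac in $macs) {
    $pw = ConvertTo-SecureString $mac -AsPlainText -Force
    New-ADUser -Name $mac -SamAccountName $mac -Path $ou -AccountPassword $pw `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -LogonWorkstations "NO-INTERACTIVE-LOGON"
    Add-ADGroupMember -Identity $group -Members $mac
}

# 4. Verify the PSO is the resultant policy for each account, not the domain default.
foreach ($mac in $macs) {
    Get-ADUserResultantPasswordPolicy -Identity $mac |
        Select-Object Name, Precedence, ComplexityEnabled, MinPasswordLength
}
```

The resultant-policy check in step 4 is the one to run after any PSO change: if it prints the domain default instead of the PSO, the group membership or precedence is wrong and the MAC passwords will be rejected when set.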
05-21-2021 05:31 PM
The last customer that asked me something like this - I said why don't you use WPA2-Enterprise mode on the printer and you won't have to use MAC bypass.
Problem solved.
05-22-2021 01:00 AM
@Philip D'Ath wrote:The last customer that asked me something like this - I said why don't you use WPA2-Enterprise mode on the printer and you won't have to use MAC bypass.
Problem solved.
Do you remember the customers where every user had their own printer on his desk? I still have one of these. The Admins don't want to go around and configure each of them for dot1x. I think MAB will stay for a very long time (at least for the cabled devices).
05-22-2021 01:24 AM
@Karsten Iwen remember you will need a Windows server device CAL for each printer when doing this unless all of your users have a user CAL.
05-22-2021 01:28 AM
Licensing ... I am so happy that I don't have to deal with Windows licenses as that is always done by the customer or other companies. It's enough to have to deal with all the Cisco licensing stuff! But for this specific customer, the MAB devices were managed in ISE.