@Adam When using Windows NPS for MAC based auth, you actually create AD users for each MAC. The username & password are both set to the MAC address. It's a really odd setup, but it makes sense because NPS uses AD as its auth DB. 

@MRCUR That's right, it's all coming back to me now.  We did that for printers at one point for one of our sites.  Ultimately it was easier to just set port security on the switch ports with stick mac whitelist and whitelist size limit of 1.  

Sorry, if I did not use the good word ("MAC-Based").

What I'm trying to make work is Port-Based authentication by 802.1x authentication standard. that authentication standard need RADIUS feature ; that feature is provided by NPS feature. NPS is using Active Directory database.

It seems I'm very closed to the final solution. The small missing part is how user username/password is sent to the NPS (RADIUS) server ? That user could be a MAC address or have any other username.

See below, similar example, with Switch and NPS,

https://integratingit.wordpress.com/2011/11/06/configuring-role-based-cli-interface-access-2/

Missing for me (for Port-Based authentication) is something equivalent to the two last Telnet printScreens.

The example you posted is for switch admin auth with RADIUS, which isn't relevant to MS switches as there is no SSH function available to users. 

Are you trying to do MAC based authentication (where you are authorizing the computer's MAC address) or user authentication where you want to use the AD credentials of the user or computer? 

I'm trying to do 802.1x Port-Based authentication.

That is. The computer is allowed to communicate by a given switch port, if a user (from or behind the computer) is authorized by NPS (RADIUS). That user must be known by the AD database.

This should be the guide you're looking for: https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Access_Policies_on_MS_Switches...

This may also help for the user side config: https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Wired_Authentication_on_a_Wind...

You may find this helpful - 

http://technology.pitt.edu/help-desk/how-to-documents/pittnetwireless-configuring-windows-10-wireles...

Many US universities use 802.1X and they all publish instructions as to to how to configure client devices.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Thanks for that generous stuff.

@MRCUR. Your second link ("Wired AutoConfig") seems to be what exactly I was looking for. I'll try it and will let you know.

@Uberseehandel. The URL you sent is not working for me. It seems to be talking about "wireless". Even 802.1x is used for the access control to wireless routers (APs), I'm not sure port-based authentication does make sense in the wireless world ? the issue I'm facing seems tu be a purely "wired" issue.

Here are the University of Pittsburgh wired instructions

http://technology.pitt.edu/help-desk/how-to-documents/pittnetwired-configuring-windows-10-wired-publ...

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Thanks @Uberseehandel. You sent the good link. It explains on Win10 what @MRCUR's link is explaining on Win7.

I'll try them, two ; I will let you know.

I should add too that I have two NPS proxies (one is for failover) for load balancing RADIUS requests.  The proxy sends over the requests to my AD servers with the RADIUS role added at a 34%, 33%, 33% rate.  So in theory, each server gets 1 out of every 3 RADIUS requests to process.  Seemed like a good idea to try and also plan for future growth.  I also just wanted to see if I could do it.  Seems to work well.

Why go to so much trouble when MAC addresses are inherently insecure? Even kids can change MAC values. Far better to use certificates.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

It's no trouble at all.  It's far better than left wide open and then also, not all devices will support certs.  Take for example HVAC monitoring equipment.  For the most part, it is pretty tight security for most users and simply prevents most unauthorized access in an education environment.  Do you manage an education environment and its users?  If not, it's quite different than managing a corporate environment.  It's proven to be very effective for this environment.

---

@BrothersTMwrote:

 Do you manage an education environment and its users?  It's proven to be very effective for this environment.

---

The kids tell me otherwise.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Like I said, it solves most edu issues and is easy to manage.  It isn't for everyone, but it works here and works well.  Thanks for the comments though.

Thank you for the generous stuff @BrothersTM.

For RADIUS, I will be correct. I played a lot with NPS, when I was working on my MCSA 2008R2.

By the way ; I'm not sure AD is aware of MAC addresses. So far ; my understanding of AD is, it does authentication by username and/or computer ID. The username/password is manually provided by a user. The computer account (with automatic password) is automatically generated when the Workstation is added to the domain. When the station is added to the domain, it is said that a "trust" relationship is established between the Domain Controller and the Workstation ; that's a security level, which is not based on MAC address.

My understanding of 802.1x Port-based authentication is ; basically, it asks to RADIUS if a switch port can be opened (or not), by verifying of the credentials of the computer (or the user using it). That process does not necessarily need to take into account of MAC-Adresses.

In conclusion. MAC-Based Access Control and Port-Based Access Control could be two different issues.

One next subject I will need to investigate. How a workstation not belonging to AD could authenticate (Port-Based) with a RADIUS server (using AD) ?

@KayouMT Your understanding of 802.1x is correct here. The confusion in this thread is from your original title - "MAC-Based" - as you are not actually trying to do MAC based auth here. 

You could use MAC based auth for non-AD devices however, or use AD user auth (instead of computer auth as you mentioned). We typically implement AD user based auth for WiFi so BYOD can be supported and devices can be joined that are not bound to our domain. 

When using the AD user auth with RADIUS for BYOD purposes (which is what I do), you can add further RADIUS attributes and tie those to Meraki Group Polices for advanced functionality (multiple vlans, firewall rules, bandwidth shaping, etc.) all behind a single SSID.  Just make your filter-id match the name of a Meraki group policy.

BYOD ; that's a nice concept. But ; I think it does work only for "Wireless" (by using something called "bootstrap profile") and not for "wired"  ?

Back to my last issue : port-based authentication of a workstation never joined to a domain. That seems not be possible, since workstation has to automatically send username/password to RADIUS ?