MAC-Based RADIUS 802.1x: How Username/Password is sent by the Workstation?

SOLVED
KayouMT
Here to help


Hi Community.

I just read the nice post below:

https://documentation.meraki.com/MS/Access_Control/Configuring_Microsoft_NPS_for_MAC-Based_RADIUS_-_...

The NPS (RADIUS) configuration is also supposed to work with a CLI-configured switch, as explained at the URL below.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-e/sec-usr-8021x-15-...

About the MAC address 00c0f076aad7: Meraki's article says "the username and password should be the MAC address of the connecting device". My question is: how and when is the username/password typed (or extracted) and sent by the workstation to the NPS (RADIUS) server?

Note: so far, I did a working configuration (CLI-configured switch + NPS) by using Telnet (instead of an Ethernet port).

Adam
Kind of a big deal

Hello @KayouMT, I'm a little confused. If you are using MAC-based authentication, then don't you just have a whitelist of MACs on your NPS server, and when a device authenticates using that MAC it passes? There shouldn't be any username/password unless you are doing user-based authentication?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
MRCUR
Kind of a big deal

@Adam When using Windows NPS for MAC based auth, you actually create AD users for each MAC. The username & password are both set to the MAC address. It's a really odd setup, but it makes sense because NPS uses AD as its auth DB. 

MRCUR | CMNO #12
Adam
Kind of a big deal

@MRCUR That's right, it's all coming back to me now. We did that for printers at one point for one of our sites. Ultimately it was easier to just set port security on the switch ports with a sticky MAC whitelist and a whitelist size limit of 1.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO

Sorry if I did not use the right word ("MAC-Based").

What I'm trying to make work is port-based authentication using the 802.1X standard. That standard needs RADIUS; that feature is provided by NPS. NPS uses the Active Directory database.

It seems I'm very close to the final solution. The small missing part is: how is the user's username/password sent to the NPS (RADIUS) server? That user could be a MAC address or have any other username.

See below a similar example, with switch and NPS:

https://integratingit.wordpress.com/2011/11/06/configuring-role-based-cli-interface-access-2/

What is missing for me (for port-based authentication) is something equivalent to the two last Telnet screenshots.

MRCUR
Kind of a big deal

The example you posted is for switch admin auth with RADIUS, which isn't relevant to MS switches as there is no SSH function available to users.

Are you trying to do MAC based authentication (where you are authorizing the computer's MAC address) or user authentication where you want to use the AD credentials of the user or computer?

MRCUR | CMNO #12

I'm trying to do 802.1X port-based authentication.

That is: the computer is allowed to communicate through a given switch port if a user (from or behind the computer) is authorized by NPS (RADIUS). That user must be known by the AD database.

Uberseehandel
Kind of a big deal

You may find this helpful:

http://technology.pitt.edu/help-desk/how-to-documents/pittnetwireless-configuring-windows-10-wireles...

Many US universities use 802.1X and they all publish instructions as to how to configure client devices.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Thanks for that generous stuff.

@MRCUR. Your second link ("Wired AutoConfig") seems to be exactly what I was looking for. I'll try it and will let you know.

@Uberseehandel. The URL you sent is not working for me. It seems to be talking about "wireless". Even if 802.1X is used for access control to wireless routers (APs), I'm not sure port-based authentication makes sense in the wireless world? The issue I'm facing seems to be a purely "wired" issue.

Here are the University of Pittsburgh wired instructions:

http://technology.pitt.edu/help-desk/how-to-documents/pittnetwired-configuring-windows-10-wired-publ...

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Thanks @Uberseehandel. You sent the right link. It explains on Win10 what @MRCUR's link explains on Win7.

I'll try them both; I will let you know.

BrothersTM
Getting noticed

I have MAC based port authentication using RADIUS working well. I used a few Meraki articles as well as MS TechNet. I have mine working as a wired policy on the RADIUS servers saying: if you're wired and a member of "this" AD group, then you can connect in full. If not, no connection whatsoever. Initially I had all ports open and exported out the bulk of our wired devices while viewing clients filtered by my wired VLAN. I stripped out all but the MACs and then removed colons and made everything lowercase using Excel tools. Then using my AD management software (pitch for Dovestones Active Directory Bulk Users... buy the toolkit... you'll be glad you did!!!) I uploaded via CSV all our clients with the MAC as the username and password. I also filled in some other AD fields just for identification. I add new gear in the same manner. All my wired ports have the MAC based policy applied to them and once a client is a member of the AD group... bam... it connects. I'll try to list the articles below. If you need screenshots of the RADIUS setup, just let me know and I can provide that too.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd...)

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc...)

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc...)

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc...)

https://documentation.meraki.com/MR/Encryption_and_Authentication/Creating_an_NPS_Policy_for_MAC-bas...

https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Access_Policies_on_MS_Switches...

I should add too that I have two NPS proxies (one is for failover) for load balancing RADIUS requests. The proxy sends the requests over to my AD servers with the RADIUS role added at a 34%, 33%, 33% rate. So in theory, each server gets 1 out of every 3 RADIUS requests to process. Seemed like a good idea to try and also plan for future growth. I also just wanted to see if I could do it. Seems to work well.
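The normalize-and-bulk-create step described above (MAC as both username and password, lowercase, separators removed), as an added example in PowerShell with the ActiveDirectory module; this is not BrothersTM's Dovestones tooling. The OU, group, domain suffix and the CSV rows are constructed for the example.

```powershell
# Added example: bulk-create AD accounts for MAC-based RADIUS authentication.
# Assumes the ActiveDirectory module and these hypothetical names:
Import-Module ActiveDirectory
$TargetOU   = 'OU=MAC-Auth,DC=example,DC=local'   # hypothetical OU for device accounts
$AllowGroup = 'Wired-MAC-Allowed'                 # hypothetical group the NPS policy checks
$UpnSuffix  = 'example.local'                     # hypothetical domain suffix

# Constructed sample export, in the shape a switch client list would give you.
$Csv = @'
Description,MAC
Lobby printer,00:C0:F0:76:AA:D7
HVAC controller,00-1a-2b-3c-4d-5e
Bad row,00c0f0
'@ | ConvertFrom-Csv

function ConvertTo-MacUsername {
    param([string]$Mac)
    # Strip ":" "-" "." and lowercase: 12 hex chars, the form the switch sends as username.
    $clean = ($Mac -replace '[:\-\.]', '').ToLowerInvariant()
    if ($clean -notmatch '^[0-9a-f]{12}$') { return $null }   # reject malformed rows
    return $clean
}

foreach ($row in $Csv) {
    $user = ConvertTo-MacUsername $row.MAC
    if (-not $user) { Write-Warning "Skipping '$($row.MAC)': not a valid MAC"; continue }
    if (Get-ADUser -Filter "SamAccountName -eq '$user'") {
        Write-Verbose "$user already exists, skipping"; continue
    }
    # The password equals the username, which is weak by design (see the thread):
    # keep the account non-interactive, never expiring, and scoped to this one group.
    New-ADUser -Name $user -SamAccountName $user -UserPrincipalName "$user@$UpnSuffix" `
        -AccountPassword (ConvertTo-SecureString $user -AsPlainText -Force) `
        -Description "MAC auth: $($row.Description)" -Path $TargetOU `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -AllowReversiblePasswordEncryption $true   # only needed if the switch sends PAP
    Add-ADGroupMember -Identity $AllowGroup -Members $user
}
```

Put the OU behind a deny-interactive-logon policy so these accounts can only ever satisfy the RADIUS policy.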

Why go to so much trouble when MAC addresses are inherently insecure? Even kids can change MAC values. Far better to use certificates.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

It's no trouble at all. It's far better than leaving it wide open, and also, not all devices will support certs. Take for example HVAC monitoring equipment. For the most part, it is pretty tight security for most users and simply prevents most unauthorized access in an education environment. Do you manage an education environment and its users? If not, it's quite different from managing a corporate environment. It's proven to be very effective for this environment.


@BrothersTM wrote:

    Do you manage an education environment and its users? It's proven to be very effective for this environment.

The kids tell me otherwise.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Like I said, it solves most edu issues and is easy to manage. It isn't for everyone, but it works here and works well. Thanks for the comments though.

Thank you for the generous stuff @BrothersTM.

For RADIUS, I will be fine. I played a lot with NPS when I was working on my MCSA 2008 R2.

By the way, I'm not sure AD is aware of MAC addresses. So far, my understanding of AD is that it does authentication by username and/or computer ID. The username/password is manually provided by a user. The computer account (with an automatic password) is automatically generated when the workstation is added to the domain. When the station is added to the domain, it is said that a "trust" relationship is established between the Domain Controller and the workstation; that's a security level which is not based on the MAC address.

My understanding of 802.1X port-based authentication is: basically, it asks RADIUS whether a switch port can be opened (or not), by verifying the credentials of the computer (or of the user using it). That process does not necessarily need to take MAC addresses into account.

In conclusion, MAC-based access control and port-based access control could be two different issues.

One next subject I will need to investigate: how could a workstation not belonging to AD authenticate (port-based) with a RADIUS server (using AD)?

MRCUR
Kind of a big deal

@KayouMT Your understanding of 802.1x is correct here. The confusion in this thread is from your original title - "MAC-Based" - as you are not actually trying to do MAC based auth here.

You could use MAC based auth for non-AD devices however, or use AD user auth (instead of computer auth as you mentioned). We typically implement AD user based auth for WiFi so BYOD can be supported and devices can be joined that are not bound to our domain.

MRCUR | CMNO #12

When using AD user auth with RADIUS for BYOD purposes (which is what I do), you can add further RADIUS attributes and tie those to Meraki Group Policies for advanced functionality (multiple VLANs, firewall rules, bandwidth shaping, etc.) all behind a single SSID. Just make your Filter-Id match the name of a Meraki group policy.

BYOD; that's a nice concept. But I think it only works for "wireless" (by using something called "bootstrap profile") and not for "wired"?

Back to my last issue: port-based authentication of a workstation never joined to a domain. That seems not to be possible, since the workstation has to automatically send a username/password to RADIUS?

Good news! I did some tests. My issue is completely solved. The very good article sent by @MRCUR did help.

https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Wired_Authentication_on_a_Wind...

Some improvements could be added to the article:

  • The good old XP (SP3) does work with what is explained for Win7.
  • The "Authentication" tab will not appear if the "Wired AutoConfig" service is not working correctly.
  • Non-domain-joined workstations can authenticate with RADIUS. You just need to uncheck "Automatically use my Windows logon name and password (and domain if any)".
  • PEAP cannot work if "Validate server certificate" is checked and the Certification Authority is not reachable by the workstation. For PEAP, the NPS server needs to have a certificate; that certificate should be validated by the workstation (as a browser does for HTTPS).

Many thanks to the community! I will probably be back for BYOD, Bootstrap Profile, and other interesting subjects.
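A check for the preconditions listed in the accepted solution, as an added example that is not from the thread or the Meraki article: it confirms the Wired AutoConfig service (dot3svc) is running, then exports the applied wired 802.1X profiles and reads out the PEAP server-validation and Windows-logon-credential settings those bullets refer to. The export folder name is an assumption.

```powershell
# Added example: verify the wired 802.1X client side before looking for the
# "Authentication" tab. Run in an elevated PowerShell on the workstation.

# 1. The Wired AutoConfig service (dot3svc) must run, or the tab never appears.
$svc = Get-Service -Name dot3svc
if ($svc.StartType -ne 'Automatic') { Set-Service -Name dot3svc -StartupType Automatic }
if ($svc.Status -ne 'Running')      { Start-Service -Name dot3svc }
Get-Service -Name dot3svc | Format-Table Name, Status, StartType

# 2. Show which wired NICs have 802.1X enabled and their current auth state.
netsh lan show interfaces

# 3. Export the applied wired profiles and inspect the PEAP settings.
$out = Join-Path $env:TEMP 'lanprofiles'   # hypothetical export folder
New-Item -ItemType Directory -Path $out -Force | Out-Null
netsh lan export profile folder=$out
Get-ChildItem -Path $out -Filter *.xml | ForEach-Object {
    [xml]$p = Get-Content -Raw $_.FullName
    # ServerValidation holds the "Validate server certificate" choice and the
    # trusted root CA; if that CA is not reachable from this host, PEAP fails
    # exactly as the thread describes. UseWinLogonCredentials is the
    # "Automatically use my Windows logon name and password" checkbox, which
    # must be false on a workstation that is not domain-joined.
    $validation = $p.SelectNodes('//*[local-name()="ServerValidation"]') |
                  Select-Object -ExpandProperty InnerXml
    $winLogon   = $p.SelectNodes('//*[local-name()="UseWinLogonCredentials"]') |
                  Select-Object -ExpandProperty InnerText
    [pscustomobject]@{
        Profile             = $_.BaseName
        ServerValidation    = ($validation -join ' ')
        UseWinLogonCreds    = ($winLogon -join ',')
    }
} | Format-List
```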
