MS Switches - MAC Auth Bypass - Azure AD

PrestonL
Conversationalist

MS Switches - MAC Auth Bypass - Azure AD

I am following the guide for configuring Mac Auth Bypass found here:https://documentation.meraki.com/MS/Access_Control/Configuring_Microsoft_NPS_for_MAC-Based_RADIUS_-_...

Problem is that I do not have on-prem Active Directory and I am unable to create a user account in Azure AD following these instructions.

I cannot create an account for the print device using its MAC Address for both its user name and password because of the built-in password policy in Azure AD. It will not allow me to use the MAC Address because it does not meet the complexity requirements.

 

Anyone else experience this? Any work arounds?

4 Replies 4
PrestonL
Conversationalist

As of today, Meraki support could not provide me with a solution to this scenario. I think I may have figured out a way to make this work in Azure AD.

 

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/password-policy

 

I will share my findings when completed.

AmyReyes
Community Manager
Community Manager

Hi @PrestonL, welcome to the Meraki Community! Thank you for taking the time to follow up with a potential workaround to your problem and for offering to share the solution with us as well! I'm sure that answer will be helpful to others in the future. Look forward to seeing you around the forums 😊

PrestonL
Conversationalist

Thanks @AmyReyes 

PrestonL
Conversationalist

The only potential solution I have found thus far is to have a local Domain Controller and sync it with your Azure AD as Azure AD will follow the password policies of your local domain controller.

 

On the local DC:

  • Create a new password policy to meet your complexity requirements (or should I say lack thereof) 
  • Configure the new password policy with a precedence lower (< 200) than the precedence of the default Azure AD Password policy (= 200) so it takes priority.
  • Assign the new password policy to the Security group where the MAC Auth Bypass user accounts will reside.
  • Place your IoT user accounts in this Security group and change their passwords accordingly.

 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels