Wireless Device MAC Authentication using Microsoft NPS

RichardCorn
Just browsing

Has anyone successfully configured Meraki Wireless MAC Address Authentication using Microsoft's NPS server? I am struggling to get it to work, getting failures to connect to the RADIUS server.

If any of you have a config you could share, it would be greatly appreciated.

Regards

Richard

PhilipDAth
Kind of a big deal

It's a bit dangerous with NPS. You have to create a username and password in AD which are both the same as the MAC address. Make sure you don't give these users any special rights (from being a member of Domain Users).

Check out this article:

https://documentation.meraki.com/MS/Access_Control/Configuring_Microsoft_NPS_for_MAC-Based_RADIUS_-_... 

NPS sucks big time. At least it doesn't cost a dime...apart from giving your staff a headache all the time.

Every time a customer has tried implementing it they came to us afterwards and asked us how to do it "the right way"...

So what is the "right way"?

cmr
Kind of a big deal

@AmyLee the right way to do MAC authentication would be to use a solution like FreeRADIUS or Cisco ISE (amongst others) depending on the budget you have, as they all cost something, either in terms of money or time. I'd say that it is better still to use certificates if your devices and infrastructure support it, though for us that is often not the case.

cmr
Kind of a big deal

@CptnCrnch it does cost, each device needs a device CAL unless the user has a user CAL already.  We did start out that way and then realised it was a bit poor in terms of security and a big cost!

CptnCrnch
Kind of a big deal

Great point @cmr! I was just quoting those who’re searching for reasons to use this crap. 😉 
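
The caution earlier in the thread about not giving the MAC-named AD accounts any special rights can be checked with an audit like the one below. This is an added example, not part of any post in this thread; it assumes the RSAT ActiveDirectory module is available and that the MAC accounts are named as 12 hex digits, optionally hyphen-separated.

```powershell
# Added example: audit AD accounts used for MAC-based RADIUS for extra rights.
Import-Module ActiveDirectory

# Assumption: MAC accounts are named as 12 hex digits, optionally
# hyphen-separated (e.g. aabbccddeeff or aa-bb-cc-dd-ee-ff).
# -match is case-insensitive, so upper-case names are caught too.
$macPattern = '^([0-9a-f]{2}-?){5}[0-9a-f]{2}$'

$findings = Get-ADUser -Filter * -Properties MemberOf, AdminCount, PrimaryGroupID |
    Where-Object { $_.SamAccountName -match $macPattern } |
    ForEach-Object {
        $user = $_

        # MemberOf does not list the primary group (normally Domain Users,
        # RID 513), so every entry here is an additional membership.
        $extraGroups = @($user.MemberOf | ForEach-Object {
            (Get-ADGroup -Identity $_).Name
        })

        [pscustomobject]@{
            Account         = $user.SamAccountName
            Enabled         = $user.Enabled
            PrimaryGroupRID = $user.PrimaryGroupID
            ExtraGroups     = $extraGroups -join '; '
            AdminCount      = $user.AdminCount
            # Flag anything beyond plain Domain Users membership.
            NeedsReview     = ($extraGroups.Count -gt 0) -or
                              ($user.PrimaryGroupID -ne 513) -or
                              ($user.AdminCount -eq 1)
        }
    }

# Accounts that need review are listed first.
$findings | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```

Rows with `NeedsReview` set to `True` are MAC accounts that hold more than the default Domain Users membership.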
