Wireless MAC authentication with AD Complex password requirements

Solved
JordanCNolan
Here to help

Wireless MAC authentication with AD Complex password requirements

In Active Directory we have Complex Password requirements enabled.  We want to setup an SSID for our Printers use MAC authentication with Radius using NPS.  We can use the MAC addresses to create the users, but we are unable to set the Password to the MAC and instructed.

 

How can we use the MAC authentication if we cannot set the user account passwords to the MAC address?

1 Accepted Solution
Bruce
Kind of a big deal

I remember  doing this a couple of years ago. You have to use user objects and use fine grain password control that you apply to a group which contains all the users (MACs). This allows you to use the same username and password - downside is you then have a bunch of users with the same name and password, so you need to be doubly sure they can’t perform an actual login to a computer.

 

What about doing it another way? There are a couple of options. What about using a different RADIUS server for that SSID, I’m sure you could find a free one that does what you need. Or, use iPSK (identity PSK), either with the Meraki authentication (if you’ve APs that support it, and not too many devices), or again with a RADIUS server (NPS doesn’t work well here either). Worst case resort to a plain PSK on the SSID.

View solution in original post

7 Replies 7
KarstenI
Kind of a big deal
Kind of a big deal

Are you using "normal" user objects for this? Then it can not work. There is a dedicated object type in Active Directory for MAC addresses: "ieee802Device". This object does not have these password restrictions.

EDIT: Just remembered that in the past there were problems in combination with NPS and this object-type and the solution was to have the MACs added as users with different password-requirements for different areas in AD. But I am not sure if this is still the case with actual AD-versions. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Bruce
Kind of a big deal

I remember  doing this a couple of years ago. You have to use user objects and use fine grain password control that you apply to a group which contains all the users (MACs). This allows you to use the same username and password - downside is you then have a bunch of users with the same name and password, so you need to be doubly sure they can’t perform an actual login to a computer.

 

What about doing it another way? There are a couple of options. What about using a different RADIUS server for that SSID, I’m sure you could find a free one that does what you need. Or, use iPSK (identity PSK), either with the Meraki authentication (if you’ve APs that support it, and not too many devices), or again with a RADIUS server (NPS doesn’t work well here either). Worst case resort to a plain PSK on the SSID.

JordanCNolan
Here to help

Hi Bruce,

Thanks for the tip on the Fine Grain Password control.  That did the trick. I saw a bunch articles using ADSI Edit and I wanted to pull my hair out, but I found this one which made it a piece of cake:

 

https://specopssoft.com/blog/create-fine-grained-password-policy-active-directory/

 

After getting that working I setup some traffic shaping and other rules to ensure these devices (wireless printers and barcode scanners) are locked down tight and also made sure the user accounts for these MACs were locked down pretty tight so they can just be used to authenticate the RADIUS request.

PhilipDAth
Kind of a big deal
Kind of a big deal

The last customer that asked me something like this - I said why don't you use WPA2-Enterprise mode on the printer and you won't have to use MAC bypass.

 

Problem solved.

KarstenI
Kind of a big deal
Kind of a big deal


@PhilipDAth wrote:

The last customer that asked me something like this - I said why don't you use WPA2-Enterprise mode on the printer and you won't have to use MAC bypass.

 

Problem solved.


Do you remember the customers where every user had their own printer on his desk? I still have one of these. The Admins don't want to go around and configure each of them for dot1x. I think MAB will stay for a very long time (at least for the cabled devices).

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
cmr
Kind of a big deal
Kind of a big deal

@KarstenI remember you will need a Windows server device CAL for each printer when doing this unless all of your users have a user CAL.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
KarstenI
Kind of a big deal
Kind of a big deal

Licensing ... I am so happy that I don't have to deal with Windows licenses as that is always done by the customer or other companies. It's enough to have to deal with all the Cisco licensing stuff! But for this specific customer, the MAB devices were managed in ISE.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels