Bjoern Wolfgardt
Hi,
I found this in IAS Technical Reference:
MAC address authorization
Media Access Control (MAC) address authorization functions in the same way
as ANI authorization, but it is used for wireless clients and clients
connecting to your network by using an 802.1X authenticating switch.
MAC address authorization is based on the MAC address of the network adapter
installed in the user's client computer. Like ANI authorization, MAC address
authorization uses the Calling-Station-ID attribute instead of user name and
password or certificate-based credentials to identify the user during the
connection attempt.
MAC address authorization is performed when the user does not type in any
user name or password, and refuses to use any valid authentication method.
In this case, IAS receives Calling-Station-ID, and no user name and
password. To support MAC address authorization, the Active Directory must
have user accounts with MAC addresses as user names.
MAC address authorization is enabled when you do the following:
1. Enable MAC address authorization on access servers (such as wireless
APs).
2. Enable unauthenticated access on the appropriate remote access policy for
MAC address-based authentication, and enable PAP.
3. Create a user account for each MAC address for which you want to provide
MAC address authorization. The name of the user account must match the MAC
address of the network adapter installed in the computer that the user is
connecting from. The user account password must be set to the RADIUS shared
secret used between the RADIUS client (such as an AP) and the IAS server.
4. Set the User Identity Attribute registry value to 31 on the
authenticating server.
To always use the MAC address as the user identity, set the Override
User-Name registry value to 1 on the IAS server.
Now I have a problem. I enabled unauthenticated access on the connection
policy (step 2, where PAP is). I created a user account (step 3) and checked
'grant access' (translated from german) on the RAS page of the user. The
notebook is able to access the WLAN Access Point. If I now deny the access
for the user, the notebook is still able to communicate (I reset the AP).
Maybe this is because I enabled unauthenticated access (step 2). If I don't
enable unauthenticated access I get a warning in the event log (user
domain\0022002200 access denied because of wrong username or password). I
checked username/password. I also added a RAS policy where I ask for a group
(mymobile group where the mac account is a member) and enabled PAP on the RAS
policy.
I enabled unauthenticated access on the connection policy, not on the RAS policy.
Maybe there is the problem. I don't know where to enable the unauthenticated
access on the RAS policy.
I do this on Windows 2003 with cisco AP 350.
Maybe someone can point me where I am wrong.
cu
Bjoern
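To make the four quoted steps concrete, here is an added example (not code from the original post, from IAS or from the Cisco AP) that models the RADIUS exchange behind MAC address authorization over PAP as RFC 2865 defines it: the AP sends an Access-Request carrying Calling-Station-Id (attribute 31), the server takes that attribute as the user identity (User Identity Attribute = 31, Override User-Name = 1, step 4), looks up an account named after the MAC (step 3) and checks its password, which step 3 says must equal the RADIUS shared secret. The account store, the MAC normalisation, the shared secret and the sample requests are constructed for the example; the rule that a request with no User-Password is checked against the shared secret when unauthenticated access (step 2) is on is an assumption drawn from the quoted text, not a statement about what IAS does internally.

```python
"""Model of IAS-style MAC address authorization over RADIUS/PAP (RFC 2865).
Added example; the account store, MAC normalisation and packets are constructed."""
import hashlib
import secrets
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CALLING_STATION_ID = 31


def attr(attr_type, value):
    """One RADIUS attribute TLV: type, length (header bytes included), value."""
    return bytes([attr_type, 2 + len(value)]) + value


def _pap_blocks(data, secret, authenticator, hiding):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if hiding else block
    return out


def pap_hide(password, secret, authenticator):
    """Client side: pad to a multiple of 16 bytes, then hide."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _pap_blocks(padded, secret, authenticator, hiding=True)


def pap_reveal(hidden, secret, authenticator):
    """Server side: undo the hiding and strip the NUL padding."""
    return _pap_blocks(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def build_access_request(identifier, authenticator, attributes):
    body = b"".join(attributes)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_packet(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs.setdefault(attr_type, packet[pos + 2:pos + attr_len])  # first occurrence wins
        pos += attr_len
    return code, identifier, authenticator, attrs


def normalise_mac(raw):
    """Assumption: accounts are named in bare lower-case hex, so '00-11-22-AA-BB-CC',
    '0011.22aa.bbcc' and '001122aabbcc' map to one name. APs differ here; the event
    log shows the exact name the server looked up."""
    return raw.decode("ascii", "replace").lower().translate(str.maketrans("", "", ":-."))


def authorize(packet, shared_secret, accounts, unauthenticated_access,
              user_identity_attribute=ATTR_CALLING_STATION_ID, override_user_name=True):
    """Return (decision, reason). unauthenticated_access mirrors step 2,
    user_identity_attribute and override_user_name mirror step 4."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        return "Access-Reject", "not an Access-Request"
    if override_user_name or ATTR_USER_NAME not in attrs:
        identity_raw = attrs.get(user_identity_attribute)
    else:
        identity_raw = attrs[ATTR_USER_NAME]
    if identity_raw is None:
        return "Access-Reject", "no identity attribute in request"
    identity = normalise_mac(identity_raw)
    account = accounts.get(identity)
    if account is None:
        return "Access-Reject", "no account named %s" % identity
    if ATTR_USER_PASSWORD in attrs:
        password = pap_reveal(attrs[ATTR_USER_PASSWORD], shared_secret, authenticator)
    elif unauthenticated_access:
        # Assumption from step 3: with no User-Password, the shared secret is tried,
        # which is why the account password must be set to it.
        password = shared_secret
    else:
        return "Access-Reject", "wrong username or password (no credentials sent)"
    if not secrets.compare_digest(password, account["password"]):
        return "Access-Reject", "wrong username or password"
    if not account["dial_in_allowed"]:
        return "Access-Reject", "dial-in permission denied for %s" % identity
    return "Access-Accept", identity


SHARED_SECRET = b"ap-shared-secret"  # constructed
ACCOUNTS = {                          # constructed stand-in for the step-3 accounts
    "001122aabbcc": {"password": SHARED_SECRET, "dial_in_allowed": True},
    "00ff00ff00ff": {"password": SHARED_SECRET, "dial_in_allowed": False},
}


def ap_request(mac, with_pap_password=True, secret=SHARED_SECRET):
    """Constructed AP request: Calling-Station-Id always; a PAP User-Password only
    if the AP sends one (the quoted text describes a request with none)."""
    authenticator = secrets.token_bytes(16)
    attributes = [attr(ATTR_CALLING_STATION_ID, mac.encode())]
    if with_pap_password:
        attributes.append(attr(ATTR_USER_PASSWORD, pap_hide(secret, secret, authenticator)))
    return build_access_request(7, authenticator, attributes)


if __name__ == "__main__":
    for mac, pap, unauth in [("00-11-22-AA-BB-CC", True, False), ("00-11-22-AA-BB-CC", False, False),
                             ("00-11-22-AA-BB-CC", False, True), ("00-ff-00-ff-00-ff", True, True),
                             ("de-ad-be-ef-00-01", True, True)]:
        print(mac, "pap" if pap else "no pap", "unauth on" if unauth else "unauth off",
              "->", authorize(ap_request(mac, pap), SHARED_SECRET, ACCOUNTS, unauth))
```

Two things worth keeping in mind when reading the model. The decision is made per Access-Request only; whether an AP drops a client it has already admitted when the account is later denied is the AP's behaviour, not the RADIUS server's. And the identity is nothing more than a MAC address the client asserts, while the shared secret now also lives in Active Directory as an account password, so the scheme authorizes a hardware address, it does not authenticate a user.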