Wlan and dual authentication problem using AD and MAC on SZ100

  • 1
  • Question
  • Updated 1 week ago
  • (Edited)
We have a dual authentication that has worked for us until recently.
For our Corporate WLAN we have dual authentication (AD user account and MAC address of the device).  We have implement RADIUS server that authenticate users against active directory.  The other authentication is we are using the MAC of the wifi card to make sure the device is a corporate asset.
The problem we have run into is that the MAC white list on our Smart Zone 100 has a limitation of 128 Mac addresses.
Support says to work around the 128 limitation, we need to set up RADIUS server to do the MAC white listing.
The problem I have been told is we cannot have two RADIUS servers configured for both the AD and MAC authentication.
Has anybody else run into this and if so, what is the solution?  If there is another way to do what we are trying to accomplish let me know as well.
-b
Photo of brian koomen

brian koomen

  • 12 Posts
  • 0 Reply Likes

Posted 1 week ago

  • 1
Photo of Diego Garcia del Rio

Diego Garcia del Rio

  • 80 Posts
  • 31 Reply Likes
you probably need a radius server acting as radius proxy. On the first server you filter by mac and on the second one you do the actual AD lookup. The radius messages should contain the clients MAC in the "calling-station-id" field (the STA's MAC). Not sure if NPS (I guess you're using NPS for  AD authentication) allows you to proxy the requests, but freeradius should allow you to act as a proxy, filtering the known MACs and then letting the 802.1x request through.

see here for one such example
https://blogs.technet.microsoft.com/nap/2006/09/08/enhance-your-802-1x-deployment-security-with-mac-filtering/

if you can tie the device to the user, its easier as you can put the MAC (or MACs) under the user's policy. Otherwise, a site-wide whitelist is a bit trickier and having a proxy server might be easier.


Photo of Diego Garcia del Rio

Diego Garcia del Rio

  • 80 Posts
  • 31 Reply Likes
You can also configure NPS as a proxy.. never done it but take a look here:

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-plan-proxy

in this case, the first proxy would do MAC authentication based on calling-station-id ..(not sure if possible on NPS) and then continue to the next server for 802.1x