Showing results for 
Search instead for 
Did you mean: 

Wlan and dual authentication problem using AD and MAC on SZ100

New Contributor III
We have a dual authentication that has worked for us until recently.
For our Corporate WLAN we have dual authentication (AD user account and MAC address of the device).  We have implement RADIUS server that authenticate users against active directory.  The other authentication is we are using the MAC of the wifi card to make sure the device is a corporate asset.
The problem we have run into is that the MAC white list on our Smart Zone 100 has a limitation of 128 Mac addresses.
Support says to work around the 128 limitation, we need to set up RADIUS server to do the MAC white listing.
The problem I have been told is we cannot have two RADIUS servers configured for both the AD and MAC authentication.
Has anybody else run into this and if so, what is the solution?  If there is another way to do what we are trying to accomplish let me know as well.

Contributor III
you probably need a radius server acting as radius proxy. On the first server you filter by mac and on the second one you do the actual AD lookup. The radius messages should contain the clients MAC in the "calling-station-id" field (the STA's MAC). Not sure if NPS (I guess you're using NPS for  AD authentication) allows you to proxy the requests, but freeradius should allow you to act as a proxy, filtering the known MACs and then letting the 802.1x request through.

see here for one such example

if you can tie the device to the user, its easier as you can put the MAC (or MACs) under the user's policy. Otherwise, a site-wide whitelist is a bit trickier and having a proxy server might be easier.

You can also configure NPS as a proxy.. never done it but take a look here:

in this case, the first proxy would do MAC authentication based on calling-station-id ..(not sure if possible on NPS) and then continue to the next server for 802.1x