We have a dual authentication that has worked for us until recently. For our Corporate WLAN we have dual authentication (AD user account and MAC address of the device). We have implemented a RADIUS server that authenticates users against Active Directory. The other authentication is that we are using the MAC of the Wi-Fi card to make sure the device is a corporate asset. The problem we have run into is that the MAC whitelist on our Smart Zone 100 has a limitation of 128 MAC addresses. Support says that to work around the 128 limitation we need to set up a RADIUS server to do the MAC whitelisting. The problem, I have been told, is that we cannot have two RADIUS servers configured for both the AD and MAC authentication. Has anybody else run into this, and if so, what is the solution? If there is another way to do what we are trying to accomplish, let me know as well. -b
You probably need a RADIUS server acting as a RADIUS proxy. On the first server you filter by MAC, and on the second one you do the actual AD lookup. The RADIUS messages should contain the client's MAC in the "Calling-Station-Id" field (the STA's MAC). Not sure if NPS (I guess you're using NPS for AD authentication) allows you to proxy the requests, but FreeRADIUS should allow you to act as a proxy, filtering the known MACs and then letting the 802.1X request through.
If you can tie the device to the user, it's easier, as you can put the MAC (or MACs) under the user's policy. Otherwise, a site-wide whitelist is a bit trickier, and having a proxy server might be easier.
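A sketch of the FreeRADIUS 3.x proxy the first reply describes, with the per-user variant from the second reply folded in. This is an added example, not configuration from either poster, from Ruckus, or from the FreeRADIUS project. The addresses, shared secrets, the realm name `corp.example`, the module instance name `mac_whitelist`, the file `mods-config/files/mac_whitelist` and the MAC addresses are assumed placeholders; the `rewrite_calling_station_id` policy is the stock one shipped in `policy.d/filter`, assumed to be present on your version.

```text
# --- clients.conf: the controller is a NAS of the FreeRADIUS proxy (assumed IP) ---
client smartzone {
    ipaddr = 10.0.0.10
    secret = changeme-matches-the-controller-AAA-entry
}

# --- proxy.conf: NPS is the home server that actually talks to AD (assumed IP) ---
home_server nps_ad {
    type   = auth
    ipaddr = 10.0.0.5
    port   = 1812
    secret = changeme-matches-the-NPS-RADIUS-client-entry
}

home_server_pool nps_pool {
    type        = fail-over
    home_server = nps_ad
}

# Requests that get Proxy-To-Realm := "corp.example" in authorize go here.
# nostrip forwards User-Name unchanged (DOMAIN\user or user@domain) so NPS
# sees exactly what the supplicant sent.
realm corp.example {
    auth_pool = nps_pool
    nostrip
}

# --- mods-available/mac_whitelist: a second rlm_files instance reading
#     only the device list (assumed instance name and path) ---
files mac_whitelist {
    filename = ${modconfdir}/files/mac_whitelist
}

# --- mods-config/files/mac_whitelist: standard users-file syntax, keyed on
#     the normalised Calling-Station-Id. First match wins, last entry rejects.
#     Constructed sample MACs. ---
DEFAULT Calling-Station-Id == "00-11-22-33-44-55", Proxy-To-Realm := "corp.example"
DEFAULT Calling-Station-Id == "00-11-22-33-44-66", Proxy-To-Realm := "corp.example"

# Per-user variant: this account is only accepted from this device.
# Note the match is on the outer User-Name, so it only works if the
# supplicant does not use an anonymous outer identity.
jdoe    Calling-Station-Id == "00-11-22-33-44-77", Proxy-To-Realm := "corp.example"

# Anything else (including requests with no Calling-Station-Id at all) is
# rejected here, before NPS ever sees a credential.
DEFAULT Auth-Type := Reject
        Reply-Message = "Device not in the corporate MAC list"

# --- sites-enabled/default, authorize section of the proxy ---
authorize {
    preprocess

    # Controllers send the MAC as aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff, AA-BB-...
    # depending on vendor; this stock policy rewrites it to AA-BB-CC-DD-EE-FF,
    # the form used in the list above.
    rewrite_calling_station_id

    mac_whitelist

    # Belt and braces: never let a request leave without a proxy decision.
    if (!&control:Proxy-To-Realm) {
        reject
    }
    # No eap module here: the proxy forwards the whole 802.1X/EAP exchange
    # (every Access-Challenge round) to NPS and does not terminate it.
}
```

Before trusting the match, run `radiusd -X`, associate a known device and read the `Calling-Station-Id` the controller really sends; the rewrite policy copes with the common formats, but the value the file compares against must be the normalised one. Two caveats worth keeping in mind: the device check only proves the client knows a corporate MAC, which any laptop can spoof, so the AD credential (or better, a machine certificate via EAP-TLS on NPS) remains the real authentication; and because the proxy rejects unknown MACs before forwarding, NPS never logs those attempts, so the FreeRADIUS log becomes the place to watch for unexpected devices.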