Wlan and dual authentication problem using AD and MAC on SZ100

brian_koomen
New Contributor III
We have a dual authentication that has worked for us until recently.
For our corporate WLAN we have dual authentication (AD user account and MAC address of the device). We have implemented a RADIUS server that authenticates users against Active Directory. For the other authentication we are using the MAC of the Wi-Fi card to make sure the device is a corporate asset.
The problem we have run into is that the MAC whitelist on our SmartZone 100 has a limitation of 128 MAC addresses.
Support says that to work around the 128 limitation, we need to set up a RADIUS server to do the MAC whitelisting.
The problem, I have been told, is that we cannot have two RADIUS servers configured for both the AD and MAC authentication.
Has anybody else run into this and if so, what is the solution?  If there is another way to do what we are trying to accomplish let me know as well.
-b

diego_garcia_de
Contributor III
You probably need a RADIUS server acting as a RADIUS proxy. On the first server you filter by MAC and on the second one you do the actual AD lookup. The RADIUS messages should contain the client's MAC in the "Calling-Station-Id" field (the STA's MAC). Not sure if NPS (I guess you're using NPS for AD authentication) allows you to proxy the requests, but FreeRADIUS should allow you to act as a proxy, filtering the known MACs and then letting the 802.1X request through.

see here for one such example
https://blogs.technet.microsoft.com/nap/2006/09/08/enhance-your-802-1x-deployment-security-with-mac-...

If you can tie the device to the user, it's easier, as you can put the MAC (or MACs) under the user's policy. Otherwise, a site-wide whitelist is a bit trickier and having a proxy server might be easier.


You can also configure NPS as a proxy. I've never done it, but take a look here:

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-plan-proxy

In this case, the first proxy would do MAC authentication based on Calling-Station-Id (not sure if that is possible on NPS) and then continue to the next server for 802.1X.
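The decision the first-hop proxy has to make, as an added worked example (not code from this thread, from FreeRADIUS or from NPS): take the User-Name and Calling-Station-Id from an Access-Request, normalise the MAC, check it against either a per-user binding or a site-wide asset list, and either forward the request to the 802.1X/AD realm or reject it. Two practical points it covers: different NAS vendors write Calling-Station-Id in different shapes (`00-11-22-33-44-55`, `00:11:22:33:44:55`, `0011.2233.4455`, with either case), so a naive string compare against a list silently fails for some clients; and a request with no parseable MAC must be rejected, never forwarded. The realm name, the list file format, the user bindings and the sample requests are all assumptions constructed for the example. Note that a MAC check only confirms the device looks like a known asset; the MAC is trivially spoofable, so the AD credential check behind the proxy is still the actual authentication.

```python
"""
Decision logic for a RADIUS proxy that gates 802.1X requests on the client
MAC carried in Calling-Station-Id (RADIUS attribute 31) before forwarding
them to the AD-backed server (e.g. NPS).

Illustration only: the attribute names are the standard RADIUS ones, but the
realm name, list format, bindings and requests below are assumptions.
"""
import re

# Realm the proxy forwards accepted requests to (assumed name; in FreeRADIUS
# this is what you would put in Proxy-To-Realm).
PROXY_REALM = "corp-dot1x"

# NAS vendors format Calling-Station-Id differently; accept the common shapes.
_MAC_FORMATS = (
    re.compile(r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]"
               r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$", re.I),  # aa-bb-cc-dd-ee-ff, aa:bb:...
    re.compile(r"^([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})$", re.I),      # aabb.ccdd.eeff
    re.compile(r"^([0-9a-f]{12})$", re.I),                                  # aabbccddeeff
)


def normalize_mac(value):
    """Canonicalise a MAC to 12 lower-case hex digits; None if unrecognised."""
    if not value:
        return None
    for pattern in _MAC_FORMATS:
        m = pattern.match(value.strip())
        if m:
            return "".join(m.groups()).lower()
    return None


def load_mac_list(text):
    """Parse a one-MAC-per-line asset list ('#' starts a comment).

    Returns (set of canonical MACs, list of (lineno, text) for bad lines) so a
    typo in the list is surfaced instead of silently dropping an asset.
    """
    macs, bad = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mac = normalize_mac(line)
        if mac is None:
            bad.append((lineno, raw))
        else:
            macs.add(mac)
    return macs, bad


def mac_policy(request, site_list, user_bindings):
    """Decide what the first-hop server does with one Access-Request.

    request:       dict of RADIUS attributes (User-Name, Calling-Station-Id).
    site_list:     set of canonical MACs on the site-wide corporate asset list.
    user_bindings: {user_name: set of canonical MACs} for devices tied to a user.

    Returns ("proxy", realm) or ("reject", reason). A user with bindings is
    limited to exactly those devices; other users fall back to the site list.
    Anything without a parseable MAC is rejected (fail closed), never proxied.
    """
    mac = normalize_mac(request.get("Calling-Station-Id"))
    if mac is None:
        return ("reject", "missing or malformed Calling-Station-Id")
    user = request.get("User-Name", "")
    if user in user_bindings:
        if mac in user_bindings[user]:
            return ("proxy", PROXY_REALM)
        return ("reject", "device %s is not bound to user %s" % (mac, user))
    if mac in site_list:
        return ("proxy", PROXY_REALM)
    return ("reject", "device %s is not on the corporate asset list" % mac)


# Constructed sample data (not real assets, users or requests).
SAMPLE_LIST = """
# corporate laptops, one per line; any of the accepted formats
00-11-22-33-44-55
0011.2233.4466
AA:BB:CC:DD:EE:FF
not-a-mac
"""

SAMPLE_REQUESTS = [
    {"User-Name": "alice", "Calling-Station-Id": "00:11:22:33:44:55"},  # on the site list
    {"User-Name": "bob", "Calling-Station-Id": "00-11-22-33-44-66"},    # bob is bound to another device
    {"User-Name": "carol", "Calling-Station-Id": "00-11-22-33-44-77"},  # unknown device
    {"User-Name": "dave"},                                               # NAS sent no Calling-Station-Id
]


def run_demo():
    """Evaluate the constructed requests; returns (decisions, bad list lines)."""
    site_list, bad_lines = load_mac_list(SAMPLE_LIST)
    bindings = {"bob": {"aabbccddeeff"}}
    decisions = [mac_policy(r, site_list, bindings) for r in SAMPLE_REQUESTS]
    for r, d in zip(SAMPLE_REQUESTS, decisions):
        print(r.get("User-Name"), r.get("Calling-Station-Id"), "->", d)
    return decisions, bad_lines


if __name__ == "__main__":
    run_demo()
```

In a real deployment the same three steps map onto the proxy's pre-forwarding policy (in FreeRADIUS terms, the `authorize` stage deciding whether to set `Proxy-To-Realm` or reject), with the asset list kept in a file or database rather than in the controller's 128-entry whitelist. Whatever stores the list, log the reason string on every rejection: "malformed Calling-Station-Id" from one AP model is the symptom you want to see when a vendor changes its MAC formatting.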