IAS and MAC authentication
Archive: Radius Server, March 2004
Alar Pandis 2004-03-12, 7:35 am
Hi!
I'm using IAS on W2K with a 3Com Access Point 8750 and am trying to
set up MAC authentication. (I know 802.x is better, but ...)
I see in the event log that W2K does get the user name corresponding
to the MAC from the AP, but the error in the log is "Unknown user
name or bad password". Probably the last one. I also have a user
created corresponding to the MAC. Please tell me what to do, if
possible step by step, to configure IAS to accept MACs as users?
Many thanks, Alar.
MacManMike 2004-03-12, 3:35 pm
It was a real challenge but once we got it working it was very easy
for us IF you already know the MAC address of the individual trying to
authenticate.
Basically, you have to have an account created that has the same name
as the MAC address. The password also should be the same as the MAC
address.
Under IAS 2000, you would be using remote access policies. You set up
a policy that looks at a group that the accounts (with MAC address
names) belong to and set up the following:
Tunnel-Type (ID #64) = VLAN
Tunnel-Medium-Type (ID #65) = 802
Tunnel-Private-Group-ID (ID #81) = VLAN ID (where the VLAN ID is the
ID number of the VLAN you want the user to belong to)
In addition, you will want to set up a client for IAS that is the
access point you are using and set up a shared secret for the
connection.
On the access point, you will want to point the AP to the IAS server.
You will also want to set up any SSIDs and VLANs you are going to be
using on the AP as well. Then, set up the SSID to point to the RADIUS
server for MAC authentication. (We only tested this with Cisco APs
but other enterprise class APs appear to work similarly.)
If you have any further questions, contact me directly or let me know
how I can contact you and I will be happy to help.
Hope this helps,
Michael Martin
University of Montevallo
>"Alar Pandis" <Alar.Pandis@mtk.ut.ee> wrote in message
>news:<bee001c4082d$89df4d80$a101280a@phx.gbl>...
> Hi!
> I'm using IAS on W2K with a 3Com Access Point 8750 and am trying to
> set up MAC authentication. (I know 802.x is better, but ...)
> I see in the event log that W2K does get the user name corresponding
> to the MAC from the AP, but the error in the log is "Unknown user
> name or bad password". Probably the last one. I also have a user
> created corresponding to the MAC. Please tell me what to do, if
> possible step by step, to configure IAS to accept MACs as users?
> Many thanks, Alar.
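The three attributes in the reply above (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) are the RFC 2868 tunnel attributes that RFC 3580 reuses for RADIUS-based VLAN assignment. The following is an added example, not code from the thread, from IAS or from any vendor, showing how those attributes are laid out on the wire and how a receiver checks that the three agree before trusting the VLAN ID. The attribute numbers 64, 65 and 81 are the ones given in the post; the values Tunnel-Type 13 (VLAN) and Tunnel-Medium-Type 6 (IEEE-802) are from RFC 3580; the tag byte 0x01 that groups the three attributes is this example's own choice.

```python
"""Encode/decode the RADIUS tunnel attributes a VLAN-assignment policy returns.

Added example for this thread (not IAS, 3Com or Cisco code). Assumptions:
attribute numbers 64/65/81 as in the post; Tunnel-Type 13 = VLAN and
Tunnel-Medium-Type 6 = IEEE-802 per RFC 3580; tag byte 0x01 chosen here.
"""
import struct

TUNNEL_TYPE = 64              # tagged integer (RFC 2868 section 3.1)
TUNNEL_MEDIUM_TYPE = 65       # tagged integer (RFC 2868 section 3.2)
TUNNEL_PRIVATE_GROUP_ID = 81  # tagged string  (RFC 2868 section 3.6)

TUNNEL_TYPE_VLAN = 13         # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6    # RFC 3580


def _tlv(attr_type, payload):
    # RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value.
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload


def encode_tagged_integer(attr_type, tag, value):
    # Tagged integer: one tag byte followed by a 3-byte big-endian value.
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    if not 0 <= value < (1 << 24):
        raise ValueError("value must fit in 24 bits")
    return _tlv(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def encode_tagged_string(attr_type, tag, text):
    # Tagged string: one tag byte followed by the string bytes.
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return _tlv(attr_type, bytes([tag]) + text.encode("ascii"))


def vlan_assignment_attributes(vlan_id, tag=1):
    """Wire bytes for the three attributes the remote access policy sets."""
    return (encode_tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode_attributes(data):
    """Walk a byte string of RADIUS attributes into (type, tag, value) tuples.
    Rejects truncated or malformed lengths instead of reading past the end."""
    out = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        body = data[pos + 2:pos + length]
        pos += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            out.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte above 0x1F is not a tag but part of the string.
            if body and body[0] <= 0x1F:
                out.append((attr_type, body[0], body[1:].decode("ascii")))
            else:
                out.append((attr_type, None, body.decode("ascii")))
        else:
            out.append((attr_type, None, body))
    return out


def vlan_from_attributes(attrs):
    """Return the VLAN ID an access point would apply, or None when the three
    attributes are missing, disagree on tag, or do not describe an 802 VLAN."""
    by_type = {attr_type: (tag, value) for attr_type, tag, value in attrs}
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if any(t not in by_type for t in needed):
        return None
    (tt_tag, tt), (tm_tag, tm), (gid_tag, gid) = (by_type[t] for t in needed)
    if tt != TUNNEL_TYPE_VLAN or tm != TUNNEL_MEDIUM_IEEE_802:
        return None
    # An untagged group ID is treated as tag 0 for grouping purposes.
    if len({tt_tag, tm_tag, gid_tag or 0}) != 1:
        return None
    return int(gid) if gid.isdigit() else None


if __name__ == "__main__":
    wire = vlan_assignment_attributes(20)
    print(wire.hex())
    for attr in decode_attributes(wire):
        print(attr)
    print("VLAN:", vlan_from_attributes(decode_attributes(wire)))
```

The decoder deliberately refuses a reply whose Tunnel-Medium-Type is not 6 or whose tags differ, which is the usual reason a policy that looks complete in the IAS console still leaves the station on the default VLAN.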
Alar Pandis 2004-03-16, 3:35 am
Hi!
I also sent a private e-mail.
Sorry, I don't have any experience in this area, but I am
trying to set it up for our students, with MAC restriction. I
know this isn't good in the security area, but I hope we
don't have good students. ;)
Thanks, password same as MAC, I didn't know this either.
Now I get this error:
====================================
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 13.03.2004
Time: 13:14:25
User: N/A
Computer: AKNT4_S
Description:
User 000c54a993cb was denied access.
Fully-Qualified-User-Name =
infutik_nt.mtk.ut.ee/Users/000c54a993cb
NAS-IP-Address = <not present>
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = 3Com Access Point 8000 Mtk2
Client-IP-Address = 10.0.3.2
NAS-Port-Type = <not present>
NAS-Port = <not present>
Policy-Name = Allow access if dial-in permission is
enabled
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an unauthorized
authentication method.
====================================
I tried every auth method on the IAS side. In the AP8750 I don't
see that I can set this kind of option. As I said, I'm new in
this area.
Many thanks,
Alar.
>-----Original Message-----
>It was a real challenge but once we got it working it was very easy
>for us IF you already know the MAC address of the individual trying to
>authenticate.
>
>Basically, you have to have an account created that has the same name
>as the MAC address. The password also should be the same as the MAC
>address.
>
>Under IAS 2000, you would be using remote access policies. You set up
>a policy that looks at a group that the accounts (with MAC address
>names) belong to and set up the following:
>
>Tunnel-Type (ID #64) = VLAN
>Tunnel-Medium-Type (ID #65) = 802
>Tunnel-Private-Group-ID (ID #81) = VLAN ID (where the VLAN ID is the
>ID number of the VLAN you want the user to belong to)
>
>In addition, you will want to set up a client for IAS that is the
>access point you are using and set up a shared secret for the
>connection.
>
>On the access point, you will want to point the AP to the IAS server.
>You will also want to set up any SSIDs and VLANs you are going to be
>using on the AP as well. Then, set up the SSID to point to the RADIUS
>server for MAC authentication. (We only tested this with Cisco APs
>but other enterprise class APs appear to work similarly.)
>
>If you have any further questions, contact me directly or let me know
>how I can contact you and I will be happy to help.
>
>Hope this helps,
>
>Michael Martin
>University of Montevallo
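The IAS event in the post above carries everything needed to triage the denial: the authentication type the access point used (PAP), the policy that matched, and Reason-Code 66. As an added example that is not part of the thread and not IAS code, the script below parses such an event description into fields and turns the reason code into a finding a defender can act on. The sample event text is the one posted in the thread; the reason-code table is a small subset of the documented IAS reason codes, and the MAC-as-username check and the attribute-absence check are this example's own triage logic.

```python
"""Parse an IAS 'denied access' event description and explain the denial.

Added example for this thread, not IAS code. SAMPLE_EVENT is the event text
posted in the thread; REASON_CODES is a subset of the IAS reason-code list.
"""
import re

# Subset of IAS reason codes; 66 is the one reported in the thread.
REASON_CODES = {
    8: "No such user",
    16: "Authentication failure: unknown user name or bad password",
    48: "No remote access policy matched the request",
    65: "The user's dial-in permission is disabled",
    66: "The authentication method is not enabled on the matching remote access policy",
}

# Event text as posted in the thread (Event ID 2, Event Source IAS).
SAMPLE_EVENT = """User 000c54a993cb was denied access.
Fully-Qualified-User-Name = infutik_nt.mtk.ut.ee/Users/000c54a993cb
NAS-IP-Address = <not present>
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = 3Com Access Point 8000 Mtk2
Client-IP-Address = 10.0.3.2
NAS-Port-Type = <not present>
NAS-Port = <not present>
Policy-Name = Allow access if dial-in permission is enabled
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an unauthorized authentication method.
"""

_KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")
_PLACEHOLDERS = ("<not present>", "<undetermined>")


def parse_ias_event(text):
    """Return a dict of the 'Name = value' fields; placeholders become None
    and Reason-Code becomes an int. The denied user name is stored as 'User'."""
    fields = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        fields[key] = None if value in _PLACEHOLDERS else value
    m = re.match(r"User (\S+) was denied access", text)
    if m:
        fields["User"] = m.group(1)
    if fields.get("Reason-Code") is not None:
        fields["Reason-Code"] = int(fields["Reason-Code"])
    return fields


def looks_like_mac(name):
    """True when the user name is 12 hex digits, i.e. a MAC address used as a login."""
    return re.fullmatch(r"[0-9a-fA-F]{12}", name or "") is not None


def triage(fields):
    """Return plain-language findings for a parsed access-denied event."""
    findings = []
    code = fields.get("Reason-Code")
    findings.append(f"Reason-Code {code}: "
                    f"{REASON_CODES.get(code, 'see the IAS reason-code list')}")
    if code == 66:
        findings.append(
            f"Client '{fields.get('Client-Friendly-Name')}' used "
            f"{fields.get('Authentication-Type')}; policy "
            f"'{fields.get('Policy-Name')}' does not enable that method")
    if looks_like_mac(fields.get("User")):
        findings.append("User name is a MAC address: the identity is only as "
                        "strong as the MAC, which any station can present")
    missing = [k for k in ("Calling-Station-Identifier", "NAS-IP-Address")
               if fields.get(k) is None]
    if missing:
        findings.append("Attributes absent from the request: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for line in triage(parse_ias_event(SAMPLE_EVENT)):
        print("-", line)
```

Run against the posted event, the first two findings point at the PAP method versus the matched policy's allowed methods; the last two record that the request arrived without a Calling-Station-Id or NAS-IP-Address, so the log cannot tie the attempt to a station or a port independently of the user name.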
Alar Pandis 2004-03-19, 9:43 am
Hi!
Could anyone help on this subject? Please.
Many thanks,
Alar.
>-----Original Message-----
>Hi!
>I also sent a private e-mail.
>Sorry, I don't have any experience in this area, but I am
>trying to set it up for our students, with MAC restriction. I
>know this isn't good in the security area, but I hope we
>don't have good students. ;)
>Thanks, password same as MAC, I didn't know this either.
>Now I get this error:
>====================================
>Event Type: Warning
>Event Source: IAS
>Event Category: None
>Event ID: 2
>Date: 13.03.2004
>Time: 13:14:25
>User: N/A
>Computer: AKNT4_S
>Description:
>User 000c54a993cb was denied access.
> Fully-Qualified-User-Name =
>infutik_nt.mtk.ut.ee/Users/000c54a993cb
> NAS-IP-Address = <not present>
> NAS-Identifier = <not present>
> Called-Station-Identifier = <not present>
> Calling-Station-Identifier = <not present>
> Client-Friendly-Name = 3Com Access Point 8000 Mtk2
> Client-IP-Address = 10.0.3.2
> NAS-Port-Type = <not present>
> NAS-Port = <not present>
> Policy-Name = Allow access if dial-in permission is
>enabled
> Authentication-Type = PAP
> EAP-Type = <undetermined>
> Reason-Code = 66
> Reason = The user attempted to use an unauthorized
>authentication method.
>====================================
>I tried every auth method on the IAS side. In the AP8750 I don't
>see that I can set this kind of option. As I said, I'm new in
>this area.
>Many thanks,
>Alar.