MAC authentication with Windows Server 2003

SUMMARY:

This article provides information on how to configure Windows Server 2003 and a Wireless Juniper device (WLC/MX) to authenticate a MAC user.

 

PROBLEM OR GOAL:

How to configure Windows Server 2003 and a Wireless Juniper device (WLC/MX) to authenticate a MAC user.

CAUSE:

SOLUTION:

Windows Server 2003 configuration:

    1. Make sure that AD (Active Directory Users and Computers) and IAS (Internet Authentication Service) are installed on Windows Server 2003.
    2. Configure a MAC user in Active Directory. Open AD, create a new user, fill in the First name field and, for User logon name, use the user's MAC address separated by hyphens. Click Next, type the password (default password on WLC/MX is trapeze), click Next, and then Finish.

    3. Right-click the new user, go to Properties > Dial-in, and select the Allow access radio button.

IAS configuration:

    1. Start IAS.

    2. The RADIUS client is the WLC or MX device. Right-click RADIUS Clients and select New RADIUS Client.

    3. Type the device name and set the IP address of the access device.

    4. Click Next, select RADIUS Standard from the Client-Vendor drop-down menu, type the RADIUS secret (it must be the same password that was configured on the WLC device), and then click Finish.

Add the remote access policies:

Now, you have to create a remote access policy to authenticate and authorize the users:

    1. Right-click Remote Access Policies and click New Remote Access Policy.

    2. Click Next, type a name for the policy, and click Next.

    3. Select the Wireless radio button and click Next.

    4. Grant access for either the required user or group (select either the User or Group radio button; for example, the user that was configured earlier is a member of Domain User), and click Next.

    5. Select Protected EAP (PEAP) authentication from the Type drop-down menu (click Configure, if you want to select a different certificate or change the EAP type), click Next, and then Finish.

    6. After the remote access policy is created, click it and select Properties, and then click Edit Profile to proceed.

    7. Click the Authentication tab and select the Unencrypted authentication (PAP, SPAP) check box.

Configuration on the WLC or MX device:

Via the CLI:

For example:

MX# set service-profile test-mac ssid-name USER-MAC
MX# set service-profile test-mac ssid-type clear
MX# set service-profile test-mac wpa-ie auth-dot1x disable
MX# set service-profile test-mac rsn-ie auth-dot1x disable
MX# set service-profile test-mac attr vlan-name MD424

MX# set radius mac-addr-format hyphens
MX# set radius server 2k3vm address 172.31.203.104 deadtime key secret
MX# set server group 2k3-VM-group members 2k3vm
MX# set authentication mac ssid USER-MAC * 2k3-VM-group
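
What this setup puts on the wire, as an added example (not part of the original article and not Juniper or Microsoft code): a PAP Access-Request with the hyphenated MAC as User-Name and the password hidden per RFC 2865 section 5.2, then recovered on the server side with a matching and a mismatched shared secret. The MAC address is constructed, lowercase hex is an assumption, and "trapeze" and "secret" are the values shown in the article.

```python
import hashlib
import os
import struct

def format_mac_hyphens(mac: str) -> str:
    """Normalise a MAC to the hyphen form used as the AD user logon name."""
    digits = "".join(c for c in mac if c not in ":-.").lower()  # lowercase: assumption
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: undo the hiding with the server's copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(mac, password, secret, ident, authenticator):
    """Access-Request (code 1) carrying User-Name (1) and User-Password (2)."""
    user = format_mac_hyphens(mac).encode()
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    return struct.pack("!BBH16s", 1, ident, 20 + len(attrs), authenticator) + attrs

if __name__ == "__main__":
    ra = os.urandom(16)  # Request Authenticator, random per request
    pkt = build_access_request("00:1B:2C:3D:4E:5F", b"trapeze", b"secret", 1, ra)
    print("User-Name:", pkt[22:39].decode())
    print("matching secret  :", recover_password(pkt[-16:], b"secret", ra))
    print("mismatched secret:", recover_password(pkt[-16:], b"Secret", ra))
```

With a mismatched secret the server recovers a different byte string, so the password comparison fails even though the account and password are correct. The hiding depends only on MD5 and the shared secret, so the secret is what protects the password in transit.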

PURPOSE:

Configuration
Implementation
Installation