Hi there,
We are currently working on the deployment of 802.1x enterprise-wide. Since we have some old devices that don't support 802.1x natively, and have a Cisco infrastructure, we decided to go the MAC Authentication Bypass route.
When we tested it prior, we were running Windows 2003 + IAS. The test was flawless; however, it required us to enable Reversible Encryption and relax our password complexity requirements, which was unacceptable. We then decided to upgrade to Windows 2008 to leverage the separate password/complexity policy requirements based on a user or a group of users.
I've just finished setting that up, and it works perfectly. We decided to go with NPS, as it had a bunch of features that were lacking from Windows 2003's IAS (namely exporting the configuration and being able to import it to our other IAS/NPS servers). We currently run the NPS service on our DCs (two of them for redundancy); however, we can't seem to make the MAC Authentication Bypass work. After some digging, it seems that Microsoft has removed support for EAP-MD5 from Vista/2008. They mention that there are third-party EAPHost-compliant vendors that 'may' have EAP-MD5 support, but I've been unable to find any.
My question is, has anyone else run into this problem? If so, how did you go about fixing it? Unfortunately, Cisco only seems to support EAP-MD5 for the MAC Authentication Bypass; we're currently running this on 3560 Catalyst switches. I'd much rather get it working again on our NPS servers, as I don't want to revert back to IAS, as it's a pain to replicate the configurations between more than 1 box.
Thanks!
Warren
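
Why EAP-MD5 goes hand in hand with the reversible password storage mentioned in the post above, as an added example that is not part of the original post: the MD5-Challenge value is computed as in CHAP (RFC 1994), so the RADIUS server has to hold the cleartext secret to check it. The MAC formatting in `mab_credentials`, the sample MAC address and the SHA-256 stand-in for a one-way stored hash are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5-Challenge value, computed as in CHAP: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_verify(identifier: int, challenge: bytes, response: bytes,
                  stored_secret: bytes) -> bool:
    """Server side: the digest can only be recomputed from the cleartext secret."""
    expected = eap_md5_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def mab_credentials(mac: str):
    """Assumption: the switch submits the device MAC (lowercase hex, no
    separators) as both the username and the password."""
    norm = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(norm) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return norm, norm.encode("ascii")


def demo():
    user, password = mab_credentials("00:11:22:AA:BB:CC")  # constructed MAC
    identifier, challenge = 7, os.urandom(16)
    # What the switch answers on behalf of the non-802.1X device.
    response = eap_md5_response(identifier, password, challenge)

    # Directory keeps the password recoverable: verification succeeds.
    ok_cleartext = server_verify(identifier, challenge, response, password)

    # Directory keeps only a one-way hash (SHA-256 as a stand-in): the server
    # cannot rebuild MD5(id || password || challenge), so verification fails.
    one_way = hashlib.sha256(password).digest()
    ok_hash_only = server_verify(identifier, challenge, response, one_way)
    return user, ok_cleartext, ok_hash_only


if __name__ == "__main__":
    print(demo())
```
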