Hello,
I am the network administrator for a school district and we are currently using RADIUS to control access to our wireless networks. Right now we have two different ways of authenticating - by User or by Machine as part of a Windows Group. As we get more and more non-microsoft wireless devices (tablets, phones, etc), we are looking at how to control access to only our district owned devices. To clarify, if somebody has an iPad issued to them by our district, they currently authenticate by using their Windows login credentials. However, they could also authenticate this way using their personal smartphone, or any number of wi-fi enabled devices that are NOT district owned. We want to prevent this for security reasons.
So what I was thinking was to change our NAS to allow authentication by either Machine or by MAC address, and get rid of User authentication at this level. This way all of our laptops that exist in AD would still be authenticated by the Windows group they are in, and only our district owned iPads and other authorized devices would be authenticated based on MAC address that we allow. I have seen a few posts and support pages that give steps on how to set up MAC Authentication by creating a user account in Active Directory with the username being the MAC address of the device... but have been unsuccessful so far on getting this to work. Is there anybody out there that has done this successfully? If so, could you maybe help me by listing the steps you took to make it work?
Any help would be greatly appreciated!