Hi,
when you enable 802.1x on Cisco LAN switches, there is a feature called "MAC Authentication Bypass" that allows non-802.1x devices to get authenticated by a RADIUS server. For this feature to work, you would create user accounts in AD that have the client's
MAC address as the username and also as the password. Unfortunately, you cannot do so if your domain has strict password enforcement policies, because passwords are not allowed to match usernames then. According to a Cisco whitepaper (http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.pdf),
one should use the 'ieee802Device' class that is built into Windows Server 2003 R2 and above. I have tried to get this working (with no success...), unfortunately I did not find any guidelines on the web on how to accomplish this. What I did so far was:
- Created a new structural class "myieee802Device", based on the abstract class "ieee802Device"
- Created a new OU "ethers" in AD
- Created a simple object by means of an ldifde.exe import:

dn: CN=001b21******,OU=ethers,DC=dot1x,DC=com
changetype: add
objectClass: myieee802Device
cn: 001b21******
macAddress: 00:1b:21:**:**:**

When I trigger 802.1x authentication at my supplicant (Windows XP), NPS does not find the device (MAC-Address) in AD.
Has anybody got this running so far? Anybody seen a step-by-step guide?
steffchen
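Since a RADIUS lookup of a MAB client ends up as a string comparison of the MAC address the switch sends against whatever is stored in the directory, the formatting of the stored values has to be consistent for every device. The following script is an added example (my code, not the poster's and not from the Cisco whitepaper): it normalizes MAC addresses written in any common notation, rejects malformed ones, removes duplicates that differ only in notation, and emits ldifde-style records in the same layout as the record above (cn without separators, macAddress in colon form). The OU "OU=ethers,DC=dot1x,DC=com" and the class name "myieee802Device" are taken from the post; the input list of MACs is constructed for illustration.

```python
"""Generate ldifde import records for MAB device objects (example, not from the post)."""
import re

# Separators accepted on input: "00:1b:21:aa:bb:cc", "00-1B-21-AA-BB-CC", "001b.21aa.bbcc".
_SEPARATORS = str.maketrans("", "", ":-.")
_HEX12 = re.compile(r"[0-9A-Fa-f]{12}")


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits with no separators.

    Raises ValueError for anything that is not exactly 48 bits of hex once the
    accepted separators are removed, so a typo never becomes a directory object.
    """
    digits = mac.strip().translate(_SEPARATORS)
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return digits.lower()


def is_valid_mac(mac: str) -> bool:
    """Convenience predicate around normalize_mac()."""
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def colon_form(mac: str) -> str:
    """Render a MAC as aa:bb:cc:dd:ee:ff, the layout used for macAddress in the post."""
    digits = normalize_mac(mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ldif_record(mac: str, ou_dn: str, object_class: str = "myieee802Device") -> str:
    """One 'changetype: add' record; cn is the separator-free form, as in the post.

    The cn consists only of hex digits, so no LDAP DN escaping is needed.
    """
    cn = normalize_mac(mac)
    lines = [
        f"dn: CN={cn},{ou_dn}",
        "changetype: add",
        f"objectClass: {object_class}",
        f"cn: {cn}",
        f"macAddress: {colon_form(cn)}",
    ]
    return "\n".join(lines) + "\n"


def build_ldif(macs, ou_dn: str, object_class: str = "myieee802Device") -> str:
    """Normalize, de-duplicate and sort the input, then emit one record per MAC.

    Two spellings of the same address ("00:1B:21:AA:BB:CC" and "001b21aabbcc")
    would otherwise produce two objects with the same DN and make the second
    ldifde add fail.
    """
    unique = sorted({normalize_mac(m) for m in macs})
    # ldifde separates records with a blank line.
    return "\n".join(ldif_record(m, ou_dn, object_class) for m in unique)


if __name__ == "__main__":
    # Constructed sample input: the same device written two ways plus a second device.
    sample = ["00:1B:21:AA:BB:CC", "001b21aabbcc", "00-1b-21-dd-ee-ff"]
    print(build_ldif(sample, "OU=ethers,DC=dot1x,DC=com"), end="")
```

Redirect the output to a file and feed it to ldifde -i -f as in the post. Because every record passes through normalize_mac(), the objects in the "ethers" OU all share one spelling, which is what makes a later comparison against the value the switch presents predictable.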