Hi all,
I'm currently setting up a WIN SRV 2012 with Microsoft NPS and want to use MAC authentication for VLAN assignment.
Everything is working fine so far, as I can authenticate internal devices in the default VLAN, but when it comes to "authenticating" guest devices (which means I don't know the MAC address) and assigning them to the guest VLAN network, it does not work.
If I add a device to the network, the RADIUS client (switch) sends the request to the NPS server. The NPS server then goes through its Connection Request Policies and checks whether the request (received from the switch) matches a Connection Request Policy's conditions.
If it does, the server authenticates the device locally (in the SAM). If the device can be found in the SAM (defined as a normal user), the server goes through the Network Policies and applies the matching policy, giving back the VLAN.
The problem is that I don't know the MAC addresses of the guest devices, and when it comes to the Connection Request Policy I only have the following options:
1. Authenticate locally
2. Authenticate on a remote NPS server
3. Do not authenticate and allow access
I do not have another NPS server, so I cannot use Option 2.
If I select Option 3, all devices automatically get assigned to the default VLAN; NPS then ignores the Network Policies.
So I have to take Option 1. But Option 1 checks the request (including MAC address as username and MAC address as password) against its local SAM users. Guest devices will fail this test and will get declined by the Connection Request Policy.
Now my thought was to create two Connection Request Policies:
one with Option 1 (for internal devices) and one with Option 3 (for guest devices, giving back the guest VLAN instead of the default VLAN).
The problem here is that MS NPS does not provide me with a condition to keep the two types apart, as (from the NPS server's point of view) they look the same when the packet arrives
(Request: Username: MACADDRESS, Password: MACADDRESS).
My thought was to keep both apart by adding a condition to the first Connection Request Policy saying "if the user is in the local SAM, take this policy". If it's not in there, it would fail over to the other Connection Request Policy, allowing access without authenticating and giving back the guest VLAN. But as already said: NPS does not provide this option.
Does anyone else have experience with this and maybe got it to work?
Thank you very much,
rpfister
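The exchange the post describes, as an added example that is not part of the original post and not Microsoft's or any switch vendor's code: a small Python RADIUS client that builds the same Access-Request a switch sends for MAC authentication (the MAC as both User-Name and User-Password, Service-Type Call-Check) and decodes what NPS answers. It lets you check, for any MAC you choose, whether NPS returns the internal VLAN, the guest VLAN or a reject, which is exactly the decision the post is trying to influence. The shared secret, the NPS address, the NAS-Identifier "mab-probe" and the sample MAC are constructed placeholders; the `build_response` and `vlan_attrs` helpers play the server's part so the decoding logic can be exercised offline without an NPS.

```python
"""Constructed RADIUS MAB probe: builds the Access-Request a switch sends for MAC auth and decodes the VLAN in the reply."""
import hashlib, hmac, os, socket, struct, sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute types (RFC 2865 / RFC 2868) and the values NPS uses for VLAN assignment
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 2, 6, 31, 32
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_TYPE_CALL_CHECK, TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 10, 13, 6

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server-side inverse: the hiding is reversible, so NPS (or anyone holding the secret) gets the plaintext MAC back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type, value):
    """Type-Length-Value; the length byte includes the two header bytes."""
    return bytes([attr_type, len(value) + 2]) + value

def parse_attrs(packet):
    attrs, pos = [], 20
    while pos < len(packet):
        length = packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + length]))
        pos += length
    return attrs

def build_mab_request(mac, secret, identifier, authenticator=None):
    """What the switch sends for an unknown device: the MAC as both User-Name and User-Password."""
    authenticator = authenticator or os.urandom(16)
    body = b"".join([attr(USER_NAME, mac.encode()),
                     attr(USER_PASSWORD, hide_password(mac.encode(), secret, authenticator)),
                     attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
                     attr(CALLING_STATION_ID, mac.encode()),
                     attr(NAS_IDENTIFIER, b"mab-probe")])  # constructed name; NPS matches clients by source IP
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body, authenticator

def build_response(code, request, secret, attrs):
    """Server side, used offline: a reply carrying a valid Response Authenticator."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def vlan_attrs(vlan_id, tag=1):
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=<id>: the trio NPS returns."""
    return [attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
            attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big")),
            attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())]

def verify_response(response, request_authenticator, secret):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def vlan_from_response(response, request_authenticator, secret):
    """Return ('accept'|'reject'|'other', vlan_id_or_None). An Access-Reject carries no VLAN, so an unknown
    MAC only lands in a guest VLAN if the switch's own auth-fail/guest VLAN setting puts it there; an
    Access-Accept without Tunnel-* attributes leaves the port in the switch's default VLAN."""
    if not verify_response(response, request_authenticator, secret):
        raise ValueError("bad Response Authenticator: wrong shared secret or tampered reply")
    if response[0] != ACCESS_ACCEPT:
        return ("reject" if response[0] == ACCESS_REJECT else "other"), None
    tunnel_type = medium = group = None
    for attr_type, value in parse_attrs(response):
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")  # first byte is the tag
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868 3.6: a leading byte <= 0x1F is a tag; anything larger is part of the string
            group = (value[1:] if value[0] <= 0x1F else value).decode()
    if tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_802 and group:
        return "accept", group
    return "accept", None

def probe(server, secret, mac, port=1812, timeout=3.0):
    """Live probe: send one MAB request to the NPS and decode the answer."""
    request, req_auth = build_mab_request(mac, secret, identifier=os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        response, _ = sock.recvfrom(4096)
    if response[1] != request[1]:
        raise ValueError("identifier mismatch")
    return vlan_from_response(response, req_auth, secret)

if __name__ == "__main__":  # usage: python radius_mab_probe.py <nps-ip> <shared-secret> 001122aabbcc
    print(probe(sys.argv[1], sys.argv[2].encode(), sys.argv[3]))
```

To use it against a real NPS, add the machine you run it from as a RADIUS client in NPS with the same shared secret, then run it once with a MAC that exists in the SAM and once with one that does not. Two things the exchange makes visible: an Access-Reject for an unknown MAC contains no Tunnel-* attributes at all, so the guest VLAN for unknown devices has to be configured on the switch (its auth-fail or guest VLAN feature) rather than returned by NPS; and the User-Password hiding is reversible with the shared secret and the "password" is the MAC anyway, so a device that spoofs a MAC present in the SAM receives the internal VLAN, which is the inherent limit of MAC-based VLAN assignment.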