Hello,
We have a dot1x and MAB implementation between Juniper and Cisco switches and Microsoft NAP, and all dot1x accounts are working well.
Non-dot1x devices like phones will use MAC authentication bypass. I have read a lot of documents that say to create an AD account for each MAC address, using the device MAC as the username/password.
Of course we don't need to do that for 500 accounts! We just need NAP to authorize them without referring to AD. Can it be done?
I tried making a network policy with the Calling-Station-ID set to ^001b4f, which is the OUI of the devices' MAC address, but it still can't authenticate, as shown below (we need to bypass this authentication step).
User:
Security ID: NULL SID
Account Name: 001b4f4921fd
Account Domain: Domain
Fully Qualified Account Name: Domain\001b4f4921fd
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: b0-c6-9a-d4-0d-80
Calling Station Identifier: 00-1b-4f-49-21-fd
NAS:
NAS IPv4 Address: 10.10.10.10
NAS IPv6 Address: -
NAS Identifier: Switch3
NAS Port-Type: Ethernet
NAS Port: 78
RADIUS Client:
Client Friendly Name: SW3
Client IP Address: 10.10.10.10
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NAP.DOMAIN.LOCAL
Authentication Type: EAP
EAP Type: -
Account Session Identifier: 384F322E317838313133306132323030303364313030
Logging Results: Accounting information was written to the local log file.
Reason Code: 8
Reason: The specified user account does not exist.
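
An added example, not part of the original post: it takes the MAC-bearing fields from the event above and checks which of them the `^001b4f` pattern matches, both as logged and after stripping separators. Python's `re` stands in for the policy condition's pattern matching, which is an assumption, and the function names are hypothetical.

```python
import re

# Constructed sample: a few fields copied from the event text in the post above.
EVENT = """\
Account Name: 001b4f4921fd
Called Station Identifier: b0-c6-9a-d4-0d-80
Calling Station Identifier: 00-1b-4f-49-21-fd
Network Policy Name: -
Reason Code: 8
"""

def parse_event(text):
    """Return {field: value} for each 'Field: value' line; first occurrence wins."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip(), value.strip())
    return fields

def normalize_mac(value):
    """Strip separators and lowercase, so 00-1B-4F-.. and 001b4f.. compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", value).lower()

def check_pattern(pattern, fields):
    """Report whether the pattern matches each MAC-bearing field, raw and normalized."""
    result = {}
    for name in ("Account Name", "Calling Station Identifier"):
        raw = fields.get(name, "")
        result[name] = {
            "raw": bool(re.search(pattern, raw, re.IGNORECASE)),
            "normalized": bool(re.search(pattern, normalize_mac(raw), re.IGNORECASE)),
        }
    return result

if __name__ == "__main__":
    fields = parse_event(EVENT)
    for name, hits in check_pattern(r"^001b4f", fields).items():
        print(f"{name:28} {fields[name]:20} raw={hits['raw']} normalized={hits['normalized']}")
```

In this check the pattern matches the account name string as logged, but not the hyphenated Calling Station Identifier string.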