Re: MAC authorization

anonymous_at_discussions.microsoft.com
Date: 09/02/04


Date: Thu, 2 Sep 2004 00:01:00 -0700


Hello,

>MAC address authorization is performed when the user does not type in any
>user name or password, and refuses to use any valid authentication method.

Which protocol should be enabled in the Win2k client (MD5-EAP/Certificate/PEAP)?
 
>In this case, IAS receives Calling-Station-ID, and no user name and
>password. To support MAC address authorization, the Active Directory must
>have user accounts with MAC addresses as user names.

I don't have Active Directory, only local User Accounts.
Is this a problem? Where to create the Accounts? On the
computer running IAS or on the default domain controller?

>
>MAC address authorization is enabled when you do the following:
>
>-- Enable MAC address authorization on access servers (such as wireless
>APs).
>-- Enable unauthenticated access on the appropriate remote access policy
>for MAC address-based authentication, and enable PAP.
>-- Create a user account for each MAC address for which you want to provide
>MAC address authorization. The name of the user account must match the MAC
>address of the network adapter installed in the computer that the user is
>connecting from. The user account password must be set to the RADIUS shared
>secret used between the RADIUS client (such as an AP) and the IAS server.
>-- Set the User Identity Attribute registry value to 31 on the
>authenticating server.
>-- To always use the MAC address as the user identity, set the Override
>User-Name registry value to 1 on the IAS server

Done, but not working. I can see in the EAPOL trace that
my computer sends EAP packages with a null-Identity. It
doesn't authenticate and then asks me for username/password
(MD5-EAP is activated). By typing in the shared secret for
password I can log in, but I don't want to type in
something.

Hope you can help me.

Greetings,
Thommy
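
The following is an added example, not part of the original post and not Microsoft's code. It parses the attributes of a RADIUS Access-Request and models how the two settings quoted above (User Identity Attribute = 31, Override User-Name = 1) decide which value becomes the user identity. The selection logic is an assumption drawn from the quoted steps, and the packets, MAC address and user name are constructed samples.

```python
import struct

USER_NAME, CALLING_STATION_ID = 1, 31  # RADIUS attribute types (RFC 2865)

def build_access_request(attrs):
    """Build a constructed Access-Request (code 1) from (type, bytes) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", 1, 7, 20 + len(body), bytes(16)) + body

def parse_attributes(packet):
    """Return {type: value} for the TLV attributes after the 20-byte header."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])  # keep first copy
        pos += a_len
    return attrs

def select_identity(attrs, identity_attr=USER_NAME, override=False):
    """Assumed model: User-Name wins unless it is absent or override is set."""
    name = attrs.get(USER_NAME, b"")
    if override or not name:
        name = attrs.get(identity_attr, b"")
    return name.decode("ascii", "replace") or None

# Constructed samples: an AP doing MAC authorization sends only attribute 31;
# a client that typed a user name produces attribute 1 as well.
MAC_ONLY = build_access_request([(CALLING_STATION_ID, b"001122334455")])
WITH_NAME = build_access_request([(USER_NAME, b"alice"),
                                  (CALLING_STATION_ID, b"001122334455")])

if __name__ == "__main__":
    for label, pkt in (("MAC only", MAC_ONLY), ("with User-Name", WITH_NAME)):
        a = parse_attributes(pkt)
        print(label, "default:", select_identity(a),
              "| attr 31:", select_identity(a, CALLING_STATION_ID),
              "| attr 31 + override:", select_identity(a, CALLING_STATION_ID, True))
```

The identity string is compared to the account name as-is, so the account must be named exactly as the access server formats the Calling-Station-ID.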


