NPS + MAC authentication

G F 96 Reputation points


Two weeks ago, I set up 2 SSIDs: one for visitors, open for internet, and one for employees, with group-based authentication via RADIUS + NPS.

Unfortunately, we have equipment that uses wireless to work.

And now we can't use it, because the employee wireless is secured by user authentication.
For this kind of equipment, I want to set up a third wireless network based on MAC authentication.

For example, my equipment has the MAC AA:BB:CC:DD:EE:FF, and when I connect to this third Wi-Fi, the MAC address is known and allowed to access the wireless.

Do you know what rules I need to use for this?

In NPS, here is what I configured:

In Conditions:

  • NAS port type: Wireless - IEEE 802.11
  • NAS identifier: EXAMPLE
  • Calling station ID: AA:BB:CC:DD:EE:FF

In Constraints:

Authentication methods: Unencrypted authentication (PAP, SPAP)

In Settings:

Filter ID: 100

Framed protocol: PPP

Service type: Framed

Is it going to work?

Thank you


3 answers

  1. Candy Luo 12,646 Reputation points Microsoft Vendor

    Hi,

    Thanks for posting here.

    Due to our limited test environment, we have no such AP device to test in our lab. Please check if the following article is helpful to you:

    MAC-Based Access Control Using Microsoft NPS - MR Access Points

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    For Conditions:

    If you are putting your MAC address users into a particular group, then you will want to specify a Windows group here.

    If you define the full MAC address, such as AA:BB:CC:DD:EE:FF, only the end device that uses this MAC address will get authenticated, and every other device will get its authentication attempt refused.

    From the configuration you posted, there seems to be no problem.

    Best Regards,



    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

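A literal Calling station ID condition only matches when the access point sends the MAC in exactly the format typed into the policy, and access points differ (colons, hyphens, dotted or bare hex). The following is an added example, not part of the answer above or of any vendor's code: it normalizes those formats and builds one anchored pattern for the condition. The sample values are constructed, the function names are illustrative, and it assumes NPS pattern matching accepts character classes and `?`.

```python
import re

def normalize_mac(value):
    """Return 12 upper-case hex digits, or None if value is not a MAC.
    Accepts AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, aabbccddeeff."""
    digits = re.sub(r"[-:.]", "", value.strip()).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def nps_pattern(mac):
    """Build an anchored pattern for one MAC that tolerates ':', '-' or '.'
    separators (or none) and either letter case."""
    digits = normalize_mac(mac)
    if digits is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]

    def either_case(octet):
        return "".join(f"[{c}{c.lower()}]" if c.isalpha() else c for c in octet)

    return "^" + "[-:.]?".join(either_case(o) for o in octets) + "$"

def matches(condition, calling_station_id):
    """Evaluate a condition string as a regular expression (assumed NPS behaviour)."""
    return re.search(condition, calling_station_id) is not None

def compare(literal, samples):
    """For each sample, report whether the literal condition and the
    generated pattern would accept it."""
    pattern = nps_pattern(literal)
    return [(s, matches(literal, s), matches(pattern, s)) for s in samples]

# Constructed Calling-Station-Id values, as different access points might send
# the same device, plus one different device on the last line.
SAMPLES = [
    "AA:BB:CC:DD:EE:FF",
    "AA-BB-CC-DD-EE-FF",
    "aabbccddeeff",
    "aabb.ccdd.eeff",
    "AA:BB:CC:DD:EE:F0",
]

if __name__ == "__main__":
    print(nps_pattern("AA:BB:CC:DD:EE:FF"))
    for sample, literal_ok, pattern_ok in compare("AA:BB:CC:DD:EE:FF", SAMPLES):
        print(f"{sample:20} literal={literal_ok!s:5} pattern={pattern_ok}")
```

Check which format the access point actually sends in the NPS accounting log or event log before settling on the condition value.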

  2. G F 96 Reputation points


    I've already seen this article.
    The problem is that it's a big security issue. We just have to know the MAC address to have access to the domain.

    I want to add the MAC address on the NPS server (or elsewhere), and when this specific MAC tries to authenticate on the network, it's allowed.


  3. Stefano Colombo 221 Reputation points

    I'm trying to do the same with an Aruba AP.
    As for the NPS configuration, I found docs saying that you need to create AD users with username and password set to the device's MAC, and in the NPS policy reference the group that contains them.

    However, in my experience I'm still being prompted for user/password on iPhone, which I don't want.