Using NPS server for MAC Based authentication. Wireshark capture does not show RADIUS Authentication request /response messages

Anonymous
2024-04-26T06:34:37+00:00

Dear Team

I am using NPS server for MAC Based authentication.

  1. Device MAC is added as active directory user.
  2. NAS identifier used as forwarding condition
  3. under setting I am using filter id-100
  4. framed protocol-PPP
  5. Service Type- framed

Device is able to connect on concerned SSID but I am not getting any RADIUS Authentication request/response messages in Wireshark capture

Please find here the snaps of configuration

There is nothing for RADIUS authentication request /response in pcap

Accepted answer
  1. Anonymous
    2024-05-02T08:42:03+00:00

    Dear Avanindra Kumar Mishra

    The user ID attribute does not exist by default. You can try to create it and then modify its key name and value.

    Best regards

    Zunhui

    1 person found this answer helpful.

5 additional answers

  1. Anonymous
    2024-04-29T11:45:44+00:00

    Hello,

    The following is the authentication method of MAC bypass for your reference. In this method, the client can use the MAC address as the username and password for verification.

    The drawback of this method is that you need to know the MAC address of each device. Specific steps:

    1. Create the accounts required for MAC Bypass in AD and put these accounts into a MAC Bypass group.

    NOTE: The account password setting must comply with the requirements of the access device. For example, Cisco requires that the username and password are both MAC addresses.

    For example:

    User: 001122334455

    Pass: 001122334455

    2. NPS sets some registry keys. We need to configure the registry key "User Identity Attribute"; this is to allow the NPS server to support MAC Bypass.

    Registry path: HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy

    Registry key: User Identity Attribute

    Registry value: 31 (dword:0000001f)

    3. Create Network Policies on the NPS server:

    Policy Name: Mac Bypass

    Conditions: Add the local group MAC Bypass created in step 1 to User group.

    Constraints: For Authentication Methods, you only need to select Unencrypted authentication (PAP, SPAP)

    Settings: If you need to put the client accessed through MAC Bypass into a specific VLAN, you can configure the three attributes in the figure below. For example, in the figure below, the client will be assigned to VLAN 10

    • Tunnel-Medium-Type: 802

    • Tunnel-Pvt-Group-ID: The VLAN ID you wish to use, in this case 10

    • Tunnel-Type: Virtual LANs (VLAN)

    The above are the settings for NPS server to support MAC Bypass. In fact, MAC Bypass also requires the support of the switch/AP. This function on some devices is called MAC bypass or MAC filtering. This is because this authentication occurs when the client cannot provide the username and password. The access device usually will not continue to request authentication from the background RADIUS (because there is no username and password). However, when this function is enabled, if the access device supports MAC authorization, it will continue to use the MAC address as the authentication credential.

    Reference link: http://technet.microsoft.com/en-us/library/dd197535(v=ws.10).aspx

    Best regards

    Zunhui

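Added example, not part of the original answer or of any Microsoft tooling: when reading the capture, it helps to decode an Access-Request and compare User-Name with Calling-Station-Id, which is RADIUS attribute 31 in RFC 2865, the same number as the registry value above. The input is assumed to be the UDP payload of one RADIUS packet; the sample packet, the name `lab-ap-01` and all function names are constructed for illustration.

```python
import string
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
USER_NAME, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 31, 32  # RFC 2865 types

def parse_radius(payload: bytes) -> dict:
    """Split one RADIUS packet (UDP payload) into code, id and attributes."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("length field disagrees with payload size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.setdefault(a_type, payload[pos + 2:pos + a_len])  # keep first
        pos += a_len
    return {"code": CODES.get(code, f"code {code}"), "id": ident, "attrs": attrs}

def normalize_mac(raw: bytes) -> str:
    """00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455 -> 001122334455."""
    digits = "".join(c for c in raw.decode("ascii", "replace") if c in string.hexdigits)
    if len(digits) != 12:
        raise ValueError("Calling-Station-Id is not a 48-bit MAC address")
    return digits.lower()

def identity_report(payload: bytes) -> dict:
    """Show which identity each attribute offers for a MAC-based request."""
    pkt = parse_radius(payload)
    a = pkt["attrs"]
    mac = normalize_mac(a[CALLING_STATION_ID]) if CALLING_STATION_ID in a else None
    user = a.get(USER_NAME, b"").decode("utf-8", "replace") or None
    nas = a.get(NAS_IDENTIFIER, b"").decode("utf-8", "replace") or None
    return {"code": pkt["code"], "user_name": user, "calling_station_mac": mac,
            "nas_identifier": nas, "user_name_is_mac": user is not None and mac == user.lower()}

def build_sample() -> bytes:
    """Constructed Access-Request; authenticator and User-Password are zeroed."""
    def attr(t, v): return bytes([t, len(v) + 2]) + v
    body = (attr(1, b"001122334455") + attr(2, bytes(16))
            + attr(31, b"00-11-22-33-44-55") + attr(32, b"lab-ap-01"))
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    print(identity_report(build_sample()))
```

If `calling_station_mac` is present but `user_name` is missing or not the MAC, the AD account name from step 1 has to match whatever identity the server is configured to read.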
  2. Anonymous
    2024-05-02T02:15:06+00:00

    Dear Zunhui

    Thanks for the response

    I have some confusion about altering the registry entry.

    In my system the said path shows LM authentication only.

    Kindly let me know how to add the user identity attribute.

    Regards

    Avanindra

  3. Anonymous
    2024-05-02T11:58:29+00:00

    Thanks Zunhui

    It worked.

    Now I am getting the complete flow captured in Wireshark.

    Regards

    Avanindra K Mishra

  4. Anonymous
    2024-05-02T13:18:45+00:00

    Dear Avanindra Kumar Mishra

    You're welcome. Thank you for your reply; we're glad to hear that your issue has been resolved. We really appreciate your feedback. Please click "Yes" or "No" to help us improve the support experience and help others with similar issues.

    If you have any other questions in the future, please contact the Microsoft Community again.

    Best regards

    Zunhui

    1 person found this answer helpful.