I have been playing with NPS now for a few days and I get the basics, but it's not going as planned.
What I wanted to achieve is that this NPS server is used as a RADIUS authentication server in our Aerohive (wired & wireless) solution. I want to prevent access to our network for all unauthorized devices. Therefore we whipped up a basic VLAN category.
VLAN 1: Servers
Every server is wired on a fixed location. These switchports would be defined on VLAN 1.
VLAN 2: Trusted Devices
Devices that need network access like the printers, access control devices, MFCs, etc. Verified by MAC address.
VLAN 5: Domain Computers
The computer account has to be a member of Domain Computers. These would be verified by their computer object name.
VLAN 6: Trusted Alien Computers
Other computer devices that are not a member of our domain but that need access to our network. Verified by MAC address.
VLAN 10: IP Phones
Hardware phones that need to access the PABX. Could be by MAC or by switchport. If possible, I'd prefer MAC because then people could use the patch port at the back of the phone to get a wired connection.
VLAN 20: Guest
Every other request should be placed in VLAN 20. Kind of like a fall back. These have access to 'the internet'.
So every device that requests access to our network, whether it's wired or wireless, should pass by the NPS server. It's this server that should return its VLAN.
The list of trusted devices could get long. We currently have roughly 100 network printers & MFCs and about 30 - 50 people working with a non-domain laptop. This should be manageable.
In my Aerohive router / access point I have the option for MAC Authentication and if it should first authenticate by MAC or SSID. Currently I have MAC first.
I've tested a lot of different set-ups but I have no idea if what I would like is even possible in NPS? When trying to allow an alien computer by its MAC address it still asks me for a username and password?!
First I see this in the NPS Log:
Network Policy Server granted access to a user.
User:
Security ID: WGIT\B8-86-87-E3-55-58
Account Name: b88687e35558
Account Domain: WGIT
Fully Qualified Account Name: WGIT\B8-86-87-E3-55-58
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 08-EA-44-0B-13-4C:Willemen Groep
Calling Station Identifier: B8-86-87-E3-55-58
NAS:
NAS IPv4 Address: 172.18.120.1
NAS IPv6 Address: -
NAS Identifier: HOME-TDC-1
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: Aerohive Branch Routing
Client IP Address: 172.18.120.1
Authentication Details:
Connection Request Policy Name: Trusted Devices
Network Policy Name: Trusted Devices
Authentication Provider: Windows
Authentication Server: dc-sccm.WGIT.local
Authentication Type: MS-CHAPv2
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Quarantine Information:
Result: Full Access
Session Identifier: -
If I enter 'ok' as the username, I get this:
Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information.
User:
Security ID: WGIT\B8-86-87-E3-55-58
Account Name: ok
Account Domain: WGIT
Fully Qualified Account Name: WGIT.local/BE/Vlaanderen/Willemen Groep/Resources/B8-86-87-E3-55-58
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 08-EA-44-0B-13-4C:Willemen Groep
Calling Station Identifier: B8-86-87-E3-55-58
NAS:
NAS IPv4 Address: 172.18.120.1
NAS IPv6 Address: -
NAS Identifier: HOME-TDC-1
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: Aerohive Branch Routing
Client IP Address: 172.18.120.1
Authentication Details:
Connection Request Policy Name: Accept All
Network Policy Name: Guest
Authentication Provider: Windows
Authentication Server: dc-sccm.WGIT.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
WHY?!
Why is it asking for a username when it has already been granted access?
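As an added example, not part of the original post: a small Python script that parses NPS event text of the kind quoted above, works out which category of the post's VLAN plan the calling station's MAC falls into, and reports whether NPS granted access under the policy that plan expects. It is useful for reviewing a batch of copied events: the two quoted above, for instance, show the same MAC matching "Trusted Devices" with MS-CHAPv2 once and "Guest" with EAP once, and the script makes that mismatch visible. Only "Trusted Devices" and "Guest" are policy names from the post; the other policy names and all MAC inventory entries are constructed for this example, and the two sample events are abbreviated copies of the ones quoted above.

```python
import re

# VLAN per MAC-verified category, as laid out in the post.
VLAN_PLAN = {"trusted": 2, "alien": 6, "phone": 10, "guest": 20}

# Network policy expected per category. "Trusted Devices" and "Guest" are in the
# post's own log; "Trusted Alien Computers" and "IP Phones" are assumed names.
POLICY_FOR = {"trusted": "Trusted Devices", "alien": "Trusted Alien Computers",
              "phone": "IP Phones", "guest": "Guest"}

# Constructed inventory: the MAC from the post plus two made-up entries.
TRUSTED_MACS = {"b88687e35558"}
ALIEN_MACS = {"001122334455"}
PHONE_MACS = {"0004f2aabbcc"}

# Headings in the event text; keys below them are stored as "Section/Key".
SECTIONS = {"User", "Client Machine", "NAS", "RADIUS Client",
            "Authentication Details", "Quarantine Information"}


def normalize_mac(mac):
    """Reduce B8-86-87-E3-55-58, b8:86:..., b886.87e3.5558 etc. to 12 lowercase
    hex digits; return None when the input is not a MAC at all."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return digits if len(digits) == 12 else None


def parse_nps_event(text):
    """Turn copied event text into {"Section/Key": value}. A value that the copy
    put on the line after its key (as in 'Security ID:' then the SID) is rejoined."""
    fields, section, pending = {}, "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None and not line.endswith(":"):
            fields[f"{section}/{pending}"] = line
            pending = None
            continue
        pending = None
        key, sep, value = line.partition(":")
        if not sep:
            continue  # the free-text summary line carries no key
        key, value = key.strip(), value.strip()
        if key in SECTIONS and not value:
            section = key
        elif value:
            fields[f"{section}/{key}"] = value
        else:
            pending = key
    return fields


def field(fields, name):
    """First field whose key is `name`, whatever section it sits under."""
    return next((v for k, v in fields.items() if k.endswith("/" + name)), None)


def plan_for_mac(mac):
    """Category the post's plan assigns to this MAC; anything unknown is guest."""
    if mac in TRUSTED_MACS:
        return "trusted"
    if mac in ALIEN_MACS:
        return "alien"
    if mac in PHONE_MACS:
        return "phone"
    return "guest"


def review_event(text):
    """Compare what NPS logged with what the VLAN plan says should have happened."""
    fields = parse_nps_event(text)
    mac = normalize_mac(field(fields, "Calling Station Identifier") or "")
    category = plan_for_mac(mac)
    granted = text.lstrip().startswith("Network Policy Server granted access")
    policy = field(fields, "Network Policy Name")
    return {"mac": mac, "category": category, "vlan": VLAN_PLAN[category],
            "granted": granted, "policy": policy,
            "auth_type": field(fields, "Authentication Type"),
            "reason_code": field(fields, "Reason Code"),
            # True only when access was granted by the policy the plan expects.
            "matches_plan": granted and policy == POLICY_FOR[category]}


# Abbreviated copies of the two events quoted in the post (sample input).
GRANTED_EVENT = r"""Network Policy Server granted access to a user.
User:
Security ID:
WGIT\B8-86-87-E3-55-58
Account Name:
b88687e35558
Client Machine:
Calling Station Identifier:B8-86-87-E3-55-58
NAS:
NAS Port:
0
Authentication Details:
Network Policy Name:Trusted Devices
Authentication Type:MS-CHAPv2
EAP Type:
-
"""

DENIED_EVENT = r"""Network Policy Server denied access to a user.Contact the Network Policy Server administrator for more information.
User:
Security ID: WGIT\B8-86-87-E3-55-58
Account Name: ok
Client Machine:
Calling Station Identifier:B8-86-87-E3-55-58
Authentication Details:
Network Policy Name:Guest
Authentication Type:EAP
Reason Code: 66
"""

if __name__ == "__main__":
    for event in (GRANTED_EVENT, DENIED_EVENT):
        print(review_event(event))
```

The event text NPS writes does not show the VLAN attributes it returned, so the script judges the outcome by the network policy name and the authentication type; a request from a MAC on the trusted list that lands in "Guest" with authentication type EAP and reason code 66 is exactly the pattern the second event above shows.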