Geekzone: technology news, blogs, forums




271 posts

Ultimate Geek
+1 received by user: 2


Topic # 146988 5-Jun-2014 09:29

I need to set up a RADIUS server to filter MAC addresses on a Windows 2008 server.

I have never done this before and it's for a client that wants to filter MAC addresses.

If there is anyone that knows how to do this or has done it and wants a job or is keen to talk me through it, let me know.

I'm happy to pay someone.

(I'm well out of my depth with this one)
By the way it's for a school - I'm meant to be donating my time and it's bitten me in the bum big time.




In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing.

864 posts

Ultimate Geek
+1 received by user: 163

Subscriber

  Reply # 1059579 5-Jun-2014 09:35

Hi Cadmax,
What exactly is the reason they are wanting to do MAC filtering? Do you mean 802.1X authentication for authenticating users or computers to a wireless or wired network?
I've got a draft blog post guide I could send you once I know what you're trying to achieve.

Would highly recommend going down the certificate route instead of creating AD users for MAC addresses, which anyone who knows how it works could abuse
(i.e. authenticate to the network just by using username and password as the MAC address of a trusted PC).

Using Certificate based authentication, Group Policy can configure each domain joined computer to enroll a computer certificate.
This then allows an authenticating computer to be tied to the computer account in AD, and given permission to connect to the network if the computer meets the requirements you define in NPS.
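Added example, not part of the thread or any poster's code: a defensive check for the weakness described in the reply above, where a MAC-auth account's username and password are both the MAC address. It scans simplified, constructed authentication records (not NPS's real log format) and flags accepted logons where a MAC account was used but the RADIUS Calling-Station-Id does not match the User-Name. It assumes MAC accounts are named as 12 hex digits without separators.

```python
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")

def norm_mac(value):
    """Strip common separators and lowercase; return 12 hex digits or None."""
    digits = re.sub(r"[-:.\s]", "", value or "").lower()
    return digits if HEX12.match(digits) else None

def audit(records, mac_accounts):
    """Return (index, reason) for accepted logons that misuse a MAC account."""
    findings = []
    for i, rec in enumerate(records):
        if rec.get("result") != "Access-Accept":
            continue  # rejected attempts are a separate review
        user = norm_mac(rec.get("User-Name"))
        if user is None or user not in mac_accounts:
            continue  # ordinary user or computer account, out of scope
        station = norm_mac(rec.get("Calling-Station-Id"))
        if station is None:
            findings.append((i, "no-station-id"))   # cannot tie logon to a device
        elif station != user:
            findings.append((i, "mac-mismatch"))    # credentials used from another adapter
    return findings

# Constructed sample data: account names and records are made up for illustration.
MAC_ACCOUNTS = {"001122334455", "0011223344aa"}
SAMPLE = [
    {"User-Name": "001122334455", "Calling-Station-Id": "00-11-22-33-44-55",
     "result": "Access-Accept"},
    {"User-Name": "0011223344aa", "Calling-Station-Id": "00:11:22:33:44:BB",
     "result": "Access-Accept"},
    {"User-Name": "SCHOOL\\teacher1", "Calling-Station-Id": "00-11-22-33-44-CC",
     "result": "Access-Accept"},
    {"User-Name": "001122334455", "Calling-Station-Id": "",
     "result": "Access-Accept"},
    {"User-Name": "0011223344aa", "Calling-Station-Id": "00-11-22-33-44-DD",
     "result": "Access-Reject"},
]

if __name__ == "__main__":
    for index, reason in audit(SAMPLE, MAC_ACCOUNTS):
        print(index, reason, SAMPLE[index]["User-Name"])
```

A clean result only shows that the two fields agree, not that the device is the one originally enrolled, which is the gap certificate authentication closes.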

2090 posts

Uber Geek
+1 received by user: 848


  Reply # 1059582 5-Jun-2014 09:36

Hi,
I'm a tad confused as to what you want to achieve.

I assume there are switches or wireless APs that are doing the authenticating against a RADIUS backend, based on MAC address.

If that is the case, here you go:
https://kb.meraki.com/knowledge_base/creating-an-nps-policy-for-mac-based-authentication

You can skip step 10.

NPS is Windows 2008's built-in RADIUS. Heads up: you will need to create AD accounts for all the MAC addresses you want to use.

If this is beyond you - I'd let the place know that you are happy to give it a go. Never lie.

 
 
 
 




271 posts

Ultimate Geek
+1 received by user: 2


  Reply # 1059584 5-Jun-2014 09:44

Hi. The network is a wireless network running UniFi AP back to the Windows box.

The school is running iPads on the wireless system.




In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing.

864 posts

Ultimate Geek
+1 received by user: 163

Subscriber

  Reply # 1059612 5-Jun-2014 10:00

Perfect. I just did this recently using UniFi, Network Policy Server on Windows Server 2008 R2, and a certificate authority.
To join a new iPad to the network we just install a computer certificate on the iPad, then connect to the wifi network; it uses the certificate to authenticate.
Do you know if they have the Certificate Authority role set up on a server there?

For a use case like you have described (just for wifi access from non-domain devices) you could probably get away with using MAC authentication as described by wasabi2k though.

If you are interested in the certificate route I'll expedite my blog post titled '802.1X Certificate authentication for non-domain devices'

864 posts

Ultimate Geek
+1 received by user: 163

Subscriber

  Reply # 1059621 5-Jun-2014 10:10

Alternatively, an easier method than setting up a certificate authority would be to use Meraki Systems Manager, which is a free cloud based Mobile Device Management service.

You could set up RADIUS for Active Directory user based authentication, then use MDM to connect using a specified username and password (i.e. create a 'School iPad' user account with a secure password).
If that ever got compromised, you can just roll out a new one through MDM.

It also then lets you see where all the iPads are, remote wipe, change settings, passcode locks, etc., if they don't have something in place already.

1307 posts

Uber Geek
+1 received by user: 169


  Reply # 1059797 5-Jun-2014 13:30

If you just want to set MAC address filtering on wireless you can do that on the APs without mucking around with RADIUS.





1943 posts

Uber Geek
+1 received by user: 127

Trusted

  Reply # 1060940 7-Jun-2014 16:06

hamish225: If you just want to set MAC address filtering on wireless you can do that on the APs without mucking around with RADIUS.

No, you don't want to do that in an educational environment where you likely have 100s of devices in regular use. RADIUS authentication is the way to go. I thought Windows Server had RADIUS as standard?




Qualified in business, certified in fibre, stuck in copper, have to keep going  ^_^

1307 posts

Uber Geek
+1 received by user: 169


  Reply # 1060953 7-Jun-2014 16:47

webwat:
hamish225: If you just want to set MAC address filtering on wireless you can do that on the APs without mucking around with RADIUS.

No, you don't want to do that in an educational environment where you likely have 100s of devices in regular use. RADIUS authentication is the way to go. I thought Windows Server had RADIUS as standard?


It does; you set up a Network Policy Server and connect it to your domain.




