Geekzone: technology news, blogs, forums




271 posts

Ultimate Geek
+1 received by user: 2


Topic # 146988 5-Jun-2014 09:29

I need to set up a RADIUS server to filter MAC addresses on a Windows 2008 server.

I have never done this before and it's for a client that wants to filter MAC addresses.

If there is anyone that knows how to do this or has done it and wants a job, or is keen to talk me through it, let me know.

I'm happy to pay someone.

(I'm well out of my depth with this one)
By the way it's for a school - I'm meant to be donating my time and it's bitten me in the bum big time.




In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing.

850 posts

Ultimate Geek
+1 received by user: 157

Subscriber

  Reply # 1059579 5-Jun-2014 09:35

Hi Cadmax,
What exactly is the reason they are wanting to do MAC filtering? Do you mean 802.1X authentication for authenticating users or computers to a wireless or wired network?
I've got a draft blog post guide I could send you once I know what you're trying to achieve.

Would highly recommend going down the certificate route instead of creating AD users for MAC addresses, which anyone who knows how it works could abuse
(i.e. authenticate to the network just by using username and password as the MAC address of a trusted PC).

Using Certificate based authentication, Group Policy can configure each domain joined computer to enroll a computer certificate.
This then allows an authenticating computer to be tied to the computer account in AD, and given permission to connect to the network if the computer meets the requirements you define in NPS.

2090 posts

Uber Geek
+1 received by user: 848


  Reply # 1059582 5-Jun-2014 09:36

Hi,
I'm a tad confused as to what you want to achieve.

I assume there are switches or wireless APs that are doing the authenticating against a RADIUS backend, based on MAC address.

If that is the case, here you go:
https://kb.meraki.com/knowledge_base/creating-an-nps-policy-for-mac-based-authentication

You can skip step 10.

NPS is Windows 2008's built-in RADIUS. Heads up: you will need to create AD accounts for all the MAC addresses you want to use.

If this is beyond you - I'd let the place know that you are happy to give it a go. Never lie.
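
An added example, not written by any poster in this thread: MAC-based authentication means one AD account per MAC address, with the MAC as its credentials, so this script audits a constructed account export for MAC-named accounts that are missing from, or reach beyond, the one group the NPS policy is meant to match. The group name `WiFi-MAC-Auth` and the CSV columns are assumptions.

```python
import csv
import io
import re

ALLOWED_GROUP = "WiFi-MAC-Auth"  # hypothetical group the NPS policy matches on

# Constructed sample export; Groups is an assumed ';'-separated column.
SAMPLE_EXPORT = """SamAccountName,Groups
a1b2c3d4e5f6,WiFi-MAC-Auth
00-11-22-AA-BB-CC,WiFi-MAC-Auth;Staff
0011.22aa.bbdd,
00:11:22:aa:bb:cc,WiFi-MAC-Auth
jsmith,Staff
"""


def normalise_mac(name):
    """Return 12 lowercase hex digits if name is written like a MAC, else None."""
    stripped = re.sub(r"[:.\-]", "", name.strip())
    if re.fullmatch(r"[0-9A-Fa-f]{12}", stripped):
        return stripped.lower()
    return None


def audit(export_text, allowed_group=ALLOWED_GROUP):
    """List (account, problem) pairs for MAC-named accounts in the export."""
    findings = []
    first_seen = {}  # normalised MAC -> first account name using it
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["SamAccountName"]
        mac = normalise_mac(name)
        if mac is None:
            continue  # ordinary user account, out of scope here
        groups = {g.strip() for g in (row["Groups"] or "").split(";") if g.strip()}
        if allowed_group not in groups:
            findings.append((name, "not in " + allowed_group))
        extra = sorted(groups - {allowed_group})
        if extra:
            findings.append((name, "extra groups: " + ", ".join(extra)))
        if mac in first_seen:
            findings.append((name, "same MAC as " + first_seen[mac]))
        else:
            first_seen[mac] = name
    return findings


if __name__ == "__main__":
    for account, problem in audit(SAMPLE_EXPORT):
        print(f"{account}: {problem}")
```
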

 
 
 
 




271 posts

Ultimate Geek
+1 received by user: 2


  Reply # 1059584 5-Jun-2014 09:44

Hi. The network is a wireless network running UniFi AP back to the Windows box.

The school is running iPads on the wireless system.




In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing.

850 posts

Ultimate Geek
+1 received by user: 157

Subscriber

  Reply # 1059612 5-Jun-2014 10:00

Perfect. I just did this recently using UniFi, Network Policy Server on Windows Server 2008 R2, and a certificate authority.
To join a new iPad to the network we just install a computer certificate on the iPad, then connect to the Wi-Fi network - it uses the certificate to authenticate.
Do you know if they have the Certificate Authority role set up on a server there?

For a use case like you have described (just for wifi access from non-domain devices) you could probably get away with using MAC authentication as described by wasabi2k though.

If you are interested in the certificate route I'll expedite my blog post titled '802.1X Certificate authentication for non-domain devices'

850 posts

Ultimate Geek
+1 received by user: 157

Subscriber

  Reply # 1059621 5-Jun-2014 10:10

Alternatively, an easier method than setting up a certificate authority would be to use Meraki Systems Manager, which is a free cloud based Mobile Device Management service.

You could set up RADIUS for Active Directory user based authentication, then use MDM to connect using a specified username and password (i.e. create a 'School iPad' user account with a secure password).
If that ever got compromised, you can just roll out a new one through MDM.

It also then lets you see where all the iPads are, remote wipe, change settings, passcode locks, etc. If they don't have something in place already.

1300 posts

Uber Geek
+1 received by user: 165


  Reply # 1059797 5-Jun-2014 13:30

If you just want to set MAC address filtering on wireless you can do that on the APs without mucking around with RADIUS.





1909 posts

Uber Geek
+1 received by user: 120

Trusted

  Reply # 1060940 7-Jun-2014 16:06

hamish225: If you just want to set MAC address filtering on wireless you can do that on the APs without mucking around with RADIUS.

No, you don't want to do that in an educational environment where you likely have 100s of devices in regular use. RADIUS authentication is the way to go. I thought Windows Server had RADIUS as standard?




Qualified in business, certified in fibre, stuck in copper, have to keep going  ^_^

1300 posts

Uber Geek
+1 received by user: 165


  Reply # 1060953 7-Jun-2014 16:47

webwat:
hamish225: If you just want to set MAC address filtering on wireless you can do that on the APs without mucking around with RADIUS.

No, you don't want to do that in an educational environment where you likely have 100s of devices in regular use. RADIUS authentication is the way to go. I thought Windows Server had RADIUS as standard?


It does; you set up a Network Policy Server and connect it to your domain.




