NPS settings for Mac Authentication Bypass (MAB) using 802.1x


Devices that don’t support 802.1x can be authenticated using mac authentication bypass or MAB.

There are two ways to achieve this:

  1. Mac authentication on NPS
  2. Radius based authentication

To achieve this, the switch port must be configured to attempt MAB either first (MAB as the priority method) or only after 802.1x authentication using EAP has failed.

When the authentication order is set to attempt MAB first, the switch, upon learning a mac address on a correctly configured port, sends that mac address to the NPS to authenticate it. If the NPS is configured to authorise the mac address itself, it simply looks for the mac address in its policy condition and, upon finding it, returns the vlan configured in the NPS policy, which the switch then applies to the port. However, if the NPS is configured to check mac addresses against Active Directory, the Active Directory group referred to by the NPS policy must contain the mac address as both the username and the password, without any hyphens. In other words, the mac address should be registered in Active Directory as userid: aabbccddeeff and password: aabbccddeeff instead of AA-BB-CC-DD-EE-FF.

There are many problems you can face when authenticating mac addresses via Active Directory, mainly because once Active Directory is littered with many mac address accounts, management becomes difficult. Moreover, Active Directory is sometimes not configured properly and has an access policy covering all authenticated users; since the password of such an account is the mac address itself, this can let someone log in on a host machine using nothing more than a mac address read off the back of a phone, which amounts to a significant security risk.

Due to these reasons, it’s preferable to authenticate mac addresses on the NPS itself.

NPS policy for mac based authentication:

The following screenshots depict the configuration of a pre-configured policy that authenticates printers based on mac addresses listed on the NPS itself and returns a vlan for the switch to configure on the switch port.
In the absence of an existing policy, right-click Connection Request Policies and click New to create one. While creating the new policy, ensure the settings mimic those in the screenshots below:

[Screenshot: nps-microsoft-802.1x-cisco]

Configure mac address authentication by adding either the full mac address or the OUI digits followed by a wildcard 'any' mask using an asterisk (*), so that every device whose address starts with that manufacturer prefix (not only printers) authenticates using this policy. If you define the full mac address, such as 64-16-7F-6A-22-B1, only the end device that uses this mac address will be authenticated and every other device will have its authentication attempt refused.

In the Settings tab, make sure the policy is set to accept users without validating credentials.

[Screenshot: nps-microsoft-802.1x-cisco]

Finally, define the settings for the end device under the 'Standard' option in the Settings tab, including the vlan and any other attributes, before applying the policy as shown below.

[Screenshot: nps-microsoft-802.1x-cisco]

Once configured, test that the connection works by attempting MAB authentication on the switch port. You should then see the switch apply the vlan defined in the NPS policy above to that port.
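To see how the two matching styles above behave before you commit them to NPS, here is an added Python model of the policy evaluation (my own illustration, not NPS code or anything from this post): it normalises the RADIUS Calling-Station-Id the way the Active Directory account name must be written (no hyphens, lowercase), then walks a constructed, ordered list of policies and returns the vlan of the first one whose full-address or OUI-wildcard pattern matches, or None for a refusal. The pattern syntax and policy names are assumptions for the example; NPS's own condition engine is not reproduced.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example policies (not from the original post). NPS evaluates
# policies top-down and applies the first one whose condition matches.
@dataclass
class MabPolicy:
    name: str
    pattern: str   # full MAC, or an OUI prefix with a trailing '*' wildcard
    vlan: str      # the vlan id handed back to the switch on success

def normalize_mac(mac: str) -> str:
    """Strip separators and lowercase: 'AA-BB-CC-DD-EE-FF' -> 'aabbccddeeff'.
    This is the form the AD username/password must take when MAB is checked
    against Active Directory; Cisco dotted form (aabb.ccdd.eeff) also works."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a policy pattern against the normalized MAC. An OUI prefix with
    '*' matches every device from that vendor (printer or not); a full
    12-hex-digit address matches exactly one device."""
    body = pattern.strip()
    wildcard = body.endswith("*")
    if wildcard:
        body = body[:-1]
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", body).lower()
    if not wildcard and len(hexdigits) != 12:
        raise ValueError(f"full MAC pattern needs 12 hex digits: {pattern!r}")
    return re.compile("^" + re.escape(hexdigits) + (".*" if wildcard else "") + "$")

def evaluate(policies: List[MabPolicy], calling_station_id: str) -> Optional[Tuple[str, str]]:
    """Return (policy name, vlan) for the first matching policy, or None when
    no policy accepts the MAC (the switch would receive an Access-Reject)."""
    mac = normalize_mac(calling_station_id)
    for policy in policies:
        if pattern_to_regex(policy.pattern).match(mac):
            return policy.name, policy.vlan
    return None

# Constructed policies: one exact printer address, one vendor-wide OUI rule.
POLICIES = [
    MabPolicy("Printer-exact", "64-16-7F-6A-22-B1", "30"),
    MabPolicy("Printer-vendor-OUI", "64-16-7F-*", "30"),
]
```

Running evaluate() over your planned address list shows which devices an OUI wildcard would admit that an exact-address condition would not.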

Got questions? Leave a comment! Let’s chat.

Rafay Rasool is a Network Specialist with over 8 years of experience designing, configuring and implementing core network solutions based predominantly but not limited to Juniper Routers, Switches and Firewalls along with other vendors such as Cisco, Huawei, Siemens, Aerohive, Ringmaster, Pulse etc. for Internet Service Provider and Enterprise Networks.

Rafay is an avid supporter of network automation and likes to code and automate networking solutions.