
I am currently working on a Microsoft NPS solution to provide 802.1x MAC authentication for wired and wireless clients along with providing a VLAN for the clients to be moved to.

It currently works perfectly with our wireless APs and switches; however, we would like the NPS/RADIUS server to respond with an Access-Accept even if the MAC address fails to authenticate, which in turn would place the client in a guest/registration VLAN.

Is it possible to create a policy or rule on the NPS server that would have the effect of authorising MAC addresses that are not in the database and providing a relevant VLAN tag?

We already use the VLAN/tunnel-id field for VLAN tagging of the authorised users and it's great.

Thanks

sysadmin1138
dave

1 Answer


Sometimes the authenticator (depending on vendor) can act on an Access-Reject by design to place the end device in a holding VLAN. It might be called an authentication-failure VLAN by some, but each vendor who implements a feature like this has a slightly different name for it.

I have yet to find anything within NPS that can provide the same result.

Juniper calls it the server-reject-vlan - http://www.juniper.net/techpubs/en_US/junos9.3/topics/reference/configuration-statement/server-reject-vlan-edit-protocols-dot1x-authenticator-interface-802-1x.html

Matt
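The question relies on the RADIUS tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) to carry the VLAN, and the answer points out that the reject path is handled by the authenticator, not by NPS. The following Python block is an added example, not code from the question, the answer, NPS or any switch vendor: it encodes an Access-Accept carrying those three RFC 2868 attributes, and decodes a reply the way an authenticator would, verifying the Response Authenticator (MD5 over the header, the request authenticator, the attributes and the shared secret, per RFC 2865) before trusting any VLAN it contains. The shared secret, identifiers and VLAN number are constructed sample values. An Access-Reject yields no VLAN from the parser, which is exactly the point where a vendor's "server-reject VLAN" feature takes over.

```python
import hashlib
import hmac
import struct

# Constructed sample secret for this example; not a value from the page.
SHARED_SECRET = b"example-shared-secret"

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# RFC 2868 tunnel attributes used for dynamic VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value "IEEE-802"


def _avp(attr_type, value):
    """Encode one attribute-value pair: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan, tag=0):
    """Build the three RFC 2868 attributes that carry a VLAN assignment (tagged, tag 0 by default)."""
    tag_byte = struct.pack("!B", tag)
    return (
        _avp(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _avp(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan).encode())
    )


def build_response(code, ident, request_authenticator, attributes, secret=SHARED_SECRET):
    """Encode a RADIUS response whose Response Authenticator is computed per RFC 2865 section 3."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, ident, length)
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def parse_response(packet, request_authenticator, secret=SHARED_SECRET):
    """Verify the Response Authenticator, then decode attributes into {type: value}."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    resp_auth = packet[4:20]
    attributes = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attributes + secret).digest()
    # Constant-time compare: a reply that fails this check must be discarded, not acted on.
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    attrs = {}
    pos = 0
    while pos < len(attributes):
        if pos + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        a_type, a_len = attributes[pos], attributes[pos + 1]
        if a_len < 2 or pos + a_len > len(attributes):
            raise ValueError("malformed attribute")
        attrs[a_type] = attributes[pos + 2 : pos + a_len]
        pos += a_len
    return code, ident, attrs


def assigned_vlan(attrs):
    """Return the VLAN from Tunnel-Private-Group-ID when the reply is a VLAN assignment, else None."""
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if any(a not in attrs for a in needed):
        return None
    # Tunnel-Type / Tunnel-Medium-Type: 1 tag byte followed by a 3-byte integer
    ttype = int.from_bytes(attrs[TUNNEL_TYPE][1:], "big")
    medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1:], "big")
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return None
    gid = attrs[TUNNEL_PRIVATE_GROUP_ID]
    # RFC 2868: a leading byte <= 0x1F is a tag; anything larger is part of the string itself
    if gid and gid[0] <= 0x1F:
        gid = gid[1:]
    return gid.decode()


if __name__ == "__main__":
    # Constructed request authenticator; a real client picks 16 random bytes per request.
    req_auth = bytes(range(16))
    accept = build_response(ACCESS_ACCEPT, 7, req_auth, vlan_attributes(100))
    code, ident, attrs = parse_response(accept, req_auth)
    print("Access-Accept id", ident, "-> VLAN", assigned_vlan(attrs))
    reject = build_response(ACCESS_REJECT, 8, req_auth, b"")
    print("Access-Reject carries VLAN:", assigned_vlan(parse_response(reject, req_auth)[2]))
```

Two design points worth keeping in mind when reading NPS traffic with a decoder like this: the Response Authenticator is what stops a spoofed Access-Accept from moving a port into a VLAN, so a mismatch should be logged and dropped rather than tolerated; and because MAC authentication offers no stronger credential than the address itself, the VLAN a reply assigns is a segmentation decision, not proof of identity.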