Thursday, March 8, 2018

What are you using for Radius authentication for wired 802.1x that isn't NPS or ISE?

We are looking to turn on 802.1x authentication on network switch ports. For ports with domain PCs attached this is simple - computer certificates (automatically pushed via group policy) and Radius to NPS servers.

The problem is how to accommodate things that aren't domain PCs like printers and phones. MAC address bypass (MAB) seems like the answer, but with NPS as the authentication agent, that would require creating a user object in AD for every MAC address and setting the password to the MAC address. Not exactly an appealing option.

ISE is an option, but seems to be very much overkill for such a simple task.

So, what are you folks using for 802.1x other than ISE or NPS?

I'm thinking I'd point my switches to a local NPS server. The NPS servers would have a proxy policy such that authentication requests that consisted of MAC addresses would be forwarded off to another Radius server which would contain the MAC address of all our phones and printers.

But what Radius server? Bonus points if it runs under Windows.
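The split the post describes (EAP requests handled locally, MAC-address-only requests forwarded to a second RADIUS server holding the phone and printer MACs) comes down to two decisions: recognising a MAB request from its attributes, and checking the presented MAC against an allow list. The following Python is an added example, not code from the post or from any RADIUS product; the request dictionaries, server-group names and the MAC allow list are constructed here for illustration. It generalises slightly beyond the post by normalising the MAC spellings switches commonly send (bare hex, dash, colon, and dotted forms) and by checking that User-Name agrees with Calling-Station-Id, which is a cheap sanity check a proxying policy can apply before forwarding.

```python
import re
from typing import Dict, Optional, Set, Tuple

# A bare MAC as MAB typically sends it: 12 hex digits, no separators.
# The same pattern is what a proxy rule matching on User-Name would use.
BARE_MAC = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value: str) -> Optional[str]:
    """Reduce any common MAC spelling to 12 lowercase hex digits, or None.

    Accepts 'aabbccddeeff', 'AA-BB-CC-DD-EE-FF', 'aa:bb:cc:dd:ee:ff' and
    'aabb.ccdd.eeff'; anything that is not exactly 12 hex digits after
    stripping separators is rejected.
    """
    cleaned = re.sub(r"[-:.\s]", "", value.strip().lower())
    return cleaned if BARE_MAC.fullmatch(cleaned) else None


def classify_request(attrs: Dict[str, str]) -> str:
    """Label a RADIUS Access-Request by the kind of authentication it carries.

    'eap'   - carries EAP-Message (802.1X, e.g. the domain PC certificate case)
    'mab'   - User-Name is a bare MAC address (MAC authentication bypass)
    'other' - neither; a plain username/password request, for example
    """
    if "EAP-Message" in attrs:
        return "eap"
    if normalize_mac(attrs.get("User-Name", "")) is not None:
        return "mab"
    return "other"


def route_request(attrs: Dict[str, str],
                  local_group: str = "LOCAL-NPS",        # constructed name
                  mab_group: str = "MAB-RADIUS") -> str:  # constructed name
    """Pick the server group a connection-request (proxy) rule would forward to."""
    return mab_group if classify_request(attrs) == "mab" else local_group


def evaluate_mab(attrs: Dict[str, str], allowed_macs: Set[str]) -> Tuple[bool, str]:
    """Decide a MAB request against an allow list of normalised MACs.

    Returns (accept, reason). Besides the allow-list lookup it requires that
    User-Name and Calling-Station-Id (when present) name the same MAC, so a
    request whose username does not match the port's observed MAC is refused.
    """
    user_mac = normalize_mac(attrs.get("User-Name", ""))
    if user_mac is None:
        return False, "User-Name is not a MAC address"
    caller_mac = normalize_mac(attrs.get("Calling-Station-Id", ""))
    if caller_mac is not None and caller_mac != user_mac:
        return False, "User-Name does not match Calling-Station-Id"
    if user_mac not in allowed_macs:
        return False, "MAC not in allow list"
    return True, "MAC authorised"


# Constructed allow list: the MACs of "our phones and printers".
ALLOWED = {normalize_mac(m) for m in ("00-11-22-33-44-55", "aabb.ccdd.eeff")}

# Constructed sample requests as a switch might send them.
PRINTER_REQ = {"User-Name": "001122334455",
               "Calling-Station-Id": "00-11-22-33-44-55",
               "NAS-Port-Type": "Ethernet"}
UNKNOWN_REQ = {"User-Name": "deadbeef0001",
               "Calling-Station-Id": "DE-AD-BE-EF-00-01"}
SPOOF_REQ = {"User-Name": "001122334455",          # claims the printer...
             "Calling-Station-Id": "DE-AD-BE-EF-00-01"}  # ...from another MAC
PC_REQ = {"User-Name": "host/pc01.example.test",
          "EAP-Message": "<eap payload>"}


def demo() -> Dict[str, Tuple[str, bool, str]]:
    """Route and evaluate each sample request; keyed by sample name."""
    results = {}
    for name, req in (("printer", PRINTER_REQ), ("unknown", UNKNOWN_REQ),
                      ("spoof", SPOOF_REQ), ("pc", PC_REQ)):
        target = route_request(req)
        ok, why = evaluate_mab(req, ALLOWED) if target == "MAB-RADIUS" else (False, "not MAB")
        results[name] = (target, ok, why)
    return results


if __name__ == "__main__":
    for name, (target, ok, why) in demo().items():
        print(f"{name:8s} -> {target:10s} accept={ok} ({why})")
```

Only the MAB branch is evaluated here; the EAP request is simply routed to the local group, as it would be in the author's design, where certificate validation stays with NPS.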
