Hey everyone. Need some advice on how to make MD5 MAB work with NPS. Here's the setup:
- My switches (Aerohive SR23xx, Broadcom FastPath based) only support MD5-Challenge for MAB. PAP, CHAP, etc. are not an option.
- I have a NAC (FortiNAC, formerly Bradford Networks) that handles all of the MAC address registrations and fingerprinting. It forwards anything EAP (for example EAP-TLS/certificates) to an external server (NPS in my case) for authentication and handles PAP/CHAP MAB messages locally.
The flow for all things EAP (including the MD5 MAB messages) goes like this: switch <-> NAC <-> NPS
The flow for PAP/CHAP MAB goes like this: switch <-> NAC
Since my NAC is the database for all of the MAB devices, but can't directly process MD5 requests, I'm trying to get NPS to send an Access-Accept message for any request where the username is a MAC address. Easy enough, I thought: I'll write a Connection Request Policy using "Accept users without validating credentials" whenever the username is a MAC address.
The Access-Accept message fires as expected, but it does not include the "EAP-Message" field. My switch then complains that the response was not of the correct EAP type and authentication fails.
The only way I can get NPS to send an Access-Accept that includes EAP-Message is to create an account in AD:
- Username = MAC address
- Password = MAC address
- Password uses reversible encryption
Obviously, this isn't a workable solution for several thousand MAC addresses.
How do I handle this? Am I missing something in NPS? Do I need to process these messages with something like FreeRADIUS? I'm open to all suggestions.
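The symptom described above (an Access-Accept the switch rejects because it carries no EAP-Message) can be verified on the wire rather than inferred from switch logs. The following is an added example, not code from the original post or from NPS, FortiNAC or Aerohive: it assembles a RADIUS Access-Accept with and without an EAP-Success inside EAP-Message and lists what an EAP-speaking switch would reject, including the RFC 3579 Message-Authenticator check. The shared secret, Request Authenticator and EAP identifier are constructed values.

```python
import hashlib, hmac, struct

ACCESS_ACCEPT, EAP_MESSAGE, MESSAGE_AUTHENTICATOR, EAP_SUCCESS = 2, 79, 80, 3

def avp(atype, value):
    return bytes([atype, len(value) + 2]) + value

def build_accept(ident, req_auth, secret, attrs):
    """Assemble an Access-Accept: Message-Authenticator (RFC 3579 3.2), then Response Authenticator (RFC 2865)."""
    body = b"".join(attrs) + avp(MESSAGE_AUTHENTICATOR, bytes(16))
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    ma = hmac.new(secret, head + req_auth + body, hashlib.md5).digest()
    body = body[:-16] + ma  # Message-Authenticator is the last attribute
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def attributes(packet):
    """Yield (type, value, offset of value) for each AVP after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen], pos + 2
        pos += alen

def check_eap_accept(resp, req_auth, secret, eap_id):
    """List what an EAP-speaking switch would reject in an Access-Accept; [] means it should pass."""
    problems = []
    attrs = list(attributes(resp))
    eap = b"".join(v for t, v, _ in attrs if t == EAP_MESSAGE)  # fragments concatenate in order
    if not eap:
        problems.append("no EAP-Message attribute")  # the symptom described in the post
    elif len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        problems.append("EAP-Message length field does not match its payload")
    elif eap[0] != EAP_SUCCESS or eap[1] != eap_id:
        problems.append(f"EAP packet is not an EAP-Success for identifier {eap_id}")
    ma = [(v, off) for t, v, off in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(ma) != 1 or len(ma[0][0]) != 16:
        problems.append("missing or malformed Message-Authenticator (required alongside EAP-Message)")
    else:
        value, off = ma[0]
        zeroed = resp[:4] + req_auth + resp[20:off] + bytes(16) + resp[off + 16:]
        if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value):
            problems.append("Message-Authenticator does not verify against the shared secret")
    return problems

# Constructed sample exchange: the shared secret, Request Authenticator and EAP identifier are made up.
SECRET, REQ_AUTH, EAP_ID = b"constructed-secret", bytes(range(16)), 7
NO_EAP = build_accept(1, REQ_AUTH, SECRET, [])  # the Access-Accept the post says NPS sends
WITH_EAP = build_accept(1, REQ_AUTH, SECRET, [avp(EAP_MESSAGE, struct.pack("!BBH", EAP_SUCCESS, EAP_ID, 4))])
```

Running `check_eap_accept` over a capture of the real NPS reply (with the NAC's shared secret and the Request Authenticator from the matching Access-Request) shows whether the reply is missing EAP-Message or is failing for another reason such as a bad Message-Authenticator.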