Enhance your 802.1x deployment security with MAC filtering

Ever wanted to tighten security to the point where only specific machines are allowed onto your 802.1x/wireless network? Here's the solution: combine MAC filtering with EAP authentication and you get user AND machine authentication all in one.


Here’s how you would go about doing this:

  1. Create your users (or, if you prefer machine authentication, join the machines to the domain).
  2. Decide on the authentication method (EAP-TLS, PEAP-EAP-MSCHAPv2 or PEAP-EAP-TLS).
  3. Collect the MAC addresses of your machines.
  4. Add each machine's MAC address to the "Calling-Station-ID" field on the Dial-in tab of the user or computer object's properties in the "Active Directory Users and Computers" MMC snap-in.
  5. Alternatively, use any LDAP client, the ADSIEdit SDK utility, or an ADSI script to do or automate this.
  6. Authenticate with your client.

Be aware that "MAC authentication" alone is NOT secure: MAC addresses are easily forged, and there is no guarantee that an address is globally unique. The MAC check here is a second factor layered on top of EAP credentials, not a replacement for them.


Tip: The Calling-Station-ID field is a regular expression, so you can put entries like A1B2C3D4E5F6|A2B3C4D5E6F7 in it if you want to allow multiple addresses for the same account (say a user has more than one laptop, or multiple NICs).
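To show step 5 of the procedure and the tip above together, here is an added PowerShell example (not code from the original post or the IAS/NPS team). It normalizes MAC addresses exported in mixed formats, builds an alternation pattern for several NICs, and writes it to the account with the ActiveDirectory module. It assumes that the attribute behind the Dial-in tab's caller-ID field is msNPCallingStationID, and that the separator style chosen ('-' by default) matches what your access points actually send in the RADIUS Calling-Station-Id attribute; vendors differ here, so check a real Access-Request in the NPS log before rolling this out. It goes slightly beyond the tip by anchoring the pattern so that a longer, unrelated string cannot partially match.

```powershell
# Added example, not part of the original post.
# Assumptions: ActiveDirectory module available; the Dial-in tab's caller-ID
# field is stored in msNPCallingStationID; '-' is the octet separator your
# NAS sends in Calling-Station-Id (adjust -Separator if yours differs).

function ConvertTo-NormalizedMac {
    param(
        [Parameter(Mandatory)][string]$Mac,
        [string]$Separator = '-'
    )
    # Strip every separator style an inventory export might use, then validate
    # that exactly twelve hex digits remain.
    $hex = ($Mac -replace '[-:.\s]', '').ToUpperInvariant()
    if ($hex -notmatch '^[0-9A-F]{12}$') {
        throw "Not a valid MAC address: '$Mac'"
    }
    # Re-insert the separator between octets, e.g. A1-B2-C3-D4-E5-F6.
    return ([regex]::Matches($hex, '..').Value -join $Separator)
}

function New-CallingStationIdPattern {
    param(
        [Parameter(Mandatory)][string[]]$MacAddresses,
        [string]$Separator = '-'
    )
    $normalized = $MacAddresses | ForEach-Object {
        ConvertTo-NormalizedMac -Mac $_ -Separator $Separator
    }
    # Escape each entry (a '.' separator would otherwise match any character)
    # and anchor the alternation so only a whole-string match is accepted.
    $escaped = $normalized | ForEach-Object { [regex]::Escape($_) }
    return '^(' + ($escaped -join '|') + ')$'
}

function Set-AccountCallingStationId {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$MacAddresses,
        [ValidateSet('User', 'Computer')][string]$ObjectType = 'Computer',
        [string]$Separator = '-'
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $pattern = New-CallingStationIdPattern -MacAddresses $MacAddresses -Separator $Separator
    $attr = @{ msNPCallingStationID = $pattern }
    if ($ObjectType -eq 'User') {
        Set-ADUser -Identity $Identity -Replace $attr
        $obj = Get-ADUser -Identity $Identity -Properties msNPCallingStationID
    } else {
        Set-ADComputer -Identity $Identity -Replace $attr
        $obj = Get-ADComputer -Identity $Identity -Properties msNPCallingStationID
    }
    # Read the value back so the caller can confirm what NPS will evaluate.
    return $obj.msNPCallingStationID
}

# Constructed sample input (hypothetical account and addresses):
# Set-AccountCallingStationId -Identity 'LAPTOP-01$' `
#     -MacAddresses 'a1:b2:c3:d4:e5:f6', 'A2-B3-C4-D5-E6-F7'
# stores ^(A1-B2-C3-D4-E5-F6|A2-B3-C4-D5-E6-F7)$ on the computer account.
```

Run it once per account from a workstation with RSAT installed and a domain account that can modify the target object; the returned string is what NPS will match against the Calling-Station-Id the access point reports, so if a client is rejected after this change, compare that returned pattern with the attribute value in the NPS accounting log rather than with the MAC as printed on the device.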


Enjoy!

Sam.Salhi@online.microsoft.com

IAS/EAP/NPS team