Microsoft NPS – MAB and Cisco Switch Configuration – Super Helpful Link


This guide is spot-on. Step by step and super helpful.

NPS (Radius) with MAB on Cisco Switch

Specifically:

“hey dude!

a couple things that hopefully will be helpful for you:
you should not create a user account for anything MAB related; NPS has this covered – delete that user

You’ll need to create a CRP for every VLAN that you’re dumping MACs into.

Here we go!

Create a Connection request policy:

Name the policy – hit next

select NAS port type on the “Specify Conditions Screen” – select “Add”

On the NAS port type popup screen, check “Ethernet” under “Common 802.1x connection tunnel types” – then hit OK – then hit next

On the “Specify Connection Request Forwarding” screen select the bubble for “Accept Users without validating credentials” – then hit next

On the “Configure settings” screen, leave defaults and hit next

You will now be on the default NPS screen, right click on the newly created CRP policy and select “Properties”

Select the “Conditions” tab on the Properties window, click “add”

Select “Calling station ID” ( do not select “called station id”) and then click “add”

This is where you add the mac addresses of machines that you want to MAB; Start off every MAC with ^ and end every MAC with $ and add a | after every one.

i.e. ^12-34-56-ab-cd-ef$|^67-89-10-gt-hy-jy$|

click apply/ok once you have finished adding mac addresses.

Now click on the “Settings” tab of the Properties window

Under “Radius Attributes” on the left hand side click “Standard”

Select “802.1x” under the Access Types of the pop up window

Highlight “Tunnel-Type-Medium” and click Add

Click “Add” again on the Attribute Information popup window

Select the bubble for “Commonly used for 802.1x” and then ensure the “802 (includes all 802 media plus….)” is in the drop down window – hit ok, hit ok again

Select “Tunnel-PVT-Group-ID” from the attributes drop down (you should still be in the “Add Standard RADIUS Attributes” popup window)

select Add, and Add again, select the “String” bubble, type the VLAN name that you want these MAC addresses to be dumped in (EXACTLY AS IT APPEARS ON THE SWITCH) – hit ok, hit ok again

Then Select “Tunnel-type” (Still in attribute popup) click add, click add again

Select “Commonly used for 802.1x” bubble – select “Virtual LANs (VLANS)” from the drop down

Now click – ok, ok, close, apply

And now you have a MAB policy!!!!

Get rid of the Network request policy – you don’t need it for MAB (yes, seriously, delete it)

You’ll need to create the above CRP for every VLAN

Let me know if you have issues – Good luck!!!”
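
One way to generate the “Calling station ID” value from a MAC inventory instead of typing it by hand, as an added PowerShell example that is not part of the quoted guide or the linked post. The function name ConvertTo-MabPattern and the sample MACs are constructed; it emits lowercase hyphen-separated MACs as in the guide's example, on the assumption that this is the form the switch sends.

```powershell
# Added example: build the anchored MAC alternation for an NPS
# "Calling station ID" condition. ConvertTo-MabPattern is a hypothetical helper.
function ConvertTo-MabPattern {
    param([Parameter(Mandatory)][string[]]$Mac)

    $seen = [System.Collections.Generic.HashSet[string]]::new()
    $terms = foreach ($m in $Mac) {
        # Strip the usual separators (aa:bb:.., aa-bb-.., aabb.ccdd.eeff) and lowercase.
        $hex = ($m -replace '[-:.\s]', '').ToLowerInvariant()
        if ($hex -notmatch '^[0-9a-f]{12}$') {
            # Reject typos and non-hex characters before they reach the policy.
            throw "Not a MAC address (need 12 hex digits): '$m'"
        }
        # Re-emit as xx-xx-xx-xx-xx-xx, the form used in the guide's example.
        $norm = $hex -replace '(..)(?!$)', '$1-'
        # Anchor each entry with ^ and $; skip duplicates.
        if ($seen.Add($norm)) { "^$norm`$" }
    }
    # Join with | BETWEEN entries only. In .NET regex a trailing | is an empty
    # alternative that matches any string; how NPS treats one is not stated in
    # the post, so this example emits none.
    $terms -join '|'
}

# Constructed sample inventory: three notations, one duplicate.
$pattern = ConvertTo-MabPattern -Mac '00:11:22:AA:BB:CC', '0011.22aa.bbcc', '66-77-88-dd-ee-ff'
"Paste into the condition: $pattern"

# Sanity check with the .NET regex engine before pasting into NPS:
# one listed MAC, one unlisted MAC, and a listed MAC with extra characters.
foreach ($probe in '66-77-88-dd-ee-ff', 'de-ad-be-ef-00-01', '66-77-88-dd-ee-ff-00') {
    '{0,-22} strict: {1,-5}  with trailing |: {2}' -f $probe,
        ($probe -match $pattern), ($probe -match "$pattern|")
}
```

The last column shows why the separator placement matters: with an empty alternative at the end, the .NET engine reports a match for every probe, including the unlisted MAC.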

