Recent changes to Configuration example

Discussion for Configuration example page

yanqian — Thu, 24 Jan 2019 12:17:38 -0000

Thank you for sharing this plugin.
It would be better if the image link could be fixed, although it does not affect reading.

Configuration example modified by Mikhail Monko

Mikhail Monko — Sat, 11 Jun 2016 08:30:25 -0000

--- v1
+++ v2
@@ -3,7 +3,8 @@
 You can create a new rule using NPS regex to match requests where there is a mac-address in the username. It looks like following:
 ^(([0-9]|[a-f]|[A-F]){12})$
 Below is a screenshot of such a policy. It's recommended to put it at the bottom of your policy list.
- 
+ 
+If you work only with Cisco equipment you can replace regex with following condition: Service Type = Call-Check.
 You can also add one more condition - NAS Port type =  Ethernet.
 It's not needed to update your Network Policies because authorization will be done by the MAB plugin.
  
@@ -17,12 +18,12 @@
  
 Step 3 - MAB plugin installation and configuration
 Final step is installing the plugin on the NPS server and filling in mac-address database.
-Please note that before installing the plugin you have to install Microsoft .Net framework 4.5.2 x64 and Microsoft Visual C++ Redistributable 2015 x64. Send a request to customers@infosys-solutions.com in order to get a setup package for an extended version or download a free version from here.
-One the packages and the plugin are installed open the editor.
+Please note that before installing the plugin you have to install Microsoft .Net framework 4.5.2 x64 and Microsoft Visual C++ Redistributable 2015 x64. They are included in the installation package.
+Once the packages and the plugin are installed open the editor.
 First of all you should add/update your authorization profiles that can be found in Settings menu.
-
+
 There are 3 types of authorization profiles: permit access only, permit access and put device to a voice vlan (for ip phones), permit access and put device to a specified data vlan.
 When necessary profiles are configured go back to the main window and add mac-addresses of your devices that are going to be authenticated with help of MAB.
-
+
 When done press Save config button. As the plugin hasn't been running yet you have to restart NPS service to load it.
 Refer to Windows Application Event log to see if plugin's initialization was successful. You can enable debugging to a text file if you experience problems (go to Settings menu of the editor and press Enable Debug button). It will take effect after NPS restart or within 30 minutes after auto-reload of the plugin.

Configuration example modified by Mikhail Monko

Mikhail Monko — Sat, 11 Jun 2016 08:23:53 -0000

Step 1 - NPS policy update

First of all you have to adapt your NPS Connection Request Policy if existing policy doesn't match mac-address authentication requests.

You can create a new rule using NPS regex to match requests where there is a mac-address in the username. It looks like following:

^(([0-9]|[a-f]|[A-F]){12})$

Below is a screenshot of such a policy. It's recommended to put it at the bottom of your policy list.

You can also add one more condition - NAS Port type = Ethernet.

It's not needed to update your Network Policies because authorization will be done by the MAB plugin.

Step 2 - Cisco switch configuration

Next step is configuring your network devices for MAB. It's assumed that you work with Cisco Catalyst switches. If you are using 802.1x already you need to add just one command on all access-ports: mab

Full configuration is present below:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host <IP> key <key> (you can use server group in the new software versions)

interface range <your access ports>
switchport mode access
switchport voice vlan <id> (if present)
authentication port-control auto
authentication host-mode multi-domain
dot1x pae authenticator

You can tune dot1x timers if necessary.

By default, switches try to authenticate device with dot1x but if there is no reply they start MAB after a timeout.

Enable "debug radius" to check what info is sent to NPS in requests and what is received in replies.

Step 3 - MAB plugin installation and configuration

Final step is installing the plugin on the NPS server and filling in mac-address database.

Please note that before installing the plugin you have to install Microsoft .Net framework 4.5.2 x64 and Microsoft Visual C++ Redistributable 2015 x64. Send a request to customers@infosys-solutions.com in order to get a setup package for an extended version or download a free version from here.

One the packages and the plugin are installed open the editor.

First of all you should add/update your authorization profiles that can be found in Settings menu.

There are 3 types of authorization profiles: permit access only, permit access and put device to a voice vlan (for ip phones), permit access and put device to a specified data vlan.

When necessary profiles are configured go back to the main window and add mac-addresses of your devices that are going to be authenticated with help of MAB.

When done press Save config button. As the plugin hasn't been running yet you have to restart NPS service to load it.

Refer to Windows Application Event log to see if plugin's initialization was successful. You can enable debugging to a text file if you experience problems (go to Settings menu of the editor and press Enable Debug button). It will take effect after NPS restart or within 30 minutes after auto-reload of the plugin.