Most companies want to protect their internal wired and wireless networks and authenticate all connected devices, including user laptops, IP phones, printers and so on.
Companies of all sizes, from small firms to large enterprises, use Microsoft Network Policy Server (NPS) for connection authentication and authorization.
Unfortunately, it has one big disadvantage: no explicit support for MAC-address-based authentication when a connected device (like a printer or an IP phone) doesn't support 802.1X authentication.
We developed an extension for Microsoft NPS that adds support for MAC authentication bypass (MAB). From now on you can authenticate all devices in your network and, more importantly, put them into any VLAN you like depending on the device type.
Integrating the MAB plugin with NPS takes little effort: install it on the servers running NPS and create a list of authorized MAC addresses. If an end device supports the 802.1X standard, it is authenticated by your NPS policy. If MAC authentication bypass is used, the connection request is handled by the extension plugin.
The MAB plugin can perform one of the following actions for a host:
1) permit access to the network for a certain MAC address;
2) permit access and put the host into a voice VLAN that is configured on the network switch or specified in a profile (this option is for IP phones);
3) permit access and put the host into a specified data VLAN.
The plugin was made to support Cisco Systems switches, but we are planning to adapt it to equipment from other vendors.
Below is a link to a configuration example:
[Configuration example]
[Troubleshooting]
Please post any remarks or suggestions regarding my plugin.
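
The three actions listed above, sketched as an added example (not the plugin's code; its source is not on this page). The allow-list layout, the function names and the sample MAC addresses are assumptions made for illustration. The reply attributes are the standard RADIUS VLAN-assignment attributes and the Cisco voice-class pair.

```python
import re

# Standard RADIUS attributes for dynamic VLAN assignment (RFC 3580).
def vlan_attrs(vlan_id):
    return {"Tunnel-Type": "VLAN",             # value 13
            "Tunnel-Medium-Type": "IEEE-802",  # value 6
            "Tunnel-Private-Group-ID": str(vlan_id)}

# Cisco vendor-specific pair that marks the device as a voice endpoint.
VOICE_ATTR = {"Cisco-AVPair": "device-traffic-class=voice"}

def normalize_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[-:.\s]", "", raw or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

# Constructed sample allow-list; this layout is hypothetical and is NOT
# the format of the plugin's mab.txt or rules.txt.
ALLOWED = {
    "0050568a1b2c": {"action": "permit"},             # action 1
    "001122334455": {"action": "voice"},              # action 2, switch voice VLAN
    "001122334466": {"action": "voice", "vlan": 120}, # action 2, VLAN from profile
    "aabbccddeeff": {"action": "data", "vlan": 30},   # action 3
}

def decide(user_name, calling_station_id):
    """Return (verdict, reply_attributes) for one Access-Request."""
    user = normalize_mac(user_name)
    station = normalize_mac(calling_station_id)
    # A Cisco switch doing MAB sends the device MAC as User-Name. Anything
    # else is an 802.1X identity and is left to the normal NPS policy.
    if user is None or user != station:
        return ("not-mab", {})
    entry = ALLOWED.get(user)
    if entry is None:
        return ("reject", {})   # unknown MAC: no access
    attrs = {}
    if entry["action"] == "voice":
        attrs.update(VOICE_ATTR)
    if "vlan" in entry:
        attrs.update(vlan_attrs(entry["vlan"]))
    return ("accept", attrs)

if __name__ == "__main__":
    print(decide("aabbccddeeff", "AA-BB-CC-DD-EE-FF"))
```

Comparing User-Name with Calling-Station-Id keeps a user who simply types a listed MAC as an 802.1X identity from matching an allow-list entry.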
Hi Mikhail
I have NPS installed onto a Server 2012R2 VM. Unfortunately after installing the NPS MAB plugin, I am unable to start the Network Policy Server service.
The service immediately terminates after starting with the following error: The server threw an exception.
This is shown as an event ID 7023 in the system event log.
I am not sure how to view the actual exception. Do you have any troubleshooting advice?
Hi Adam,
Do you have UAC enabled? If so I suggest granting full access for everyone
(as a test measure) to files in the plugin's directory (C:\Program
Files\NPS.MAB.Extension).
The main files there are log.txt (need to grant full access for everyone),
rules.txt (need to grant read access to everyone) and mab.txt (read access
to everyone).
Try also to execute test_plugin_init.bat (in the scripts subfolder) on
behalf of administrator. Usually it helps.
Let me know if it doesn't help.
Regards,
Mikhail
2017-11-17 20:51 GMT+04:00 Adam Reid rakim71@users.sf.net:
Hi Mikhail,
Probably a low possibility you see this, but I thought I would try anyway.
I was wondering if the source code is available anywhere?
I'm looking to make something similar to this for my next project.
Have not really done anything like this before, and sorta new to this whole NPS thing.
So I would love to be able to take inspiration from how you made this, if possible.
Hi Oliver,
I don't have access to my computer now where sources of the plugin are
stored (I'm in another country and don't plan to return in the near
future). But I suggest you take a look at the following project on github.
I used it as an example for my plugin so perhaps it will be useful for you
too:
https://github.com/ibauersachs/OpenCymd.Nps
Regards,
Mikhail
Wed, 20 Dec 2023 at 16:56, Oliver oliver-educant@users.sourceforge.net: