Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[MX/WLC] MAC authentication with Windows Server 2003

0

0

Article ID: KB26996 KB Last Updated: 21 Feb 2020Version: 2.0
Summary:
This article provides information on how to configure Windows Server 2003 and a Wireless Juniper device (WLC/MX) to authenticate a MAC user.
Symptoms:
How to configure Windows Server 2003 and a Wireless Juniper device (WLC/MX) to authenticate a MAC user.
Solution:
Windows Server 2003 configuration:
 
  1. Make sure that AD (Active Directory Users and Computers) and IAS (Internet Authentication Service) are installed on Windows Server 2003.
  2. Configure a MAC user in Active Directory.
    1. Open AD and select the 'create user' icon.
    2. Enter a First name (i.e. user1)
    3. In the User logon name, enter the user MAC address into the left window (separated by hyphens i.e 00-00-00-00-46-94) and the domain name in the right window (i.e. @host1.example.com).
    4. Click Next
    5. Enter a password (default password on WLC/MX is trapeze)
    6. Click Next, and then Finish
  3. Right-click on the new user and select Properties > Dial-in; and then select Allow access:

IAS configuration:
  1. Start IAS:

  2. The RADIUS client is the WLC or MX device. Right click Radius Clients and select New RADIUS Client:

  3. Enter a device name and set the IP address of the access device; and then click Next.
  4. Select Radius Standard from the Client-Vendor drop-down menu, type the Radius secret (it must be the same password that was configured on the WLC device), and then click Finish

  5.  
Add  the remote access policies:

Now, create a remote access policy to authenticate and authorize the users:
  1. Right-click Remote Access Policies and click New Remote Access Policy
  2. Click Next and enter a name for the policy.  Click Next
  3. Select Wireless and then click Next
  4. Grant access for either the required User or Group (i.e. in this example, select Group; the user configured earlier is a member of a domain). Click Next:
  5. For the Authentication Methods type, select Protected EAP (PEAP) authentication.  Click Configure, if you want to select a different certificate or change the EAP type. Click Next and then Finish
  6. After the remote access policy is created, click it and select Properties, and then click Edit Profile to proceed.


  7. Click the Authentication tab and select the Unencrypted authentication (PAP, SPAP) check box:



Configuration on  the WLC or MX device:

Via the CLI:

For example:
MX# set service-profile router ssid-name USER-MAC
MX# set service-profile router ssid-type clear
MX# set service-profile router wpa-ie auth-dot1x disable
MX# set service-profile router rsn-ie auth-dot1x disable
MX# set service-profile router attr vlan-name vlanname

MX# set radius mac-addr-format hyphens
MX# set radius server radiusserver address 172.31.203.104 deadtime key secret
MX# set server group radiusserver-group members radiusserver
MX# set authentication mac ssid USER-MAC * radiusserver-group
Modification History:
2020-02-21: minor non-technical edits
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search