NPS Configuration



“Wired Authentication, and How to MAC-Bypass Cisco IP Phones on NPS without Creating an AD Account”

After a great deal of trial and error we found a way to authorize Cisco IP phones on NPS by MAC Authentication Bypass (MAB)
and to authenticate the PC connected behind each phone with 802.1X, without creating any AD account for the phone.

The configuration has two parts: the switch and NPS.
a.      Switch Configuration
1-      Enabling IEEE 802.1X Authentication and Authorization
-          Global configuration:
aaa new-model
aaa authentication login console enable
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host <your NPS IP> key <your preshared key>
dot1x system-auth-control
The "aaa authorization network" line is what lets the switch apply the VLAN and Cisco-AV-Pair attributes that NPS returns; "dot1x system-auth-control" enables 802.1X globally and is required before any port-level authentication command takes effect. Use a long, random RADIUS shared secret and register the switch in NPS as a RADIUS client with the same key.

2-      Enabling the IEEE 802.1X Host Mode:
-          Port configuration:
authentication event fail action next-method
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
mab
dot1x pae authenticator
Multi-domain mode allows exactly one device in the VOICE domain and one in the DATA domain on the port, so the PC behind the phone gets its own session. With "authentication order mab dot1x" every device is first tried by MAB, i.e. the switch sends the device's MAC address as the user name in a RADIUS request; with "authentication priority mab dot1x" a successful MAB result is kept even if the device later speaks 802.1X, so the phone is authorized purely by the MAC-based policy on NPS. For the PC the MAB attempt is rejected by NPS (there is no account named after its MAC), and "authentication event fail action next-method" moves the port on to 802.1X. Verify with "show authentication sessions interface <interface>": a working port lists two sessions, the phone in the VOICE domain (method mab) and the PC in the DATA domain (method dot1x).
For more information, check the links below:
b.      NPS Configuration:
1-      The key is to create two Connection Request Policies (CRPs): one that accepts requests from IP phones without checking credentials, and one that passes requests from computers on to the normal network policies. NPS evaluates CRPs in processing order and uses the first one whose conditions match, so place the IP-phone policy above the computer policy: the phone's MAB request also arrives with NAS Port Type = Ethernet and would otherwise be caught by the computer policy and rejected.

2-      To accept requests from IP phones, create a connection request policy with the properties below.
-          Conditions tab: select the "Calling Station ID" condition.

-          Create a regular expression that matches the MAC addresses of the IP phones in your environment.
Ex: ^(70-d|b0-f)
This matches any MAC address that starts with 70-d or b0-f.
Two caveats. First, the pattern must match the Calling-Station-Id string exactly as your switch formats it (separator, grouping and case); check the Calling Station Identifier field of an NPS audit event for a real phone before writing it. Second, this policy is a MAC allowlist, and a MAC address is trivially spoofed: any device that presents a matching address is placed on the voice VLAN with no credential check at all. The example above matches only three hex digits (half an OUI), which is far broader than one phone vendor; match at least the full OUI of your phone models, anchored with the following separator (for example ^(XX-XX-XX|YY-YY-YY)- with your phones' real OUIs), and keep the list as narrow as your inventory allows.

You can find how to create regular expressions for NPS in the link below.
-          Settings tab: in the Authentication section choose
Accept users without validating credentials
This is the NPS side of MAB: the switch sends the MAC address as user name and password, and NPS accepts the request without looking the MAC up in AD, which is why no AD account is needed for the phone.


-          Settings tab: add the following attributes in the Standard section
Framed-Protocol: PPP
Tunnel-Medium-Type: 802 (Include all 802 media plus ……)
Tunnel-Pvt-Group-ID: <Voice VLAN ID>
Tunnel-Type: Virtual LANs (VLANs)

-          Settings tab: in the Vendor Specific section
Add the attribute "Cisco-AV-Pair"
Vendor: Cisco
Value: "device-traffic-class=voice"
The Tunnel-* attributes assign the phone to the voice VLAN. The Cisco-AV-Pair is what tells the switch to place this session in the VOICE domain of the multi-domain port; without it the phone would occupy the single DATA domain slot and the PC behind it would be blocked.

3-      To accept requests from computers, create a second connection request policy, placed after the IP-phone policy, with the properties below.
-          Conditions tab: select NAS Port Type = Ethernet
Leave the Authentication setting at its default ("Authenticate requests on this server") so these requests are checked against your network policies and AD; a computer's MAB attempt (MAC address as user name) is rejected here, and the switch then moves on to 802.1X.

4-      After that, create network policies for user or computer authentication as your environment requires.
For more information about how to create a network policy, check the link below:
https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-np-configure
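The interplay between the two policies, the first-match ordering and the regex caveat can be checked offline. The following Python script is an added example, not the authors' configuration or any NPS code: it models the two Connection Request Policies the way NPS evaluates them (top to bottom, first match wins, "Accept users without validating credentials" short-circuits the credential check) and runs constructed RADIUS requests through them. The OUIs 70-DB-98 and B0-FA-EB and the voice VLAN ID 200 are hypothetical placeholders, the Calling-Station-Id strings are constructed in a hyphenated upper-case form, and NPS pattern matching is assumed to be case-insensitive; verify both the format and the case against a real NPS event before relying on a pattern.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Crp:
    """One NPS Connection Request Policy: conditions plus the authentication setting."""
    name: str
    calling_station_regex: Optional[str] = None   # "Calling Station ID" condition
    nas_port_type: Optional[str] = None           # "NAS Port Type" condition
    accept_without_credentials: bool = False      # "Accept users without validating credentials"
    attributes: dict = field(default_factory=dict)  # RADIUS attributes returned on accept

    def matches(self, request: dict) -> bool:
        """All configured conditions must hold for the policy to apply."""
        if self.nas_port_type is not None and request.get("NAS-Port-Type") != self.nas_port_type:
            return False
        if self.calling_station_regex is not None:
            # Assumption: case-insensitive matching, as NPS pattern matching is treated here.
            # The separator and grouping must still be exactly what the switch sends.
            csid = request.get("Calling-Station-Id", "")
            if not re.search(self.calling_station_regex, csid, re.IGNORECASE):
                return False
        return True


def evaluate(policies, request, valid_credentials):
    """Return (policy name, decision, attributes) for one Access-Request.

    valid_credentials stands in for the network-policy / AD check, which only
    runs when the matching CRP does not bypass credential validation.
    """
    for crp in policies:
        if not crp.matches(request):
            continue
        if crp.accept_without_credentials:
            return crp.name, "Access-Accept", dict(crp.attributes)
        if valid_credentials:
            return crp.name, "Access-Accept", {}
        return crp.name, "Access-Reject", {}
    return None, "Access-Reject", {}  # no CRP matched


VOICE_ATTRS = {
    "Framed-Protocol": "PPP",
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "802",
    "Tunnel-Pvt-Group-ID": "200",  # hypothetical voice VLAN ID
    "Cisco-AV-Pair": "device-traffic-class=voice",
}

# The page's own example pattern: three hex digits, i.e. half an OUI, per alternative.
PAGE_PHONE_CRP = Crp("IP phones (page regex)", r"^(70-d|b0-f)", None, True, VOICE_ATTRS)
# Tightened variant: full (hypothetical) OUIs anchored on the following separator.
TIGHT_PHONE_CRP = Crp("IP phones (full OUI)", r"^(70-DB-98|B0-FA-EB)-", None, True, VOICE_ATTRS)
# Computer policy: NAS Port Type = Ethernet, credentials validated normally.
PC_CRP = Crp("Computers", None, "Ethernet", False)


def page_policy_set():
    return [PAGE_PHONE_CRP, PC_CRP]


def tight_policy_set():
    return [TIGHT_PHONE_CRP, PC_CRP]


def wrong_order_policy_set():
    # Computer CRP first: its NAS Port Type condition also matches the phone's
    # MAB request, so the phone never reaches its own policy.
    return [PC_CRP, PAGE_PHONE_CRP]


# Constructed sample requests (hyphenated upper-case Calling-Station-Id assumed).
PHONE_REQ = {"NAS-Port-Type": "Ethernet", "Calling-Station-Id": "70-DB-98-11-22-33"}
PC_REQ = {"NAS-Port-Type": "Ethernet", "Calling-Station-Id": "00-50-56-AA-BB-CC"}
# A laptop whose MAC was changed to share only the first three hex digits with the phones.
SPOOFED_REQ = {"NAS-Port-Type": "Ethernet", "Calling-Station-Id": "70-D4-00-DE-AD-00"}

if __name__ == "__main__":
    for label, req in (("phone", PHONE_REQ), ("pc", PC_REQ), ("spoofed", SPOOFED_REQ)):
        print(label, "page regex  ->", evaluate(page_policy_set(), req, valid_credentials=False))
        print(label, "full OUI    ->", evaluate(tight_policy_set(), req, valid_credentials=False))
    print("phone, computer CRP first ->", evaluate(wrong_order_policy_set(), PHONE_REQ, False))
```

Running it shows the three points that matter: the spoofed laptop is accepted onto the voice VLAN by the half-OUI pattern but falls through to the credential-checked computer policy under the full-OUI pattern; the phone is rejected outright when the computer policy is ordered first; and a Calling-Station-Id in a different format (for example B0F1.AABB.CCDD) matches neither pattern, which is why the real format must be read from an NPS event first.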


Authors:
Mostafa Saber
https://www.linkedin.com/in/mostafa-saber/
Keroles Khalil
https://www.linkedin.com/in/keroles-khalil/
