NPS Configuration

“Wired Authentication and How to Bypass Cisco IP phone from NPS without creating AD Account“

After spending thousands tries and errors we have figured a way to how bypass Cisco IP phones  

And authenticate PC connected to it without any AD account.

Configuration is separated into two parts:

a.      Switch Configuration

1-      Enabling IEEE 802.1X Authentication and Authorization

-          Global configuration:

aaa new-model

aaa authentication login console enable

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

radius-server host  <your NPS ip>  key < your preshared key>  

2-      Enabling the IEEE 802.1X Host Mode :

-          Port configuration :

authentication event fail action next-method

 authentication host-mode multi-domain

 authentication order mab dot1x

 authentication priority mab dot1x

 authentication port-control auto

 mab

 dot1x pae authentication

                for more information check below links :

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/config-ieee-802x-pba.html

b.      NPS Configuration :

1-      And this is the master key “Create two Connection requests”, one for accepting traffic from IP phones and one for accepting traffic from Computers.

2-      To accept traffic from IP phone create connection request with below properties

-          Conditions tab : select “Calling station ID” condition

-           Create regex to match your environment IP Phones MAC addresses.

Ex: ^(70-d|b0-f)

It matches any MAC starts with 70-d or b0-f

You can find how to create regex for NPS in below link

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-crp-reg-expressions

-          Settings tab : choose this option in Authentication section :

Accept users without validating credentials

-          Settings tab: add following settings to standard section

Framed protocol: PPP

Tunnel-Medium-Type: 802 (Include all 802 media plus ……)

Tunnel-pvt-Group-ID: <Voice Vlan ID>

Tunnel-Type: Virtual LANs (VLANs)

-          Settings tab: in Vendor Specific section

Add attribute named “Cisco-AV-Pair”

Vendor: Cisco

Value: “device-traffic-class=voice”

3-      To accept traffic from computers create connection request with below properties

-          Condition tab : select NAS port type = Ethernet

4-      After that you can create Network policies for users or computers authentication as per your environment needs.

For more information about how to create network policy check below link
https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-np-configure

Author :
Mostafa Saber
https://www.linkedin.com/in/mostafa-saber/
Keroles Khalil
https://www.linkedin.com/in/keroles-khalil/