Registration or Guest VLAN for 802.1x via Microsoft NPS


I am currently working on a Microsoft NPS solution to provide 802.1x MAC authentication for wired and wireless clients along with providing a VLAN for the clients to be moved to.

It currently works perfectly with our wireless APs and switches; however, we would like the NPS/RADIUS server to respond with an Access-Accept even if the MAC address fails to authenticate, which in turn would place the client in a guest/registration VLAN.

Is it possible to create a policy or rule on the NPS server that would have the effect of authorising MAC addresses that are not in the database and providing a relevant VLAN tag?

We already use the VLAN/tunnel-id field for VLAN tagging for the authorised users, and it's great.

Thanks

Best Answer

Sometimes the authenticator (depending on vendor) can act on an Access-Reject by design to place the end device in a holding VLAN. It might be called "authentication failure VLAN" by some, but each vendor who implements a feature like this has a slightly different naming.

I have yet to find anything within NPS that can provide the same result.

Juniper calls it the server-reject-vlan - http://www.juniper.net/techpubs/en_US/junos9.3/topics/reference/configuration-statement/server-reject-vlan-edit-protocols-dot1x-authenticator-interface-802-1x.html
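The exchange behind both the question (the VLAN riding in the tunnel attributes of an Access-Accept) and the answer (the switch, not NPS, deciding what to do with an Access-Reject), as an added Python example that is not part of the original post or answer and is not NPS or Juniper code. Attribute numbers, value encodings and the Response Authenticator construction follow RFC 2865, RFC 2868 and RFC 3580; the shared secret, packet identifiers, VLAN 20 for a known MAC and the server-reject VLAN 99 are constructed for the example, and `port_outcome` is a simplified model of what an authenticator does with the reply, not any vendor's actual implementation.

```python
import hashlib
import os
import struct

# RADIUS codes (RFC 2865) and the RFC 2868 tunnel attributes NPS emits when
# a network policy's Tunnel-Type / Tunnel-Medium-Type / Tunnel-Pvt-Group-ID
# settings are filled in.
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = b"\x00\x00\x0d"        # 13 = VLAN (RFC 3580), 3-octet value
TUNNEL_MEDIUM_IEEE802 = b"\x00\x00\x06"   # 6 = IEEE-802 (RFC 3580)


def vlan_attributes(vlan_id, tag=1):
    """The three tagged attributes that carry a VLAN assignment (RFC 2868/3580)."""
    tag_byte = bytes([tag])
    return [
        (TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN),
        (TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE802),
        (TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode()),
    ]


def encode_response(code, ident, request_auth, attrs, secret):
    """Build an Access-Accept/Reject; Response Authenticator per RFC 2865 section 3."""
    avps = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack(">BBH", code, ident, 20 + len(avps))
    resp_auth = hashlib.md5(header + request_auth + avps + secret).digest()
    return header + resp_auth + avps


def decode_packet(pkt):
    """Parse the header and TLV attributes, rejecting truncated or overlong data."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs


def verify_response(pkt, request_auth, secret):
    """Authenticator-side check: drop replies whose Response Authenticator is wrong."""
    code, ident, resp_auth, attrs = decode_packet(pkt)
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if expected != resp_auth:
        raise ValueError("bad Response Authenticator (wrong secret or tampered reply)")
    return code, ident, attrs


def assigned_vlan(attrs):
    """Return the VLAN id from a consistent tunnel-attribute group, else None."""
    groups = {}
    for t, v in attrs:
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(v) != 4:          # tag octet + 3-octet value, nothing else
                continue
            groups.setdefault(v[0], {})[t] = v[1:]
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # RFC 2868: a leading octet above 0x1F is part of the string, not a tag
            tag, body = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            groups.setdefault(tag, {})[t] = body
    for group in groups.values():
        gid = group.get(TUNNEL_PRIVATE_GROUP_ID, b"")
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and gid.isdigit()):
            return int(gid)
    return None


def port_outcome(code, attrs, server_reject_vlan=None):
    """Simplified model of what the switch does with the reply. server_reject_vlan
    stands in for the vendor feature the answer describes (e.g. Juniper's
    server-reject-vlan); it is a switch-side setting, not something NPS sends."""
    if code == ACCESS_ACCEPT:
        return ("authorized", assigned_vlan(attrs))  # None -> port's native VLAN
    if code == ACCESS_REJECT and server_reject_vlan is not None:
        return ("holding", server_reject_vlan)
    return ("blocked", None)


def demo(server_reject_vlan=99, secret=b"constructed-shared-secret"):
    """Constructed exchange: a known MAC gets VLAN 20, an unknown MAC is rejected."""
    request_auth = os.urandom(16)  # Request Authenticator from the switch's request
    replies = {
        "known-mac": encode_response(ACCESS_ACCEPT, 7, request_auth, vlan_attributes(20), secret),
        "unknown-mac": encode_response(ACCESS_REJECT, 8, request_auth, [], secret),
    }
    outcome = {}
    for name, pkt in replies.items():
        code, _ident, attrs = verify_response(pkt, request_auth, secret)
        outcome[name] = port_outcome(code, attrs, server_reject_vlan)
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` with the reject VLAN set lands the unknown MAC in VLAN 99 and the known MAC in VLAN 20; with `server_reject_vlan=None` the unknown MAC is simply blocked, which is the behaviour of a switch that has no such feature. The `verify_response` step matters in either case: a reply that fails the Response Authenticator check must be discarded, so a forged Access-Accept carrying a privileged VLAN cannot be injected by anyone who does not hold the shared secret.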
