NAC: Getting in control of your MAB enabled clients

It has been a while since I wrote a paper about the implementation of NAC. Now almost a year later it is finally in progress of implementation. One of the most time consuming processes and error sensitive ones is the adding of MAC addresses to the Active Directory of devices which doesn’t support Dot1X.

Unfortunately there are a lot of devices which don’t speak Dot1X or having troubles with it. So if you want to do it right (IMO) you put these devices in different categories (and subnets) so you can put ACL’s on it (MAC spoofing can be easily done). At this moment we have three different categories within MAB authentication, which may grow in the near future; Thin clients, Printers and temporarily devices.

To keep an clean view of all these MAC addresses in the AD I categories these MAC address in different OU’s, so I have three different OU’s which represent the different devices. We use Microsoft NPS server as Radius server and unfortunately you can’t (at least I didn’t find it) use the OU as a hit for a rule. So you also need to make three groups in which you place the MAC addresses (these are user objects in the AD). You also want to delete the “Domain User” group from the MAC address. Otherwise people would be able to login with MAC address on you domain members.

So there you have already three different steps to just add one MAC address.

  1. Add the MAC address to the right OU.
  2. Add the MAC address to the right group.
  3. Delete the group Domain Users (to accomplish this, set the other group as primary.)

This isn’t a problem, but if you have to add MAC addresses regularly, this is quiet annoying and you easily forget one of those steps. Another thing you might consider is that most of the time MAC addresses are added by other persons, it would be nice if you give them a tool which makes it easier for them and less faulty.

To accomplish this I wrote a Powershell script (actual my first one, so be nice 🙂 ). This scripts draws a simple menu where a user simply can add or delete a MAC address. Since we in the same project move the printers to DHCP (reservations) I also added this option.


Below you find the powershell script, make sure the users have rights to the right OU in the AD, in the example it is “Network Access” and also give them rights on the User folder in the AD, otherwise the “Domain Users” group can’t be deleted (Took me almost an hour). If you also want to use the DHCP functionality, make sure they have rights there too. The script makes use of Quest “ActiveRoles Management Shelf“, so this one needs to be installed.

I tried to translate all the Dutch comment, to English and I also filled the variables with fictional values. If you have any comments or improvements, please let me know. Since it is my first powershell script, I’m sure there are.

Facebooktwittergoogle_plusredditpinterestlinkedinmailby feather

Leave a Reply

Your email address will not be published. Required fields are marked *