Channel: Network Access Protection forum

DHCP deny filter

I have installed DHCP and it's working awesome. I have configured "ALLOW" filters.

Now I want to configure my DHCP server in such a way that only MACs which are in the allow list will work and all others are blocked. Is this possible?

Can we add *.* or *FE-01-56-23-18-94-*-F2 or the like to block all others?


Akshay Pate


Differences between IAS and NPS

Hello, I am an intern at my local city hall in the IT division.

I currently set up an NPS RADIUS server with a Ruckus Controller as my client.

I have to prove to my boss why I preferred using NPS instead of IAS.

I did my research as any normal person would do and I concluded that mainly:

NPS can offer new ways to control policies on the network access; it's more flexible.

The enrollment of the Active Directory is integrated, so authentication through it is possible.

But I couldn't understand the rest. I know that it's supposed to offer "VPN Services, Dial-up Services, 802.11 protected Access, Routing & Remote Access (RRAS)",

but some of these terms I'm not sure I clearly understand.

I am a French student so forgive me for any bad English.

Thank you all in advance


NPS, Public Cert and Multiple Servers

Hi,

We have two NPS proxies and 4 NPS servers behind them.

The proxies are servicing many WiFi APs for dynamic VLAN using dot1x and authentication using PEAP/MSCHAPv2.

I found some related posts but none of them was totally complete.

The main question is: has anyone bought a public cert for NPS which is working? I chatted with GoDaddy and GeoTrust and Thawte but they never gave me a total solution or a definite YES or NO.

They just say "if it is that way or this way... yes we can, otherwise no", so I cannot reach a final decision.

And after that the question is: can I install one cert on all NPS servers?

Tx all

Returning User-Name AVP in Access-Accept

Is it possible to configure NPS to return the User-Name AVP in the Access-Accept to cope with anonymous outer identities?

Where 802.1X authentication is taking place and an anonymous outer identity has been used (meaning that it differs from the inner identity) with a TLS-based EAP, such as PEAP, it should be possible to return the inner identity used in the Access-Accept for the NAS to use so that it works with the 'real' identity.

Use of the User-Name AVP also provides the RADIUS server the ability to always return a user's identity normalised for the NAS to use. (For example, where domain\user is supplied by a user, the RADIUS server can always respond with user@fqdn.)

As increasing numbers of features are being implemented in switches and access points, such as L7 application visibility and control, it is imperative that such devices work with an accurate identity that cannot be spoofed and is consistent for a discrete user.

If this is not possible today, how would one go about making a design change request to Microsoft to accomplish this? Is this an oversight? Competing RADIUS servers such as FreeRADIUS and Radiator have this ability when configured.

For reference, this is RADIUS standard behaviour.

RFC 2865 states in Section 5.1:

[The User-Name AVP] MAY be sent in an Access-Accept packet, in which case the client SHOULD use the name returned in the Access-Accept packet in all Accounting-Request packets for this session.

RFC 3579 states in Section 3:

The User-Name attribute within the Access-Accept packet need not be the same as the User-Name attribute in the Access-Request.

Furthermore, where federated authentication has taken place, such as in eduroam, and a User-Name AVP has not been returned in the Access-Accept yet a Chargeable-User-Identity has after being requested, it should be possible to configure the RADIUS implementation to add a User-Name AVP set to cui@realm to the Access-Accept it sends on to the NAS so that it gets an identity that identifies the user with a constant identifier.

Is support for Chargeable-User-Identity (RFC 4372) ever planned for NPS?

See:

https://community.ja.net/library/janet-services-documentation/chargeable-user-identity-eduroam-freeradius-implementation
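The RADIUS behaviour the post quotes from RFC 2865 and RFC 3579, worked through as an added example (not code from the post, from Microsoft or from the linked Janet article): a NAS sends an Access-Request with an anonymous outer identity, and the script shows what identity the NAS ends up with when the server returns no User-Name, when it returns the inner identity as User-Name, and (going one step beyond the RFC text, as the post proposes) when only a Chargeable-User-Identity comes back and the NAS derives cui@realm. It also checks the Response Authenticator so that a User-Name altered in transit is discarded. The shared secret, hostnames and identities are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865, RFC 4372)
CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_CHARGEABLE_USER_IDENTITY = 89


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length (incl. header), value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for a single AVP")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse the attribute area of a packet, rejecting truncated or zero-length AVPs."""
    attrs = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(identifier, request_auth, attrs):
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(body))
    return header + request_auth + body


def build_response(code, identifier, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_auth, secret):
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(response_auth, expected)


def nas_session_identity(request, response, request_auth, secret):
    """Identity a NAS should attach to the session: a User-Name in the Access-Accept
    overrides the outer identity; failing that, a returned CUI is combined with the outer
    realm (the cui@realm form proposed in the post); otherwise only the outer identity remains."""
    if not verify_response(response, request_auth, secret):
        raise ValueError("Response Authenticator mismatch; discard packet")
    if response[0] != CODE_ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    outer = dict(decode_attrs(request[20:]))[ATTR_USER_NAME].decode()
    returned = dict(decode_attrs(response[20:]))
    if ATTR_USER_NAME in returned:
        return returned[ATTR_USER_NAME].decode()
    if ATTR_CHARGEABLE_USER_IDENTITY in returned:
        realm = outer.split("@", 1)[1] if "@" in outer else ""
        return returned[ATTR_CHARGEABLE_USER_IDENTITY].decode() + "@" + realm
    return outer


def demo():
    """Run the server behaviours against one Access-Request; all values are constructed."""
    secret = b"constructed-shared-secret"          # constructed, not a real secret
    request_auth = os.urandom(16)                  # NAS picks a fresh Request Authenticator
    request = build_access_request(7, request_auth, [
        (ATTR_USER_NAME, b"anonymous@example.org"),  # anonymous outer identity (PEAP)
        (ATTR_NAS_IDENTIFIER, b"ap-01"),
    ])
    results = {}
    # 1. No User-Name in the Accept: the NAS is left with the anonymous outer identity.
    accept = build_response(CODE_ACCESS_ACCEPT, 7, request_auth, [], secret)
    results["no_user_name"] = nas_session_identity(request, accept, request_auth, secret)
    # 2. Server returns the inner identity as User-Name (RFC 2865 s5.1, RFC 3579 s3).
    accept = build_response(CODE_ACCESS_ACCEPT, 7, request_auth,
                            [(ATTR_USER_NAME, b"alice@example.org")], secret)
    results["user_name"] = nas_session_identity(request, accept, request_auth, secret)
    # 3. Only a CUI comes back (federated case): the NAS derives cui@realm.
    accept = build_response(CODE_ACCESS_ACCEPT, 7, request_auth,
                            [(ATTR_CHARGEABLE_USER_IDENTITY, b"a1b2c3")], secret)
    results["cui"] = nas_session_identity(request, accept, request_auth, secret)
    # 4. A User-Name altered in transit no longer matches the Response Authenticator.
    tampered = accept[:20] + encode_attrs([(ATTR_USER_NAME, b"mallory@example.org")])
    try:
        nas_session_identity(request, tampered, request_auth, secret)
        results["tampered_rejected"] = False
    except ValueError:
        results["tampered_rejected"] = True
    return results


if __name__ == "__main__":
    for name, identity in demo().items():
        print(f"{name}: {identity}")
```

The decision order in nas_session_identity is the point of the exchange: the NAS only gets a usable per-user identity in cases 2 and 3, which is why the post asks NPS to emit User-Name in the Access-Accept rather than leaving the NAS with the anonymous outer identity of case 1.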



Why non NAP-capable network policy must be enabled to process group policy?

The issue is that I must have this default network policy for wired networks enabled in my NPS if I want Windows PCs connected before logging on to the domain with the user's credentials.

But what really puzzles me is the fact that the policy (non NAP...) isn't checked. When it's enabled, the first policy, the compliant policy, is advertised and is the one that lets the computer connect to the net with its account (computer account).

OS: Windows Server 2008 R2

Compliant conditions: Health Policy Compliant; Machine Groups domain\domain computers.

Non NAP-capable conditions: non NAP-capable; NAS port type Ethernet.


Thanks in advance.

The user Administrator connected from MYIP but failed an authentication attempt due to the following reason: The account does not have permission to dial in.

I did set up VPN on my Windows Server 2012.

Now I am trying to connect to my remote server via my local computer but I am getting the error below.

Apparently I have to give Administrator VPN access permission.

How can I do that? Thank you

Error below - i see this error log at my remote windows server 2012

The user Administrator connected from MYIP but failed an authentication attempt due to the following reason: The account does not have permission to dial in.


Browser based Pokemon Style MMORPG Game Developer Used asp.net 4.0 routing at it'sMonsters

Configuring NPS for VPN requests

Hello,

I have configured NPS on a server (OS: Windows Server 2008 R2) with Active Directory. On the router there's a setting where the RADIUS requests will be forwarded to an external RADIUS server (XAUTH).

In NPS I configured a network policy for VPN connections, chose VPN and a group from Active Directory as conditions and EAP/MS-CHAP-v2 as authentication methods.

Trying to establish a VPN connection, the VPN client asked me for username and password. I entered them and nevertheless I got an error message that both are wrong. Without XAUTH the VPN connection works fine.

Is there a special setting I forgot and have to set?

snmp trap

How to send a DoS attack as an SNMP trap from Windows Server 2008 R2?

Timeout on Microsoft Network server 2008 R2

Hello,

I have been trying to remove the timeout. I have managed to change the GPO on the DC to 'Not Defined'. The local group policy has 30 minutes, which I can't seem to change. I have modified the timeout via the system registry to 99999, but it gets overwritten to 30.

Could someone help?

Thanks

Sajjad

802.1x deployment with MAC filtering

Hi,

I have recently implemented an NPS server for wireless authentication and it is working fine. I wanted to have more security for whoever is trying to connect to our organization's wireless network. I want to implement MAC filtering with AD user authentication (currently user authentication is enabled). I went through the article below and it didn't help me.

Enhance your 802.1x deployment security with MAC filtering

http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx

In the article, they have mentioned adding the device MAC address in Calling Station ID (in the dial-in tab), but I wasn't able to find the option in the dial-in tab.

The only option available is below (screenshot below). I have tried to enable verify caller-ID and entered the device MAC address, but still the other devices are able to connect from the same user account.

Best, Surendra

Configure NPS to block smart phones/ipads/iphones gaining access to Wireless networks?

Hi All,

I'm looking into ways of only allowing Windows 7 clients to connect to a specific wireless network, or ways to block smart phones and non-domain computers from authenticating. We're using RADIUS authentication which currently allows Domain Users and Domain Computers to authenticate through NPS on Server 2008 R2. Because of this, an increasing number of smart phones are allowing users to connect to these wireless networks by using their domain user accounts to authenticate, even though we have PAN wireless networks available to them to use. We really need to prevent the use of smart phones on specific ESS profiles within our network.

All our domain-based Windows 7 clients (laptops) have a wireless policy installed via group policy to use 802.1X using computer authentication. As this is the case, would changing the Network Policy in NPS to only allow Domain Computer authentication do the trick, as this would then deny users from authenticating?

I was looking at configuring NAP for all clients, then only allowing the Windows 7 clients to authenticate through an NPS policy, though the additional configuration involved put me off doing this if I can avoid it.


TS: Windows Server 2008 Active Directory, Configuring BSc/Hons Computer and Network Engineering

Windows Server 2008 VPN IPSEC/L2tp using Pre-Shared Key

I have a Windows Server 2008 R2 server that has been set up to do VPN. It is currently running under PPTP and is working fine. We are looking for a more secure option. I want to do IPsec/L2TP using a pre-shared key instead of having to use certificates. I have searched many forums and cannot find a helpful guide that shows the steps in configuring this. Can anyone provide some insight on how to do this? Your help is greatly appreciated.

DirectAccess - 2 Nics in 2 Subnets: What to do with Gateways?

I am trying to set up DirectAccess with a server that has 2 NICs: one in the DMZ and one in the LAN.

Let's start here: is this the recommended setup?

If so, I will need to set a gateway on one of the NICs as you can't do both. Got that. I am assuming that the gateway should be set on the DMZ NIC and then use a static route to get traffic on the LAN NIC into the network as needed.

Is this correct? Would you recommend I do something different? Thoughts?

How to convert username to lowercase in NPS

I have a problem in that in Cisco Prime Infrastructure I must set up all lobby ambassadors as local users matching the account name in AD. Then I can set default settings; otherwise all lobby ambassadors can set their own lifetime of tickets and so on.

But the problem is that Cisco Prime is case sensitive in usernames. So if the user logs in with e.g. "Test" and the local user in Prime is "test", then Cisco Prime doesn't see this as the same user and therefore it doesn't apply the default settings.

So can NPS convert the given username to all lowercase?

And I'm using NPS in Windows 2008 R2.


VPN error 809 windows 7 client

First off I would like to thank everyone in advance for helping me with this problem. I usually am able to read through forums and am usually lucky enough to find solutions, but this problem has no solution that I have found.
 
Here is my situation. I have Windows Server 2008 R2. I have added the Network Policy and Access Services role in order to run a VPN server. My Windows 7 clients are able to connect locally to the server. When I connect through the internet using a Windows 7 client I get error 809 (The network connection between your computer and the VPN server could not be established because the remote server is not responding). I checked the configuration in my router to allow the following ports: 500, 1701, and 4500. I have disabled the firewalls on my server, client, and router with no luck (I am also able to ping the server from Windows 7 clients). So I then decided to try a different client. I am able to connect using my Android through the internet with no issues. Only when I try to connect my Windows 7 clients do I receive this error. It seems that it was configured correctly but maybe I missed something. If anyone has any other thoughts or ideas I would greatly appreciate the help.

Server 2008 R2 

The authentication method is EAP and MS-CHAP v2 with a shared key on both server and client.

I have the server set up as IPv4 remote access server not IPv6.

DHCP server is running and assigns IPv4 address to clients.

In NPS I have added a network policy to allow the group VPN Users access to connect.

I have logging enabled on server, but have no logs in tracing directory.

No events in event viewer under Network Policy and Access Services

Thanks in advance.


Unable to open Exchange Management Shell, Exchange 2013 CU1, due to Kerberos authentication failure

Hi,

I have installed Exchange 2013 CU1 and after that I am not able to open the Exchange Management Shell. The Exchange server has been installed on 2008 R2 SP1 (not in a virtual m/c).

Error message after opening the Management Shell as below.

++++++++++++++++++++++++++++++++++++++++++++

VERBOSE: Connecting to EXCHG2013.lync15.com.
New-PSSession : [exchg2013.lync15.com] Connecting to remote server exchg2013.lync15.com failed with the following
error message : The WinRM client cannot process the request. The WinRM client tried to use Kerberos authentication
mechanism, but the destination computer (EXCHG2013.lync15.com:80) returned an 'access denied' error. Change the
configuration to allow Kerberos authentication mechanism to be used or specify one of the authentication mechanisms
supported by the server. To use Kerberos, specify the local computer name as the remote destination. Also verify that
the client computer and the destination computer are joined to a domain. To use Basic, specify the local computer name
as the remote destination, specify Basic authentication and provide user name and password. Possible authentication
mechanisms reported by server: For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
Failed to connect to an Exchange server in the current site.
Enter the server FQDN where you want to connect.:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I tried

  "$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server-ex10/PowerShell/ -Authentication Kerberos -Credential $cred"  and it did not work.

Please share ideas if you have any....

  Regards,

_Subba Rao CH.

user pc failed to get certificate for radius authentication in wifi /IAS

Hi team, I have some IAS/CA issue and need your advice, thanks. We have a WiFi network: Aruba WiFi AP, IAS RADIUS server, 2008 root and sub CA servers, AD. After we renewed the expiring cert on the subordinate CA, the user failed to authenticate. Other old users who still use the old cert have no issue, but the cert expires soon.

The user PC is supposed to receive certs both under "user account" and "computer account" when I run the MMC on the user PC for cert mgmt, but I can find only a cert under "user account" and nothing in "computer account". Old PCs all have both. Any advice on what I can check? I checked the template; the rights for user and computer account access both have "enroll" checked, but "read" unchecked. Does it matter? Thanks

Thanks and best regards, -- KF

how to create single certificate for cluster server so that it would be validated in Direct access configuration

Hi,

We are in the process of testing DirectAccess in our LAB and got stuck while validating the NLS server (Step 3) in the DirectAccess server configuration. It is showing me the error "Selected URL is not accessible" while trying to validate the URL of the cluster server.
All servers are built on Win2k12: one DC, two DA servers (load balancing enabled), two NLS servers (load balancing enabled) and a Win8 client.

1: I have a web server certificate on the nls01 server.
2: I have imported the web server certificate of nls01 on the nls02 server.
But I am getting the same error while validating the cluster site, though the site is working fine if opened from the browser in Internet Explorer.

Question: how to create single certificate for cluster server so that it would be validated in Direct access configuration.

Please help...

VPN connection remains active after removing smart card

Hi,

I configured a Microsoft Windows Server 2008 R2 as a remote access server (VPN server). The only allowed authentication method is "Microsoft: Smart Card or other certificate." I deployed an enterprise CA on this machine and everything is working properly.

Now, the problem is that when I remove the smart card from the client while the client is connected to the VPN server, it won't be disconnected. For security reasons I need the connection to get disconnected after removing the authentication certificate (smart card), immediately or after a timeout expires. How can it be done?

Does Microsoft NPS support EAP chaining (EAP-FAST V2)

I have a Cisco Wireless LAN Controller with a number of lightweight access points. I utilize Microsoft NPS (2008) as my RADIUS server. I need to make sure that only certain computers are allowed to connect. I am trying to authenticate wireless clients by username/password and computer name (group membership). Is Microsoft NPS capable of doing that? I heard that it requires EAP chaining or EAP-FAST v2. It looks like only third-party supplicants are capable of supplying user credentials and computer name at the same time, like Cisco AnyConnect Network Access Manager.