Channel: Network Access Protection forum

Having Problem With Network policy


 

I am having a problem with the connection request policies. There I can set the conditions for them to check the user name, identity type, etc.

However, I can set the policy to allow some users to log in, but I am making another policy whereby clients without the firewall on cannot access, and it does not work. Need help please.


NAP Client Problem


Every time my NAP client receives only classful or classless, I can't complete my lab. How do I fix that problem, my friends?

Users with new laptops are not able to login to win server 2008r2


I have inherited a Win 2008R2 server with several users (8). Some have recently changed to new laptops and now cannot log in. I have been told they need to have the exact same username (or computer name) as the old system to be able to log in. Is this true? Do I now need to make sure they have the same username? Do I need to create the old username on their new systems and migrate their data and settings to that username? This is a file server - no Active Directory - all local users.

Thanks!

EAP-PEAP Authentication via Radius and Revoking access


Hi,

When users use their iPhones to connect to our Wifi they authenticate to our RADIUS server using their AD username and password. They then get prompted to install a certificate. This appears to be the same certificate on all devices. This is the certificate that is selected in the Authentication Methods on the NPS server; we are using EAP-PEAP.

The thing I can't quite get my head around is how to revoke access to the network once this certificate has been issued... I have authenticated as a user on an iPhone, then disabled the user's AD account, but am still able to gain access to the corporate Wifi. This seems correct as the same certificate is being issued to all users and that certificate is still valid.

How could I revoke the user's access once they have left?

Also... I would prefer for every user to install their own certificate. I have an Offline Root CA and an online Sub CA that can issue certificates. I want to know if it is possible for each user to install their own certificate when they authenticate to the RADIUS server, making it easier to just revoke their individual certificate.

Any help would be much appreciated as I can't seem to google the correct thing.

Run a task under local administrator


Hi to all.

I have created a .bat file that copies files from one server to another.

The .bat is on Server1. It runs every night through Task Scheduler --> copies files from Server2 to a folder on Server1.

The task runs under an AD account, so I don't have problems with access rights.

What I want is to run this task under the local administrator account of Server1. When I do this I get an error because servername\administrator does not have access to the folder on Server2.

What access rights can I give to the folder on Server2 so that Server1 can have access?

Thank you

How to configure NPS for default configured win 7 clients (non domain members)


We want to provide wireless Internet access to visitors. Visitors will be given credentials mapped to individual AD accounts in a specific security group.

In Windows 7, when you connect to a wireless network with WPA2-Enterprise (RADIUS), you are prompted for username and password (if your computer is not a domain member). It appears that Windows 7 by default tries to authenticate over some sort of EAP. However, I have not found an NPS network policy that will match the Windows 7 default EAP settings.

The thing is that we don't want to mess with our visitors' configuration, hence it would be easy if we could configure our NPS network policy so it works with the clients' default settings.

The final question: What is the default setting in win 7 for authenticating towards a WPA2-Enterprise/radius wifi network?

NPS Configuration EAP-TLS IP-Camera


Hi,

I'm unsure if my way is right, therefore I started this topic to clarify. We have multiple IP cameras outside and the LAN ports should be protected through NPS. The cameras do have 802.1X support, but I'm very unsure how to configure it.

It is required to upload the root CA, a client certificate with a private key, and to enter an "EAP-Identity".
I've created a user group called "IP-Cameras" and additionally I've created a user called "Camera 1", which I've also added in the "EAP-Identity" field in the web configuration of the camera. The RADIUS client is an HP ProCurve switch.

My configuration in NPS looks like this:

Condition: Usergroup "domain\IP-Cameras"
Service Type: Framed

Dial-In-Properties: True
Tunnel-Type: VLANs
Tunnel-Medium-Type: 802
Tunnel-Pvt-Group-ID: 127 (This is the VLAN which the cameras should go to, if they are allowed)
EAP-Method: Microsoft: Smartcard

I hope someone can tell me if it works or if there is a mistake in it.


PEAP over NPS in large organizations


Hello,

I'm working in my organization to deploy a wireless infrastructure for employee access.

My idea was to use PEAP security using our AD domain and NPS.

My lab is working perfectly: a Motorola AP and a DC that also provides the NPS role.

In the real world we have the same Motorola AP, but our NPS (joined to the domain) and CA reside on the same Windows 2008 Enterprise server and the DC is on a different Windows 2008 Standard server machine.

Same configuration, but not able to connect with any mobile device. The local NPS certificate uses the same template generated by the AD CS.

The NPS doesn't show any attempt to connect, but the NPS log file shows the following:

<Event><Timestamp data_type="4">05/31/2013 12:35:42.755</Timestamp><Computer-Name data_type="1">SDBFI-RADIUS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Acct-Session-Id data_type="1">70CB7B5E-980C8201F159-0000000088</Acct-Session-Id><Calling-Station-Id data_type="1">98-0C-82-01-F1-59</Calling-Station-Id><Called-Station-Id data_type="1">00-15-70-CB-E2-F1:SDB-OFFICE</Called-Station-Id><Vendor-Specific data_type="2">00000184020C5344422D4F4646494345</Vendor-Specific><NAS-Port data_type="0">1</NAS-Port><NAS-Port-Type data_type="0">19</NAS-Port-Type><Framed-MTU data_type="0">1400</Framed-MTU><Service-Type data_type="0">2</Service-Type><NAS-IP-Address data_type="3">10.118.118.253</NAS-IP-Address><NAS-Identifier data_type="1">sdbit-ap01</NAS-Identifier><NAS-Port-Id data_type="1">radio1</NAS-Port-Id><Connect-Info data_type="1">CONNECT 65Mbps 802.11bgn</Connect-Info><Client-IP-Address data_type="3">10.118.118.253</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Class1</Client-Friendly-Name><User-Name data_type="1">paolo.caforio</User-Name><Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">INTRANET\paolo.caforio</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">INTRANET\paolo.caforio</Fully-Qualifed-User-Name><Class data_type="1">311 1 10.101.1.52 05/29/2013 16:58:59 479</Class><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

<Event><Timestamp data_type="4">05/31/2013 12:35:42.755</Timestamp><Computer-Name data_type="1">SDBFI-RADIUS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Acct-Session-Id data_type="1">70CB7B5E-980C8201F159-0000000088</Acct-Session-Id><Class data_type="1">311 1 10.101.1.52 05/29/2013 16:58:59 479</Class><Session-Timeout data_type="0">30</Session-Timeout><Fully-Qualifed-User-Name data_type="1">INTRANET\paolo.caforio</Fully-Qualifed-User-Name><SAM-Account-Name data_type="1">INTRANET\paolo.caforio</SAM-Account-Name><Client-IP-Address data_type="3">10.118.118.253</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Class1</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

I didn't find any document that suggests having the NPS on a DC, therefore I would prefer to keep the two roles on different machines.

Can you suggest a solution to this problem?

thanks,

Paolo
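Added example (not from the post above, nor any Microsoft tool): a Python summariser for the IAS-format records NPS writes, like the two quoted above. It groups records by Acct-Session-Id and reports whether each session ended in an Access-Accept, an Access-Reject, or stalled after an Access-Challenge (as the quoted session did: Packet-Type 1 then 11, never 2 or 3). The sample records are constructed: abbreviated from the post's two lines, plus a made-up rejected session carrying Reason-Code 65, the code that appears in the "Server NPS refused the access to a user" post further down.

```python
"""Summarise NPS (IAS-format) log records per RADIUS session.

Each log line is one <Event> element whose children are RADIUS attributes.
A session that only ever shows Access-Request/Access-Challenge never reached
a decision: NPS did not reject it, the EAP exchange simply never finished.
"""
import xml.etree.ElementTree as ET
from collections import OrderedDict

# RADIUS Packet-Type codes as NPS writes them (RFC 2865/2866 code values).
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}

# Constructed sample: the post's two records with unneeded fields dropped,
# followed by a made-up session that NPS rejected with Reason-Code 65.
SAMPLE_LOG = [
    '<Event><Timestamp data_type="4">05/31/2013 12:35:42.755</Timestamp>'
    '<Acct-Session-Id data_type="1">70CB7B5E-980C8201F159-0000000088</Acct-Session-Id>'
    '<User-Name data_type="1">paolo.caforio</User-Name>'
    '<NAS-Port-Type data_type="0">19</NAS-Port-Type>'
    '<Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name>'
    '<Packet-Type data_type="0">1</Packet-Type>'
    '<Reason-Code data_type="0">0</Reason-Code></Event>',
    '<Event><Timestamp data_type="4">05/31/2013 12:35:42.755</Timestamp>'
    '<Acct-Session-Id data_type="1">70CB7B5E-980C8201F159-0000000088</Acct-Session-Id>'
    '<Session-Timeout data_type="0">30</Session-Timeout>'
    '<Packet-Type data_type="0">11</Packet-Type>'
    '<Reason-Code data_type="0">0</Reason-Code></Event>',
    '<Event><Timestamp data_type="4">05/31/2013 12:40:01.000</Timestamp>'
    '<Acct-Session-Id data_type="1">CONSTRUCTED-0001</Acct-Session-Id>'
    '<User-Name data_type="1">example.user</User-Name>'
    '<Packet-Type data_type="0">1</Packet-Type>'
    '<Reason-Code data_type="0">0</Reason-Code></Event>',
    '<Event><Timestamp data_type="4">05/31/2013 12:40:01.050</Timestamp>'
    '<Acct-Session-Id data_type="1">CONSTRUCTED-0001</Acct-Session-Id>'
    '<Packet-Type data_type="0">3</Packet-Type>'
    '<Reason-Code data_type="0">65</Reason-Code></Event>',
]


def parse_event(line):
    """Return {attribute-name: text} for one IAS-format <Event> line."""
    root = ET.fromstring(line)
    return {child.tag: (child.text or "") for child in root}


def summarise_sessions(lines):
    """Group events by Acct-Session-Id and classify how each session ended.

    Returns an ordered dict: session id -> {user, packets, outcome, reason}.
    outcome is "accepted", "rejected" or "incomplete"; reason is the
    Reason-Code of the deciding packet (0 when there was no decision).
    """
    sessions = OrderedDict()
    for line in lines:
        ev = parse_event(line)
        sid = ev.get("Acct-Session-Id", "<no session id>")
        s = sessions.setdefault(
            sid, {"user": None, "packets": [], "outcome": None, "reason": 0})
        if ev.get("User-Name"):
            s["user"] = ev["User-Name"]
        ptype = int(ev.get("Packet-Type", "0"))
        s["packets"].append(PACKET_TYPES.get(ptype, "type-%d" % ptype))
        reason = int(ev.get("Reason-Code", "0"))
        if ptype == 2:
            s["outcome"], s["reason"] = "accepted", reason
        elif ptype == 3:
            s["outcome"], s["reason"] = "rejected", reason
    for s in sessions.values():
        if s["outcome"] is None:
            # Only requests/challenges were logged: the supplicant gave up
            # mid-EAP (e.g. it did not trust the server certificate).
            s["outcome"] = "incomplete"
    return sessions


if __name__ == "__main__":
    for sid, s in summarise_sessions(SAMPLE_LOG).items():
        print("%s user=%s packets=%s outcome=%s reason=%d" % (
            sid, s["user"], "/".join(s["packets"]), s["outcome"], s["reason"]))
```

Pointing the same function at a real IAS-format log (one <Event> per line) separates "NPS said no" sessions, which carry a Reason-Code, from "client never finished" ones like the quoted session.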

DHCP Relay log file


We have a single DHCP server providing DHCP services for around 23 sites.

Recently we migrated our DHCP services from a Windows Server 2003 server to Windows Server 2008R2. I've enabled Routing and Remote Access Services (RRAS) - IP Routing - DHCP Relay Agent on the old 2003 server to relay DHCP requests on to the new 2008R2 server. I can see on the old server the DHCP Relay Agent "Requests received" counter increasing, and the new DHCP server is responding by renewing DHCP leases. All good.

Our ISP has now updated all our company site routers' IP Helper configuration to forward DHCP requests directly to the new 2008R2 DHCP server. Eventually the old server will be decommissioned. I believe I should now start to see fewer requests going to the old 2003 server that has the DHCP Relay Agent enabled. I suspect we still have some remote sites with the router's IP Helper still pointing to the old DHCP server instead of the new.

(I know this is a backwards way of migrating DHCP services, i.e. it may have been much easier to give the new server the same IP address as the old DHCP server after turning off the old server, instead of changing all the sites' router IP configurations.)

What I need help with now is: how can I determine what computers are still requesting DHCP renewals from the old server? Is there a log file for the DHCP Relay Agent I can inspect?


Thanks, Andrew

DHCP NAP Windows 7 Client SCCM 2012 SP1 Windows 2012


We have the following config:

  • Windows 2012 DHCP with NPS and HRA services installed (192.168.5.11)
  • Windows 2008 R2 with SCCM 2012 SP1 - no NAP settings (192.168.5.125)
  • Windows 7 Clients obtaining IP from DHCP and client to SCCM install (192.168.8.0/24)

We have configured the following policies on the NPS Server:

  • Connection Request: DHCP: Called Station ID: 192.168.8.0
  • Network Policies with appropriate MS-Service Class for DHCP scope, with compliant and non-compliant Health Policies (very simple, the only thing that isn't being checked is Win Updates)

The DHCP is happy to dish out IP addresses to compliant machines no problem at all. When a machine goes non-compliant it registers the non-compliant machine with event ID 6276 - Network Policy Server quarantined a user.

It then proceeds to send the limited access DHCP options which the client then happily ignores.

I've run WireShark on the clients to capture the DHCP response and I can see the different options being returned to the client, specifically option 121 with the classless static routes.

When I run napstat it says full network access - no issues raised.

Output from netsh nap client show config


NAP client configuration: 
---------------------------------------------------- 

Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048 

Hash algorithm = sha1RSA (1.3.14.3.2.29) 

Enforcement clients: 
---------------------------------------------------- 
Name            = DHCP Quarantine Enforcement Client 
ID              = 79617 
Admin           = Disabled 

Name            = IPsec Relying Party 
ID              = 79619 
Admin           = Disabled 

Name            = RD Gateway Quarantine Enforcement Client 
ID              = 79621 
Admin           = Disabled 

Name            = Microsoft Forefront UAG Quarantine Enforcement Client 
ID              = 79622 
Admin           = Enabled 

Name            = EAP Quarantine Enforcement Client 
ID              = 79623 
Admin           = Disabled 

Client tracing: 
---------------------------------------------------- 
State = Disabled 
Level = Disabled 

Ok.

Output from netsh nap client show state:

Client state: 
---------------------------------------------------- 
Name                   = Network Access Protection Client 
Description            = Microsoft Network Access Protection Client 
Protocol version       = 1.0 
Status                 = Enabled 
Restriction state      = Not restricted 
Troubleshooting URL    =  
Restriction start time =  
Extended state         =  
GroupPolicy            = Configured 

Enforcement client state: 
---------------------------------------------------- 
Id                     = 79617 
Name                   = DHCP Quarantine Enforcement Client 
Description            = Provides DHCP based enforcement for NAP 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = Yes 

Id                     = 79619 
Name                   = IPsec Relying Party 
Description            = Provides IPsec based enforcement for Network Access Protection 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = No 

Id                     = 79621 
Name                   = RD Gateway Quarantine Enforcement Client 
Description            = Provides RD Gateway enforcement for NAP 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = No 

Id                     = 79622 
Name                   = Microsoft Forefront UAG Quarantine Enforcement Client 
Description            = Reports client health status. 
Version                = 4.0.2095.10000 
Vendor name            = Microsoft Corporation 
Registration date      = 11/01/2013 09:04:05 
Initialized            = No 

Id                     = 79623 
Name                   = EAP Quarantine Enforcement Client 
Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies. 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = No 

System health agent (SHA) state: 
---------------------------------------------------- 
Id                     = 7467776 
Name                   = ESET SHA 
Description            = ESET System Health Agent (SHA) checks compliance of ESET products policy defined by system administrator. 
Version                = 5.0.2126.0  
Vendor name            = ESET 
Registration date      = 23/08/2012 16:12:42 
Initialized            = No 
Failure category       = None 
Remediation state      = Success 
Remediation percentage = 0 
Fixup Message          = (0) -  

Id                     = 79744 
Name                   = Windows Security Health Agent
Description            = The Windows Security Health Agent monitors security settings on your computer.
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =  
Initialized            = Yes 
Failure category       = None 
Remediation state      = Success 
Remediation percentage = 0 
Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating the security state of this computer.
Compliance results     = 
Remediation results    = 

Id                     = 79745 
Name                   = Configuration Manager 2012 System Health Agent 
Description            = Configuration Manager 2012 System Health Agent facilitates enforcement of software update compliance using Network Access Protection. 
Version                = 2012 
Vendor name            = Microsoft Corporation 
Registration date      = 23/01/2013 17:54:04 
Initialized            = No 
Failure category       = None 
Remediation state      = Success 
Remediation percentage = 0 
Fixup Message          = (0) -  

Ok.

Output from netsh nap client show grouppolicy:


NAP client configuration (group policy): 
---------------------------------------------------- 

NAP client configuration: 
---------------------------------------------------- 

Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048 

Hash algorithm = sha1RSA (1.3.14.3.2.29) 

Enforcement clients: 
---------------------------------------------------- 
Name            = DHCP Quarantine Enforcement Client 
ID              = 79617 
Admin           = Enabled 

Name            = IPsec Relying Party 
ID              = 79619 
Admin           = Disabled 

Name            = RD Gateway Quarantine Enforcement Client 
ID              = 79621 
Admin           = Disabled 

Name            = Microsoft Forefront UAG Quarantine Enforcement Client 
ID              = 79622 
Admin           = Disabled 

Name            = EAP Quarantine Enforcement Client 
ID              = 79623 
Admin           = Disabled 

Client tracing: 
---------------------------------------------------- 
State = Enabled 
Level = Advanced 

Trusted server group configuration: 
---------------------------------------------------- 
Group            = HRA Servers 
Require Https    = Enabled 
URL              = https://<FQDN>/domainhra/hcsrvext.dll 
Processing order = 1 
Group            = HRA Servers 
Require Https    = Enabled 
URL              = https://<FQDN>/nondomainhra/hcsrvext.dll 
Processing order = 2 

User interface settings: 
---------------------------------------------------- 
Title       = Network Access Protection 
Description = Your machine does not meet the security requirements defined by the company. If your machine does remediate automatically please contact IT 
Image       =  

Ok.

I've tried running: netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE" and restarting the NAP agent on client machines - same thing.

Any ideas what is going wrong?
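Added example (not from the post, nor from Microsoft's tooling): a small Python parser for the "Enforcement clients" section of the netsh nap client output quoted above, which diffs the effective configuration (show config) against the group-policy view (show grouppolicy). The sample text is constructed and abbreviated from the output in the post, where the DHCP Quarantine Enforcement Client (ID 79617) is Disabled locally but Enabled in group policy, and the UAG client is the other way round.

```python
"""Diff NAP enforcement-client Admin state: local config vs. group policy.

Parses the "Enforcement clients:" section of `netsh nap client show config`
and `netsh nap client show grouppolicy` and reports entries that disagree.
"""
import re

# Constructed excerpts of the two netsh outputs quoted in the post.
LOCAL_CONFIG = """\
NAP client configuration:
----------------------------------------------------
Enforcement clients:
----------------------------------------------------
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Disabled

Name            = Microsoft Forefront UAG Quarantine Enforcement Client
ID              = 79622
Admin           = Enabled

Client tracing:
----------------------------------------------------
State = Disabled
"""

GROUP_POLICY = """\
NAP client configuration (group policy):
----------------------------------------------------
Enforcement clients:
----------------------------------------------------
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Enabled

Name            = Microsoft Forefront UAG Quarantine Enforcement Client
ID              = 79622
Admin           = Disabled

Client tracing:
----------------------------------------------------
State = Enabled
"""

DHCP_QEC_ID = 79617  # ID of the DHCP Quarantine Enforcement Client in the post


def parse_enforcement_clients(text):
    """Return {id: (name, admin_state)} from the Enforcement clients section."""
    clients, current, in_section = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):
            # Section headers end with a colon; only the one we want is read.
            in_section = line == "Enforcement clients:"
            continue
        m = re.match(r"(\w+)\s*=\s*(.*)", line) if in_section else None
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        current[key] = value
        if key == "Admin":  # Admin is the last line of each client block
            clients[int(current["ID"])] = (current["Name"], value)
            current = {}
    return clients


def enforcement_mismatches(local_text, gpo_text):
    """List (id, name, local_admin, gpo_admin) for clients whose state differs."""
    local = parse_enforcement_clients(local_text)
    gpo = parse_enforcement_clients(gpo_text)
    out = []
    for cid in sorted(set(local) | set(gpo)):
        name, l_state = local.get(cid, ("?", "absent"))
        name, g_state = gpo.get(cid, (name, "absent"))
        if l_state != g_state:
            out.append((cid, name, l_state, g_state))
    return out


def dhcp_enforcement_effective(config_text):
    """True only if the DHCP QEC is administratively Enabled in this view."""
    name_state = parse_enforcement_clients(config_text).get(DHCP_QEC_ID, ("", ""))
    return name_state[1] == "Enabled"


if __name__ == "__main__":
    for cid, name, l, g in enforcement_mismatches(LOCAL_CONFIG, GROUP_POLICY):
        print("%d %-55s local=%s gpo=%s" % (cid, name, l, g))
    print("DHCP enforcement effective locally:", dhcp_enforcement_effective(LOCAL_CONFIG))
```

Against the full output in the post this reports the same two disagreements, and the local view answers "no" for DHCP enforcement, which is the first thing to reconcile before looking at the DHCP options the client ignores.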

SQL Server NAP Report


Hi There

I have a NAP server deployed for our VPN access and it is configured to use both a text log and SQL Server 2008 logging. I can view the text log, but was wondering how I can view the SQL NAP report.

Is there any tool that needs to be installed?

 

Thanks

.MSK

network logon

Running Windows 7 Enterprise and trying to connect to my network server running Windows 2000 Server. I get "user name or password incorrect". Both are correct according to the server. Is there an issue with 64-bit vs 32-bit, or Enterprise vs 2000 Server? My new system is complete except for this issue.

NPS: Override User-Name and User Identity Attribute


After configuring NPS and using http://technet.microsoft.com/en-us/library/dd197535%28WS.10%29.aspx it's possible to authenticate based on MAC addresses.

Is it by design that all authentication requests handled are changed to MAC address authentication?

We want to have three network access policies, two based on Active Directory account, one based on MAC address.

After entering the registry values and rebooting the server, it's only possible to authenticate based on MAC address.

Do we need separate NPS servers, one for MAC-based authentication and one for A.D. account authentication?

 

Thank you in advance.

Windows 2003 network shares


Gentlemen, the following situation has arisen.

I am trying to reach other machines (shares) from Windows Server 2003 SP2.

It lets me onto one, but not the other 8; the settings on the router are identical.

 bgw-zainsk#sh run | i 192.168.20.160
 permit udp host 192.168.20.160 host 10.10.4.10 eq ntp
 permit tcp host 192.168.20.160 host 10.10.4.10 eq 139
 permit tcp host 192.168.20.160 host 10.10.4.10 eq 135
 permit udp host 192.168.20.160 host 10.10.4.10 eq netbios-ss
 permit tcp host 192.168.20.160 host 10.10.4.10 range 3000 65100
 permit tcp host 192.168.20.160 host 10.10.4.10 eq 445

Client for Microsoft Networks is installed.


Windows 7 cannot connect to AP using Enterprise-WPA

I have a Server 2008 setup with AD. Eventually we want SSO everywhere, but I have had problems with just about every Windows 7 or XP PC we have, while other devices (Linux laptops, iPads, Android phones, etc.) authenticate fine. The main problem with the Windows 7 PCs is that even when I tell it not to store any credentials it simply will not ask the user for their username/password, thus I don't even know if it's using valid credentials. Even when I tell it which credentials to use by specifying the authentication mode it will not connect.

Direct Access - Cannot connect with Windows 8 client


I realise there are many questions on this topic but despite reviewing many, I still cannot get Direct Access clients connected remotely.

Our setup is as follows:
DC: Server 2008 R2
CA: Server 2008 R2
RA: Server 2012 with single NIC, using public address to NAT to it

Ultimately it will be set up with Windows 7 clients using our local CA, but I thought it best to get it working first using a Win8 client with the simpler Kerberos Proxy method.

I went through the basic steps of setting up the RA access and using just AD authentication.

I have been through the usual troubleshooting steps and found that the NRPT table was being fully populated by the GPO used for clients as it was missing the CA details. ie. "netsh namespace show policy" result was missing the name of the CA for both the DirectAccess-NLS.domain.local and domain.local, so I manually edited the NRPT table and added both those results in but this has made no change.

Running netsh interface httpstunnel show interfaces shows that the interface is active

The remote access just says "connecting" and I can't see anything of relevance in the event logs on the DC or RA.

The event logs on the client that I believe are relevant are ones like these:
------------------------------------------------------------------------------
Log Name:      System
Source:        Microsoft-Windows-DNS-Client
Date:          12/06/2013 12:22:13 p.m.
Event ID:      8015
Task Category: (1028)
Level:         Warning
Keywords:     
User:          NETWORK SERVICE
Computer:      Win8client.domain.local
Description:
The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : {EFCC42D3-AD98-4993-8A66-BAEB9381E1CE}
           Host Name : Win8client
           Primary Domain Suffix : domain.local
           DNS server list :
              118.148.1.10, 118.148.1.20
           Sent update to server : <?>
           IP Address(es) :

             172.20.10.4

-----------------------------------------------------------------------

The adapter referred to is the "Tunnel adapter isatap"

I know the NAT'ing is working as I can successfully ping the RA server from outside

Server NPS refused the access to a user


Hello (before anything, I want to say sorry for my English),

(I have spoken it only for a very short time, and this is only a model for my BTS project.)

So, I installed an NPS server and AD CS in order to manage connections towards my Wi-Fi access points through my controller "RUCKUS ZoneDirector".

The NPS is based on our Active Directory to manage the users.

Under the conditions, it is configured in the following manner:

In the Active Directory, I have my users and my computers in these groups.

Then the certificate of my NPS server, which I had to generate with AD CS, I exported and installed on my Active Directory, in order to distribute it with a GPO.

This GPO sends to the computers all the information for the hotspot "vdb-radius", the automatic enrollment, automatic request of certificate.

Before I precisely defined groups under the conditions of my network policies on my NPS, I had put all the computers of the domain and all the users of the domain, just to see if my GPO would function.

It continues to work even after I put the group "groupe_wifi_radius_users", but when I add my other group "groupe_wifi_radius_pc" it refuses.

It's like I can only put a user group in my NPS policies, but it refuses my computer group, even though the computers I try to connect are indeed in this group.

Here is the error message which I translated from French:

Server NPS refused the access to a user. Contact the administrator of server NPS for more information.

User:
  ID of safety: WIN \ rtest
  Name of account: WIN \ rtest
  Field of account: WIN
  Name of complete account: win.beauvais.fr/Utilisateur/Wifi_Radius/Ruckus Test

Computer customer:
  ID of safety: NO SID
  Name of account: -
  Name of complete account: -
  Version of the operating system: -
  Identifier of the station called: C4-01-7C-FC-B0-99:vdb-radius
  Identifier of the calling station: C4-85-08-F2-56-7A

Server NAS:
  Address IPv4 of server NAS: 192.168.250.10
  Addresses IPv6 of server NAS: -
  Identifier of server NAS: Standard C4-01-7C-FC-B0-99
  Type of port of server NAS: Without wire - IEEE 802.11
  Port of server NAS: 1

Customer RADIUS:
  Convivial name of the customer: ruckus.beauvais.fr
  Address IP of the customer: 192.168.250.10

Information detailed on the authentification:
  Name of the policy of request for connection: Protected connections without wire
  Name of the policy network: Connections to other accesses servers
  Supplier of authentification: Windows
  Server of authentification: Standard SVR-RADIUS.win.beauvais.fr
  Type of authentification: Standard EAP
  Type EAP: -
  Identifier of the session of the account: -
  Results of journalizing: Information of follow-up was registered in the file local newspaper.
  Code reason: 65
  Reason: The parameter Access authorization network in the properties of the incoming calls of the account of user Active Directory is defined to refuse the access to the user. To modify this parameter To authorize the access or To control of them the access via the policy of remote access, reach the properties of the account of user in Utilisateurs and computers Active Directory, click on the mitre Incoming call, and modify Access authorization network


Apprentice Network Administrator Division of Telecommunication and Information Systems for the City Hall Of Beauvais,France

NPS Dropping to lower priority Network Policy


We have a couple different network policies. Some users are being denied access with the default deny policy - but we are unsure why they are not matching our first policy, which has the following 2 conditions:

Operating System: 5.0 or greater
NAS Port Type: Wireless 802.1 or Wireless-Other

The devices connecting are windows devices.

Any ideas? Or, better yet, any way to figure out which of the conditions was not met, causing it to drop to the next policy? Thanks.

[Windows Server 2008] Password Protected Sharing function been hidden

I have a problem with Windows Server 2008.

When I completed installing the Domain Controller, the Password Protected Sharing function at Sharing and Discovery was hidden in Network and Sharing Center. And now I can't set permissions to log in to manage data on this server.

Please let me know how to activate it so it shows again. Please view my picture here: https://lh6.googleusercontent.com/_DHkY0seNAdiEXF8488_3hVggvms6cR14LXlskX8Qg=w892-h541-no