Channel: Network Access Protection forum

NPS Network Policy based on OU structure


Hi,

I have created an 802.1x on our wired network, using this http://technet.microsoft.com/en-us/library/cc772124(v=ws.10).aspx

and this one http://social.technet.microsoft.com/Forums/windowsserver/en-US/a0bfc02e-4176-4add-9691-e4d118275511/using-certificate-oids-to-authenticate-wifi-users

This works as expected, everyone will get the network defined in the policy.
But I would like to change this access from groups to which OU in AD the user or machine is in.

I tried to find out which condition I could use for this, but I did not have any luck yet.

So my question is:
Can I get our NPS to grant access based on the OU I define in the policy?

Is there anyone in here that knows anything about this?

Regards,
Frank


The certificate chain was issued by an authority that is not trusted


All,

Please help,

I have set up a wireless connections policy using the 'Radius server for 802.1X Wireless or Wired Connections' wizard in the Network Policy Server interface. I am copying the same config settings from a previously working configuration (my old server, which is now offline).

I am trying to connect with W7 pro using WPA2-Enterprise using Microsoft:Protected EAP (PEAP)

I have installed certification services on my Server 2008 R2 Domain controller, I then access MMC/Console Root/Certificates/Local Computer/Personal/Certificates and exported the CA root certificate to a removable disk.

When I install the cert on the W7 client, I import it using the wizard into the Trusted Root Certification Authorities store. This cert is then visible within the list of certs to validate when making a wireless connection.

The damn connection just won't work; every time I get this in the error log on the server:

Logging Results: Accounting information was written to the local log file.

Reason Code: 265

Reason: The certificate chain was issued by an authority that is not trusted.

The CA Root certificate on my server is stored in the Trusted Root Certification Authorities store and is stored on the client.

Why am I getting this error code? What can I do to trace the fault and fix it?

thanks
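Reason code 265 only says that one side of the PEAP handshake rejected the certificate chain; it does not say which link is missing. The following PowerShell is an added diagnostic example, not code from the thread, that builds the chain for the NPS server's certificate on the machine where it runs and reports which root it reaches, whether that exact root thumbprint is in the LocalMachine Trusted Root store, and whether the certificate carries the Server Authentication EKU that PEAP clients require. The .cer path is a placeholder; export the server certificate without its private key to that location first.

```powershell
# Added diagnostic example (not from the thread). Assumes the NPS server's
# certificate was exported (public part only) to the placeholder path below.
param(
    [string]$ServerCertPath = 'C:\temp\nps-server.cer'   # placeholder path
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCertPath

# Build the chain the way a client would, from the machine's own stores.
# Revocation checking is skipped so an offline CRL does not mask a trust problem.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$ok = $chain.Build($cert)

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Chain builds to a trusted root: $ok"
foreach ($status in $chain.ChainStatus) {
    "  status: $($status.Status) - $($status.StatusInformation.Trim())"
}

# The last element is the top of the chain. A root with the same subject but a
# different thumbprint (e.g. a renewed CA cert) is a common cause of 'not trusted'.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inRootStore = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
"Top of chain: $($top.Subject) [$($top.Thumbprint)]"
"That thumbprint present in LocalMachine\Root: $inRootStore"

# PEAP clients check that the server certificate has the Server Authentication EKU.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
"Has Server Authentication EKU (1.3.6.1.5.5.7.3.1): $([bool]$hasServerAuth)"
```

Run it on the Windows 7 client with the server certificate exported from the NPS server, then run it on the NPS server itself against the same file; if the two machines report different chain tops or different thumbprints, the client was given a different root than the one that actually issued the server certificate.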

NAP on 2008 R2 with DirectAccess 2012 RC


I'm running IPsec NAP on two identically configured Windows 2008 R2 servers that are also standalone CAs for NAP.

I'm in the testing phases of a Windows 2012 RC DirectAccess server that is behind a NAT. Certificates from our domain CA (not the standalone ones for NAP) are used so Win7 clients can also connect. When the computer establishes a DirectAccess connection it's unable to connect to any resources that are part of NAP (only non-NAP resources, exceptions are available). napstat reveals that the client is healthy (it also has the health certificate).

Here's how the Connection Security Rules look on a client:


The first four were automatically generated by the DirectAccess server, the other four are for NAP purposes (before a DA test server was introduced).

It appears these settings don't coexist all that well. If I go to my DA server and click "Enforce corporate compliance for DirectAccess with NAP" I have even less connectivity (unable to reach DA server from clients in DA...).

What am I doing wrong? Are additional logs or information needed to better assist me?


NPS not capable of authenticating users


We use a rather simple scheme in this situation which checks whether users are part of a group. If so, access is granted based on WPA2-ENT with PEAP. Since several weeks (during my vacation) we have had an issue that is causing clients not to be able to log into WiFi anymore. It simply states:

Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

The strange thing is: this server also provides VPN access via a similar scheme which is perfectly capable of checking the rights of the users. Also the passwords of the users are correct since all our users use the "sign in with Windows Credentials" option. Manually entering usernames in both DOMAIN\User or user@DOMAIN.example with correct passwords does not work and results in the same server-side error.

Clients are all Windows 8, NPS is Server 2012 Standard Build 9200 with all updates installed.

More info

  • NPS server is reachable (based on ping) via both IPv4 and IPv6.
  • APs are registered in NPS as Cisco and non-NAP capable.
  • APs run only IPv4.
  • I have tried turning it off and on again.

Any suggestions as to where I may look for the solution?

EDIT Was unable to post this in the http://social.microsoft.com/Forums/en-US/partnerwinserver2012/threads forum due to the new interface...

Custom radius attributes


Hi all,

Is it possible for the NPS server to send a custom attribute back to our Aruba Wireless controller? We would like to use this attribute to help dictate which wireless role to put this particular device on. We are looking to leverage the use of the Active Directory global group which the device is in and send the group name attribute back to the Aruba wireless controller. From there the Aruba can use that attribute to determine wireless role.

Thanks in advance,

Bill

port 80 does not work


Hi,

I hope this post is suitable for this forum.

My little internet server doesn't work any more (since last week).

firewall and antivirus are disabled.

IIS is working locally but not remotely.

HTTPS is working (port 443).

Ping is ok.

SQL Server Reporting Service (MSSQLSERVER) is stopped.

Any help will be so appreciated.


isolate my network


Hi everyone,

What can I do if I want to prohibit/limit clients from connecting their laptops to the organization network and sharing and copying files from network resources, even if their computer is in the organization? I want only domain computers to be able to access the network, and only my support team to be able to connect non-domain computers to the network.

All servers in my organization run Windows Server 2008.

How do I provide a modal dialog box configuration UI in the SHV

How do I provide a modal dialog box configuration UI in the SHV? The INapComponentConfig.InvokeUI implementation must be in the same dll as the SHV. The PlatformSDK example unfortunately has it in another exe that must be started before invoking the configuration from NPS. That is not how all other SHV(s) work. So I am interested in a dialog UI in a free threaded DLL. I did try copying the SHV configuration code in the PlatformSDK example to the SHV with no success. Any examples would be greatly appreciated.


802.1X PEAP MSCHAP Wireless Authentication Using Certificates Instead Of User Accounts For Non-domain PCs?


To reduce help desk calls and improve the user experience, we would like to move away from using domain user credentials that expire many times per year to computer certificates that can last until they are revoked or expire after a much longer term.  We can buy a commercial certificate from GoDaddy or similar company.

It is not a major problem for our own laptops since the wireless credentials are integrated with the users' Windows login, but we also have many contractors on our network who have laptops that are joined to their employer's domain. They log into their laptops with different credentials than what are needed to authenticate to the wireless.

Since these laptops are not members of our domain, we cannot manage them with group policy.  We would have a tech manually install the certificates with a USB key or from a network share. 

Is it possible to install certificates on Windows laptops that are not joined to our domain as a method to authenticate to wireless so they don't have the hassle of having to change their password in the wireless settings every time their password expires?

It is a huge hassle because when their domain password expires, they are then automatically disconnected from the wireless and therefore can't even reach our password change website or OWA to set a new password because they no longer have a working network connection.

We would also like to do the same for a few people who need to access the wireless from iPads.



How do I get a vendor ID

How do I get a vendor ID for my custom SHA and SHV? How much does it cost? Does anyone have a working link where this process can be started?

How do I have my SHV send configuration to my SHA via remediation

How do I have my SHV send configuration to my SHA via remediation? Ultimately I would like the SHV configuration to display not only SHV configuration but also SHA configuration.

Broken link

On http://msdn.microsoft.com/en-us/library/bb945062.aspx there is a broken link to the sample code at http://go.microsoft.com/?linkid=8076327. This is sad because the example goes beyond what is provided in the PlatformSDK providing a real world example of configuration and remediation. Could someone fix the link or provide the missing sample code.

NPS Certificate with Internal Domain


Hi all,

We currently run an AD domain with an internal (.local) domain name.  We're a school and run a BYOD program, so we have lots of non-domain machines, it's therefore important that the certificate used on our NPS server for our PEAP secured wireless for these users is trusted.  We've used Godaddy to sign certificates for this in the past, but after November 2015 they won't support signing certificates for internal domains (and nobody else will).

What I'd like to know is whether I have any other choice to overcome this in the future other than renaming my domain (1000 users and 1000 PCs, so not a small undertaking), or is there a way to have NPS present another name, or some other way around this?

Thanks.

Implementing DirectAccess (Can't Connect - Never Have) - Server 2012 with Windows 8 client


I have been trying to implement DirectAccess and have been unable to do so.  

Server- 2012 domain joined with no NAT behind Cisco ASA firewall

LAN nic - no gateway - static routes - has DNS servers configured

DMZ nic - has gateway, no DNS servers

On the Windows 8 client I see the DA connection but it always sits at connecting. It never has made a connection.

I have opened up the Cisco firewall (to test only and shut it back down) to allow all traffic to the DA Server. During that time I tried to ping the DA host name and was successful and then tried to connect. The only thing I saw in the logs was allow icmp from an ipv6 address and then from my external home ip address. I then saw an allow on a single tcp from my external home ip address to the DMZ ip address on 443. Then there were several more ICMP connections to the server from the same ipv6 address as before.

I read that the windows firewall must be enabled on the server so I uninstalled Symantec Endpoint Protection and enabled the windows firewall.  I did the same with the Windows 8 laptop.  I am still unable to make this connection. 

Where do I start to troubleshoot this? Even with the Cisco wide open to the server it does not connect, so I am pretty sure that is not the issue unless it is coming back into the network, but I would imagine that there are logs I can look at to determine that.

Thanks for any help you can lend.  I have been tinkering with this on and off for months trying to get it implemented but keep coming up empty handed. 





what is the best way to give permission a particular group/user for domain joining..?


I'm using a Windows Server 2008 R2 DC. By default all my users are able to join the domain.

That decreases my security level.

So how can I remove this permission, and how can I grant permission to a specific user/group to join the domain?
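The behaviour described above comes from the domain attribute ms-DS-MachineAccountQuota, which by default lets any authenticated user join up to 10 computers. The following PowerShell is an added hardening example, not code from the thread: it reads the current quota, sets it to 0 so ordinary users can no longer join machines, and then delegates the "Create Computer objects" right on the Computers container to one group with dsacls. The group name is a placeholder; it assumes the ActiveDirectory module (RSAT) and rights to modify the domain object.

```powershell
# Added hardening example (not from the thread). Requires the ActiveDirectory
# module and permissions to modify the domain head object and the target container.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# ms-DS-MachineAccountQuota is the number of computer accounts any authenticated
# user may create by joining machines to the domain; the default value is 10.
$current = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota: $current"

# 0 removes the implicit join right from ordinary users.
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
$after = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"New ms-DS-MachineAccountQuota: $after"

# Grant the join right explicitly to one group instead. 'CC;computer' is the
# permission to create child objects of class computer; /I:T applies it to the
# container and its sub-objects. Replace the placeholder group with your own.
$joinGroup = 'EXAMPLE\Domain-Joiners'          # placeholder group name
$container = "CN=Computers,$domainDN"          # or the OU where workstations are created
dsacls $container /I:T /G "${joinGroup}:CC;computer"
```

Members of the delegated group can then pre-create or join computer accounts in that container only, which is the split between "support team" and "everyone else" the post asks for; Domain Admins are unaffected by the quota.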

 

NPS Using 3rd Party (GoDaddy in this case) Certificate


I realize there are other posts regarding this but I do not believe I have found any that specifically answer this question but sorry if I missed it or I am hoping for a different answer. :)

I have a school that is going to be a hybrid of BYOD and school provided Windows 7/8 and iPads. I have NPS set up on a 2008 R2 server and had purchased a cert from GoDaddy to be used on PEAP. With that said, I realize that the server verification warning on the domain-based Win7 computers could be resolved if I install the cert in NTAuth, which would then distribute the same configuration to all domain computers; however, this does not resolve the issue with non-domain based computers and devices (such as iPads, iPhones, Chromebooks, Android, etc.) warning them of a need to validate the server. I realize that on some of these devices you can actually turn off validation, but these students are not going to do this on every device they bring in. Is there any way that we can either stop the server validation requirement or reconfigure (something) so that these devices will validate the server? I have read that the reason is that public CAs do not provide "Data Encipherment" in their certs' "key usage". If this sounds like part or all of the cause, is it possible to have a public CA (GoDaddy) include "Data Encipherment" in their certs? I just cannot believe that everyone in a BYOD situation just accepts the fact they are going to receive warnings about validating the server every time they connect a new device or "forget" the SSID and reconnect.

Thanks in advance. 

NPS MMC

How can Server 2008 NPS MMC display more than 1500 RADIUS Clients when I access the NPS MMC? It does not display more than 1500 clients. Send reply torhorton3@elp.rr.com

Problems with Windows 7 wired 802.1x reauthentication - "user authentication" mode. Please help! Many thanks


Hi all,

I am trying to set up an 802.1x environment for work. I would like the workstations to be authenticated every time a user logs on, and different users will get different downloadable ACLs or be dropped into different VLANs from the Radius servers.

A weird thing happened with Windows 7 client reauthentication: whenever there is a failed authentication after a user logs on, the PC no longer reauthenticates the next user at all and it stays in the auth failed status. I cannot see requests hit the radius servers at all and switches don't get responses from the client either. But it always works if I manually disconnect and reconnect the network connections. However, the SP3 client is able to do the reauthentication no matter what.

Here are some details:

Switch: Cisco 3750   ( tried latest IOS, still same)

Radius servers: tried on both Microsoft NPS and Cisco Identity Services Engine, same result. Switch port authentication is in low impact mode, which means it allows access to the DHCP servers and other necessary network resources, such as the domain controller.

Can anyone please help by having a look at this problem? Really appreciated!



Building policies for 802.1x and switch management


I currently have a few HP Procurve switches set up with 802.1x authentication on the access ports and am managing the authentication with a 2008R2 server with the NPS role.

Now I would also like to use this same radius server to authenticate the manager login on the switches (telnet/ssh/https) to be able to login with certain domain accounts on the switches.

I'm just not understanding how to separate the policies on the NPS server. Right now, for example, we have specified that a certain group of users (for example the group NET-USERS) are given access when they attempt to connect to an 802.1x port with their AD credentials.

Now if I enable RADIUS authentication for the switch management, if a user with membership of NET-USERS tries to login, they will also be given access to the switches. I want to be able to allow NET-USERS to only connect through 802.1x port authentication, and only a certain NET-ADMIN group to be able to authenticate for the switch management.

I hope someone understands my issue, and has a solution :-)

Windows XP PEAP authentication fails


Hello,

I am trying to make a client computer authenticate with domain credentials to the NPS for wireless network auth. The logs of the NPS server only show authentication attempts with the computer name. Our setup:

Client: Windows XP SP3, wireless networks managed by wzcsvc

The client tries to connect to a wireless network, controlled by a Cisco Wlan Controller. This controller is configured to use the NPS server as Radius.

NPS and AD server: Windows 2008 R2

I tried the following without any results:

  • setting the registry value HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode to 0 and 1
  • disabling our GPO on the specific laptop and domain user logged on to the laptop


If I adapt the NPS policy for computer authentication, everything works and access is granted but if I specify a domain user group, the authentication fails.
I have the impression the wzc tool is a bit buggy; from time to time the NPS logs do not report authentication attempts anymore. After a net stop/start wzcsvc, it works again. I looked around on a lot of fora and Microsoft articles but I really can't find what the problem is. Any suggestions?

Thanks!
