Hi All,
My Business need to setup followings if possible.
Requirement 1: Create Guest Access
Requirement 2: AD authentication for Laptop users.
Pls help me to setup this network.
AS
↧
NPS and CISCO 1800 AP
↧
Wired 802.1x Continouos Authentication Restart in Win 7
Hi,
I'm trying to implement 802.1x authenticaion with HP switches and NPS 2008/R2.
Seems like the switch is configured properly and a 802.1x policy was created and configured to grant network access to domain users and computers. Clients are Win 7 computers, configured to enable 802.1x authentication in PEAP method with secured password (EAP-MSCHAP v2) and not required to validate the server's (certificate (although the server has an issued certificate.
The problem is that the client seems to be authenticated, and immediately restarts the authentication, which eventually fails - as I see in the logs under Wired-AutoConfig.
I'd be thrilled to get any assistance with that issue.
Thanks a lot,
Lena.
↧
↧
Restrict access to wireless network to Domain laptops only
Hi,
I have found several posts related to this and none seem to work..
We use a windows based NPS. it is currently set to allow anyone to connect with their domain username and password.
I am trying to restrict Mobile Phones (iphone and android) from connecting to our wireless network.
So to the Network Policy I added "Domain Computers" (using "Windows Groups", I also tried "Machine Groups") within the Conditions tab.
I tested to see if a laptop could still connect and it could not.
I have tried many many different combinations within the conditions tab to try and get this working but to no avail.
1. just having "domain computers" (either windows or machine groups)
2. having domain users and domain computers (with all combinations of windows/machine/users groups)
3. I even tried Operating system conditions
These are all set in "And" values, if set to OR (in combination with Domain Users) then the laptop connects, but then so does the phone.
And no matter what value I set the Windows 7 SP1 laptop would not connect, unless the only condition around was "Windows Groups" - "Domain Users"
I have tried:
http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/617e7dde-202e-4d31-bd40-3e8f8043bf86
http://www.edugeek.net/forums/windows-server-2008-r2/72277-wireless-authentication-nps-machine-groups-policy.html
http://technet.microsoft.com/en-us/library/cc731220(v=ws.10).aspx
and several others...
When Domain Computers is used, I have seen that the wireless is connected pre-logon, but as soon as the user is logged in the wireless disconnects, never to reconnect.
Please can someone help me with this.
Thanks,
-Tim
↧
Domain Controller GPO causes Event ID 6273, Reason Code 16, Credential mismatch in NPS
I am running NPS as a RADIUS server on a domain controller for a Cisco VPN gateway on Windows 2008 R2 for the domain in our subsidiary in the U.S. We have it configured using MS-CHAP-v2 and authenticating against AD (authenticate on local machine) and all is good. However, when I applied a GPO that we developed and deployed in our head office using the CIS CAT tools to increase security on the domain controllers, the NPS server begins rejecting everyone who connects with Event ID 6273, Reason Code 16, "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.".
If I remove the GPO, all is well again. I have gone through the GPO and made sure there were no references to accounts (groups or otherwise) or network paths that were not available in the aforementioned domain. I am wondering if NPS requires unauthenticated
access to the directory in order to perform the account lookups. The reason I ask is that after the GPO is active, I never see the event indicating a connection to the directory (Event ID 4400). We have disabled all unauthenticated access to AD as well as
anonymous account enumeration in the GPO. Should we be running NPS with a user account in this case?
↧
PEAP authentication on NPS doesn't work when applying latest root certificate update
If you are struggling with your WiFi right now after yesterday's root certificate update, you might have the following conditions on Windows Server 2008 R2:
- The amount of root certificates is about 350-ish
- The event log shows a message denying requests because of "The message received was unexpected or badly formatted."
This is basically the same as mentioned in this question: http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/cd2d5bc8-e89b-474e-a66f-007f20d93a8a/
The workaround / solution is method 3 of this KB article: http://support.microsoft.com/kb/933430 (configuring Schannel to not send a series of trusted root certificates in the handshake) There's only a hotfix available for Windows Server 2003, not for Windows Server 2008 or Windows Server 2008 R2.
My question: Will there be a hotfix for Windows 2008 R2 any time soon?
↧
↧
Certificate for EAP authorization is gone
Hi,
I'm using NPS and Radius to authenticated users with wireless access point. It's working fine, but only one problem with certifcate!
After some time (it's about 1 day) certificate for EAP authorization is gone. I can see it in Certificates snap-in under Personal tab, but not in NPS server and also user authorization after that fails.
* Certificate was requested using certificate enrollment wizard and using Domain Controller template
* Validity is showing 1 year
I'm not understand what's going on? Can someone help? Please, see screenshot.
Aigars
↧
interface
what does interface not registered mean on windows media player? im trying to burn songs and thats what popped up
↧
802.1x NAP with Cisco 2950
Hi all,
Im looking at labbing up a NAP environment with a 2008 R2 windows environment and a cisco 2950 switch.
I have configured up all of the windows side - but am having a bit of trouble with the switch config... so
1) I just grabbed a 802.1x capable switch from a mate for the purposes of this lab. But is there anymore i need to check. The cisco site seems to suggest that a 2905 wont work for NAC integration - but i only want NAP. Firmware version 12.1(22)EA9.
I found this - http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11/release/notes/OL14991.html#wp999587 which seems to indicate the EI firmware is required - but then i also found this http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/bc8d2a11-1899-42d7-b2d9-0fed8f825347/ that refutes that - can anyone help with a definitive answer ?
2) I've had a look at a bucket-load of blog entries and looked at kleefys blog entry/cast at (http://blogs.technet.com/mkleef/archive/2007/09/03/network-access-protection-with-cisco-switches-blogcast.aspx) - this has an example cisco switch config - but, to be brutally honest, i have no idea what commands to enter to actually get that configuration going - as i've never done much more than use the web interfaces on switches (hey, thats what the network teams are for!). Could anyone be kind enough to help out with a basic run through - i get what most of the commands are doing in kleefy's example config - i just dont know how to get them in there! (and cisco'ese seems to be an alien language)
Thanks in advance.
↧
NAP DHCP combination with IPSec & 802.1x
Hi All,
Can we combine NAP DHCP with NAP IPSec and 802.1x methods? If yes, then what are the requirements for this configuration.
Thanks in advance for the help.
↧
↧
RADIUS - EAP-MSCHAP
Good afternoon all,
I'm having some issues configuring NPS for EAP-MSCHAPv2. What I've done so far:
1. Added the NPS server role
2. Configured a RADIUS-client with a shared secret. Configured RADIUS on the AP and verified connectivity.
3. Added a AD-group called WiFi and added all the computers/accounts for WiFi access.
4. Created a new Network Policy and Connection Request Policy by using the 'RADIUS Server for 802.1X Wireless or Wired Connections' using following settings:
- Type of 802.1X Connections: Secure Wireless Connections
- RADIUS Clients: Added the previously configured RADIUS client from step 2.
- Type: Choose EAP -MSCHAPv2 and set the Authentication Retry to 20 (for debugging reasons).
- Groups: Added the WiFi group
But when trying to connect to the RADIUS WiFi the client keeps verifying. The following are snippets from the RAS tracing-logs.
[8204] 10-01 15:03:44:357: EapChapBeginMSChapV2
[8204] 10-01 15:03:44:357: ReadConnectionData
[8204] 10-01 15:03:44:357: EapChapBeginCommon
[8204] 10-01 15:03:44:357: ChapBegin(fS=1,bA=0x81)
[8204] 10-01 15:03:44:357: ChapBegin done.
[8204] 10-01 15:03:44:357: EapMSChapv2MakeMessage
[8204] 10-01 15:03:44:357: EapMSChapv2SMakeMessage
[8204] 10-01 15:03:44:357: EMV2_Initial
[8204] 10-01 15:03:44:357: ChapMakeMessage,RBuf=0000000000000000
[8204] 10-01 15:03:44:357: ChapSMakeMessage
[8204] 10-01 15:03:44:357: CS_Initial...
[8204] 10-01 15:03:44:357: MakeChallengeMessage...
[8204] 10-01 15:03:44:357: GetChallenge.
[8204] 10-01 15:03:44:357: GetChallenge: LsaCallAuthenticationPackage succeeded
[8204] 10-01 15:03:44:357: GetChallenge.
[8204] 10-01 15:03:44:357: GetChallenge: LsaCallAuthenticationPackage succeeded
01 0A 00 1B 10 50 95 10 2C 97 65 EC 43 7B 19 1E |.....P..,.e.C{..|
DF 3E 51 29 C8 53 52 56 46 50 31 00 00 00 00 00 |.>Q).SRVFP1.....|
[5916] 10-01 15:03:44:361: EapMSChapv2End
[5916] 10-01 15:03:44:361: ChapEnd[8204] 10-01 15:03:44:354: NT-SAM Names handler received request with user identity KANTOOR\btbadmin. [8204] 10-01 15:03:44:355: Username is already an NT4 account name. [8204] 10-01 15:03:44:355: SAM-Account-Name is "KANTOOR\btbadmin". [8204] 10-01 15:03:44:355: Successfully created new RAP Based EAP session for user KANTOOR\btbadmin. [8204] 10-01 15:03:44:355: No AUTHENTICATION extensions, continuing [8204] 10-01 15:03:44:355: NT-SAM Authentication handler received request for KANTOOR\btbadmin. [8204] 10-01 15:03:44:355: Validating windows user account KANTOOR\btbadmin [8204] 10-01 15:03:44:355: Sending LDAP search to SRVFP1.kantoor.local. [8204] 10-01 15:03:44:356: Successfully validated windows account KANTOOR\btbadmin. [8204] 10-01 15:03:44:357: Allowed EAP type: 26 [8204] 10-01 15:03:44:357: Succesfully created EAP Host session with session id 455 [8204] 10-01 15:03:44:357: Processing output from EAP: action:1 [8204] 10-01 15:03:44:357: Inserting outbound EAP-Message of length 32. [8204] 10-01 15:03:44:357: Issuing Access-Challenge. [8204] 10-01 15:03:44:357: No AUTHORIZATION extensions, continuing [5916] 10-01 15:03:44:361: Successfully retrieved session (455) for user KANTOOR\btbadmin. [5916] 10-01 15:03:44:361: No AUTHENTICATION extensions, continuing [5916] 10-01 15:03:44:361: Processing output from EAP: action:2 [5916] 10-01 15:03:44:361: Translating attributes returned by EAPHost.[5916] 10-01 15:03:44:361: EAP authentication failed. [5916] 10-01 15:03:44:361: No AUTHORIZATION extensions, continuing
I got the feeling that I'm missing something small. Any tips would be greatly appreciated.
Kind regards,
MaartenDD
BehindTheButtons - STRONG IDEAS, FLEXIBLE SOLUTIONS - http://www.behindthebuttons.com
↧
802.1x error 23 only on Mac clients
I have been using server 2008 R2 for NPS using 802.1x for about a year or so with my windows clients and it has been working perfectly. Recently however my mac clients cannot authenticate successfully. They get the error posted below. I cant find the eap log file or at least I dont know what the name of it is. All my Windows clients still work fine, just the couple mac clients cant authenticate even though they have been working fine up until very recently.
Network Policy Server denied access to a user.Contact the Network Policy Server administrator for more information.
User:
Security ID: DOMAIN\username
Account Name: username
Account Domain:DOMAIN
Fully Qualified Account Name:DOMAIN\username
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name:-
OS-Version: -
Called Station Identifier:000B866D50A0
Calling Station Identifier:F0B47923378A
NAS:
NAS IPv4 Address:172.20.XX.XX
NAS IPv6 Address:-
NAS Identifier:172.20.XX.XX
NAS Port-Type:Wireless - IEEE 802.11
NAS Port: 7
RADIUS Client:
Client Friendly Name:Aruba-Master
Client IP Address:172.20.XX.XX
Authentication Details:
Connection Request Policy Name:Secure Wireless Connections
Network Policy Name:Secure Wireless Connections
Authentication Provider:Windows
Authentication Server:RADIUS.domain.lan
Authentication Type:PEAP
EAP Type: -
Account Session Identifier:-
Logging Results:Accounting information was written to the local log file.
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
↧
How to change ARP offload setting when IP lease expires when client PC in sleep?
In most cases, DHCP is used in network environment. DHCP server sends out Lease Expiration Time to DHCP client when assigning DHCP IP. If the lease time expires when the PC is in sleep mode, ARP offload seems still working
and will respond to DHCP server’s ARP request wrongly, because the original IP of the PC has expired and been marked as available at DHCP server.
Question: how could a PC and who in the PC should change the ARP offload settings in this case?
Thanks.↧
server 2008 R2 network login not working
Help...I have three computers - 1. server 2008 R2 and 2 windows 7 pro - all have same user name and password - firewallls are disabled - all on same workgroup - all have static IP address with same DNS - under advanced network discovery is
on - password protection is off - so here is my issue, I have three shared folders on the server with everyone and the user account with full access. If I try to browse through the network I can see all three computers fine. I can see the public folder on
both the windows 7 computers but if I try to access the server I get a username and password prompt. I type in the username and password and it will not take it. I can get into the server by its IP address 192.168.1.73 and see the shared folders no problem
but I need to be able to see the servers shared folders through the network. I know the username and password works because that is what I use to log onto the server. I have put in 30 plus of this setup and this is the first time I have had this issue. I also
made sure the clock was synced correctly with all computers. Any ideas would be great. Thank you,
↧
↧
NPS Windows 7 clients can't connect | iPhone connects!
Server 2008 R2 (RDS, NPS)
Access point: WRT54GL
Using a wildcard certificate
Ironically, my iPhone 4 connects to the wireless network just fine! I logged in w/ my domain credentials and then I had to accept the wildcard certificate we use, and bam, in on the corporate network using domain credentials.
However, I can't get our Windows 7 machines to connect.
With the current settings, the connection request generates 2 error messages in the Event Viewer - 1 for the computer and 1 for the user attempting to authenticate - both of which say: "Network Policy Server denied access to a user... The message received was unexpected or badly formatted."
I've tried creating a wireless profile on the laptop - and not validating certificates = no go.
The EAP service is running on the laptop.
The NAP service was NOT running on the laptop. I started it. Didn't affect anything.
I read that import certifcates on the client might be necessary... That doesn't sound right. I don't want to have to touch each client - or even apply through GPO.. Is this even relevant?
I have received other error messages in the past when I was tinkering with different connection and network policy settings. But this is where I’m at now.
Help!? Thanks!
↧
Error 629 VPN connection, with NAP and NPS enable
This is the scenario I'm running with this issue:
I have a SERVER1 as domain "domain.com" which it has the certification role as a CA also AD + DNS, I have another SERVER2 with NPS and RAS enabled, this scenario is to try NAP trhough VPN.
The SERVER2 is getting the CA from SERVER1 which is stored on the Personal store on SERVER2, which is a "Computer" cert.
Both servers are Win 2k8 R2
This SERVER2 has 2 Network, Private and Public IP, the Client it is a Win 7 Professional, already set up with the credentials received from AD DS, because this Client is part of the domain.
I am using an Extensive Authentication Protocol (EAP), to be more specific SECURITY TAB on my VPN connection, Microsoft Protected EAP (PEAP) (ecription enabled) and the check from "Fast reconnect has been disabled".
I have torubleshoot the most I can, and searched over the Forum, but luck yet, I'm getting this error
"The server "SERVER2.Domain.com" presented a valid certificate issued by "Domain-SERVER1-CA", but "Domain-SERVER1-CA" is not configured as a valid trust anchor for this profile."
What might be causing this? because is not allowing the connection at all.
The NAP only check if Firewall is enabled by the way.
Thank you in advanced for any help you might have.
And from SERVER2 on the Event viewer I'm getting this error:
"The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided
below. Correct the problem and try again.
The certificate's CN name does not match the passed value."
Additional Event from NPS on SERVER2:
Contact the Network Policy Server administrator for more information.
User:
Security ID: DOMAIN\User
Account Name: DOMAIN\User
Account Domain:DOMAIN
Fully Qualified Account Name:DOMAIN\User
Client Machine:
Security ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Account Name: CLIENT.Domain.com
Fully Qualified Account Name:DOMAIN\CLIENT$
OS-Version: 6.1.7601 1.0 x86 Workstation
Called Station Identifier:W.X.Y.Z
Calling Station Identifier:W.X.Y.R
NAS:
NAS IPv4 Address:O.P.Q.R
NAS IPv6 Address:-
NAS Identifier:SERVER2
NAS Port-Type:Virtual
NAS Port: 257
RADIUS Client:
Client Friendly Name:SERVER2
Client IP Address:O.P.Q.R
Authentication Details:
Connection Request Policy Name:VPN connections
Network Policy Name:-
Authentication Provider:Windows
Authentication Server:SERVER2.Domain.com
Authentication Type:PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier:XXXXXXX
Logging Results:Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
↧
How to check the NPS logs in the Event Viewer
I configured the Log File Properties in Accounting in NPS server as the following screenshots. And I checked there has indeed been a NPS log file. However, the content of the log file is not friendly to read in the notepad. May I check the NPS log in the Event Viewer? Thanks.
↧
SSTP EAP
SSTP Environment Windows Server 2008 R2.
Server02R with RRAS and CA (standalone) services, and Server02N with NPS Services.
I want to secure more connection to SSTP VPN Server with client certificate EAP. So on the CA i create an request for client certificate and then I export and import on the local machine. Connection without EAP types works fine with user domain name and password. Problem only is when i check on the security tab in VPN Connection Use Extensible Authentication Protocol (EAP) witj drop down menu Microsoft: Smart Card or other certificate (encryption enabled)
On the Server02N with NPS services role in Connection Request Policy I crete new on with settings Override network policy authentication settings and check Microsoft smart card or other certificate and on the edit I`ve got a certificate for Server02R (sstp.example.com). When User trying to connecto to sstp vpn server he has 691 error problem. In the logs on RRAS server I`ve got eroors 20255 and 20271 with message:
CoId={0E740F79-5576-44F2-8FE2-A12A4B2055BE}: The following error occurred in the Point to Point Protocol module on port: VPN0-127, UserName: Kris SSTP Mix. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error. What What am I doing wrong? Please help me because I don`t have any idea wit that. Thanks in advance.
Server02R with RRAS and CA (standalone) services, and Server02N with NPS Services.
I want to secure more connection to SSTP VPN Server with client certificate EAP. So on the CA i create an request for client certificate and then I export and import on the local machine. Connection without EAP types works fine with user domain name and password. Problem only is when i check on the security tab in VPN Connection Use Extensible Authentication Protocol (EAP) witj drop down menu Microsoft: Smart Card or other certificate (encryption enabled)
On the Server02N with NPS services role in Connection Request Policy I crete new on with settings Override network policy authentication settings and check Microsoft smart card or other certificate and on the edit I`ve got a certificate for Server02R (sstp.example.com). When User trying to connecto to sstp vpn server he has 691 error problem. In the logs on RRAS server I`ve got eroors 20255 and 20271 with message:
CoId={0E740F79-5576-44F2-8FE2-A12A4B2055BE}: The following error occurred in the Point to Point Protocol module on port: VPN0-127, UserName: Kris SSTP Mix. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error. What What am I doing wrong? Please help me because I don`t have any idea wit that. Thanks in advance.
↧
↧
NAP and Windows 8/RT
Hi all!
We have a windows 8 RT tablet and I am having a hard time configuring it for our SSTP VPN which uses NAP. I think I have found the problem but I am not sure what to do. If I remove the health policy from my network policy on the NPS server, it allows the Windows RT tablet to connect. The default WSH policies that you can set with NAP on windows 2008 R2 server only lists Windows 7/Vista and Windows XP. So, I believe this is the problem, there are no options for Windows 8 or Windows RT clients.
Do I need to upgrade my server to 2012?? Is there a place where I can download new policies for RT and deploy them to the NPS server?
Thank you for your help!
Rob
↧
Is Windows RT client wokring for NAP(network access protocol) ?
Hi
I met a problem on NAP client setting on Windows RT client. The NAP setting on Windows RT cleint looks like as same as Windows 7 and Windows 8. I runned "netsh nap client show stat" command to make sure That the NAP agent was working and DHCP Quarantine Enforcement Client was on. But the difference is there was no Option43 in DHCP DISCOVER patcket from Windows RT client and cann't do DHCP nap quarantine.
Is Windows RT client working for NAP ?
↧
SBS2008 network - replaced Netgear DGND3700v2 router with D6300, Win7/Surface RT attach fine, but no DNS - WHY?
I'm puzzled!
DGND3700 installed for over a year, needed it to replace an existing one somewhere else, bought D6300 to replace it - goes better with the decor, and should be faster.
However, I have now temporarily borrowed back the DGND3700 to try and work out what is happening.
I configured the new D6300 to exactly mimic the settings of the old router. It works fine for cabled connections. The WiFi SSIDs and passwords are the same as for the DGND3700. And, my 6-year-old HP windows tablet with Windows 7 Ultimate connects perfectly. However, my wife's Dell notebook, and my SurfaceRT tablet, connect perfectly to the WiFi and then cannot see the internet. Diagnostics say 'config looks ok, but no response from DNS server'. Connecting the Notebook by cable makes it work perfectly.
Replacing the D6300 with the DGND3700, having re-configured the latter for my network, now has the Surface and the Notebook working fine again. Oddly, a Dell laptop I have just rebuilt (xp crashed, so reinstalled from the original media) with a connection to the D6300, now will not connect to the DGND3700! But both routers are identically configured!
I have a further WiFi access point in my office in the garden, which has continued to behave perfectly throughout. And my old Windows Tablet doesn't seem to have any issue.
Is there some sort of authentication going on which is sensitive to some sort of identity in the Router?
↧