Channel: Network Access Protection forum
Viewing all 1875 articles

User Code 16 error on NPS Server when Windows 7 Clients Connect


Hi,
I'm having a problem on a site using NPS (Radius) for wireless (Windows Server 2012 DC).
Basically what's happening is:
Android, iOS and Windows devices (phones, tablets) can connect to wireless using NPS (they are prompted for a user name and password, which work fine).
Windows 8 Laptops can also connect using AD Credentials ok - There is a Cert prompt on first connection you click ok and connect successfully.
Windows 7 Laptops cannot connect - we get prompted for credentials and we enter them in and get an error stating that the connection was unsuccessful.
The Wireless connection on the Laptops is being managed by Windows and I have tried it on different Hardware with the same effect. I have copied the settings on the Windows 8 Laptops exactly and matched them to the Windows 7 Laptops again to no effect. 
Does anyone have any ideas why the Windows 8 laptops connect successfully but Windows 7 can't? I suspect it's to do with the Cert prompt I get on the Win 8 laptops but don't get on the Win 7's. I have changed the settings of the Wireless connection to all possible combinations but still no joy.

Any ideas?

Below is the event logged on the NPS Server

Network Policy Server denied access to a user

Contact the Network Policy Server administrator for more information.

User:
    Security ID:                     NULL SID
    Account Name:                    student
    Account Domain:                  XXXXXXXX
    Fully Qualified Account Name:    XXXXXXXX\student

Client Machine:
    Security ID:                     NULL SID
    Account Name:                    -
    Fully Qualified Account Name:    -
    OS-Version:                      -
    Called Station Identifier:       00-0F-B7-21-B9-1C:XXXXXX_WiFi
    Calling Station Identifier:      20-10-7A-2B-4C-0E

NAS:
    NAS IPv4 Address:                10.XX.X.250
    NAS IPv6 Address:                -
    NAS Identifier:                  -
    NAS Port-Type:                   Wireless - IEEE 802.11
    NAS Port:                        24581

RADIUS Client:
    Client Friendly Name:            wlan-controller.xxxxxxxx.com
    Client IP Address:               10.xx.x.250

Authentication Details:
    Connection Request Policy Name:  Secure Wireless Connections
    Network Policy Name:             -
    Authentication Provider:         Windows
    Authentication Server:           XXX-DC01.xxxxxxxxxx.com
    Authentication Type:             PEAP
    EAP Type:                        -
    Account Session Identifier:      -
    Logging Results:                 Accounting information was written to the local log file.
    Reason Code:                     16
    Reason:                          Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.


help

Do I need Network Access Protection on my personal computer? If no, why does it keep telling me to turn it on?

Unable to install NPS role


I have attempted to install NPS on a 2008 domain controller with no success. I have tried this on 2 different servers. I run all 2003 servers. I am in a 2000 AD forest. Is it necessary to update the forest to 2003 in order to implement NPS on a 2008 server? I get the following error message when I try to install NPS:

 

Network Policy and Access Services

Network Policy Server

Network Policy and Access Services: Installation failed

<Error>: Attempt to install Network Policy Server failed with error code 0x80070643. Fatal error during installation

The following role services were not installed:

Network Policy Server

Wireless Network Access using Windows Authentication Design



Hi,

I am trying to use a domain account in a one-way forest trust setup for wireless network access. Please comment on this design, thank you!



NAP and Sophos AV?

Does anyone have any experience with NAP and Sophos that they would like to share? We use Sophos 7.5.1 on our network, and we're thinking about deploying 802.1X and NAP (with dynamic VLAN distribution). In my lab test Sophos is not being recognized as a valid AV client by NAP, therefore I'm not "fully compliant", but maybe it's just an error somewhere in my configuration?

Also, we have a few MACs on our network (sigh). How do you guys deal with MACs in your NAP environment? Manual static VLANS? 

Thanks!

Dan

SSTP Error 0x8007274D


I am trying to create a VPN connection in order to access my files at home. I am trying to use SSTP but unfortunately with no success. The error that I am getting is this:

Error 0x8007274D: No connection could be made because the target machine actively refused it.

Can anyone tell me what I can do to avoid this error and connect successfully to my home network?

802.1x, Dynamic VLAN, HP 2530-48G, Server 2012@Hyper-V 2012


Hello, I would like to ask for help with setting up a network with 802.1x authentication for VLAN assignment.

Situation:

1x Hyper-V Server host, 1 physical network interface

1x Windows Server 2012 AD PDC, 3 virtual interfaces, DHCP with 3 scopes (172.16.0.0/23,172.16.2.0/23 and 172.16.4.0/23), NPS

8x HP 2530-48G switches

3 types of clients - 1) Teacher Computers, Network elements (switches, printers)  (net ..0.0/23, always wired, VLAN 10); 2) Student Computers (in classrooms, net ..2.0/23, always wired, VLAN 20) 3) Guests, WiFi APs (net 4.0/23, wireless and wired, VLAN 30)

What I need is to set up dynamic VLAN assignment for each client type, so when a client authenticates it is assigned the correct VLAN (VLAN 10 or 20), and without authentication it is assigned VLAN 30. The switch actually does assign the client to VLAN 30, but that is the problem: I am not able to authenticate. I have set NPS according to http://technet.microsoft.com/en-us/library/cc772124(v=ws.10).aspx and http://technet.microsoft.com/en-us/library/cc754422(v=ws.10).aspx, and have set up the switch, but without success - Event ID 6723, reason code 23 error is logged in Event Viewer. I googled around and did not find any solution. Can anyone help me please?

What network policy to exclude non-domain computers?


Not using NAP DHCP any more - it does not work on IPv6 scopes (can anyone explain?)

No Wifi on this particular network.

My IPsec / HRA is working very nicely.

Now I want to generate an identifiable event, and preferably deny access if a non-domain computer gets plugged into an Ethernet port. (I have found that more and more computers from corporate have NAP installed, so "non-NAP capable" does not work as filter)

I thought I could add a catch-all rule at the bottom of my list of rules, but every time I try this my domain-joined computers start getting denied access. First they are granted access as DOMAIN\COMPUTER$, then they are denied access as COMPUTER.

I don't understand what is causing the deny access for the COMPUTER. I thought that once a rule is matched, NPS stops processing further rules.

Can someone provide me with some guidance?

I tried: unspecified network access server, Condition: NAS port type Ethernet, Access Permissions: Access Denied, Authentication: Default, no constraints, NAP Enforcement: Limited access


CarolChi


high availability of NPS server and DR


Availability of NPS is critical because its absence would cause all machines to remain in the quarantine zone. So what are the best practices for high availability for the 802.1X approach?

NLB of two servers and backups sent to DR?

Supplying the IP addresses of two NPS servers on all switches, so that in case of unavailability of one NPS another is taken up automatically?

Setup on clustered Hyper-V with NPS as a highly available virtual machine?

What would be the best DR for this?


Shahid Roofi

Unable to map a folder in Windows 2000 Server Service Pack 4 from Windows 8

I am unable to map a folder in Windows 2000 Server Service Pack 4 from Windows 8. Please help me out in resolving this issue.

Two certificates


I am setting up PEAP-TLS on my wireless network, but when I connect to the network it pops up a balloon asking me to choose which certificate I want to use. I have two user certificates with client authentication; one is issued by the Lync server and can't be used for anything else, so I have to use the other one, or the balloon pops up again.

Is there any way I can set it to use the correct certificate and not prompt users to choose?

restrict user from accessing the network


Hi,

Can I restrict a user that is a member of the Domain Users group from accessing the resources on a specific server?

Scenario - I have 3 Windows 2008 R2 servers (one is TS, one is DC and one is FS).

Can I restrict the user so that he cannot do the \\ to the FS server?

THX

Error when mapping more than one network drive with more than one remote user


Hello, could you help me?

Environment: Workgroup with one Server 2008 R2 and 10 Windows 7 clients.

Server: File sharing, with 6 partitions and one local user for each share.

Problem: When mapping more than one network drive on the client, the following error is shown: "Atualmente a pasta de rede específicada está mapeada com um nome de usuário e senha diferente.

Para conectar-se usando outro nome de usuário e senha, desconecte os mapeamentos existentes para este compartilhamento de rede."

Note: A second mapping is possible when it is made by IP and not by the server name, but nothing beyond that.

Thanks.

Windows server 2003

I need to know if you can restrict the users from accessing the internet browsers.

VPN connection fails with "795 - tunnel type being used is not allowed"


I'm getting this error, "Error 795: The remote connection request was denied because the VPN tunnel type being used is not allowed" when I try to connect to a newly created connection on Server 2008 Foundation. 

I've tried about half a dozen times to recreate the RRAS, but it makes no difference. I only have one network card in the machine, but I've read that that's OK, but it means that I can't use the wizard. The server is behind a basic ADSL router, which is also the DHCP server. This router (Bipac 7800N) has some VPN settings, but they are all disabled - I am certainly connecting to the server, and I have ports 500, 1701, 1723 and 4500 open and pointing to the server.  

I've got IPv4 enabled as a LAN and Demand Dial router, and also as remote access server, Windows Authentication with EAP and MS_CHAP_v2. I've enabled IPv4 forwarding, using DHCP address assignment. Under "Ports", I've got IKEv2, L2TP, PPTP and SSTP as Used By RAS for 50 ports (though there's only two users on the server). 

My user account has Network Access allowed for Dial-In, and I can connect using RDP. 

I can't connect from anything, even another PC on the same LAN (7 Pro), or even from the server itself. iPhone, work PC (7 Enterprise), or laptop (8.1 Pro) all fail. 

Any ideas anyone?? Thanks!


Mapping a network drive is not refreshed


Greetings
I have WIN SERVER 2008 R2 DC simple file server.
All users connect to the domain.
I've mapped a network drive. There is a problem: the network drive does not refresh files on the workstation. Users scan documents to a server shared folder. Some users see the file, and another user sees after a few minutes that the file is on the server. This happens every time to another user.
Server formatted
Replaced Switch
Replaced Router
Communication cables have been replaced.
Replaced Printer
Scanning was another workstation instead of the server. The same phenomenon occurs.

Please help

Thanks, Yaniv

 

Enforce Network Access Protection will not stay checked in Windows 7 64 bit

Enforce Network Access Protection will not stay checked in Windows 7 64 bit. This is on a test network, and every time I check the box from within the Protected EAP Properties window and then go back to check, the setting is unchecked. I can connect to my Windows Server 2012 RRAS server using NPS, but I am in a quarantined state. Please help.

Enable NAP, PXE-E11 ARP Timeout


Hello everyone, I encountered a problem.

My environment has WDS deployed, and it can install systems normally. But then the company called for NAP. After enabling NAP, the "NAP DHCP Nonsupport NAP" network policy is configured for Allow limited access, and DHCP, WDS, DNS and NPS have been added to the Remediation Server Groups. But on PXE boot, the client gets the IP address 192.168.188.12 with mask 255.255.255.255 and shows the error PXE-E11 ARP Timeout. I can't contact WDS client.

Possible reason is that after the access to the IP to add static route, lead to the client cannot access WDS.

Does anyone have a solution?

Windows XP PEAP Computer Authentication Fails


Hello,

I am trying to set up a wireless network access policy which allows client computers to authenticate with their computer credentials for wireless access. Clients connect to the SSID, which is controlled by a Cisco WLAN controller. The WLAN controller points to the NPS server, which is a Windows Server 2008 R2 machine that is also an AD domain controller. The only condition that I have currently set up is a Machine Group rule that the computer must be part of the Domain Computers AD group.

My Policy works on Windows 7/8 Computers but does not work on Windows XP computers. All Computers are using windows wzcsvc to manage wireless networks. Everything works when using Domain Users as the NPS condition but we must use Computer authentication instead.

By looking at the NPS logs I see that there is a difference between authentication attempts from Windows XP computer and Windows 7 computers. The logs of the NPS server only shows authentication attempts with the user name for Windows XP Computers but they show the computer name for Windows 7.

In Windows XP, I have tried forcing Computer Authentication by changing the registry value HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode to 2. The AuthMode dword was missing from this registry key so I had to create it, but it did not help anything.

I have tried everything on three different Windows XP laptops with the same result.

The SSID Properties in XP are set to:

Authentication: WPA2

Data Encryption: AES

EAP type: PEAP

"Authenticate as computer when computer information is available" is checked

The NPS log below show that the RADIUS User ID being sent to NPS is the computer name on Windows 7 but on Windows XP it's the user's name. I don't know what I'm doing wrong but I suspect this is part of the issue.

Thanks!

LOG FOR SUCCESSFUL ATTEMPT (Windows 7)

Network Policy Server granted full access to a user because the host met the defined health policy.

User:
    Security ID:            "DOMAINNAME"\"COMPUTERNAME"$
    Account Name:            host/"COMPUTERNAME"."FULLDOMAINNAME"
    Account Domain:            "DOMAINNAME"
    Fully Qualified Account Name:    "DOMAINNAME"\"COMPUTERNAME"$

Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        d0-c7-89-b8-6a-40:"SSIDNAME"
    Calling Station Identifier:        3c-a9-f4-1f-a5-18

NAS:
    NAS IPv4 Address:        192.168.5.251
    NAS IPv6 Address:        -
    NAS Identifier:            "WLC-CONTROLLERNAME"
    NAS Port-Type:            Wireless - IEEE 802.11
    NAS Port:            13

RADIUS Client:
    Client Friendly Name:       "WLC-CONTROLLERNAME"
    Client IP Address:            192.168.5.251

Authentication Details:
    Connection Request Policy Name:    Use Windows authentication for all users
    Network Policy Name:        Wireless Access
    Authentication Provider:        Windows
    Authentication Server:        "NPSSERVER-FQDN"
    Authentication Type:        PEAP
    EAP Type:            Microsoft: Secured password (EAP-MSCHAP v2)
    Account Session Identifier:        -

Quarantine Information:
    Result:                Full Access
    Extended-Result:            -
    Session Identifier:            -
    Help URL:            -
    System Health Validator Result(s):    -

----------------------------------------------------------------------------

LOG FOR UNSUCCESSFUL ATTEMPT (Windows XP)

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:            "DOMAINNAME"\"USERNAME"
    Account Name:            "DOMAINNAME"\"USERNAME"
    Account Domain:            "DOMAINNAME"
    Fully Qualified Account Name:    "FULLDOMAINNAME"/OU/OU/"USERACCOUNTNAME"

Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        d0-c7-89-a1-2d-f0:"SSIDNAME"
    Calling Station Identifier:        00-16-6f-45-9e-ac

NAS:
    NAS IPv4 Address:        192.168.5.251
    NAS IPv6 Address:        -
    NAS Identifier:            "WLC-CONTROLLERNAME"
    NAS Port-Type:            Wireless - IEEE 802.11
    NAS Port:            13

RADIUS Client:
    Client Friendly Name:        "WLC-CONTROLLERNAME"
    Client IP Address:            192.168.5.251

Authentication Details:
    Connection Request Policy Name:    Use Windows authentication for all users
    Network Policy Name:        Connections to other access servers
    Authentication Provider:        Windows
    Authentication Server:        "NPSSERVER-FQDN"
    Authentication Type:        EAP
    EAP Type:            -
    Account Session Identifier:        -
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            65
    Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

windows server 2008 asking password


I have several computers in my network that are not part of a domain; however, I have a data server that is part of a domain. I have mapped drives from the computers to the data server with no issues. However, for the first time, I set "everyone" permissions on one folder, and when I try to map to it, it asks me for a password. I don't have a username for these specific computers. I'm sure I could use mine, but would like to know why this is happening?
OS installed: server2008std

thanks
ghalib-9999984566


