Channel: Network Access Protection forum

Radius Proxy server


I have a RADIUS proxy server on Linux; this is called the central RADIUS proxy server. I also have another NPS 2008 Enterprise RADIUS server with AD and MS PEAP authentication. I forward the requests to the central server through a remote RADIUS server group because users from other domains are not able to connect, but some users are not able to connect to their domain controller through the Windows 2008 server.

1. All domains forward the connection to the central server, which is Linux based.

2. All roaming users are connected to their respective domain while roaming, through the central server and the local RADIUS server.

I am facing the problem with the RADIUS proxy on the Windows 2008 server. Roaming users are not connected through the Windows RADIUS proxy server. Please help me regarding the configuration.


Authentication with computer certificates stopped working from one day to the other


Hello,

I'm a bit confused. From one day to the other, authentication is not working.

But...

there is no error in any event log (RADIUS server (W2K8), CA (W2K8R2 on Hyper-V), client)
I can see in the IN* log that there are incoming requests
all system times are in sync

I think it ends in a timeout, but I can ping the CA and the "Enterprise PKI" snap-in says everything is OK.

Example Log entries:

"SERVER-RADIUS","IAS",11/12/2013,09:02:18,11,,"DOMAIN\NB-303$",,,,,,,,0,"1.2.3.4","radiusclient",,,,,,,5,"Drahtlos mit Zertifikaten",0,"311 1 ::1 11/11/2013 17:37:50 1533",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Sichere Drahtlosverbindungen 2",1,,,,
"SERVER-RADIUS","IAS",11/12/2013,09:02:18,1,"host/NB-303.domain.local","DOMAIN\NB-303$","MAC-MAC-0B-42-9A:SSID123","MAC-59-75-E8",,,"SSID123",,1,0,"1.2.3.4","radiusclient",,,19,"CONNECT 54Mbps 802.11a",,,5,"Drahtlos mit Zertifikaten",0,"311 1 ::1 11/11/2013 17:37:50 1534",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Sichere Drahtlosverbindungen 2",1,,,,
"SERVER-RADIUS","IAS",11/12/2013,09:02:18,11,,"DOMAIN\NB-303$",,,,,,,,0,"1.2.3.4","radiusclient",,,,,,,5,"Drahtlos mit Zertifikaten",0,"311 1 ::1 11/11/2013 17:37:50 1534",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Sichere Drahtlosverbindungen 2",1,,,,
"SERVER-RADIUS","IAS",11/12/2013,09:02:36,1,"host/NB-303.domain.local","DOMAIN\NB-303$","MAC-MAC-0B-42-9A:SSID123","MAC-59-75-E8",,,"SSID123",,1,0,"1.2.3.4","radiusclient",,,19,"CONNECT 54Mbps 802.11a",,,5,"Drahtlos mit Zertifikaten",0,"311 1 ::1 11/11/2013 17:37:50 1535",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Sichere Drahtlosverbindungen 2",1,,,,
"SERVER-RADIUS","IAS",11/12/2013,09:02:36,11,,"DOMAIN\NB-303$",,,,,,,,0,"1.2.3.4","radiusclient",,,,,,,5,"Drahtlos mit Zertifikaten",0,"311 1 ::1 11/11/2013 17:37:50 1535",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Sichere Drahtlosverbindungen 2",1,,,,
"SERVER-RADIUS","IAS",11/12/2013,09:02:36,1,"host/NB-303.domain.local","DOMAIN\NB-303$","MAC-MAC-0B-42-9A:SSID123","MAC-59-75-E8",,,"SSID123",,1,0,"1.2.3.4","radiusclient",,,19,"CONNECT 54Mbps 802.11a",,,5,"Drahtlos mit Zertifikaten",0,"311 1 ::1 11/11/2013 17:37:50 1536",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Sichere Drahtlosverbindungen 2",1,,,,
"SERVER-RADIUS","IAS",11/12/2013,09:02:36,11,,"DOMAIN\NB-303$",,,,,,,,0,"1.2.3.4","radiusclient",,,,,,,5,"Drahtlos mit Zertifikaten",0,"311 1 ::1 11/11/2013 17:37:50 1536",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Sichere Drahtlosverbindungen 2",1,,,,
"SERVER-RADIUS","IAS",11/12/2013,09:02:36,1,"host/NB-303.domain.local","DOMAIN\NB-303$","MAC-MAC-0B-42-9A:SSID123","MAC-59-75-E8",,,"SSID123",,1,0,"1.2.3.4","radiusclient",,,19,"CONNECT 54Mbps 802.11a",,,5,"Drahtlos mit Zertifikaten",0,"311 1 ::1 11/11/2013 17:37:50 1537",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Sichere Drahtlosverbindungen 2",1,,,,
"SERVER-RADIUS","IAS",11/12/2013,09:02:36,11,,"DOMAIN\NB-303$",,,,,,,,0,"1.2.3.4","radiusclient",,,,,,,5,"Drahtlos mit Zertifikaten",0,"311 1 ::1 11/11/2013 17:37:50 1537",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Sichere Drahtlosverbindungen 2",1,,,,

What is the best way to troubleshoot this behaviour?

Greets

Stephan
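As an added example (not part of the post above), a small parser for log lines in the database-compatible NPS log layout quoted in the post: it groups records by the trailing counter of the Class attribute and flags conversations whose last logged packet is an Access-Challenge with no Access-Accept or Access-Reject after it, which is how a timed-out EAP exchange shows up in this log. The column positions are those of the documented database-compatible format; the NB-303 lines mirror the post, while the NB-304 request/accept pair is constructed for contrast.

```python
import csv
from collections import defaultdict
from io import StringIO

# 0-based columns of the database-compatible NPS log layout: packet type,
# User-Name, Fully-Qualified-Distinguished-Name, Policy-Name, Reason-Code, Class.
PACKET_TYPE, USER, FQDN, POLICY, REASON, CLASS = 4, 5, 6, 24, 25, 26
PACKET_NAMES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}

# Constructed sample: NB-303 records follow the post (request, challenge, silence);
# the NB-304 pair is a made-up healthy conversation for contrast.
SAMPLE_LOG = r'''
"SERVER-RADIUS","IAS",11/12/2013,09:02:18,11,,"DOMAIN\NB-303$",,,,,,,,0,"1.2.3.4","radiusclient",,,,,,,5,"Drahtlos mit Zertifikaten",0,"311 1 ::1 11/11/2013 17:37:50 1533",30
"SERVER-RADIUS","IAS",11/12/2013,09:02:18,1,"host/NB-303.domain.local","DOMAIN\NB-303$","MAC-MAC-0B-42-9A:SSID123","MAC-59-75-E8",,,"SSID123",,1,0,"1.2.3.4","radiusclient",,,19,"CONNECT 54Mbps 802.11a",,,5,"Drahtlos mit Zertifikaten",0,"311 1 ::1 11/11/2013 17:37:50 1534",
"SERVER-RADIUS","IAS",11/12/2013,09:02:18,11,,"DOMAIN\NB-303$",,,,,,,,0,"1.2.3.4","radiusclient",,,,,,,5,"Drahtlos mit Zertifikaten",0,"311 1 ::1 11/11/2013 17:37:50 1534",30
"SERVER-RADIUS","IAS",11/12/2013,09:03:01,1,"host/NB-304.domain.local","DOMAIN\NB-304$","MAC-MAC-0B-42-9A:SSID123","MAC-59-75-E9",,,"SSID123",,1,0,"1.2.3.4","radiusclient",,,19,"CONNECT 54Mbps 802.11a",,,5,"Drahtlos mit Zertifikaten",0,"311 1 ::1 11/11/2013 17:37:50 1536",
"SERVER-RADIUS","IAS",11/12/2013,09:03:01,2,,"DOMAIN\NB-304$",,,,,,,,0,"1.2.3.4","radiusclient",,,,,,,5,"Drahtlos mit Zertifikaten",0,"311 1 ::1 11/11/2013 17:37:50 1536",
'''


def parse_records(text):
    """Yield one dict per record; rows too short to carry a Class value are skipped."""
    for row in csv.reader(StringIO(text)):
        if len(row) <= CLASS or not row[PACKET_TYPE].isdigit():
            continue
        yield {
            "time": f"{row[2]} {row[3]}",
            "type": int(row[PACKET_TYPE]),
            "user": row[FQDN] or row[USER],
            "policy": row[POLICY],
            "reason": row[REASON],
            # Class is "311 <serial> <server-ip> <service-start> <counter>"; the
            # counter ties a request to the challenge or answer NPS sent back.
            "session": row[CLASS].split()[-1] if row[CLASS] else None,
        }


def stalled_sessions(text):
    """Map counter -> info for conversations that end on an Access-Challenge
    without any Accept/Reject, i.e. the EAP exchange never completed."""
    by_session = defaultdict(list)
    for rec in parse_records(text):
        if rec["session"]:
            by_session[rec["session"]].append(rec)
    stalled = {}
    for sid, recs in sorted(by_session.items()):
        types = [r["type"] for r in recs]
        if types[-1] == 11 and not {2, 3} & set(types):
            stalled[sid] = {"user": recs[-1]["user"], "last_seen": recs[-1]["time"],
                            "packets": [PACKET_NAMES.get(t, str(t)) for t in types]}
    return stalled
```

Running `stalled_sessions` over a full IN*.log points at the conversations to look up in the Event Viewer and to time against the client's own EAP timeout.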

RRAS NAT and notNAT


Is it possible to use RRAS to NAT and not NAT at the same time?

This is what I mean.

I have 2 physical interfaces on this server plugged into a switch.

eth0 -- public IP

eth1 -- private IP


If a packet comes from eth1 bound for the public IP range,

then I want it NATed to the eth0 address and off to the switch.

If, instead, the packet is bound for my private IP range, I want it to just go straight to the switch.

Make sense?


IAS on windows 2003...is there something similar in Windows 2012 R2


Hi All,

We are looking for a solution to replace the old IAS on Windows 2003 and have something similar on the modern Windows 2012 R2. The configuration of IAS is quite basic, just the basic policies, etc.

The IAS server is behind the Firewall which is configured to talk to IAS for allowing VPN users to get into the network.

We want to have a similar implementation on a Windows 2012 R2 box. Is there any way to implement what IAS is doing, or must we use a more complicated approach?

Thanks,

NPS Hotspot 2.0 eap-AKA


Hello all,

I am trying to configure Windows 2012 NPS for EAP-AKA authentication to build a Hotspot 2.0 (802.11u).

I am searching for documentation about NPS EAP-AKA configuration.

Can someone help me, please?

Thanks

Michele

NAP agent callbacks not working


Hi,

I am developing an SHA. I have created a service that implements its callbacks. The service installs and uninstalls without any problem, but I am facing the following problems:

1. When I try to run it under the Network Service account it does not run. Although it shows status Started in the SCM, I cannot see any log that I am writing to the file.

2. When I run it as a Local System service I can see logs getting created in the system32 folder, but the callbacks are not invoked. I checked the event logs and it shows event ID 30 generated for my SHA.

I could deduce that there is some problem in the communication between the NAP agent and my SHA, but I am not able to pinpoint the issue. When my SHA service starts I can see the NAP agent binding getting initialized successfully. What can the possible problem be?

I checked the registry entries also and noticed that the default Windows SHA has the following entries, which are not getting created when I register my SHA:
- Id (value: 79744)
- Enabled (value: 1)

However, adding the above entries manually with appropriate values did not help. What can the problem be? Please help.

Edit: I also noticed that the NAP agent service runs as Network Service while my SHA is running as Local System. Is it that Network Service cannot access a Local System service?

netsh nap client show state


Hello,

NAP is not ON... how do I correct this, please?

Something I can cut and paste would be handy.

I have a log but can't send it... laptop corrupt.


sharine

NAP Development


I am a software developer at the ISC company in Iran.

I must develop NAP for getting a report from registry codes of our company's network clients.

I implemented RegistrySHA and RegistrySHV for reading an arbitrary registry code from the client and making a decision based on the reported value.

According to the above:

1. When I added RegistrySHV.dll with the regsvr32 command, RegistrySHV was added to the system health validators list in the NPS console and the RegistrySHV UI worked correctly,

but this error:

                        " SHV ID : xxxx Can not create validator"

   was shown in the NAP Server events, and my SHV and SHA couldn't communicate with each other.

2. Is it necessary that I implement a QEC module such as your example, or not?

3. Must I implement the used enforcement client in my SHA and SHV modules, or not?

Otherwise, do I specify the used enforcement client or enforcement protocol (I used the EAP QEC) in my SHA or SHV source code?

Please help me.


NPS stop working


Hello,

NPS stopped working after an in-place upgrade from WS2012 to WS2012R2.

Service started, event log empty, log not created, and NPS does not authenticate via any network policy.

Any idea?

Thanks,

Snake AG

how to open port 444 and 443 on windows server 2008 R2


This is a new web server and we need to open ports 444 and 443 on Windows Server 2008 R2; could anyone please suggest how.

Windows XP PEAP authentication fails


Hello,

I am trying to make a client computer authenticate with domain credentials to the NPS for wireless network authentication. The logs of the NPS server only show authentication attempts with the computer name. Our setup:

Client: Windows XP SP3, wireless networks managed by wzcsvc

The client tries to connect to a wireless network controlled by a Cisco WLAN controller. This controller is configured to use the NPS server as RADIUS.

NPS and AD server: Windows 2008 R2

I tried the following without any results:

  • setting the registry value HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode to 0 and 1
  • disabling our GPO on the specific laptop and domain user logged on to the laptop


If I adapt the NPS policy for computer authentication, everything works and access is granted, but if I specify a domain user group, the authentication fails.
I have the impression the WZC tool is a bit buggy; from time to time the NPS logs do not report authentication attempts anymore. After a net stop/start of wzcsvc, it works again. I looked around on a lot of forums and Microsoft articles but I really can't find what the problem is. Any suggestions?

Thanks!

DHCP configuration issue


Dear sir,

We have a DHCP server on Windows 2012; there is no other role installed with it. A total of 6 scopes are created and all are working OK.

The issue is that we used to bind the MAC in DHCP for a new PC/device. But the device is taking the next free IP address automatically without the MAC being bound in DHCP.

If I bind the MAC then it will take the IP as per the assignment, but if not then it will take an IP automatically. I want to stop this; the new device/PC should take an IP address only if the MAC is bound in DHCP, otherwise not.

Please help me out with this ASAP.

Windows XP Client Rejected (wired 802.1x), Reason Code 7: NO SUCH DOMAIN


Hi.

I have an authentication problem with my Windows XP clients. My server is Windows Server 2008R2 with NPS installed and configured for Wired 802.1x. The setup should be fine as my Windows 7 machines can authenticate correctly if they have a certain computer certificate.

The error code in the log is 07 - No Such Domain

When I look at the log more closely I can see that somehow the authentication request shortens the computer name of my Windows XP machine, and that's why it cannot recognize the domain name. No matter which computer name I choose for my machine, it always shortens the name to 11 characters. An example:

Working Windows 7 authentication log:

User Name: host/computer7.domain.local    Connect Request    IAS_SUCCESS

Windows XP authentication log for two different computer names (xp.domain.local and winxp.domain.local):

User Name: host/xp.domain.l    Connect Request    IAS_NO_SUCH_DOMAIN

User Name: host/winxp.domai    Connect Request    IAS_NO_SUCH_DOMAIN

Any suggestions on why the computer name is cut off? Thanks.

Unable to install NPS role


I have attempted to install NPS on a 2008 domain controller with no success. I have tried this on 2 different servers. I run all 2003 servers. I am in a 2000 AD forest. Is it necessary to update the forest to 2003 to be able to implement NPS on a 2008 server? I get the following error message when I try to install NPS:

Network Policy and Access Services

Network Policy Server

Network Policy and Access Services: Installation failed

<Error>: Attempt to install Network Policy Server failed with error code 0x80070643. Fatal error during installation

The following role services were not installed:

Network Policy Server

NPS : Radius client Shared-Secret issue


Hello all,

We have recently migrated our Windows 2003 IAS server configuration to a Windows 2008 R2 NPS server by means of exporting and importing the config file.

This is used to provide the RADIUS service; our RADIUS clients are network switches.

There are more than 100 switches. Since the migration the RADIUS service functions correctly, except that from time to time, randomly, one of the switches stops being able to authenticate with the RADIUS server. This seems to be related to the shared secret between the switch and the RADIUS client configuration on the NPS server; in these cases we just have to retype the shared secret in the RADIUS client configuration on the NPS server and that solves the problem.

Has anyone come across a similar problem, or would anyone know why this is happening? We have not been able to find anything significant in the log files.

Thanks for your help,

Luca


WPA2-Enterprise Radius Authentication Windows Server 2008 R2


Hello,

I have tried a few online tutorials for providing secure wireless access. I currently have a server running Server 2008 R2 that has RRAS, NAP, and AD CS installed on it. My goal is to create a wireless SSID that utilizes WPA2-Enterprise for users to connect. Their AD credentials would need to belong to my "Wireless Users" group. I have seen tutorials that involved certificates, and some tutorials that simply added the RADIUS clients along with the network/connection policies, and then added the settings to the router. When I've tried both ways, the wireless network never connects to the network. If I un-check "Use Windows login credentials", a username/password field pops up. I enter the credentials (tried both username and domain\username) of an account that is part of "Wireless Users". When I hit OK it sits for a few moments, and then pops back up again. When I do check "Use Windows login credentials" it says it can't connect.

I have tried different firmware on the router, and I know the router is not the issue. This server is joined to my domain controller. It feels like the NAP server is not reaching the domain to authenticate credentials. Am I doing anything wrong that I should be made aware of? In NAP, if I right click the server, "register in Active Directory" is greyed out, which I assume is because it's already joined to the domain.

I appreciate any help you can provide.

-Ken


How to turn on/off auto-remediation setting through C++ code?


Hi,

I am developing an SHV. As a part of it I need to create a utility tool which will have one check box to turn the auto-remediation setting in NPS on/off for a particular network policy. How should I do this? I checked the NAP interfaces but none offers such a facility.


Thanks and regards, Aditya Dange.

Network Policy Server (NPS) - The specified domain does not exist or could not be contacted.


Windows Server 2008 R2 Standard, domain controller, NPS. Attempts to configure network security for Dynamic Host Configuration Protocol DHCP. When you try to add "Windows Group" in the "Terms and Conditions" of "Principles of network", after selecting the appropriate security groups, up pops the message "Windows can not process the object named xxx with the following error: The specified domain does not exist or could not be contacted". Please help me.

Certificate Disappears from NAP's Constraints


Good evening all, I've successfully got NPS set up with my Draytek 2920 router for 802.1x authentication for wireless clients. The only problem is that the certificate that I created keeps disappearing from the "Certificate issued" list for "Microsoft Protected EAP (PEAP)", and I have to issue new certificates for it to show again. The certificate is good for 1 year but keeps disappearing after 1 day. The kicker? It still shows my old certificates in what's been issued. So I've been banging my head over this for some time. Any tips or clues on where I can find out why this keeps happening?

Thank you for all your help.

Windows Server 2008 R2 Enterprise SP1
Roles Installed: AD CS (as Enterprise), AD DC, DNS Server (standard for AD DC), File Services, and NPS

The Windows Security Health Agent could not be initialized. Failure Code: 0x80070005


Hi!

I've configured NAP DHCP Enforcement and apply the user NAP settings through GPO (enable enforcement and start NAP and wscsvc).

All Windows XP PCs work fine after applying the GP. All agents initialized well.

But all Vista and Seven machines couldn't initialize the WSHA (this solution is useless: technet.microsoft.com/en-us/library/cc735495(WS.10).aspx)

Group Policy is the same everywhere.

Maybe someone came across this?
