Channel: Network Access Protection forum

Extending NAP Infra to High Availability


Hi All,

I have infrastructure as below and its working fine.

I have installed NAP with the IPsec enforcement method in my environment. I have installed a subordinate standalone CA for NAP on one server (CA1) and the NPS + HRA role on another server (NPS1). I have installed the Configuration Manager SHV on the NPS1 server. Everything is perfectly fine/working from the NAP architecture side.

Now I have to extend the NAP infra to cater for high availability and load balancing. How can I do that? I would like to know how I can put the NPS1 server roles into HA/NLB.

Any supported links? How many more servers will I require (minimum), and how can I do the configuration for the IPsec enforcement method?


Thanks & Regards, Kedar


Wireless Network Access using Windows Authentication Design



Hi,

I am trying to use a domain account in a one-way forest trust setup for wireless network access. Please comment on this design, thank you!



802.1X EAP-TLS User Certificate Errors


I'm trying to implement 802.1X using EAP-TLS to authenticate our wireless users/clients (Windows 7 computers). I did a fair amount of research on how to implement this solution, and everything seems to work fine when the authentication mode is set to "Computer Authentication". However, when the authentication mode is set to "User or Computer" or just "User", it fails. I get a "certificate is required to connect" pop-up and it's unable to connect.

No errors on the NPS side, but I enabled logging on the client (netsh ras set tracing * ENABLED) and this is what I can see. It seems as if there is a problem with the client certificate:

[236] 06-04 09:26:35:704: EAP-TLS using All-purpose cert
[236] 06-04 09:26:35:720:  Self Signed Certificates will not be selected.
[236] 06-04 09:26:35:720: EAP-TLS will accept the  All-purpose cert
[236] 06-04 09:26:35:720: EapTlsInitialize2: PEAP using All-purpose cert
[236] 06-04 09:26:35:720: PEAP will accept the  All-purpose cert
[236] 06-04 09:26:35:720: EapTlsInvokeIdentityUI
[236] 06-04 09:26:35:720: GetCertInfo flags: 0x40082
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
[236] 06-04 09:26:35:720: FCheckSCardCertAndCanOpenSilentContext
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: Acquiring Context for Container Name: le-8021xUsers-84adbdd0-a706-4c71-b74a-61a1bd702839, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
[236] 06-04 09:26:35:720: CryptAcquireContext failed. This CSP cannot be opened in silent mode.  skipping cert.Err: 0x80090014
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 1
[236] 06-04 09:26:35:720: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.

Also, in the event viewer I get the following:

Wireless 802.1x authentication failed.

Network Adapter: Dell Wireless 1510 Wireless-N WLAN Mini-Card
Interface GUID: {64191d46-0ea6-4251-86bb-7d6de5701025}
Local MAC Address: C4:17:FE:48:F2:79
Network SSID: *****
BSS Type: Infrastructure
Peer MAC Address: 00:12:17:01:F7:2F
Identity: NULL
User: presentation
Domain: ****
Reason: Explicit Eap failure received
Error: 0x80420014
EAP Reason: 0x80420100
EAP Root cause String: Network authentication failed\nThe user certificate required for the network can't be found on this computer.

I created user and computer certificates by duplicating the "User" and "Computer" templates in AD CS. I modified the "Subject Name" to "Build from Active Directory information". "Subject Name Format" is set to "Fully Distinguished Name" and "User Principal Name (UPN)" is checked. All other boxes are cleared. I verified that certificates for the user, computer, and root CA are all correctly auto-enrolled. I also verified that the user certificate exists in the "Personal" user certificate store on the client.

There is clearly something wrong with the user certificate, but what? I'm at my wits' end, as I have tried everything. Please help!
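As an added example (not code from the post), a small parser for the netsh ras trace lines quoted above: for each certificate the client considered it pulls out the key container, the provider and the reason the certificate was skipped, and it records the purpose the search finally failed on. The sample trace is constructed from the lines quoted in the post.

```python
"""Extract per-certificate skip reasons from a Windows EAP-TLS RAS trace.

Added example, not from the forum post. The sample below is constructed
from the trace lines quoted in the post; only the container/provider/error
fields are parsed, nothing about the certificate itself is inferred.
"""
import re

SAMPLE_TRACE = """\
[236] 06-04 09:26:35:704: EAP-TLS using All-purpose cert
[236] 06-04 09:26:35:720:  Self Signed Certificates will not be selected.
[236] 06-04 09:26:35:720: GetCertInfo flags: 0x40082
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
[236] 06-04 09:26:35:720: Acquiring Context for Container Name: le-8021xUsers-84adbdd0-a706-4c71-b74a-61a1bd702839, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
[236] 06-04 09:26:35:720: CryptAcquireContext failed. This CSP cannot be opened in silent mode.  skipping cert.Err: 0x80090014
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 1
[236] 06-04 09:26:35:720: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
"""

# "[thread] date time: message" -- the time field ends with a colon, so the
# greedy \S+ backtracks to leave ": " as the separator before the message.
LINE_RE = re.compile(r"^\[(\d+)\] (\S+ \S+): (.*)$")
CONTEXT_RE = re.compile(
    r"Acquiring Context for Container Name: (?P<container>[^,]+), "
    r"ProvName: (?P<provider>[^,]+), ProvType (?P<provtype>0x[0-9A-Fa-f]+)")
SKIP_RE = re.compile(r"(?P<why>.*?)\s*skipping cert\.?\s*Err: (?P<err>0x[0-9A-Fa-f]+)")
EKU_RE = re.compile(r"Number of EKUs on the cert are (\d+)")
PURPOSE_RE = re.compile(r"A cert was needed for the following purpose: (?P<purpose>\w+)")


def parse_trace(text):
    """Return a summary dict: skipped certs (with container, provider, error,
    reason), the EKU counts seen, the purpose the search needed, and whether
    a usable certificate was found at all."""
    result = {"skipped": [], "eku_counts": [], "purpose": None, "found": True}
    pending = None  # most recent 'Acquiring Context' line, paired with the next skip
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(3).strip()
        if (c := CONTEXT_RE.search(msg)):
            pending = c.groupdict()
        elif (s := SKIP_RE.search(msg)):
            entry = dict(pending or {})
            entry["error"] = s.group("err")
            entry["why"] = s.group("why").strip()
            # CryptAcquireContext is the legacy CryptoAPI entry point; a provider
            # name containing "Key Storage Provider" denotes a CNG KSP.
            entry["cng_ksp"] = "Key Storage Provider" in entry.get("provider", "")
            result["skipped"].append(entry)
            pending = None
        elif (e := EKU_RE.search(msg)):
            result["eku_counts"].append(int(e.group(1)))
        elif (p := PURPOSE_RE.search(msg)):
            result["purpose"] = p.group("purpose")
            result["found"] = False
    return result


if __name__ == "__main__":
    summary = parse_trace(SAMPLE_TRACE)
    for cert in summary["skipped"]:
        print(f"skipped {cert.get('container')}: {cert['why']} (err {cert['error']}, "
              f"provider={cert.get('provider')}, cng_ksp={cert['cng_ksp']})")
    print("purpose needed:", summary["purpose"], "| usable cert found:", summary["found"])
```

The parser only surfaces what the trace already states: which key provider the skipped certificate lives in and which error stopped the silent key acquisition, which are the facts to carry into further troubleshooting.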

802.1x - NETLOGON service error


Hi,

I have a problem with the NETLOGON service. If I enable 802.1X on my computer, then I receive a NETLOGON 5719 error after the OS starts. I also receive Time-Service 129 and WMI 10 errors. Is there any possibility to delay the start of the NETLOGON service?

I tried changing the NETLOGON dependencies and regedit parameters, but nothing works; still the same error.

Need Clarity on NAP Reporting


Hi All,

I have installed and configured NAP with IPsec enforcement on Windows Server 2012 (NPS1), with a separate subordinate CA server on CA1, which is also Windows Server 2012.

With these two servers, everything is working fine as per NAP terminology.

Now I need to enable or view the reports for NAP. I have configured the Windows SHV and ConfigMgr SHV on my NPS+HRA server (NPS1).

I have followed these steps on the NPS1 server:

1. I downloaded 'Microsoft SQL Server 2012 Express' (ENU\x64\SQLEXPRADV_x64_ENU.exe) from the http://www.microsoft.com/en-in/download/details.aspx?id=29062 website.

2. I installed the DB, SRS & Tools features of ENU\x64\SQLEXPRADV_x64_ENU.exe.

3. I configured accounting for SQL Server logging using the NAP Reporting web page http://technet.microsoft.com/en-us/library/dd125332(v=ws.10).aspx

I am able to browse the SQL SRS website home page, but there are no NAP reports available. I am able to find some data in the table dbo.accounting in SQL Management Studio.

I need clarity on the points below:

1. What different tables/views are created in the SQL database for NAP so that we can use them for reporting? Is there any link/article to refer to?

2. Are there any default reports available in SRS when we enable SQL Server logging?

3. Do we require a separate SQL Server Reporting Services instance to host the reports, or will SQL Express Reporting Services suffice?

4. With reference to the TechNet article Track Compliance with Security Policies http://technet.microsoft.com/en-us/library/dd125365(v=ws.10).aspx, I need to create these sample reports. Are these reports available out of the box, or do we need to create them manually?

5. Are sample SQL queries available for these reports? (I am not a SQL expert who can write queries.) Please share the link.


Thanks & Regards, Kedar

Connection


Hi,

We have created a virtual machine which is related to the server.

But we feel that there is a problem between the virtual machine and the server... The virtual machine loses data or the internet connection.

How can we check connection durability between the server and the VM?

I think the ping or tracert commands are not useful in this situation.

Thanks in advance.

NPS IAS/RADIUS problem with Wireless Authentication


I had my 2008 R2 server working well after configuring it for wireless authentication. But it has suddenly stopped working. From the logs, I can see the connection failing with Reason Code 22, which seems to indicate "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server." I can see that there is no "EAP-Friendly-Name" in the failed connection log, but I do not understand why that is.

Here are two events from a failed connection attempt:
<Event>
<Timestamp data_type="4">02/11/2010 08:32:27.591</Timestamp>
<Computer-Name data_type="1">{My NPS Server}</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<User-Name data_type="1">host/HSLAPLABA-05.my.domain</User-Name>
<NAS-IP-Address data_type="3">{IP Address of my RADIUS Client}</NAS-IP-Address>
<Called-Station-Id data_type="1">00-20-a6-7f-90-4e:MYDOMAIN</Called-Station-Id>
<Calling-Station-Id data_type="1">00-26-5e-63-99-d4;MYDOMAIN</Calling-Station-Id>
<NAS-Identifier data_type="1">Wireless01</NAS-Identifier>
<Framed-MTU data_type="0">1400</Framed-MTU>
<NAS-Port data_type="0">9</NAS-Port>
<NAS-Port-Type data_type="0">19</NAS-Port-Type>
<Client-IP-Address data_type="3">{IP Address of my RADIUS Client}</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">Wireless01</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<SAM-Account-Name data_type="1">MYDOMAIN\HSLAPLABA-05$</SAM-Account-Name>
<Fully-Qualifed-User-Name data_type="1">MYDOMAIN\HSLAPLABA-05$</Fully-Qualifed-User-Name>
<Class data_type="1">311 1 {IP Address of IAS Server} 02/03/2010 15:01:36 2</Class>
<Authentication-Type data_type="0">5</Authentication-Type>
<NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name>
<EAP-Friendly-Name data_type="1"></EAP-Friendly-Name>
<Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
<Packet-Type data_type="0">1</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>

<Event><Timestamp data_type="4">02/11/2010 08:32:27.591</Timestamp>
<Computer-Name data_type="1">{My NPS Server}</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Class data_type="1">311 1 {IP Address of my IAS Server} 02/03/2010 15:01:36 2</Class>
<EAP-Friendly-Name data_type="1"></EAP-Friendly-Name>
<Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
<Client-IP-Address data_type="3">{IP Address of my RADIUS Client}</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">Wireless01</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<SAM-Account-Name data_type="1">MYDOMAIN\HSLAPLABA-05$</SAM-Account-Name>
<Fully-Qualifed-User-Name data_type="1">MYDOMAIN\HSLAPLABA-05$</Fully-Qualifed-User-Name>
<NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name>
<Authentication-Type data_type="0">5</Authentication-Type>
<Packet-Type data_type="0">3</Packet-Type>
<Reason-Code data_type="0">22</Reason-Code>
</Event>

And here are two events from a working connection attempt:
<Event>
<Timestamp data_type="4">01/06/2010 11:27:59.996</Timestamp>
<Computer-Name data_type="1">{My NPS Server}</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<NAS-IP-Address data_type="3">{IP Address of my RADIUS Client}</NAS-IP-Address>
<Called-Station-Id data_type="1">00-20-a6-bd-56-ff:MYDOMAIN</Called-Station-Id>
<Calling-Station-Id data_type="1">00-26-5e-63-99-d4</Calling-Station-Id>
<NAS-Identifier data_type="1">LHSMobileAP01</NAS-Identifier>
<Framed-MTU data_type="0">1400</Framed-MTU>
<NAS-Port data_type="0">2</NAS-Port>
<NAS-Port-Type data_type="0">19</NAS-Port-Type>
<Client-IP-Address data_type="3">{IP Address of my RADIUS Client}</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">LHSMobileAP01</Client-Friendly-Name>
<User-Name data_type="1">host/HSLAPLABA-05.my.domain</User-Name>
<Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<SAM-Account-Name data_type="1">MYDOMAIN\HSLAPLABA-05$</SAM-Account-Name>
<Fully-Qualifed-User-Name data_type="1">MYDOMAIN\HSLAPLABA-05$</Fully-Qualifed-User-Name>
<NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name>
<Class data_type="1">311 1 {IP Address of my IAS Server} 12/30/2009 17:05:35 1326</Class>
<Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
<EAP-Friendly-Name data_type="1">Microsoft: Secured password (EAP-MSCHAP v2)</EAP-Friendly-Name>
<Authentication-Type data_type="0">11</Authentication-Type>
<MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State>
<MS-Quarantine-State data_type="0">0</MS-Quarantine-State>
<Packet-Type data_type="0">1</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>

<Event>
<Timestamp data_type="4">01/06/2010 11:27:59.996</Timestamp>
<Computer-Name data_type="1">VM-UTILITY02</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Class data_type="1">311 1 {IP Address of my IAS Server} 12/30/2009 17:05:35 1326</Class>
<EAP-Friendly-Name data_type="1">Microsoft: Secured password (EAP-MSCHAP v2)</EAP-Friendly-Name>
<Authentication-Type data_type="0">11</Authentication-Type>
<PEAP-Fast-Roamed-Session data_type="0">0</PEAP-Fast-Roamed-Session>
<Client-IP-Address data_type="3">{IP Address of my RADIUS Client}</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">LHSMobileAP01</Client-Friendly-Name>
<MS-CHAP-Domain data_type="2">014C5053</MS-CHAP-Domain>
<Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<SAM-Account-Name data_type="1">MYDOMAIN\HSLAPLABA-05$</SAM-Account-Name>
<Fully-Qualifed-User-Name data_type="1">MYDOMAIN\HSLAPLABA-05$</Fully-Qualifed-User-Name>
<NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name>
<Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
<Framed-Protocol data_type="0">1</Framed-Protocol>
<Service-Type data_type="0">2</Service-Type>
<MS-Link-Utilization-Threshold data_type="0">50</MS-Link-Utilization-Threshold>
<MS-Link-Drop-Time-Limit data_type="0">120</MS-Link-Drop-Time-Limit>
<MS-MPPE-Encryption-Policy data_type="0">2</MS-MPPE-Encryption-Policy>
<MS-MPPE-Encryption-Types data_type="0">4</MS-MPPE-Encryption-Types>
<MS-Quarantine-State data_type="0">0</MS-Quarantine-State>
<MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State>
<Packet-Type data_type="0">2</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>

Any idea why the Server can no longer negotiate an EAP type or the EAP Friendly Name isn't coming through?
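As an added example (not code from the post), a parser for NPS/IAS XML-format log events that pairs each Access-Reject with the authentication type, the EAP method the server recorded (if any) and the reason code, so the failing and working attempts above can be compared mechanically. The sample events are constructed to mirror the post's events with placeholder values; the numeric Packet-Type, Authentication-Type and Reason-Code meanings follow the documented IAS log format.

```python
"""Diagnose NPS/IAS XML-format log events.

Added example, not from the forum post. The IAS XML log writes one <Event>
element per RADIUS packet with no root element; this parser splits on those
elements. SAMPLE_LOG is constructed from the attributes quoted in the post.
"""
import re
import xml.etree.ElementTree as ET

PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request"}
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAPv2", 5: "EAP", 7: "None", 11: "PEAP"}
REASON_CODES = {0: "success", 22: "EAP type cannot be processed by the server"}

SAMPLE_LOG = r"""<Event><Timestamp data_type="4">02/11/2010 08:32:27.591</Timestamp>
<User-Name data_type="1">host/HSLAPLABA-05.my.domain</User-Name>
<Client-Friendly-Name data_type="1">Wireless01</Client-Friendly-Name>
<NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name>
<EAP-Friendly-Name data_type="1"></EAP-Friendly-Name>
<Authentication-Type data_type="0">5</Authentication-Type>
<Packet-Type data_type="0">1</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">02/11/2010 08:32:27.591</Timestamp>
<Client-Friendly-Name data_type="1">Wireless01</Client-Friendly-Name>
<SAM-Account-Name data_type="1">MYDOMAIN\HSLAPLABA-05$</SAM-Account-Name>
<NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name>
<EAP-Friendly-Name data_type="1"></EAP-Friendly-Name>
<Authentication-Type data_type="0">5</Authentication-Type>
<Packet-Type data_type="0">3</Packet-Type>
<Reason-Code data_type="0">22</Reason-Code></Event>
<Event><Timestamp data_type="4">01/06/2010 11:27:59.996</Timestamp>
<Client-Friendly-Name data_type="1">LHSMobileAP01</Client-Friendly-Name>
<SAM-Account-Name data_type="1">MYDOMAIN\HSLAPLABA-05$</SAM-Account-Name>
<EAP-Friendly-Name data_type="1">Microsoft: Secured password (EAP-MSCHAP v2)</EAP-Friendly-Name>
<Authentication-Type data_type="0">11</Authentication-Type>
<Packet-Type data_type="0">2</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code></Event>
"""


def parse_events(log_text):
    """Split the log into <Event> elements and flatten each to {tag: text}."""
    events = []
    for block in re.findall(r"<Event>.*?</Event>", log_text, re.DOTALL):
        root = ET.fromstring(block)
        events.append({child.tag: (child.text or "").strip() for child in root})
    return events


def classify(event):
    """Describe one packet as (packet type, auth type, EAP method, reason)."""
    ptype = PACKET_TYPES.get(int(event.get("Packet-Type", "0")), "unknown")
    auth = AUTH_TYPES.get(int(event.get("Authentication-Type", "0")), "unknown")
    # An empty EAP-Friendly-Name means the server never settled on an EAP method.
    eap = event.get("EAP-Friendly-Name") or "<no EAP method negotiated>"
    code = int(event.get("Reason-Code", "0"))
    return ptype, auth, eap, REASON_CODES.get(code, f"reason code {code}")


def find_rejects(log_text):
    """Return one finding per Access-Reject: who was rejected, by which
    RADIUS client, with which auth type / EAP method, and why."""
    findings = []
    for ev in parse_events(log_text):
        ptype, auth, eap, reason = classify(ev)
        if ptype != "Access-Reject":
            continue
        findings.append({"time": ev.get("Timestamp", ""),
                         "client": ev.get("Client-Friendly-Name", ""),
                         "account": ev.get("SAM-Account-Name", ""),
                         "auth": auth, "eap": eap, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_rejects(SAMPLE_LOG):
        print(finding)
```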

The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.


Hello,

I have a well-working RADIUS environment.

Only one client still cannot connect to the access points (also after a reinstall).

Event log on the NPS server:

Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: NULL SID

Account Name:   domain\user

Account Domain:   domain

Fully Qualified Account Name: domain\user

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: 00-02-6F-9A-B2-C4

Calling Station Identifier: 24-77-03-5E-62-90

NAS:

NAS IPv4 Address: 10.31.10.122

NAS IPv6 Address: -

NAS Identifier: -

NAS Port-Type: Wireless - IEEE 802.11

NAS Port: 0

RADIUS Client:

Client Friendly Name: FDLab1

Client IP Address: 10.31.10.122

Authentication Details:

Connection Request Policy Name: Secure Wireless Connections

Network Policy Name: -

Authentication Provider: Windows

Authentication Server:  Server.local

Authentication Type: -

EAP Type: -

Account Session Identifier: -

Reason Code: 22

Reason: The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Have tried different options... but still no fix.

Anybody with an option?


Computer Certificate Renewal - Failing


Greetings,

System setup: Server 2008 R2 with the "Network Policy and Access Services" role configured to hand out wireless machine certificates to Windows 7 workstations.

This has been set up for a year and has been working well. We have a group policy which allows for auto-enrollment, and all our workstations which are in the correct OU receive a certificate when they connect to the network.

The machine certs are good for a year.

We are now approaching the end of the first year since we implemented this system, and we are starting to see some of our workstations failing to connect to the wireless network. When we look at the certificates on the workstation, we see 2 certificates now (as opposed to the one that was there previously). One of these is expired and one is current, with an expiration date a year from now. When we manually delete the expired certificate, we are able to connect to the wireless.

Apparently when the certificate is renewed, a new certificate is dropped down, but the old certificate is not removed. When the machine tries to connect, the old cert is found and the connection fails.

What I think should be happening is that the certs should be renewed, not replaced, but I can't see any way to enforce this.

I know that when I manually renew the certificate on the workstation I have 4 choices:

Request Certificate with new key.

Request NEW Certificate with the same key

Renew certificate with new key

Renew this certificate with the same key

What appears to be happening is that the workstations are doing a request, not a renew.

I have been through my RADIUS config and the GPO and can't find anything that should affect this. I know that the GPO is being applied to the machines, and I'm about 99% sure that the GPO is correct.

Any ideas where I should be looking?

Thanks,

John Morgan

compliant computer or Non compliant computer in NAP


Hello,

I have set up NAP, and my client is able to access the network.

But I have set up a Network Policy and Health Policy as well.

As they are set up, without the firewall turned on, a user will not be able to access our network.

But our users can still access our network.

I want to know whether my client computer is a compliant computer or non-compliant.

How do I know?

Please advise. Thank you


www.aniyanetworks.net

Sharepoint Services 3.0 on Windows Server 2012


Hi,

Is there a version of Sharepoint Services 3.0 that works with Windows Server 2012?

Cheers,

Event ID 4625


Has anyone else been able to determine what is generating event ID 4625? I have seen other event 4625s but not for this specific status code: 0xc00002ee

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4625</EventID><Version>0</Version><Level>Information</Level><Task>Logon</Task><Opcode>Info</Opcode><Keywords>Audit Failure</Keywords><TimeCreated SystemTime='2013-12-19T20:34:59.710849800Z'/><EventRecordID>258716371</EventRecordID><Correlation/><Execution ProcessID='600' ThreadID='688'/><Channel>Security</Channel><Computer>xxx.xxx.com</Computer><Security/></System><EventData>An account failed to log on.


Subject:

               Security ID:                        NULL SID
               Account Name:                 -
               Account Domain:                             -
               Logon ID:                           0x0
Logon Type:                                      3
Account For Which Logon Failed:
               Security ID:                        NULL SID
               Account Name:                 XXX
               Account Domain:                             XXXXXX
Failure Information:
               Failure Reason:                 An Error occured during Logon.
               Status:                                 0xc00002ee
               Sub Status:                         0x0

Process Information:
               Caller Process ID:             0x0
               Caller Process

ALARM ID:                17592



bc

SSTP Error 0x8007274D


I am trying to create a VPN connection in order to access my files at home. I am trying to use SSTP, but unfortunately with no success. The error that I am getting is this:

Error 0x8007274D: No connection could be made because the target machine actively refused it.

Can anyone tell me what I can do to avoid this error and connect successfully to my home network?

Radius Authentication Server 2008R2


I have a Meraki wireless network that I have configured to use RADIUS authentication, and it works great. However, when a domain user tries to authenticate to the wireless network on a non-domain computer, I always get Event ID 6274 - Reason: There are not sufficient access rights to process the request. The user is set up in the correct RADIUS group, as if they authenticate on a computer on the domain, they do not have problems. Any thoughts?

Thanks


Windows VPN access control

I'm looking to have greater control over people logging in using VPN. Currently, I have one NPS policy for employees connecting after hours or those who work remotely.

Now, I need to allow access to consultants from outside of the company. The preferred method would be an IP ACL, which I could do at the switch level.

The question I have is:

Is it possible to have a specific group of users connecting to VPN get a specific range of IP addresses, while all others get the default range from DHCP?

VLAN Assignment - Unable to connect to network


Hello all,

We have recently set up dynamic VLAN assignment on our network, and while it works, there is one thing that is rather annoying/inconvenient about it. After the users try to log in with their AD credentials, a message appears on the screen that says "Connecting to the network", shortly followed by "Unable to connect to the network. Logging on...". The users then log in just fine, though - they are placed in the correct VLAN and have the correct network drives mapped. There doesn't appear to be an actual error, so is it possible to get rid of both of those messages? The client PCs are on the domain, they run Windows 7, and they authenticate through our NPS/RADIUS server (running on WS 2008 R2); PEAP-MS-CHAP v2 is the authentication type. Any suggestions/help would be greatly appreciated. Thank you.

-Nikita

Using NAP/NAC to Protect Network Resources


Hello,

I'm intending to create ACLs in a Layer 3 switch to protect our network resources and enhance the security of our network resources.

Instead of creating plenty of ACLs in the switch, is it possible to use NAP/NAC to protect these resources and allow only certain resources to be available to our users?

Regards,

Radius Logging of end user client device IP address not showing up in Logs


A little background:

I am using Server 2012 for RADIUS authentication of my wireless clients.

This server running NPS (RADIUS) is not the domain controller, just a member server on the network.

DHCP is running on another server on my network.

The problem I am having is that the RADIUS logs do not contain the client device IP address, only the AD user names.

The logs do contain the RADIUS server IP address and the access point IP address, leaving out the client IP address.

This is a school district, and we have to filter the internet content for all clients.

RADIUS is a great authentication method, but without the IP addresses of the clients in the logs I cannot apply the proper policies to the different groups. So what happens is that everyone, students and staff, gets the default, most restrictive policy.

Bottom line: how do I configure the RADIUS server to insert the IP address in the logs?

Thanks,

DNS Server - Access Denied


Good Day,

My old DC crashed. I still have 2 GC servers. I am now trying to add another DC, but when I try to set up the DNS role on one of the existing servers, I get access denied.

Any assistance would be appreciated.

Server 2012 NPS NAP DHCP


I've set up a server with DHCP and NPS and configured NAP.
DHCP has 1 scope and the default scope options 003 router, 005 DNS server and 015 Domain Name (domain.com).
NPS/NAP DHCP is working (all is set up: health, SHV, GPO etc.), so when I connect a client with the firewall on I get a normal IP, and when I disable the firewall I get an IP but no gateway and subnet 255.255.255.255, so all works well.

Now in DHCP I created a DHCP policy so I can assign a different DNS server and domain name (restricted.domain.com) to non-compliant clients.
The policy I created is as per --> http://social.technet.microsoft.com/Forums/getfile/257005 (because the User Class option on the Advanced tab in scope options is not available in 2012).

But when I connect a non-compliant client I still get the DNS domain name domain.com instead of restricted.domain.com.

ipconfig /all shows it's restricted, but I don't get the DHCP policy I set up for it.
