
Client not receiving health certificate (NAP agent failed to acquire a certificate for the request)

I configured an Enterprise CA which issues certificates for Direct Access clients and health certificates. The Enterprise CA, HRA and NPS roles are configured on one server (Server 2008 R2 Standard); Direct Access is configured on a separate 2012 server.

Side note: certificates for Direct Access are being issued by the same CA, and there are no issues accessing the network using Direct Access.

According to the Network Policy and Access server the client is granted full access because it met the configured health policies

I searched and tried several solutions, but I'm confused: in the client event log an HRA error appears, while in the Network Policy and Access Services log on the server itself there's no HRA error.

NPS configuration

1 connection request policy named: NAP IPsec with HRA

2 network policies named: NAP IPsec with HRA Compliant and NAP IPsec with HRA Noncompliant

Connection and network policies are configured with Type of network access server: Health Registration Authority

CA configuration

Added the network service account to the security of the CA, permissions are : Issue and Manage Certificates / Request Certificates / Read / Manage CA (Gave it all the permissions for testing purposes)

certificate template configuration

Issued a template named Health authentication Direct Access Clients. The network service has Read/Enroll/Autoenroll permissions for this template. Application policy extensions : Client Authentication and System Health Authentication

HRA configuration

Added the CA to the HRA

Server eventlog

Network Policy Server granted full access to a user because the host met the defined health policy.

User:
Security ID:NULL SID
Account Name:-
Account Domain:-
Fully Qualified Account Name:-

Client Machine:
Security ID:Domain\computername
Account Name:computername.domain.local
Fully Qualified Account Name:Domain\computername$
OS-Version:6.1.7601 1.0 x64 Workstation
Called Station Identifier:-
Calling Station Identifier:-

NAS:
NAS IPv4 Address:IP address
NAS IPv6 Address:-
NAS Identifier:server.domain.local
NAS Port-Type:Ethernet
NAS Port:-

RADIUS Client:
Client Friendly Name:-
Client IP Address:-

Authentication Details:
Connection Request Policy Name:NAP IPsec with HRA
Network Policy Name:NAP IPsec with HRA Compliant
Authentication Provider:Windows
Authentication Server:server.domain.local
Authentication Type:Unauthenticated
EAP Type:-
Account Session Identifier:SESSION IDENTIFIER

Quarantine Information:
Result:Full Access
Extended-Result:-
Session Identifier:SESSION IDENTIFIER
Help URL:-
System Health Validator Result(s):
Windows Security Health Validator

Client eventlog

The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {AD43EFEA-A663-4EE8-BCF7-28699DFC9AAC} - 2013-10-23 12:21:01.726Z from https://CASERVER.DOMAIN.LOCAL/DomainHRA/HCSRVEXT.DLL.

The request failed with the error code (500). This server will not be tried again for 10 minutes.

Contact the HRA administrator for more information.

The strange thing is, I don't see any failed request on the CA, or any failed request with the same correlation-id in the Network Policy and Access Services event log, which tells me that the client didn't connect to the HRA. If I try to open the URL https://CASERVER.DOMAIN.LOCAL/DomainHRA/HCSRVEXT.DLL a popup appears asking me for a username and password. If I enter the password another page opens with internal error 500. No SSL errors.
(Auditing is enabled, checked it with the auditpol command)

Show config output


NAP client configuration (group policy): 
---------------------------------------------------- 

NAP client configuration: 
---------------------------------------------------- 

Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048 

Hash algorithm = sha1RSA (1.3.14.3.2.29) 

Enforcement clients: 
---------------------------------------------------- 
Name            = DHCP Quarantine Enforcement Client 
ID              = 79617 
Admin           = Disabled 

Name            = IPsec Relying Party 
ID              = 79619 
Admin           = Enabled 

Name            = RD Gateway Quarantine Enforcement Client 
ID              = 79621 
Admin           = Disabled 

Name            = EAP Quarantine Enforcement Client 
ID              = 79623 
Admin           = Disabled 

Client tracing: 
---------------------------------------------------- 
State = Disabled 
Level = Disabled 

Trusted server group configuration: 
---------------------------------------------------- 
Group            = HRA 
Require Https    = Disabled 
URL              = http://CA.DOMAIN.LOCAL/DomainHRA/HCSRVEXT.DLL 
Processing order = 1 
Group            = HRA 
Require Https    = Disabled 
URL              = https://CA.DOMAIN.LOCAL/DomainHRA/HCSRVEXT.DLL 
Processing order = 2 

Ok.

Show state output


Client state: 
---------------------------------------------------- 
Name                   = Network Access Protection Client 
Description            = Microsoft Network Access Protection Client 
Protocol version       = 1.0 
Status                 = Enabled 
Restriction state      = Not restricted 
Troubleshooting URL    =  
Restriction start time =  
Extended state         =  
GroupPolicy            = Configured 

Enforcement client state: 
---------------------------------------------------- 
Id                     = 79617 
Name                   = DHCP Quarantine Enforcement Client 
Description            = Provides DHCP based enforcement for NAP 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = No 

Id                     = 79619 
Name                   = IPsec Relying Party 
Description            = Provides IPsec based enforcement for Network Access Protection 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = Yes 

Id                     = 79621 
Name                   = RD Gateway Quarantine Enforcement Client 
Description            = Provides RD Gateway enforcement for NAP 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = No 

Id                     = 79623 
Name                   = EAP Quarantine Enforcement Client 
Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies. 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = No 

System health agent (SHA) state: 
---------------------------------------------------- 
Id                     = 79744 
Name                   = Windows Security Health Agent
 
Description            = The Windows Security Health Agent monitors security settings on your computer.
 
Version                = 1.0
 
Vendor name            = Microsoft Corporation
 
Registration date      =  
Initialized            = Yes 
Failure category       = None 
Remediation state      = Success 
Remediation percentage = 0 
Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating the security state of this computer.
 
Compliance results     = 
Remediation results    = 

Ok.
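As an added example (not part of the original post), the following Python parses the trusted server group section of the `netsh nap client show config` output quoted above and flags what a reviewer would want flagged: an HRA URL that is plain http://, and `Require Https = Disabled`. The Statement of Health and the health certificate the client gets back travel over that URL, so both settings matter. The sample text is constructed from the post's own output and keeps its redacted host names.

```python
"""Audit the 'Trusted server group configuration' section of
'netsh nap client show config'.

Added example, not part of the original post. NETSH_OUTPUT is constructed
from the output quoted in the post (redacted host names kept as shown).
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

NETSH_OUTPUT = """\
Trusted server group configuration:
----------------------------------------------------
Group            = HRA
Require Https    = Disabled
URL              = http://CA.DOMAIN.LOCAL/DomainHRA/HCSRVEXT.DLL
Processing order = 1
Group            = HRA
Require Https    = Disabled
URL              = https://CA.DOMAIN.LOCAL/DomainHRA/HCSRVEXT.DLL
Processing order = 2

Ok.
"""

KEYS = ("Group", "Require Https", "URL", "Processing order")


@dataclass
class TrustedServer:
    group: str
    require_https: bool
    url: str
    order: int


def parse_trusted_servers(text: str) -> list[TrustedServer]:
    """Collect each Group / Require Https / URL / Processing order quadruple.

    Only lines after the section header are considered; an entry is complete
    when its 'Processing order' line is seen.
    """
    servers: list[TrustedServer] = []
    current: dict[str, str] = {}
    in_section = False
    for line in text.splitlines():
        if line.startswith("Trusted server group configuration"):
            in_section = True
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key not in KEYS:
            continue
        current[key] = value
        if key == "Processing order":
            servers.append(TrustedServer(
                group=current["Group"],
                require_https=current["Require Https"].lower() == "enabled",
                url=current["URL"],
                order=int(value),
            ))
            current = {}
    return servers


def audit(servers: list[TrustedServer]) -> list[str]:
    """One finding per weakness: the SoH and the health certificate request go
    over this URL, so it should be https:// and HTTPS should be required."""
    findings: list[str] = []
    for s in servers:
        scheme = urlparse(s.url).scheme.lower()
        if scheme != "https":
            findings.append(f"group {s.group} order {s.order}: plaintext {scheme}:// URL {s.url}")
        if not s.require_https:
            findings.append(f"group {s.group} order {s.order}: 'Require Https' is disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_trusted_servers(NETSH_OUTPUT)):
        print(finding)
```

Run against the quoted output it reports three findings: the first entry is both plaintext and does not require HTTPS, the second is HTTPS but still does not require it.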





NPS Authentication Causing Account Lockout

Hi There,

I have the strangest issue I have seen in terms of NPS authentication. I hope you might be able to help.

I have two NPS servers that were originally configured for use with Direct Access. They were working fine with no issues whatsoever. Our Direct Access is using two-factor authentication for user login.

Recently, we introduced a 802.1x Policy to the NPS servers and have got this working successfully also. The authentication mechanism here is using a Certificate that has been issued from our Internal CA server.

My laptop is configured to use both Direct Access and the Wireless network and so will attempt to connect to the NPS server to authenticate for either system, depending on if I am inside my network or outside my network. I am running Windows 8 Enterprise edition with all the latest updates.

Before Wireless was set up, I could authenticate for Direct Access when I was outside the network with no issue. When the wireless was configured, I could authenticate for the Wireless network when I am inside the network.

Now though, with both policies in place, when I am outside the network and connected to the Internet, Direct Access attempts to connect but needs my OTP to authenticate me; at this point I see a pop-up on my laptop saying "Windows needs your current credentials", and at this point Active Directory reports my account to be locked out. If I wait the timeout period, or unlock my account, I will be fine to log in to Direct Access, until the next time I start up my laptop and connect to the internet. The weird thing about this too is that it doesn't always happen. Sometimes I can start up my laptop and it will not happen at all.

In troubleshooting this, I have done the following:

  • Disable the Wireless Policy on the NPS and Direct Access never has any issues
  • Re-ordered the NPS policies, if the Wireless Connection Request Policy is lower than the Direct access Policy and the Wireless Network Policy, Wireless will work, but Direct Access has issues. If the Wireless Policies are below the Direct Access Policies, Wireless won't work. And Direct Access still has issues. 
  • I built up a separate NPS server that only has the Wireless Policy configured on it, configured the Wireless to use only that NPS server, but still Direct Access will lock my account.
  • On my laptop I notice the event id 4771 - Kerberos Pre-Authentication Failed
  • On the domain controller, I notice the event saying my Account has been locked out. The Caller Computer Name is our TMG Firewall and the reason is 0x18 (Bad Password) though I have not entered my password yet!

If there is anything anyone can suggest to resolve this issue, it would be greatly appreciated!

jd
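Added example, not from the poster: a small correlation over constructed Windows security events of the two kinds mentioned in the post (4771 with failure code 0x18, and 4740 with a Caller Computer Name). For each lockout it counts the bad-password sources seen for that account in the preceding window, which is the first thing to pin down before touching the NPS policies. Account names, addresses and the `TMG-FW` host name are placeholders.

```python
"""Correlate account lockouts (event 4740) with the Kerberos pre-authentication
failures (event 4771, failure code 0x18 = bad password) that preceded them.

Added example, not from the original post. EVENTS is constructed sample data;
accounts, addresses and host names are placeholders.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# (event id, UTC timestamp, account, source, failure code)
# 4771: source is the Client Address; 4740: source is the Caller Computer Name.
EVENTS = [
    (4771, "2013-10-23T07:58:02", "jd", "10.1.1.20", "0x18"),
    (4771, "2013-10-23T07:58:14", "jd", "10.1.1.20", "0x18"),
    (4771, "2013-10-23T07:58:26", "jd", "10.1.1.20", "0x18"),
    (4771, "2013-10-23T07:58:40", "jd", "10.1.1.20", "0x18"),
    (4771, "2013-10-23T07:58:55", "jd", "10.1.1.20", "0x18"),
    # 0x12 = KDC_ERR_CLIENT_REVOKED (disabled, expired or locked out), not a bad password
    (4771, "2013-10-23T07:59:01", "jd", "10.9.9.9", "0x12"),
    (4740, "2013-10-23T07:59:05", "jd", "TMG-FW", None),
    # outside a 30-minute window, inside a 3-hour one
    (4771, "2013-10-23T06:00:00", "jd", "10.1.1.20", "0x18"),
    # a different account: never attributed to jd's lockout
    (4771, "2013-10-23T07:58:30", "alice", "10.1.1.30", "0x18"),
]


@dataclass
class Lockout:
    account: str
    locked_at: datetime
    caller: str
    bad_password_sources: Counter = field(default_factory=Counter)


def correlate_lockouts(events, window_minutes: int = 30) -> list[Lockout]:
    """For every 4740, count 4771/0x18 events for the same account that fall
    inside the window ending at the lockout, keyed by client address."""
    window = timedelta(minutes=window_minutes)
    parsed = [(eid, datetime.fromisoformat(ts), acct, src, code)
              for eid, ts, acct, src, code in events]
    lockouts: list[Lockout] = []
    for eid, when, acct, caller, _ in parsed:
        if eid != 4740:
            continue
        lock = Lockout(acct, when, caller)
        for oid, t, a, src, code in parsed:
            if oid == 4771 and a == acct and code == "0x18" and when - window <= t <= when:
                lock.bad_password_sources[src] += 1
        lockouts.append(lock)
    return lockouts


if __name__ == "__main__":
    for lock in correlate_lockouts(EVENTS):
        print(lock.account, lock.locked_at.isoformat(), "via", lock.caller,
              dict(lock.bad_password_sources))
```

The window is a parameter because a lockout threshold is counted over the domain's observation window, not over all time; widening it here pulls in the older failure and changes the count.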

Migrate from Cisco ACS to Microsoft Equivalent for Wireless 802.1x?

We have Cisco ACS 4.2 with PEAP MSCHAPv2 running on Server 2003 which allows both automatic computer authentication of our domain joined laptops and manual user authentication via the users domain user names and passwords for devices not joined to our domain. We have a business need to allow approved, non-domain-joined computers to connect to our network, (so we absolutely cannot restrict network connections to only allow devices joined to our AD domain) but because of this, this is being abused and people are also bringing in their rogue personal laptops and smartphones and connecting to the wireless.

Support for Cisco ACS 4.2 ends this year and, before we pay for upgrading from 4.2 to 5.x, we would like to see if we could just retire ACS and Server 2003 and migrate our wireless to 802.1x managed by one of our existing Server 2008 or 2008R2 servers instead. 

One change we would like to do is make a change that prevents users from authenticating from their personal smartphones and laptops by simply typing in their domain user names and passwords. We would like to have more control over which devices connect and also make changes so that the users who are authorized to use outside devices not joined to our domain (such as contractors working in our office from their pre-approved company laptop) don't have their domain account get locked out every month when their domain password changes and they forget to update the saved wireless credentials on their devices.

We currently have older Cisco wireless access points which we may also replace with something else (maybe something that integrates best with Microsoft if we drop ACS).

Are there any particular types/brands of wireless access points that work well with Microsoft wireless authentication?

Can roles built into Server 2008 R2 handle migrating from Cisco ACS and also add the ability to manage authentication of approved devices that are not members of our domain either without using user credentials at all or else using user credentials, but not locking out their domain user accounts when the old/wrong password is saved in the wireless connection settings.

I suppose one option for contractor laptops would be to make a second account for the user with a non-expiring password and not give this account rights to do anything else except authenticate wireless and then have IT staff enter the credentials into the device for the user without telling the user what the password is (so they cannot add it to rogue devices), but I hope there is a better/easier option than that.





VPN assigns wrong IP address when reconnecting

I run a standalone 2008 R2 server that acts as a dial-in VPN server. The clients dialing in need to communicate with each other and do not need to access either the server itself or the LAN/WAN. To do this I want each client to have a static IP.

In user settings I've set a static IP for each VPN-user and normally that works fine. But when the connection is lost (bad connection over 2G/3G) and reconnected the user gets another IP. Sometimes the new IP actually is set as static for another, not currently logged in, user account.

How can I prevent the server from assigning anything other than the correct IP?

thanks!

Can't copy files through network folders with VB.Net Application

I'm having a little problem while trying to copy files from this folder:
\\server\groups\rh\pictures
to this folder:
\\server\groups\rh\pictures changed

I've created an app that does that. My clients run this app as a scheduled task with the optional action argument set for /H.

It was working perfectly, but one of the clients has the Local Security Policy below enabled, and it isn't working for him:
Network access: Do not allow storage of passwords and credentials for network authentication
I've already tried using 'Impersonator' and 'UNCAccessWithCredentials', but both failed when trying to run as a scheduled task.

Ideas about how to solve this problem? I can attach my entire project if you want to see it.

Thank you!

Windows System Health agent

Can the Windows System Health agent (WSHA) be disabled / prevent it from initialization?

We are using SCCM SHA and F-Secure SHA for health validation.

Frequently health state changes are also reported by WSHA which triggers dot1x authentication.

How to disable Windows SHA?

NPS SQL missing reason-code in Server 2012 R2

Hi

It seems like several SQL fields in the 2012 R2 version of NPS logging have been removed.

Amongst others the Reason-Code field.

Most people only refer to log files to see why someone can't connect to the vpn server.

In previous versions we had a web front end for an sql view that gave you the reason why the server denied access so that we do not need to give helpdesk personnel access to the log files and we also filter which operations vpn sessions they can see (via multiple vpn nps policies and then filter the sql view based on their permissions).

Is there any way to restore the logging of this field to SQL, as well as logging the source IP address of the request (our investors require this and we get audited on it) together with the issued IP (non-DHCP)? We are not allowed to run DHCP on this server since it is situated in a 3rd party datacenter.

Regards

Johan

Network location awareness stopped abruptly

I have a Server 2008 host running in a 2008 DC environment. All was working fine for over a year in production.

One day the NLA service just went down, and server stopped servicing clients.

I managed to start it back by running the commands

net localgroup administrators localservice /add
net localgroup administrators networkservice /add

But I would like to know why the service went down just like that. No changes to the system, permission-wise, were made. Or am I missing something here?

I can see just this event in the log: "The Network Location Awareness service terminated with service-specific error %%-1073741288."

Thanks


SBS 2011 broken RADIUS auth via NAP

Hi All,

I have a SBS 2011 on which I'm running the NAP role with an external firewall. The external firewall terminates PPTP connections, and uses the SBS 2011 NAP as a RADIUS authentication source. Due to a network reshuffle I had to change the IP address of the SBS. All services are now up & running great (AD, Exchange etc)  except for NAP.

I used NTRadPing to test if the server is even responding to auth requests by passing a username in, and it looks like it doesn't respond at all. There are no errors shown in the Event Viewer under "Network Policy Server". Further, nothing shows in the "Security" event log either. I'd have expected to see some audit failures at the very least.

On the computer that I'm connecting from, I see error 718. It appears the problem is that the SBS isn't responding to auth requests.

How can I further troubleshoot this, there are no errors in the event log!
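Added example, not part of the original post: a minimal RFC 2865 implementation in Python showing the PAP Access-Request that a tool like NTRadPing puts on the wire, and how the client side checks a reply's Response Authenticator against the shared secret. The shared secret, user name, password and NAS address are placeholders. One caveat that fits the symptom described above: a RADIUS server discards a request from a source address it has no RADIUS client entry for without sending any reply, so a silent timeout rather than an Access-Reject is what a wrong client entry or a changed server address looks like from the tester's side.

```python
"""Minimal RADIUS (RFC 2865) Access-Request builder and reply verifier.

Added example, not part of the original post. Shared secret, user name,
password and NAS address below are placeholders.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block' is
    the Request Authenticator."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decrypt_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, nas_port,
                         authenticator=None) -> bytes:
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes."""
    req_auth = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encrypt_password(password.encode(), secret, req_auth))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + req_auth + attrs


def parse_packet(data: bytes):
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, data[4:20], attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, identifier, req_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: a reply whose authenticator does not verify (wrong secret,
    tampering, identifier mismatch) must be discarded, not acted on."""
    try:
        code, identifier, resp_auth, _ = parse_packet(response)
        _, req_identifier, req_auth, _ = parse_packet(request)
    except ValueError:
        return False
    if identifier != req_identifier or code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret = b"placeholder-shared-secret"  # assumption: replace with the real secret
    request = build_access_request(1, "testuser", "testpass", secret, "192.0.2.10", 0)
    reject = build_response(ACCESS_REJECT, request, secret)
    print(f"request {len(request)} bytes, reply verifies: {verify_response(reject, request, secret)}")
```

To send the request for real, put `request` in a UDP datagram to port 1812 (or 1645 on older gear) and run `verify_response` on whatever comes back; nothing coming back at all is a different failure from a reply that fails verification.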

Dreaded Not NAP-Capable RAS Condition

I have exhausted every avenue to get VPN access to the domain without the dreaded Not-NAP Capable remote access condition.

The set up includes:

  • Single DC which has these roles:
  • Active Directory Certificate Services
  • Active Directory Domain Services
  • DHCP Server
  • DNS Server
  • File Services
  • Network Policy and Access Services
  • Print Services

Features:

  • Group Policy Management

Radius, WINS and IPv6 not implemented.

RAS:

  • DHCP IPv4 address assignment
  • Enable Broadcast Name Resolution
  • No inbound or outbound filters
  • PPP: Multilink, LCP and software compression
  • IPv4 Router – LAN and demand dial routing
  • IPv4 Remote access server
  • Primary NIC has fixed IP address for the DC
  • Dedicated NIC for VPN – Local Area Network Connection 5 with fixed IP address
  • Firewall routes all traffic from its fixed WAN IP address, after NAT to Dedicated VPN NIC address
  • Firewall ports enable VPN traffic
  • Domain Controllers Policy
  • eapqec – enabled on Client

Network Policy Server

Connection Request Policies

  • Microsoft Routing and Remote Access Service Policy Enabled 1 – Remote Access Server (VPN-Dial-up)
  • Authentication Provider – Local Computer
  • Extensible Authentication Protocol Configuration – Configured
  • Extensible Authentication Protocol Method – Microsoft Protected EAP (PEAP)
  • Authentication Method – EAP
  • Override Authentication – Enabled

Network Policies

  • Microsoft Routing and Remote Access Service Policy Enabled 1 – Remote Access Server (VPN-Dial-up)
  • Condition
  • MS-RAS Vendor ID 311$
  • User Groups – DOMAIN\Domain Users
  • Windows Groups – DOMAIN\JohnGroup
  • Windows Groups – DOMAIN\Domain Admins
  • Settings
  • Extensible Authentication Protocol Configuration – Configured
  • Extended State - <blank>
  • Access Permission – Grant Access
  • Extensible Authentication Protocol Method – Microsoft EAP (PEAP)
  • Configure Protected EAP Properties – check Enable Fast Reconnect & Enable Quarantine Checks
  • NAP Port Type – Virtual (VPN)
  • Authentication Method – EAP
  • NAP Enforcement – Allow full network access
  • Update Noncompliant Clients – False
  • Framed Protocol – PPP
  • Service Type – Framed
  • BAP Percentage of Capacity – Reduce Multilink if server reaches 50% for 2 minutes
  • IPv4 Filters – configured
  • Encryption Policy – configured
  • Encryption – Basic Encryption, Strong, Strongest

Health Policies

  • SHV Health Check – Client passes all SHV checks
  • Fails one SHV Check – Client fails one or more SHV checks

Network Access Protection

  • System Health Validation
  • Windows Vista – NONE are checked
  • Error Code Resolution – all are set to compliant
  • This was done to enable the LEAST restrictive condition on the client and allow NAP compliant connection. Other conditions have been tried.

No error reporting on NAP compliance

Client – Windows 7 Professional

  • napagent – Service running
  • Logon Network Service
  • Netsh nap client show state
  • Network Access Protection Client – 1.0 – Enabled
  • Not Restricted
  • GroupPolicy = Not Configured
  • EAP Quarantine Enforcement Client
  • 1.0
  • Initialized = Yes
  • System Health Agent
  • ID = 79744
  • Initialized = Yes
  • Failure Category = None
  • Remediation State = Success
  • Remediation percentage = 0
  • Compliance results; Remediation results; ok

When tunnel connects:

  • VPN is established with:
  • Connect to Miniport
  • Authentication of user
  • Register on Network
  • Client reports
  • Domain.local 5
  • Access type: Internet
  • Connections: DOMAIN

When network is shown only the Client is seen on the network on the client network view – no other parts of the domain can be seen

Unable to ping the address of the DOMAIN controller

RRAS when showing Remote Access Clients always reports Not NAP-capable.

I have tried many variations on the set up and nothing allows full access to the domain.


NAP Sample code

Hi,

I followed the instructions in http://msdn.microsoft.com/en-us/library/bb945062.aspx
I successfully compiled the sample code, and tried to launch the Registry SHV interface in NPS.
The RegistrySHV.dll is registered successfully, but when pressing the Configure button,
no window such as the one in Figure 3 appeared.

Could anyone give me some hints?

Thanks.



NAP limits

Hello
I am about to create around 700,000 network policies using netsh nps. Can NAP handle such a load? The console slowed down dramatically after only 1000 rules!

Regards ,

Ahmed


WAP login / Radius / Windows 7

It was suggested I ask my question in this forum.

We are trying to log into laptops wirelessly.  The users can only log into laptops that they have cached credentials on, but we need them to be able to login for the first time while only connected via wireless.  Any suggestions are appreciated.

We are using:

Windows 7

Microsoft Radius Server

Cisco WAPs

WPA2-Ent MS-PEAP

We are pushing out the wireless settings for our WPA-Ent SSID via group policy with the following 802.1x settings:

Cache user information for subsequent connections to this network: Enabled
Computer Authentication
User authentication
Maximum Authentication Failures: 3
Maximum EAPOL-Start Messages Sent:
Held Period (seconds):
Start Period (seconds):
Authentication Period (seconds):
Single Sign On type: preLogon
Maximum acceptable delay for network connectivity: 30
This network uses different VLAN for authentication with machine and user credentials: Disabled
Allow additional dialogs during single sign on: Enabled

Windows Service, SSPI, Kerberos, SQL Server on another machine.

Hi,

I have a TCP/IP service running on SERVER which connects to a SQL Server that is located on another machine (SQLSERVER).

The client authenticates with the SERVER using the Kerberos security package successfully.

the 3 machines are in the same domain.

When the service is running under the System account, the connection to the SQL Server machine succeeds (I have enabled the "Trust computer for delegation" option for the SERVER machine).

But When the service is running under a specific user profile (eg: USER1), the connection to the SQL Server machine fails with this error:

Login failed for user 'AUTORITE NT\ANONYMOUS LOGON'

I have tried to add the "Impersonate a client after authentication" user right for USER1 in the Local Security Policy, but it does not solve the problem.

Does someone know what is wrong here please?
Thank you,
Olivier gg.

(Note: the "Forest Functional Level" of the domain is Win2000).

Can't reinstall NPS 2012 R2, error: 0x800f0922

Hi,

NPS stopped working, so I thought I'd remove the feature and add it again, and to my surprise I get an error:

PS C:\Windows\system32> add-windowsfeature NPAS-Policy-Server
add-windowsfeature : The request to add or remove features on the specified server failed.
Installation of one or more roles, role services, or features failed. Error: 0x800f0922
At line:1 char:1
+ add-windowsfeature NPAS-Policy-Server
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (@{Vhd=; Credent...Name=localhost}:PSObject) [Install-WindowsFeature],
    Exception
    + FullyQualifiedErrorId : DISMAPI_Error__Failed_To_Enable_Updates,Microsoft.Windows.ServerManager.Commands.AddWind
   owsFeatureCommand

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
False   No             Failed         {}

Some commands I tried:

add-windowsfeature NPAS-Policy-Server -Source E:\sources\sxs

Dism /Online /Cleanup-Image /ScanHealth

Dism /Online /Cleanup-Image /CheckHealth



NAP DHCP not working

Hi

I am running a NAP DHCP test in a lab environment but cannot seem to get a client computer to respond to the settings properly. My setup is as follows:

1 x Server 2012 R2 Domain controller with ADDS, DNS, DHCP and NPS roles installed

1 x Windows 8.1 Client

The client is joined to the domain.

I have configured NAP in NPS for DHCP with the remediation server as the DC. The health setting is set to firewall only for Windows 8 machines. I have enabled NAP for the DHCP scope (there is only one scope) and created a GPO to enable NAP DHCP on all domain computers.

I have done a gpupdate /force on the client, restarted it, released and renewed the ip but for some reason when I turn the firewall off, NAP doesn't seem to kick in. If I restart the client with the firewall off I will get restricted access but then even if I turn the firewall back on it will not register and give me network access. I have seen a training video with this same kind of setup and it worked fine, and NAP worked instantly (as soon as the firewall was turned off/on) but I cannot work out why this particular configuration will not work as it should. Any help is much appreciated. Alex


restrict internet for users in Domain

Hi, I know a lot of topics related to my issue have been created, but none of them solved my problem completely, so I decided to ask for a better solution.

Scenario: I have a small domain network with Windows Server 2008 R2 Enterprise x64 and 6 clients running Windows 7. I installed Routing and Remote Access on the server for some reason, so clients use the internet through the server and nothing else.

Question: I want to restrict my users' use of the internet.

1. specific speed limitation

2. a size limit (MB) for download/upload

3. some sites and applications blocked on the clients

4. monitor the internet traffic used by every client and save a report and log file on the server

I don't want to install ISA Server or Forefront. What is your suggestion for my situation?

Best regards, FarbodKain

NPS 2008 R2 not saving conditions

I am new to Network Policy Server and have a question.

The two NPS servers are running on 2008 R2 and they are not domain controllers.  All DCs in the forest are GCs.

They didn't know you could export/import the configuration to make the server configurations identical so they manually configure each server.

Under Policies, Network Policies when we right-click on the policy, select Properties, go to the Conditions tab, click on the Windows Groups condition, edit, add a group, save, exit the NPS console, go back in to the console and check the policy, the group we just added is gone.  This happens on both servers.

There are six groups in the condition and they need to add a seventh.  Is there a limit to the number or types of groups that can be added?  Is there a reason the change to the condition is not being saved?

Since this is the first time I have seen NPS, if there is more info you need just ask.

Thanks


Carl Webster

re: How to use secpol.msc to drop any IP connecting to my port 25 and permit my port 25 to connect to any IP and port?

Hi ,

I do not understand, in secpol.msc, the usage of the source IP, the destination IP and mirror.

I want to protect my port 25: drop any IP connecting to my port 25 and permit my port 25 to connect to any IP.

So I set source IP = any IP address and destination IP = my IP, protocol = TCP, source port = ANY, destination port = 25.

Filter action = DROP.

Then I find my port 25 cannot communicate with other computers.

Does secpol support this function?

If not, why set the source IP and destination IP and mirror?

If it is supported, how do I set it?

Please help me.
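Added example, not part of the post: a Python model of how an IPsec filter list matches packets, written to show what the Mirrored check box does. A mirrored filter is the filter you typed plus a copy with source and destination (address and port) swapped, so a mirrored "any -> my IP, TCP, destination port 25, drop" filter also covers the packets my port 25 sends back, which is the symptom described above. Addresses are from the documentation ranges, and the first-match evaluation is a simplification (the Windows IPsec policy engine applies the most specific matching filter), so read this as a way to see which packets a filter covers, not as an emulation of the engine.

```python
"""Model IPsec filter matching, with and without 'Mirrored'.

Added example, not part of the original post. MY_IP and PEER are constructed
documentation-range addresses; first-match evaluation is a simplification of
the Windows IPsec policy engine, which prefers the most specific filter.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

MY_IP = "192.0.2.25"      # the protected server (constructed)
PEER = "203.0.113.7"      # a remote host (constructed)
ANY = "any"


@dataclass(frozen=True)
class Filter:
    src: str                # "any" or an address / network
    dst: str
    proto: str              # "tcp", "udp" or "any"
    sport: Optional[int]    # None = any port
    dport: Optional[int]
    action: str             # "permit" or "drop"
    mirrored: bool = False

    def swapped(self) -> "Filter":
        """The second filter that 'Mirrored' implicitly adds: addresses and
        ports exchanged, same protocol and action."""
        return Filter(self.dst, self.src, self.proto, self.dport, self.sport, self.action, False)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def expand(filters: list[Filter]) -> list[Filter]:
    """Turn each mirrored filter into its two concrete filters."""
    out: list[Filter] = []
    for f in filters:
        out.append(f)
        if f.mirrored:
            out.append(f.swapped())
    return out


def _addr_match(rule: str, addr: str) -> bool:
    return rule == ANY or ip_address(addr) in ip_network(rule, strict=False)


def matches(f: Filter, p: Packet) -> bool:
    return (_addr_match(f.src, p.src) and _addr_match(f.dst, p.dst)
            and f.proto in (ANY, p.proto)
            and f.sport in (None, p.sport) and f.dport in (None, p.dport))


def evaluate(filters: list[Filter], p: Packet, default: str = "permit") -> str:
    """Simplified: the first matching filter decides; no match -> default."""
    for f in expand(filters):
        if matches(f, p):
            return f.action
    return default


# The filter the post describes: any -> my IP, TCP, any source port, destination port 25, DROP.
BLOCK_INBOUND_25 = Filter(ANY, MY_IP, "tcp", None, 25, "drop")

INBOUND_SYN = Packet(PEER, MY_IP, "tcp", 40000, 25)     # remote host connecting to my port 25
REPLY_FROM_25 = Packet(MY_IP, PEER, "tcp", 25, 40000)   # my port 25 answering that host
OUTBOUND_TO_25 = Packet(MY_IP, PEER, "tcp", 51000, 25)  # me connecting to the remote port 25


def compare() -> dict[str, dict[str, str]]:
    """Evaluate the three packets against the mirrored and unmirrored filter."""
    filter_sets = {
        "mirrored": [replace(BLOCK_INBOUND_25, mirrored=True)],
        "unmirrored": [BLOCK_INBOUND_25],
    }
    packets = {"inbound_syn": INBOUND_SYN, "reply_from_25": REPLY_FROM_25,
               "outbound_to_25": OUTBOUND_TO_25}
    return {name: {pname: evaluate(fl, pkt) for pname, pkt in packets.items()}
            for name, fl in filter_sets.items()}


if __name__ == "__main__":
    for name, results in compare().items():
        print(name, results)
```

In this model the mirrored version drops my own replies from port 25 as well as the inbound connection, while the unmirrored version drops only the inbound connection; neither touches a connection I open to someone else's port 25, because its destination address is not mine.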

Multiple calling-station-id on connection request policy NPS

Hello All,

I have a connection request policy for MAC filtering with Calling-Station-Id in the Conditions tab, as follows:

(screenshot of the Calling-Station-Id conditions not reproduced)

The problem is that only the first entry (00bb*) actually works. It seems that the other three conditions are not checked against.

Could you please advise?
Thank you in advance

beppe


giuseppe
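Added example, not part of the post. NPS evaluates the Calling-Station-Id condition as a regular expression against the string the NAS sends; in a regex, `*` repeats the preceding character and an unanchored pattern matches anywhere, so `00bb*` means "contains 00b" rather than "starts with 00bb". The Python below builds one anchored alternation covering several prefixes, tolerant of the `-`, `:` and `.` separators and the letter case a NAS may use, and checks constructed sample values against it. The prefixes are made up; the function `naive_match` only illustrates the wildcard misreading.

```python
"""Build one Calling-Station-Id regex that covers several MAC prefixes.

Added example, not part of the original post. PREFIXES and the sample
Calling-Station-Id values are constructed.
"""
import re

PREFIXES = ["00bb", "00-1a-2b", "3C:5A"]   # constructed OUI-style prefixes


def normalize_hex(value: str) -> str:
    """Strip -, :, . and whitespace and lower-case: '00-1A-2B' -> '001a2b'."""
    return re.sub(r"[-:.\s]", "", value).lower()


def build_pattern(prefixes) -> str:
    """One anchored alternation. Each octet may be followed by an optional
    separator and each hex letter is written as a [xX] class, so the same
    string matches '00-BB-..', '00:bb:..' and Cisco-style '00bb.xxxx.xxxx'."""
    alternatives = []
    for prefix in prefixes:
        digits = normalize_hex(prefix)
        if not re.fullmatch(r"[0-9a-f]+", digits):
            raise ValueError(f"not a hex prefix: {prefix!r}")
        octets = [digits[i:i + 2] for i in range(0, len(digits), 2)]
        tolerant = ["".join(f"[{c}{c.upper()}]" if c.isalpha() else c for c in octet)
                    for octet in octets]
        alternatives.append("[-:.]?".join(tolerant))
    return "^(" + "|".join(alternatives) + ")"


def is_allowed(calling_station_id: str, pattern: str) -> bool:
    """Anchored match, as the condition should be evaluated."""
    return re.match(pattern, calling_station_id) is not None


def naive_match(calling_station_id: str, glob_like: str = "00bb*") -> bool:
    """What a regex engine does with a shell-style wildcard: '*' repeats the
    preceding 'b' and the unanchored search matches anywhere in the string."""
    return re.search(glob_like, normalize_hex(calling_station_id)) is not None


if __name__ == "__main__":
    pattern = build_pattern(PREFIXES)
    print("pattern for the NPS condition:", pattern)
    for sample in ["00-BB-12-34-56-78", "001a.2b33.4455", "10-00-B1-22-33-44"]:
        print(f"{sample:20} anchored={is_allowed(sample, pattern)} naive={naive_match(sample)}")
```

The string returned by `build_pattern` is what goes into the Calling-Station-Id condition; the NAS's own formatting of the MAC address is what the pattern has to match, which is why the separators and case are made optional rather than normalized away on the NPS side.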
