NAP SoH


Hi all,

I have implemented 802.1x with NAP enforcement in our network.

Things are working fine as expected. I am facing the following issue.

Every day, on first system boot, PCs are declared NAP non-compliant by the NPS server since no SoH is sent by the client.

SHAs are not initializing immediately after system boot. SoH is cached in system. Verified the following registry key before rebooting the system:  HKLM/system/currentcontrolset/services/napagent/SohCache - each SHA has its Cached SoH (79744 -WSHA / 79745 - SCCM client)

After some time, when the SHAs initialize, they trigger dot1x authentication. This time the SoH is sent and the PC is declared compliant by NPS.

On system boot, the napagent is not sending the cached SoH to NPS server for Health validation.

How can I modify the behaviour of the clients so that they send the cached SoH on the first authentication attempt immediately after system boot?


"napagent" Service Not starting - Access Denied


Hi,

I have deployed 802.1x with NAP enforcement in our network.

The required Windows services are started on the domain machines through Domain group policy: Network Access Protection Agent (napagent), EapHost & dot3svc.

The Network Access Protection Agent (napagent) service is not starting on a few PCs. Due to this, the PCs are not able to send an SoH for health validation to the NPS server, and hence these PCs are declared NAP non-compliant, even though they meet all the requirements for becoming compliant.

Please guide me in troubleshooting / resolving this issue.

Deploying NAP 802.1x Enforcement w/ 3com 4500 or 5500

Hi!

I am trying to get the 802.1x Step-by-Step Guide to work in my test lab. I followed the instructions and everything seems to be OK, as my switch (3Com 4500) gets a RADIUS Access-Accept from the NAP server (the logs look good too). Unfortunately the switch then sends an EAP-Failure message to the client and the port stays down.

I know that this isn't a support forum for 3Com but I would really appreciate any help.

Here is my configuration (the client uses port 1/0/5):

====================================
4500>display current-configuration
#
 private-group-id mode standard
#
 local-server nas-ip 127.0.0.1 key 3com
#
 domain default enable ams
#
 igmp-snooping enable
#
 dot1x
 dot1x authentication-method eap
#
 undo password-control aging enable
 undo password-control length enable
 password-control login-attempt 3 exceed lock-time 360
#
radius scheme system
radius scheme radius1
 primary authentication 192.168.0.2
 accounting optional
 key authentication secret
 timer response-timeout 5
 retry 5
 user-name-format without-domain
#
domain ams
 scheme radius-scheme radius1
domain system
#
local-user admin
 service-type ssh telnet terminal
 level 3
local-user manager
 service-type ssh telnet terminal
 level 2
local-user monitor
 service-type ssh telnet terminal
 level 1
#
acl number 4999
 rule 0 deny dest 0000-0000-0000 ffff-ffff-ffff
#
vlan 1
 description DEFAULT_VLAN
 igmp-snooping enable
#
vlan 2
 description NONCOMPLIANT_VLAN
#
vlan 3
 description COMPLIANT_VLAN
#
interface Vlan-interface1
 ip address 192.168.0.3 255.255.255.0
#
interface Aux1/0/0
#
interface Ethernet1/0/1
 stp edged-port enable
 broadcast-suppression PPS 3000
 priority trust
 packet-filter inbound link-group 4999 rule 0
 dot1x port-method portbased

[...]

interface Ethernet1/0/5
 stp edged-port enable
 broadcast-suppression PPS 3000
 priority trust
 packet-filter inbound link-group 4999 rule 0
 dot1x port-method portbased
 dot1x

[...]

interface GigabitEthernet1/0/25
 dot1x port-method portbased
#
interface GigabitEthernet1/0/26
 dot1x port-method portbased
#
interface GigabitEthernet1/0/27
 shutdown
 dot1x port-method portbased
#
interface GigabitEthernet1/0/28
 shutdown
 dot1x port-method portbased
#
 sysname 4500
 undo xrn-fabric authentication-mode
#
interface NULL0
#
 snmp-agent
 snmp-agent local-engineid 8000002B001AC12D89C06877
 snmp-agent community read public
 snmp-agent community write private
 snmp-agent sys-info version all
#
user-interface aux 0 7
 authentication-mode scheme
user-interface vty 0 4
 authentication-mode scheme

====================================


Thanks in advance.

Wolfgang

Duplicate User ID in Multiple Domains


Hi all,

If I have the following scenario for a WPA2/TLS environment,

Forest A

--Domain A

-----User = DOMAINA\QW12345

--Domain B

-----User = DOMAINB\QW12345

When a wireless connection is established using TLS, the users in both domains present their fully qualified user names, including the domain.

Even though DOMAINB\QW12345 supplies the domain as being "B" when it connects, the NPS server uses a user account from its own domain "A", which is identical to the one in B. 

As a result, instead of authenticating the user B\QW12345, it uses A\QW12345 which is a completely different user.

This behavior only occurs for users that have identical sAMAccountNames in both domains.

Has anybody ever seen this?

TIA

IAS Policies (CISCO & JUNIPER)


I have IAS (2003) set up to authenticate a user for login to Cisco switches with a Vendor-Specific Attribute for privilege 15. This user belongs to a particular AD group that, when matched, provides login to the Cisco switch. I now have the same user who needs to log in to a Juniper (JUNOS) switch, which requires a Vendor-Specific Attribute for super-user access. How can I specify this in my policy order? When my user authenticates with the Cisco policy at the top he gets the Cisco login, but cannot get to the Juniper policy because everything matches on the Cisco one first. How can I differentiate the two?

Thanks,

Sigh

IAS certificate expired issue

Hi Team, can anyone advise on an IAS certificate expiry issue? We are trying to renew the certificate since it has already expired. When I renew the certificate from Console Root - Certificates (Local Computer) - Personal - Certificates, I get the error "The certificate request failed because of one of the following conditions: - The certificate request was submitted to a certification authority (CA) that is not started. - You do not have the permissions to request certificates from the available CAs." When I checked in IAS under Edit Dial-in Profile, Authentication, EAP Type, I got the error "Cannot configure EAP. A certificate could not be found that can be used with this extensible authentication protocol." Any advice on where I can check to fix it? Thanks!

Thanks and best regards, -- KF

What is the best practice to give a user permission to “Join to the Domain”?


I am not sure what the best practice is for giving a user permission to join to the domain.

Is it just giving delegated permission (Take Ownership or WRITE_DAC) on the Computer Object? Or is there some other way which is also Microsoft best practice?

Or is there any security group, other than Domain Admins, which will give this user the ability to join to the domain?

 

NPS Policy Processing Order Automation


Hi all,

Is there any way to use PowerShell/cmd/keyboard shortcuts to speed up the process of prioritizing policies in the NPS policies hive?

In a multiple-policy environment it's annoying to have to set the desired processing order every time by just right-clicking and selecting Move Up/Move Down.

Thanks.


Microsoft NPS Radius Server with SQL Server - need to have the User-Password field on SQL Server.


Hello,

I just configured an NPS Radius Server on Windows Server 2012 with SQL Server for the logs.

On SQL Server, the XML format gives some fields like User-Name, Called-Station-ID, Packet-Type, etc. Is it possible to add another field like User-Password? And how do I do it?

Thank you in advance for your help.

Limit concurrent Connections


Hello,
I'm not sure that this forum is the correct one...
We have a big WLAN infrastructure authenticated by NPS / Radius (on Windows 2008 R2).
We want to allow our users to use private devices in a special WLAN. Here we use EAP PEAP with username and password.
We want to limit the devices: only one private device per user account.
Is this possible with Radius and / or Accounting?

Thanks for any Help
Robert

Type of certificate for EAP-TLS certificate based authentication


We would like to set up both domain computers and non-domain computers to access our wireless LAN without the need for the user to enter their domain login credentials and remember to update the wireless settings every time they change their domain password.

We now use PEAP CHAPv2 and it works OK for domain computers, but it is a hassle for non-domain laptops when passwords expire, so we want to change it to EAP-TLS and import authentication certificates onto the non-domain devices.

Are you supposed to use a certificate from your internal domain CA or should you use a third party commercial certificate such as Verisign or GoDaddy etc.?
I thought I read somewhere that you are supposed to use an internal Enterprise CA, but if you did that, wouldn't the non-domain devices give warnings and errors about using a certificate from an untrusted Root CA?  Only the domain PCs could trust an internally generated certificate by default.

How are the certificates named? Are they named to match the DNS host name of the Radius server (such as "RadiusServer2.domain.local"), the way you name an SSL cert for a web server, or are the certificates given a friendly name such as "Office Wireless Cert"?

Allow Client To Change Password After It Has Expired Option


People who use devices not joined to our domain do not get the 14 day password expiration warnings specified in group policy that users of domain-joined PCs get, so their first indication that their password has expired is that their wireless access stops working.  Then, to change their password, they need to connect to a wired connection and change their expired password through OWA.  If they have a wireless-only tablet, they must get help desk assistance or go to a PC to change the expired password.

What are the requirements and options available to allow users of non-domain devices to change their domain passwords on wireless after their password has already expired?

Does the option "Allow Client To Change Password After It Has Expired" only work if the user is logged into a PC that is joined to our domain or can they change their expired password from a non-domain laptop on wireless or even a device that doesn't run Windows at all such as an iPad etc.?

NPS User Authentication Policy Windows 2012


OK, I'm having some difficulty getting NPS working when I've set up the client computer to use user authentication. I've got my Radius client(s) set up and working, same for my Connection Request Policy(s). In testing I've set up Network Policies, one for authenticating based on the computer account, one for authenticating based on the user account. If I set my Windows 7 client to use computer authentication, the client authenticates right away, immediately after bootup. If I change the Win7 client to use user authentication, there is a 15-20 minute delay before it finally authenticates. If I examine my server's Security event log (for simplicity I set up NPS on my DC) I can see for both authentication types that the correct policies end up being used. So this leads me to believe that my policies are set up correctly.

I've noticed that if I first start my Win7 client with Computer authentication selected and then switch to User authentication, it re-authenticates using my correct user Network Policy with NO delay.  I can confirm via Security event log that this takes place.  But I've yet to get it where based solely on a user Network Policy there is no delay similar to the computer Network Policy. 

NPS SQL missing reason-code in Server 2012 R2


Hi

It seems like several SQL fields in the 2012 R2 version of NPS logging have been removed.

Amongst others the Reason-Code field.

Most people only refer to log files to see why someone can't connect to the vpn server.

In previous versions we had a web front end for an SQL view that gave you the reason why the server denied access, so that we do not need to give helpdesk personnel access to the log files, and we also filter which operations' VPN sessions they can see (via multiple VPN NPS policies and then filtering the SQL view based on their permissions).

Is there any way to restore the logging of this field to SQL, as well as logging the source IP address of the request (our investors require this and we get audited on it) together with the issued IP (non-DHCP)? We are not allowed to run DHCP on this server since it is situated in a 3rd-party datacenter.

Regards

Johan

Cannot add CA server to HRA


Hi,

I am trying to configure the HRA role service on W2K8 R2. I try to add a certificate authority server but I receive the error "Please enter a valid certificate authority". I select Browse... so I can choose the CA without having to enter the name manually. Yet I get this error with 2 out of a total of 4 CA servers, as if the name was not correct; I get the same message when I enter an incorrect name manually. HRA is in subdomain.mydomain.int while the CA servers are in mydomain.int. It works OK with two of the CA servers.

This is what I checked:

- 135 and >1024 ports open from HRA to CA;

- HRA server added permission on CA servers to Issue and Manage Certificates, Manage CA, and Request Certificates.

Any help would be appreciated.

Pawel


Cheers, Pawel Lakomski
Migrate from Cisco ACS to Microsoft Equivalent for Wireless 802.1x?


We have Cisco ACS 4.2 with PEAP MSCHAPv2 running on Server 2003 which allows both automatic computer authentication of our domain joined laptops and manual user authentication via the users domain user names and passwords for devices not joined to our domain. We have a business need to allow approved, non-domain-joined computers to connect to our network, (so we absolutely cannot restrict network connections to only allow devices joined to our AD domain) but because of this, this is being abused and people are also bringing in their rogue personal laptops and smartphones and connecting to the wireless.

Support for Cisco ACS 4.2 ends this year and, before we pay for upgrading from 4.2 to 5.x, we would like to see if we could just retire ACS and Server 2003 and migrate our wireless to 802.1x managed by one of our existing Server 2008 or 2008R2 servers instead. 

One change we would like to make is to prevent users from authenticating from their personal smartphones and laptops by simply typing in their domain user names and passwords. We would like to have more control over which devices connect, and also make changes so that the users who are authorized to use outside devices not joined to our domain (such as contractors working in our office from their pre-approved company laptop) don't have their domain account get locked out every month when their domain password changes and they forget to update the saved wireless credentials on their devices.

We currently have older Cisco wireless access points which we may also replace with something else (maybe something that integrates best with Microsoft if we drop ACS).

Are there any particular types/brands of wireless access points that work well with Microsoft wireless authentication?

Can roles built into Server 2008 R2 handle migrating from Cisco ACS and also add the ability to manage authentication of approved devices that are not members of our domain, either without using user credentials at all or else using user credentials but not locking out their domain user accounts when the old/wrong password is saved in the wireless connection settings?

I suppose one option for contractor laptops would be to make a second account for the user with a non-expiring password and not give this account rights to do anything else except authenticate wireless and then have IT staff enter the credentials into the device for the user without telling the user what the password is (so they cannot add it to rogue devices), but I hope there is a better/easier option than that.

How to provide detailed QuarantineSystemHealthResult's for audit events


Hi!

I've written a SHV and SHA component based on the SDK code.

Everything is working fine, but on the server side I get no detailed error information included in audit events (e.g. event 6278).
In the "Quarantine Information" only the resultcodes provided by the SHV are logged, but no detailed text as for the Windows SHV:

Network Policy Server granted full access to a user because the host met the defined health policy. ...........

Quarantine Information: Result: Full Access Extended-Result: - Session Identifier: {D8927B8A-43C4-4552-8DE4-842B1017BDF7} - 2014-01-23 08:43:29.951Z Help URL: - System Health Validator Result(s): My Health Validator 1 Patchlevel Compliant No Data None[] (0x0 - ) (0x0 - ) (0x0 - ) (0x0 - ) (0x0 - ) (0x0 - ) My Health Validator 3 My client healthy WLAN NonCompliant No Data None[] (0x0 - ) (0xc0ff0002 - ) (0x0 - ) (0x0 - ) (0x0 - ) (0x0 - ) Windows Security Health Validator 2 Firewall Compliant No Data None[] (0x0 - ) (0x0 - ) (0x0 - ) (0x0 - ) (0x0 - ) (0x0 - ) (0x0 - ) (0x0 - ) Windows Security Health Validator 3 sNICE client healthy WLAN NonCompliant No Data None[] (0x0 - ) (0xc0ff0047 - A third-party system health component is not enabled. ..) (0x0 - ) (0xc0ff0001 - A system health component is not enabled. ..) (0xc0ff0004 - The signatures for a particular system health component are not up to date...) (0x0 - ) (0x0 - ) (0x0 - )

I've already implemented and registered the INapComponentInfo interface for this SHV. I can see only some calls for GetFriendlyName, GetDescription, ... and GetLocalizedString while using the NAP MMC, but ConvertErrorCodeToMessageId() is never called!

What is the right way to provide this information so that it gets logged?

Thanks

Franz

NAP "Reporting Mode" Still Blocks DHCP


I am testing out NAP for DHCP and I am trying to set up "reporting mode."

I see tons of references suggesting the use of reporting mode, but I don't see exactly how it is set up.

I am assuming it is set up by creating policies and setting them to grant access for both compliant and non-compliant computers.

However, despite no deny rules, whenever I enable NAP on the DHCP scope, the client is not able to contact DHCP.

There is no NAP compliance message on the workstation.  DHCP simply becomes not available until I remove NAP from the scope.

What causes this?

Exactly how is reporting mode set up, and where do you read the reports on which systems pass and fail?

NPS PEAP MSChapv2 Access-Challenge Problem


Hi,

I hope you can help me.
We have a WLAN infrastructure with PEAP and MSCHAPv2 authentication. That still works fine internally.
As we participate in Eduroam, you can log in at other academic institutions. Until February it all worked perfectly. But since March, I get Access-Challenge messages from the NPS sent to the RADIUS proxy and the authentication fails.
In the NPS logs there are no entries for the user that tries to connect.

Do you have any ideas?

RadiusProxy Logs

Mar 10 08:47:38 2014: Access-Request with username: aduser@local.domain.de
Mar 10 08:47:38 2014: found matching realm: /@local\.domain\.de$
Mar 10 08:47:38 2014: found matching conf: NPS
Mar 10 08:47:38 2014: sendrq: inserting packet with id 171 in queue for NPS
Mar 10 08:47:38 2014: sendrq: signalling client writer
Mar 10 08:47:38 2014: clientwr: got new request
Mar 10 08:47:38 2014: clienradputudp: sent UDP of length 307 to NPSIPAddress port 1812
Mar 10 08:47:38 2014: freerealm: called with refcount 4
Mar 10 08:47:38 2014: radudpget: got 94 bytes from NPSIPAddress
Mar 10 08:47:38 2014: buf2radmsg: message auth ok
Mar 10 08:47:38 2014: got Access-Challenge message with id 171

regards

Micha

Server 2012 Built-In IPSec VPN & RAS & HyperV-Switch & Netgear Pro Safe Router, Tunnel Ok, but no Traffic


Hello,

I am trying to set up an IPsec VPN (site-to-site or, if not possible, client-to-site) between a Netgear Pro Safe router and Windows Server 2012.

The problem: the tunnel is up and running, but no ping, no traffic at all.

The Server 2012 uses Hyper-V and has one hardware NIC with a public IP, let's say 123.123.123.1.

If no site-to-site is possible in my situation with built-in tools, this server would be only a client site which would "dial up" to the Netgear box.

The server has a second virtual NIC with IP 192.168.137.1. Routing and RAS is enabled, because there are two other virtual servers which have 192.168.137.2 and 192.168.137.3.

The Netgear ProSafe has public IP 122.122.122.1 and LAN subnet 192.168.21.0/24.

I created the tunnel in the Advanced Firewall Options window. Both Windows and the router say the VPN tunnel is OK. Also, I can see ESP packets with Wireshark.

If I ping (from router to server and in the other direction) I get no response. Some people said the RAS itself could not accept packets, but I tried from one of the virtual clients as well (192.168.137.2) and no ping there either.

I tried to add a route for subnet 192.168.21.0 with 192.168.137.1 as gateway, but that didn't help either.

Now, after all the time I spent today on this problem, I'm a bit confused.

As far as I know VPN connections, there are always virtual devices, and routes for the VPN subnets assigned to these devices.

The Windows firewall does not create any device, and it does not create any route. I suppose this is because "Routing and RAS" or the "Windows Firewall service" does this work "internally". Is that correct? Do I need any routes?

I was wondering why the ICMP packet from my ping in Wireshark had the public IP as source (123.123.123.1) and not the "internal" 192.168.137.1. I tried to restrict the VPN rule to only the virtual internal NIC, but this isn't possible, as there is no such option in the GUI.

It would be great if somebody could explain to me how the config and packets SHOULD look... I've never used the built-in VPN/IPsec/RAS services before, so I don't know how things have to be for a correctly working environment. Also, I need a solution, and any help solving the problem would be great as well!

Now I will try to sleep one night; maybe I get some nice idea after some hours of sleep. Good night.

Addition: After some more tests I found out that if I change the local endpoint (endpoint 1) from the virtual network (192.168.137.0/24) to the public IP of the server (123.123.123.1), inside the tunnel rule and inside the VPN policy of the router, I can access the Netgear and other devices in the remote network 192.168.21.0 over these IP addresses. Ping is not working, but other things seem to work fine. I want to be able to ping as well, of course, and this weird configuration looks wrong to me... can some network professional help out with an explanation?

Second Addition: I can set the Local Endpoint also to "any" and it does work - but ping still does not work :-(

Third Addition: The ping does work if I disable the NAT functionality on the physical NIC. ....mhm.....
