Channel: Network Access Protection forum

There are currently no logon server available to service the logon request


I have three Windows Server 2003 R2 machines running in a real corporate network; those three are AD domain controllers. I created 2 new users in Exchange 2007 and they were immediately replicated to AD. I tested the 2 accounts inside the network and they can log in without any issues. These 2 new users are sales, so I tested everything outside on a different network. I logged in to the same laptop as an admin and am able to access the laptop fine. But if I try to log in as one of the new users it gives the error: There are currently no logon servers available to service the logon request. Also, I created other users before in the same environment and they can log in and use the resources without any issues.

Any ideas, please?


802.1x and new users


I have set up dot1x with NPS. My client machines are Windows XP SP3 and Windows 7. If I add a new user to the domain, or if an existing user logs onto a PC that they have never logged on to before, they receive the error "The system cannot log you on because there are currently no logon servers available to service the logon request." In Windows 7 I configured user or computer authentication and enabled single sign-on to perform immediately after user logon, but I still have the problem.

Do you have any idea to help me?

NLA (nlasvc) issue Windows 2008


Got a customer that for whatever reason has two NICs both residing on the same subnet and both have the same gateway defined (Yes, Windows warns you about this but it does "work" for lack of a better term). They have this setup so OWA and other protocols coming from the outside can have one NIC while inside clients hit the other NIC. I'm not saying it's best practice and I'm not saying I'd configure it like that, but it is what it is.

The problem is that when the server boots, Network Location Awareness changes the profile from a "Domain" to a "Private" network category, and when it's private a lot of resources are cut off at the local firewall level (i.e. RDP, Exchange features, HTTP, etc.). I've looked around and have messed with local policy, GPOs, etc. and cannot make this quit reverting to that private network. Any ideas aside from telling the customer that he's best to just use one NIC?

We are currently going to try disabling NLA altogether and see what happens. Any thoughts at all?

dt

NPS as Radius Server for 802.1x - Mac Filtering


I have successfully deployed DHCP with MAC filtering; however, it is still open security-wise, since the access points don't have any security.

Just putting a static IP will give access to the network.

The wireless LAN clients are Windows and non-Windows devices such as laptops, desktops and handhelds.

So the idea is to implement NPS and to configure the RADIUS server, creating a policy just for filtering the MAC address of the device.

Is this possible using NPS?

How can I specify the MAC address list of all devices?

All this will be for Windows and non-Windows devices.

Hope the requirement is clear.

lovalles

Explicit EAP failure received


Our NPS solution works on all ten desktops. All are able to successfully authenticate using dot1x and get into the proper VLAN. However, a new batch of three desktops, newly installed two days back, are unable to go through dot1x authentication.

Instead it ends at an explicit EAP failure with a red question mark on the network adapter. The client is Windows 7 Ultimate.

Any ideas what the differentiating factor between these Windows 7 machines can be, causing some to pass and these new ones to fail?

The NAPAgent and dot3svc services are also started, with the same NAP settings through GP on all machines.

Also executed sc config dot3svc depend= napagent.

The switch is a 3Com model 4210, working perfectly with all other Windows 7 desktops.

Any idea?


Shahid Roofi

NPS using PEAP and PAP for MAC Authorization


I have some questions dealing with MAC authorization, PAP, and PEAP. At my company our current wireless configuration is using a Win2k3 IAS server with certificate-based EAP-PEAP authentication using MSCHAPv2, but also unencrypted authentication via PAP. The individual responsible for this configuration has long since left the company and I am responsible for implementing a new wireless network using a similar config, which leads me to post on this forum.

In this config we have two factors of authentication. The first would be MAC authorization, which requires unencrypted authentication using PAP, and the other is AD authentication using PEAP-MSCHAPv2. I can actually check the logs and see the clients authenticating with the AD user account and the AD MAC account. Here are the questions.

PAP is selected as the authentication method and PEAP as the EAP type in the same policy, to hopefully force both forms of authentication. The first question is which form of authentication is actually being implemented: PAP, PEAP-MSCHAPv2, or both? Second, if it is PAP, my concern is whether the AD authentication will be sent across in plain text as the MAC authorization is. And is the MAC authorization accompanying the AD authentication providing further security at all, or is it superfluous?

If you need me to clarify the situation further let me know.

On another note I couldn't verify my account to upload images or include any links.

Configuring 802.1x computer authentication in higher priority than user authentication


Hi guys,

I have a question. I want to implement 802.1x-based authentication and I'd like to configure it according to the following scenario:

1. Computer is turned on.

2. If the computer is a part of my domain, it will be granted full access to the network.

3. If it is not a part of the domain, the user will be prompted to enter his credentials.

Switches and NPS server are already configured and it works perfectly, but I have an issue with the client (Win7) configuration.

It seems like if I configure the "Authentication" tab of the connection settings to use user or computer authentication, the priority of user authentication is higher than the computer authentication, because I'm being prompted for user credentials instead of getting full network access even when my computer is a part of the domain.

Is the priority of the user authentication really higher than the computer authentication? Is there a way to change it to meet my wanted scenario?

Thanks guys,

Lena.


Android and Windows server


Hi,

I have an NPS server for my WIFI.

Actually I use user + machine authentication. It works great.

But we have to integrate a fleet of Android tablets and we wanted to have the same user + machine authentication.

How could we do this?

Thanks,


WPA2-Enterprise WIFI TKIP PEAP authentication and expiring domain user passwords?


How do people deal with users' passwords expiring when their user account is what authenticates to WIFI?

A user takes a laptop out of the office and their domain user password expires while they are logging in with cached expired credentials.

They bring the laptop back to the office days later, the laptop connects to WIFI with the old password and promptly locks out their domain user account, and they have to plug the laptop into a wired connection to get their cached credentials synced with the network.

Doesn't a computer account password also expire every 30 days, and wouldn't it cause the same expired-password issue if the WIFI was set up for computer-only authentication?

To get around this, we manually set up laptop WIFI authentication with a dedicated user account that has a non-expiring password instead of having the WIFI use their Windows login. This is also a lot of work because there is no way to specify the dedicated user name and password via Group Policy, so it has to be typed into each laptop by hand by an IT tech.

Is there a better/easier way to do this that will not lock out the user accounts when they bring in laptops that have cached expired passwords?

"OR" condition in policies! Where is it?


Hi there!

A very simple issue, but I cannot find the solution.

I have several different network policies and in some of them I want "or", but I cannot do that!

For example, I want to add a condition when the Windows group is "test" and the client IPv4 address is 1.1.1.1 or 2.2.2.2, but this does not work.

When I add two Client IPv4 Address conditions it treats them as AND and it does not work.

And typing any combination of 1.1.1.1 OR 2.2.2.2 - 1.1.1.1,2.2.2.2 - 1.1.1.1;2.2.2.2 did not do the trick!

So where is it?

Simply, I'd like to say: if the client IPv4 address is one of these access points.

Thanks

Preparing network connections!!!

What can I do to make it faster, and also to make my server faster?

Windows 2003

Thanks

Is there such a device?


I need to do a demo of NAP and am wondering if there is a switch/wireless router that supports all the features needed for NAP in a small form factor that will fit into my laptop bag at a reasonable (?) price. I would like to demonstrate Windows 7 clients using wireless and being placed into the non-compliant VLAN as one example. I just need to meet the basic requirements for this device and keep the cost down if possible. I would be willing to consider used devices. Posts about supported devices all appear to be out of date.

Here are the requirements I have gathered:

Required - 802.1X authentication
Required - EAP authentication pass through to RADIUS
Required - Traffic segmentation (for example, VLAN or ACL)
Required - Assignment of port characteristics based on RADIUS attributes
Recommended - Fallback behavior for clients that do not support 802.1X authentication
Recommended - Fallback behavior for clients that fail authentication

Thanks

IAS CA cert expires soon and use order to change to new cert


Hi team, we have an IAS on a Windows 2003 server acting as ACS's proxy for AD integration. The certificate issued to the IAS expires in a few days and it will cause WLAN authentication issues. We tried to renew the cert but failed, so I created a new certificate on the IAS server after installing a CA, and in IAS I created a new access policy using the new certificate. I plan to remove the old policy so the authentication will use the new one with the new certificate, but I'm not sure if it works. So I am wondering if I can change the "order" of the old policy from 1 to 2, and the new policy to 1, so that the authentication will use the new policy with the new certificate. Will this work? I want a backup in case it fails, so that I can easily change the order back to use the old policy. Any advice please? Thanks

Thanks and best regards, -- KF

Migrate IAS on win2003 to NPS on win2008r2

Hi team, we are migrating Windows 2003 to 2008 and so the IAS needs to migrate to NPS. Can I just import the policy into NPS, or do I need to manually reconfigure the policy? Currently our WLAN uses Cisco ACS 5.3 to authenticate, and it points to IAS as a proxy for AD authentication. Any advice on the migration? Thanks


Thanks and best regards, -- KF


NPS, Public Cert and Multiple Servers


Hi,

We have two NPS proxies and 4 NPS servers behind them.

The proxies are servicing many WIFI APs for dynamic VLAN using dot1x and authentication using PEAP/MSCHAPv2.

I found some related posts but none of them was totally complete.

The main question is: has anyone bought a public cert for NPS which is working? I chatted with GoDaddy, GeoTrust and Thawte but they never gave me a total solution or a definite YES or NO.

They just say "if it is this way or that way, yes we can, otherwise no", so I cannot reach a final decision.

And after that the question is: can I install one cert on all NPS servers?

Thanks all


NAP Question


Friends,

I need help. I'm trying to deploy NAP; in my environment I have Windows Server 2008 R2 and Symantec Endpoint Protection.

So I need a signature to be able to include in NAP; Symantec staff could not inform me about this signing.

I wonder how I should proceed?


MCP - MCTS

NPS - client (computer) certificate use SHA512


Hi,

I have a question concerning the certificate requirements for NPS.
We are in a mixed environment, using XP and W7 clients. Both clients use PEAP-EAP-TLS for wireless authentication (computer certificates).

I know the NPS server (RADIUS) cannot handle certificates generated with the new Cryptographic API from a 2008 CA; however, what about the client (computer) certificates?

The plan is that our clients, XP and W7, will both get certificates signed with a SHA512 hash; the NPS server certificate is based upon the 2003 (v2) template and uses a SHA1 hash.

Would they be able to authenticate to the NPS server using PEAP-EAP-TLS? Has anyone tested this configuration?
Regards, Armand

Dynamic VLAN switching not working correctly


Hi

I'm having a hard time configuring a wired 802.1x test lab. Everything went OK on the server side, but I'm getting some weird results when it comes to VLAN switching: every time a client authenticates it ends up in the "healthy" VLAN, meaning that it succeeded in authenticating. When I disable the 802.1x service on a client computer and it cannot authenticate, it still moves to VLAN 3 although it should be moved to VLAN 2.

-----

Environment:
NAP server: 192.168.0.10
Switch: 192.168.0.3
Client: 192.168.0.100 (static ip)

----- 

Policies on NPS:

I've run a wizard to create wired 802.1x policies including the settings concerning VLANs. My "Compliant" policy has the following settings:
Tunnel-Medium-Type: 802 (includes all 802...)
Tunnel-Pvt-Group-ID: 3
Tunnel-Type: Virtual LANs (VLAN)
Tunnel-Tag: 1
Health policy: Compliant

"Noncompliant" policy:
Tunnel-Medium-Type: 802 (includes all 802...)
Tunnel-Pvt-Group-ID: 2
Tunnel-Type: Virtual LANs (VLAN)
Tunnel-Tag: 1
Health policy: Noncompliant

"Non NAP-Capable" policy:
Tunnel-Medium-Type: 802 (includes all 802...)
Tunnel-Pvt-Group-ID: 2
Tunnel-Type: Virtual LANs (VLAN)
Tunnel-Tag: 1

In the Windows Security Health Validator I've only ticked the "firewall on" box, nothing else.

------

Switch config:

aaa authentication dot1x default group radius
aaa authorization network default group radius
authentication mac-move permit
ip subnet-zero
dot1x system-auth-control

vlan internal allocation policy ascending
vlan 2
 name non-compliant
vlan 3
 name compliant

! this is the client interface
interface GigabitEthernet2/0/1
 switchport mode access
 dot1x pae authenticator
 spanning-tree portfast

! this is the NAP server interface
interface GigabitEthernet2/0/24
 switchport mode access
 spanning-tree portfast

interface Vlan1
 ip address 192.168.0.3 255.255.255.0
 no ip route-cache

-----
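Added example, not code from the post above: how the three settings listed in each NPS network policy (Tunnel-Type VLAN, Tunnel-Medium-Type 802, Tunnel-Pvt-Group-ID, all with tag 1) are encoded as RFC 2868 tagged RADIUS attributes in an Access-Accept, and how a switch following RFC 3580 derives the VLAN from them, returning None when the tags or values do not line up. It assumes only the standard attribute numbers (64, 65, 81) and the RFC values 13 (VLAN) and 6 (802).

```python
from __future__ import annotations
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13   # Tunnel-Type "VLAN" (RFC 3580)
TUNNEL_MEDIUM_802 = 6   # Tunnel-Medium-Type "802" (RFC 2868)
TAGGED = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID}

def encode_vlan_attrs(vlan_id: int, tag: int = 1) -> bytes:
    """Emit the three tagged AVPs an NPS network policy adds to Access-Accept for a VLAN."""
    if not 1 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tag must be 0x01..0x1F")
    def avp(attr_type: int, value: bytes) -> bytes:
        return struct.pack("!BB", attr_type, 2 + len(value)) + value  # Type, Length, Value
    def tagged_int(v: int) -> bytes:
        return bytes([tag]) + v.to_bytes(3, "big")  # 1 tag byte + 3-byte integer
    return (avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_802))
            + avp(TUNNEL_PVT_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def decode_avps(blob: bytes) -> list[tuple[int, int, bytes]]:
    """Return (type, tag, value); a first byte above 0x1F is data, not a tag, so tag is 0."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed AVP")
        t, val = blob[i], blob[i + 2:i + blob[i + 1]]
        if t in TAGGED and val and val[0] <= 0x1F:
            out.append((t, val[0], val[1:]))
        else:
            out.append((t, 0, val))
        i += blob[i + 1]
    return out

def vlan_from_accept(blob: bytes) -> int | None:
    """VLAN the switch assigns: Tunnel-Type=VLAN, Medium=802 and a Group-ID sharing one tag."""
    groups: dict[int, dict] = {}
    for t, tag, val in decode_avps(blob):
        g = groups.setdefault(tag, {})
        if t == TUNNEL_TYPE:
            g["vlan"] = int.from_bytes(val, "big") == TUNNEL_TYPE_VLAN
        elif t == TUNNEL_MEDIUM_TYPE:
            g["802"] = int.from_bytes(val, "big") == TUNNEL_MEDIUM_802
        elif t == TUNNEL_PVT_GROUP_ID and val.isdigit():
            g["id"] = int(val)
    for g in groups.values():
        if g.get("vlan") and g.get("802") and "id" in g:
            return g["id"]
    return None  # no consistent triple: the switch falls back to the port's local VLAN config
```

A client whose 802.1x service is disabled never completes EAP, so no Access-Accept and none of these attributes apply to it; its VLAN comes from the switch port's own configuration rather than from any NPS policy.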



Configure Trend Micro 10 AV for NAP


Hi,

We are working on NAP PoC/testing. One of the items to be validated by NAP is Trend Micro AV updates.
Is there any guide/documentation on how to configure Trend Micro with NAP?

Thanks

How can I restrict devices (Android + iPhone) on RRAS VPN?


Hi,

I have configured RRAS with NPS authentication on Windows Server 2008 R2. I am facing a problem: VPN clients connect via MS OS, but some clients dial my VPN through Android and iPhone. How can I restrict authentication of these devices on the VPN server through NPS?
