Channel: Network Access Protection forum
Viewing all 1875 articles

RADIUS \ NPS - Connection Issues - Help greatly appreciated.

Hello,

I have been banging my head against this issue, and would greatly appreciate some assistance getting it worked out. My goal here is to authenticate both domain and non-domain devices (laptops, smart phones, tablets, etc.) to my network. I've followed several tutorials without much luck, and I feel my lack of knowledge on this particular topic weighing on me.

I am currently working in a lab environment, which consists of a Server 2012 VM with Active Directory installed and configured. I've also set up and configured my wireless access point, which I've confirmed works just fine using WPA-Personal. I've installed NPS, as well as AD CS, using all of the defaults.

I'd like to know the opinions of anyone here as to the best way to set up this environment for my needs. As mentioned above, I want to authenticate both domain and non-domain devices. Should I be setting up certificates of some sort for this goal? Or can I stick with just plain AD user/password access?

I've configured my WAP for WPA-Enterprise, specified the RADIUS server IP, and entered the shared secret. I've configured NPS w/ my RADIUS client (that being my WAP). My Wireless Policy consists of the following:

Overview:

Policy Enabled
Grant Access
Ignore User account dial-in properties checked.
Type of network access server: Unspecified.

Conditions:

NAS Port Type - Wireless - Other OR Wireless - IEEE 802.11
Windows Group - DomainName\Wireless Users (I created the Wireless Users security group and added one newly created user to the group)

Constraints:

EAP Types: Microsoft: Secured Password (EAP-MSCHAP v2)
Less Secure Auth. methods selected: MS-CHAP-V2, MS-CHAP

Everything else in the network policy is set to its default, and I've registered the NPS server in AD.

My attempts to connect fail, and the only relevant entry being logged, in the Network Policy Server log, is what I've copied below. Please ask for any information that may help me work this out; I'm all ears!

Thank you.

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID:Domain\Daniel
Account Name:Domain\Daniel
Account Domain:Domain
Fully Qualified Account Name:Domain\Daniel

Client Machine:
Security ID:NULL SID
Account Name:-
Fully Qualified Account Name:-
OS-Version:-
Called Station Identifier:2A-A4-3C-99-FE-CA:DomainWIFI
Calling Station Identifier:00-24-D6-A4-C8-8A

NAS:
NAS IPv4 Address:192.168.1.100
NAS IPv6 Address:-
NAS Identifier:24a43c98feca
NAS Port-Type:Wireless - IEEE 802.11
NAS Port:0

RADIUS Client:
Client Friendly Name:UniFi
Client IP Address:192.168.1.100

Authentication Details:
Connection Request Policy Name:Wireless Policy
Network Policy Name:Wireless Policy
Authentication Provider:Windows
Authentication Server:WIN-PBL42GEIH4E.Domain.local
Authentication Type:EAP
EAP Type:-
Account Session Identifier:-
Logging Results:Accounting information was written to the local log file.
Reason Code:22
Reason:The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.


Can't log in with any account locally or remotely to my server running Windows Server 2003 R2

Hello!

We have an AD server running Windows Server 2003 R2. It was fine last Friday, but this Monday I cannot log in remotely to the server. I mean, it does log in, but the session does not start: it says "configuring desktop", then suddenly "closing session", and the remote desktop closes. Then I decided to go to the datacenter and log in locally, but there I found the same problem. What is going on? Nothing changed in hardware or software between Friday and Monday; I tried manually restarting the server, but it is the same problem once Windows starts.

Thank you for your help.

Connection Manager Administration Kit - How to prevent users from caching password

On the connection dialog box, is there a way to prevent users from:

Checking the dialog box on the Save Password field?

Removing or ghosting out the Login domain field?

Stepped through the CMAK wizard and did not see an option anywhere.

By the way, are there any useful technical guides out there I could reference as well?

NPS Calling Station ID field limit #2

This refers to a question that was closed too early: http://social.technet.microsoft.com/Forums/windowsserver/en-US/1b92513d-5a41-4c14-9e3e-f35eebccd4d3/nps-calling-station-id-field-limit?forum=winserverNAP

I'm sorry, but regex does not help.
We need to authenticate per MAC, and even if we cut them in half with a regex (removing the vendor string), it would still exceed the 256-character limit.
Currently we are using the method stated in the tip from http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx and the result is a Calling Station ID of 1080 chars and growing.

If there really is no other solution, this is a huge step back from Server 2003 IAS.
As mentioned, the NPS service itself accepts more than 256 chars, but the GUI does not, so why was this implemented?!
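The following is an added example, not part of this thread and not NPS tooling, for anyone measuring how far a MAC allowlist gets against the 256-character console limit discussed above. It builds a prefix-factored regular expression for the Calling-Station-Id condition from a list of MAC addresses (addresses sharing an OUI share one branch), compares its length with the flat alternation most people try first, and verifies that every listed address matches and a non-listed one does not. It assumes the NAS sends the address in the dashed uppercase form seen in the first post of this feed ("00-24-D6-A4-C8-8A"), or with colons, or with no separators; the pattern is a literal, so a NAS that sends lowercase would need a different normalization. All addresses except 00-24-D6-A4-C8-8A are constructed.

```python
"""Prefix-factored Calling-Station-Id regex for an NPS MAC allowlist (added example)."""
import re

NPS_GUI_LIMIT = 256            # the console limit reported in this thread
SEP = "[-:]?"                  # assumption: NAS sends AA-BB-CC-DD-EE-FF, AA:BB:... or AABBCC...


def normalize_mac(mac: str) -> str:
    """Return 12 uppercase hex digits, rejecting anything that is not a MAC address."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.upper()


def _octets(mac12: str) -> list:
    return [mac12[i:i + 2] for i in range(0, 12, 2)]


def _build_trie(macs) -> dict:
    """Nested dict keyed by octet: shared prefixes (the OUI first) become shared nodes."""
    root = {}
    for mac in macs:
        node = root
        for octet in _octets(normalize_mac(mac)):
            node = node.setdefault(octet, {})
    return root


def _emit(node: dict, depth: int) -> str:
    """Alternation for one trie level; depth is the number of octets already emitted."""
    branches = []
    for octet, child in sorted(node.items()):
        tail = "" if depth == 5 else SEP + _emit(child, depth + 1)   # no separator after octet 6
        branches.append(octet + tail)
    return branches[0] if len(branches) == 1 else "(" + "|".join(branches) + ")"


def factored_regex(macs) -> str:
    """Anchored pattern matching exactly the listed MACs, with common prefixes shared."""
    if not macs:
        raise ValueError("empty allowlist")
    return "^" + _emit(_build_trie(macs), 0) + "$"


def flat_regex(macs) -> str:
    """The naive one-branch-per-address alternation, kept only to compare lengths."""
    alts = sorted({SEP.join(_octets(normalize_mac(m))) for m in macs})
    return "^(" + "|".join(alts) + ")$"


def fits_gui(pattern: str) -> bool:
    return len(pattern) <= NPS_GUI_LIMIT


def verify(pattern: str, allowed, denied) -> list:
    """Return the Calling-Station-Id values whose match result is wrong (should be empty)."""
    rx = re.compile(pattern)
    wrong = [m for m in allowed if not rx.search(m)]
    wrong += [m for m in denied if rx.search(m)]
    return wrong


# Constructed allowlist; only 00-24-D6-A4-C8-8A comes from an event quoted in this feed.
# Values are tested exactly as a NAS would send them, so case matters.
ALLOWLIST = ["00-24-D6-A4-C8-8A", "00:24:D6:A4:C8:8B", "0024D6174201", "3C-97-0E-11-22-33"]
NOT_LISTED = ["00-24-D6-A4-C8-8C", "3C-97-0E-11-22-34"]

if __name__ == "__main__":
    pattern = factored_regex(ALLOWLIST)
    print(pattern)
    print(f"factored: {len(pattern)} chars, flat: {len(flat_regex(ALLOWLIST))} chars, "
          f"fits GUI limit: {fits_gui(pattern)}")
    print("mismatches:", verify(pattern, ALLOWLIST, NOT_LISTED))
```

Run `verify` against real Calling-Station-Id values captured from your NAS before pasting the pattern into the policy; the saving from factoring depends entirely on how many addresses share vendor prefixes, and a list spread across many OUIs may still not fit.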

NPS + Domain Controller

Hello

Can I install NPS with RADIUS on a domain controller?

Thanks for answering

Marc

Where are the logs for NPS stored?

I have the following setup:

Windows Server 2012 R2 with RRAS and NPS on the same box.

I am using secondary authentication via a product called Duo Security.

Initially I had this configured with RRAS authenticating via Duo Security RADIUS which works fine.

I have now installed NPS as mentioned, and it seems that the RADIUS client is now Duo Security and the remote RADIUS server is the RRAS box.

Everything seems to work as before but I cannot see any of my rules (such as deny login) working.

The user account is set to use NPS.

Where can I find the logs that will help me troubleshoot my setup?


DHCP enforcement of NAP: Want only domain PCs to get IP addresses

Hi,

I would like for the DHCP server to only issue IP addresses to computers that are members of the domain. According to the info I read from Microsoft, it should be possible to check the computer group in the DHCP enforcement.

I created a policy in NPS to grant access to computers which are members of the Domain Computers group. However, it doesn't seem to work. It doesn't recognize that the computers are in the group.

When I look at the event logs it appears that the computers are not doing any authentication. Do I need to set up some kind of authentication for this to work? I am not concerned with the health of the computers; I always want DHCP to provide an IP address as long as the computer is part of the domain.

Thanks in advance for any suggestions.

How to limit the number of connections on a specific port

Hi,

I installed an application and it runs on port 1935

on Windows Server 2008 R2 SP1.

Kindly advise how to limit the number of connections on this port.


Ramy


Some Radius wifi clients cannot logon

We are retiring a Server 2003 Radius server and moving to NPS on Windows 2012 R2.

I chose to build a new root certificate authority rather than migrate the old one.  The new NPS server is also the PDC FSMO role master.  We use user certificates for wifi authentication.

Wireless clients can log on if they are Windows 8 or iOS devices.  Windows XP and 7 clients all fail.  If I un-check "validate server certificate", then some clients can log on.

I have verified the CA root certificate, the user certificate with private key, the NPS certificate.  Everything seems to be correct.  The user certificate is in the Personal/Certificates store.  The CA cert is in the Trusted Root Certification Authorities store.

The NPS policy is "smart card" with the proper NPS certificate presented.

What's crazy is on iPads, you can see the iPad download the correct CA certificate and ask if you accept it.  So I know all the shared secrets and access point stuff is correct.  But when XP or 7 tries to connect, it fails.

NPS log shows return code 16, but the certificate is the correct one, and it's a valid account (mine).  I've run out of ideas.  Any suggestions?

<Event>
  <Timestamp data_type="4">08/04/2014 20:02:22.067</Timestamp>
  <Computer-Name data_type="1">MEGATRON</Computer-Name>
  <Event-Source data_type="1">IAS</Event-Source>
  <Class data_type="1">311 1 192.168.0.7 08/04/2014 21:36:55 70</Class>
  <EAP-Friendly-Name data_type="1">Microsoft: Smart Card or other certificate</EAP-Friendly-Name>
  <Quarantine-Update-Non-Compliant data_type="0">0</Quarantine-Update-Non-Compliant>
  <Client-IP-Address data_type="3">192.168.0.5</Client-IP-Address>
  <Client-Vendor data_type="0">0</Client-Vendor>
  <Client-Friendly-Name data_type="1">sophos</Client-Friendly-Name>
  <Proxy-Policy-Name data_type="1">NAP 802.1X (Wireless)</Proxy-Policy-Name>
  <Provider-Type data_type="0">1</Provider-Type>
  <SAM-Account-Name data_type="1">DOMAIN\user</SAM-Account-Name>
  <Fully-Qualifed-User-Name data_type="1">DOMAIN\user</Fully-Qualifed-User-Name>
  <Authentication-Type data_type="0">5</Authentication-Type>
  <NP-Policy-Name data_type="1">Wifi</NP-Policy-Name>
  <Packet-Type data_type="0">3</Packet-Type>
  <Reason-Code data_type="0">16</Reason-Code>
</Event>
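As an added example (not from any post in this feed, and not NPS's own tooling): a small triage helper for the two record formats that appear in this feed, the Event Viewer text of a "Network Policy Server denied access to a user" event (quoted in the first post, and the kind of entry the "Where are the logs for NPS stored?" post is looking for) and the DTS-compliant XML log record quoted in this post. It normalizes both into one record with the user, NAS, policy, authentication type, EAP type and Reason-Code, so rejects from either source can be counted by reason and NAS. The Reason-Code table is partial: the texts for 22 and 265 are the ones quoted in this feed, 16, 48, 49 and 66 carry the text NPS uses for those codes, and any other code is reported as not in the table rather than guessed; the packet-type and authentication-type numbers are the DTS format's values. The embedded sample records are copied, abridged, from the posts above.

```python
"""Normalize NPS authentication events from two log formats (added example)."""
from collections import Counter
import xml.etree.ElementTree as ET

# Reason-Code meanings as NPS reports them; 22 and 265 are quoted in this feed.
# Partial table: anything else is reported as unknown rather than guessed.
REASON = {
    0: "Success.",
    16: "Authentication failed due to a user credentials mismatch. Either the user name "
        "provided does not map to an existing user account or the password was incorrect.",
    22: "The client could not be authenticated because the Extensible Authentication "
        "Protocol (EAP) Type cannot be processed by the server.",
    48: "The connection request did not match any configured network policy.",
    49: "The connection request did not match any configured connection request policy.",
    66: "The user attempted to use an authentication method that is not enabled on the "
        "matching network policy.",
    265: "The certificate chain was issued by an authority that is not trusted.",
}
# Numeric fields of the DTS-compliant format.
PACKET_TYPE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request", 11: "Access-Challenge"}
AUTH_TYPE = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAPv2", 5: "EAP", 7: "None", 8: "Custom"}


def parse_text_event(body: str) -> dict:
    """Event Viewer form: 'Section:' headers, each followed by 'Key:Value' lines."""
    sections, current = {}, ""
    for raw in body.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue                          # prose lines carry no field
        if line.endswith(":"):
            current = line[:-1]               # "User:", "NAS:", "Authentication Details:"
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition(":")   # values may themselves contain ':'
        sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def parse_dts_event(xml_text: str) -> dict:
    """DTS-compliant log: one <Event> per record; data_type="0" marks integers."""
    record = {}
    for el in ET.fromstring(xml_text.strip()):
        value = (el.text or "").strip()
        is_int = el.get("data_type") == "0" and value.lstrip("-").isdigit()
        record[el.tag] = int(value) if is_int else value
    return record


def _record(user, nas, calling, policy, auth, eap, packet, code):
    return {"user": user, "nas": nas, "calling_station": calling, "policy": policy,
            "auth_type": auth, "eap_type": eap, "packet_type": packet, "reason_code": code,
            "reason": REASON.get(code, f"reason code {code} is not in this table")}


def summarize_text_event(body: str) -> dict:
    s = parse_text_event(body)
    d = s.get("Authentication Details", {})
    packet = ("Access-Reject" if "denied access" in body
              else "Access-Accept" if "granted access" in body else None)
    return _record(s.get("User", {}).get("Account Name"),
                   s.get("NAS", {}).get("NAS IPv4 Address"),
                   s.get("Client Machine", {}).get("Calling Station Identifier"),
                   d.get("Network Policy Name"), d.get("Authentication Type"),
                   d.get("EAP Type"), packet, int(d.get("Reason Code", -1)))


def summarize_dts_event(xml_text: str) -> dict:
    r = parse_dts_event(xml_text)
    return _record(r.get("SAM-Account-Name"), r.get("Client-IP-Address"),
                   r.get("Calling-Station-Id"), r.get("NP-Policy-Name"),
                   AUTH_TYPE.get(r.get("Authentication-Type")), r.get("EAP-Friendly-Name"),
                   PACKET_TYPE.get(r.get("Packet-Type")), r.get("Reason-Code", -1))


def rejects_by_reason_and_nas(records) -> Counter:
    """Count non-success records by (reason_code, nas): the first cut when triaging a flood."""
    return Counter((r["reason_code"], r["nas"]) for r in records if r["reason_code"] != 0)


# Sample records copied (abridged) from the posts in this feed.
EVENT_6273 = r"""Network Policy Server denied access to a user.
User:
Account Name:Domain\Daniel
Client Machine:
Security ID:NULL SID
Called Station Identifier:2A-A4-3C-99-FE-CA:DomainWIFI
Calling Station Identifier:00-24-D6-A4-C8-8A
NAS:
NAS IPv4 Address:192.168.1.100
NAS Port-Type:Wireless - IEEE 802.11
Authentication Details:
Network Policy Name:Wireless Policy
Authentication Type:EAP
EAP Type:-
Reason Code:22
Reason:The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."""

DTS_EVENT = """<Event><Computer-Name data_type="1">MEGATRON</Computer-Name>
<EAP-Friendly-Name data_type="1">Microsoft: Smart Card or other certificate</EAP-Friendly-Name>
<Client-IP-Address data_type="3">192.168.0.5</Client-IP-Address>
<SAM-Account-Name data_type="1">DOMAIN\\user</SAM-Account-Name>
<Authentication-Type data_type="0">5</Authentication-Type>
<NP-Policy-Name data_type="1">Wifi</NP-Policy-Name>
<Packet-Type data_type="0">3</Packet-Type>
<Reason-Code data_type="0">16</Reason-Code></Event>"""

if __name__ == "__main__":
    records = [summarize_text_event(EVENT_6273), summarize_dts_event(DTS_EVENT)]
    for rec in records:
        print(rec)
    print(rejects_by_reason_and_nas(records))
```

The two parsers deliberately keep the section structure of the text event: "Security ID" and "Account Name" appear under both "User:" and "Client Machine:", and flattening the event into one dictionary would silently overwrite the user's values with the machine's.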


Help With NPS Configuration + User Session Disconnection

Hi All,

We have recently implemented Ruckus Wireless in our infrastructure. We have two SSIDs, Corp and Guest.

For Corp we have implemented 802.1X with RADIUS (NPS configured on Windows Server 2012). Our AD and CA are also configured on the same server. The whole setup is working properly, as we wanted it to; the only issue is with the client session timeout.

We want our clients' sessions to end after 24 hours, but it's not working. A user connected to the Corp SSID remains connected even though we have specified the value under session timeout.

NPS -> Policies (Network Policies) -> My Policy -> Constraints (Session Timeout - Set 60 Mins )

Would really appreciate if someone could help me get this resolved.

Thanks in advance.

Rohit Sood

Error code 265: The certificate chain was issued by an authority that is not trusted.

We are in the process of trying to set up a wireless network that uses NPS servers to authenticate domain users with computers that are not on our domain (BYOD).

We are using a valid wildcard SSL certificate (with intermediate certificates) to authenticate via PEAP.  The certificate was issued by GoDaddy.

When trying to connect, we are getting the authentication request.

The result of a connection attempt is no connection with an event log error code of - “265: The certificate chain was issued by an authority that is not trusted.”

We have tried ensuring that the certificates are in the correct containers on the respective NPS servers: “Certificates\Personal\Certificates”, with the intermediate certificates located in “Certificates\Intermediate Certification Authorities”.

All these attempts have proven fruitless.  Any assistance or direction would be very much appreciated.

NPS: Override User-Name and User Identity Attribute

After configuring NPS and using http://technet.microsoft.com/en-us/library/dd197535%28WS.10%29.aspx it's possible to authenticate based on MAC addresses.

Is it by design that all authentication requests handled are changed to MAC address authentication?

We want to have three network access policies, two based on Active Directory account, one based on MAC address.

After entering the registry values and rebooting the server, it's only possible to authenticate based on MAC address.

Do we need separate NPS servers, one for MAC-based authentication and one for AD account authentication?

 

Thank you in advance.

VPN error 809 windows 7 client

First off I would like to thank everyone in advance for helping me with this problem. I usually am able to read through forums and usually am lucky to find solutions but this problem has no solution that I have found.
 
Here is my situation. I have Windows Server 2008 R2. I have added the Network Policy and Access Services role in order to run a VPN server. My Windows 7 clients are able to connect locally to the server. When I connect through the internet using a Windows 7 client I get error 809 (The network connection between your computer and the VPN server could not be established because the remote server is not responding). I checked the configuration in my router to allow the following ports: 500, 1701, and 4500. I have disabled the firewalls on my server, client, and router with no luck (I am also able to ping the server from the Windows 7 clients). So I then decided to try a different client. I am able to connect using my Android through the internet with no issues. Only when I try to connect my Windows 7 clients do I receive this error. It seems that it was configured correctly, but maybe I missed something. If anyone has any other thoughts or ideas I would greatly appreciate the help.

Server 2008 R2 

The authentication method is EAP and MS-CHAP v2 with a shared key on both server and client.

I have the server set up as IPv4 remote access server not IPv6.

DHCP server is running and assigns IPv4 address to clients.

In NPS I have added a network policy to allow the VPN Users group access to connect.

I have logging enabled on server, but have no logs in tracing directory.

No events in event viewer under Network Policy and Access Services

Thanks in advance.

NPS Configuration

I have been trying to figure out a resolution to this problem and keep going around in circles.

I currently have an NPS server working with AD.   This works great.  I used GPO to distribute the CA and once configured the clients connect using their windows login.

The issue I am having is that we have a number of clients that use our networks.  They are setup on their own vlans.   Since they are not logging in to our DC I need a way to configure the NPS to use username/password or something similar for these users and assign them the correct vlan to connect to.  It seems since I have already configured the NPS to use AD it won't let me use anything else.

2012 Server NPS w/ PEAP-Audit Failure 5061

Hi,

Attempting to set up NPS on Server 2012 to use 802.1X PEAP.

Client is distributed the certificate and the certificate shows the trust as having the appropriate chain.

Thanks

Logon Attempts are receiving this error message:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/8/2014 12:33:35 PM
Event ID:      5061
Task Category: System Integrity
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SERVER01.domain.lan
Description:
Cryptographic operation.

Subject:
Security ID: SYSTEM
Account Name: SERVER01$
Account Domain:DOMAIN
Logon ID: 0x3E7

Cryptographic Parameters:
Provider Name:Microsoft Software Key Storage Provider
Algorithm Name:RSA
Key Name: KEYNAME
Key Type: Machine key.

Cryptographic Operation:
Operation: Decrypt.
Return Code: 0x80090010




NPS on Domain Controller but it says There is no domain controller available for domain

Hello,

I tried to find solution for my problem, but I used all solutions I knew or could find on the web.

I am running two DC's main one and secondary in second office.

DC on both sites acts also as DHCP, DNS and NPS.

On the main site I started having a problem with accessing AD. In my log files I continuously find these errors:

Error 4401

Domain controller contoso.com for domain contoso is not responsive. NPS switches to other DCs.

4400

It switches to dc2, but then again the domain controller is not responsive...

At that moment I get, each time, the error:

6274

The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed.

On the second DC (DC2) everything works well. I checked and the server is not registered in AD (added to the security group RAS and IAS Servers), but even after I added the domain controller to that group it didn't change anything.

Any idea?

Or back up NPS, uninstall NPS, install it again and import the settings?

thanks for any advice

Andrew

The Windows Security Health Agent could not be initialized. Failure Code: 0x80070005

Hi!

I've configured NAP DHCP enforcement and apply the user NAP settings through GPO (enable enforcement and start NAP and wscsvc).

All Windows XP PCs work fine after applying the GP. All agents initialized well.

But all Vista and Windows 7 machines couldn't initialize the WSHA (this solution is useless: technet.microsoft.com/en-us/library/cc735495(WS.10).aspx).

Group Policy is the same everywhere.

Maybe someone came across this?

MAC ADDRESS FILTERING WITH WINDOWS SERVER 2008 r2

I'm a complete beginner with Windows Server 2008 R2. I need some tutorials on how to achieve MAC address filtering in Windows Server 2008 R2. I tried configuring it with the DHCP server but I wasn't able to configure it, so kindly help me with some tutorials on how to do MAC address filtering. I need tutorials for a baby. Thank you in advance.

Network Policy Server Event ID 6272 not being forwarded to Event Collector.

Hi there

I have configured an Event Subscription to collect events from 2 DCs that run RADIUS for network switches. It appears the events are being forwarded okay; I am getting the Security events (Logon and Logoff) on the event collector PC. However, I am not getting any of the Network Policy Server security events (specifically Event ID 6272) to centrally audit RADIUS logins to switches.

The subscription is collector initiated, and I have added Network Service to the Event Log Readers Group. Is there something I am missing in the setup requirements for these events to be forwarded?

Thank you,

Kind regards

Hylton
