Channel: Network Access Protection forum

NPS Discarding RADIUS request from Cisco switch (802.1x)


For the last few weeks I've been busy trying to get the following to work:

- Cisco 2960 switch as the supplicant
- Another Cisco 2960 as the authenticator switch
- The supplicant is only able to send MS-EAP MS-ChapV2 requests
- The NPS server is Windows 2008 R2 (and also tested on 2012 R2)

This is called "NEAT" by Cisco; which does seem to work with Cisco ISE (http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html) but I'd like to get it to work with Windows NPS.

Within NPS I've set up the following Connection Request policy:
- NAS Port Type: Ethernet

I'm using the following Network Policy:
- User Group: DOMAIN\Switches (the user account used by the switch is part of this group)
- NAS Port Type: Ethernet
- Authentication Type: EAP

Now the request sent by the switch is discarded. The actual error is the following (irrelevant information excluded):

User:
	Account Name:			Rotterdam-Switch-8-1
	Account Domain:			DOMAIN

Authentication Details:
	Connection Request Policy Name:	Secure Wired Connections
	Network Policy Name:		Switches Allowed
	Authentication Provider:	Windows
	Authentication Server:		SERVER.DOMAIN.local
	Authentication Type:		EAP
	EAP Type:			-
	Account Session Identifier:	-
	Reason Code:			1
	Reason:				An internal error occurred. Check the system event log for additional information.

Wireshark on the NPS server shows:
1. The RADIUS Access-Request (1) being received by the NPS Server
2. The NPS Server sending out a RADIUS Access-Challenge (11) to the authenticator switch
3. Another RADIUS Access-Request (1) is being received by the NPS Server

Packet 2 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26), MS-CHAPv2-ID set to 2 and OpCode 1 (Challenge)
Packet 3 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26), MS-CHAPv2-ID set to 2 and OpCode 2 (Response)

I've also tried the following:
- I've also tested with an invalid username/password. The request is correctly denied.
- I've also tested by adding ALL EAP Types as a condition to the Network Policy. The request isn't picked up by this policy anymore.

Any help would be greatly appreciated, of course.

Kind regards,
Peter


WPA2-Enterprise Radius Authentication Windows Server 2008 R2


Hello,

I have tried a few online tutorials for providing secure wireless access. I currently have a server running Server 2008 R2 that has RRAS, NAP, and AD CS installed on it. My goal is to create a wireless SSID that utilizes WPA2-Enterprise for users to connect. Their AD credentials would need to belong to my "Wireless Users" group. I have seen tutorials that involved certificates, and some tutorials that simply added the RADIUS clients along with the network/connection policies, and then added the settings to the router. When I've tried both ways, the wireless network never connects to the network. If I un-check "Use Windows login credentials" a username/password field pops up. I enter the credentials (tried both username and domain\username) of an account that is part of "Wireless Users". When I hit OK it sits for a few moments, and then pops back up again. When I do check "Use Windows login credentials" it says it can't connect.

I have tried different firmware on the router, and I know the router is not the issue.  This server is joined to my domain controller.  It feels like the NAP server is not reaching the domain to authenticate credentials.  Am I doing anything wrong that I should be made aware of?  In NAP if I right click the server, the "register in active directory" is greyed out, which I assume is because it's already joined to the domain.

I appreciate any help you can provide.

-Ken


The recommended number of IP addresses to block, which can be added to one rule Windows Firewall

Good afternoon.

I'm interested in the following question. I need to create a rule to deny access to the server from the specified IP addresses. The list is large, about 50 thousand. So how can I add an IP rule blocking connections from these IP addresses? If there are 10,000 of them in a rule, does it affect the speed of the server, and will there be any changes in its operation as a whole?

The bottom line is that I have added a rule with 10,000 IPs. Through the Windows Firewall API, I realized that the maximum number of IP addresses that I can add is 10,000 (at 10,001 it already complains "array bounds are invalid"). The rule is added and these IP addresses are blocked. The question is: will the fact that the rule has so many IP addresses affect the server's speed?

Is it possible to set this rule remotely on multiple servers?

HP Procurve 5412zl with Windows 2012 Radius NPS


Hi Everyone,

I'm having some trouble with setting up 802.1x for a wired connection. Essentially, I'm starting out by testing a MacBook Pro connected via the HP Procurve 5412zl switch, and the switch is pointed to the Windows Server 2012 RADIUS server.

Based on the user's AD authentication and the group that the user belongs to, the MacBook Pro will be configured to a different VLAN and allowed access to that VLAN, and if they are not authenticated they are sent to another VLAN.

Here is the switch config:

radius-server host xxx.xxx.xxx.xxxx key "xxxxxxxxxxx" 
...  
aaa server-group radius "RAD" host xxx.xxx.xxx.xxx
aaa authentication port-access eap-radius server-group "RAD" 

I've been reading a lot about the RADIUS configuration for Windows Server, but a lot of it references Windows 2008 and the documentation is very limited for Windows 2012. The closest thing I found was how to set it up via a Cisco switch.

Any help would be greatly appreciated

Please note that with the above configuration, FreeRADIUS is working perfectly fine.

Event 6273 after moving NPS from 2008r2 to 2012r2


I exported the NPS config on our 2008r2 server and imported it into the 2012r2 server. The IP was also eventually migrated from the old server to the new server.

Now, any clients that try to authenticate using our netmotion product can't log in.

Event ID 6273 is logged in the NPS event log on the new 2012r2 server. "Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information."

Reason code is 262 "The supplied message is incomplete.  The signature was not verified."

Authentication types in the policy look fine as well as shared secrets.  Is this something to do with the cert that is used on the new server vs the old one?  What is the best way to correct this?
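As an added diagnostic example (not code from either thread above), the Python below builds a constructed Access-Request shaped like packet 3 in the NEAT post (EAP type 26, MS-CHAPv2 OpCode 2, MS-CHAPv2-ID 2) and runs the two checks a practitioner would make against a capture before blaming the policy: decoding the EAP-Message attribute to confirm the inner EAP type and MS-CHAPv2 OpCode, and recomputing the RFC 3579 Message-Authenticator under the configured shared secret, the signature check that the reason code 262 text in the migration post refers to. The shared secret, switch name and every packet byte are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS attribute types and EAP values used below (RFC 2865 / RFC 3579)
ACCESS_REQUEST, ATTR_USER_NAME, ATTR_NAS_PORT_TYPE = 1, 1, 61
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
EAP_TYPE_MSCHAPV2 = 26  # shown by Wireshark as "MS-EAP-Authentication"
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

def attrs(packet):
    """Yield (type, value, offset) for each attribute TLV after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        t, ln = packet[pos], packet[pos + 1]
        if ln < 2 or pos + ln > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield t, packet[pos + 2:pos + ln], pos
        pos += ln

def build_request(identifier, secret, attributes, authenticator=None):
    """Access-Request whose Message-Authenticator is HMAC-MD5(secret, packet with the
    attribute value zeroed), as RFC 3579 requires for any request carrying EAP."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    body += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(packet, secret):
    """False if the attribute is absent or the HMAC does not match under this secret
    (NPS rejects such a request instead of evaluating policies against it)."""
    for t, value, pos in attrs(packet):
        if t == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False

def decode_eap(packet):
    """Reassemble EAP-Message fragments and describe the EAP / MS-CHAPv2 packet inside."""
    eap = b"".join(v for t, v, _ in attrs(packet) if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5:
        return None
    code, ident, _length, eap_type = struct.unpack("!BBHB", eap[:5])
    info = {"code": code, "id": ident, "type": eap_type}
    if eap_type == EAP_TYPE_MSCHAPV2 and len(eap) >= 9:
        opcode, ms_id, _ms_len = struct.unpack("!BBH", eap[5:9])
        info.update(opcode=opcode, opcode_name=MSCHAPV2_OPCODES.get(opcode, "?"), mschap_id=ms_id)
    return info

def sample_response(secret):
    """Constructed stand-in for packet 3 in the thread: EAP Response, type 26,
    MS-CHAPv2 OpCode 2 (Response), MS-CHAPv2-ID 2. The 49-byte response value is
    all zeros, not a real MS-CHAPv2 computation."""
    ms_data = bytes([49]) + b"\x00" * 49 + b"Rotterdam-Switch-8-1"  # Value-Size, Response, Name
    ms = struct.pack("!BBH", 2, 2, 4 + len(ms_data)) + ms_data
    eap = struct.pack("!BBHB", 2, 2, 5 + len(ms), EAP_TYPE_MSCHAPV2) + ms
    return build_request(7, secret, [(ATTR_USER_NAME, b"Rotterdam-Switch-8-1"),
                                     (ATTR_NAS_PORT_TYPE, struct.pack("!I", 15)),  # 15 = Ethernet
                                     (ATTR_EAP_MESSAGE, eap)])

if __name__ == "__main__":
    pkt = sample_response(b"constructed-shared-secret")
    print(decode_eap(pkt), verify_message_authenticator(pkt, b"constructed-shared-secret"))
```

When the verification fails on a real capture, the RADIUS client entry on NPS and the NAS are using different shared secrets; when it passes but the inner EAP type is not one the network policy allows, the policy conditions are the place to look.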

Problem

I am trying to set up Single Sign On between wireless and a network filter. The filter requires the <Framed-IP-Address> to be in the NPS server's (Server 2012 R2) log files. I have manually checked and the username, etc. is there but not the Framed-IP-Address. This server currently handles DHCP; we added the NPS role for lack of a better place, and then made it do AD CS after finding out we needed that for PEAP authentication. What would be the likely cause of the logs not having the Framed-IP-Address field? This field should be unique for each user and record the IP address they received when connecting to the wireless. This is what our filter company is telling us. Thoughts?

PPTP VPN Error 619


I've recently been having problems with my users not being able to connect to our domain PPTP VPN (running on Server 2008 R2).

It was configured about 2 years ago and has been working great! Now for some reason it's just stopped working; nothing has been changed on the server (to my knowledge) and it doesn't happen on all client machines.

My MacBook (just running Mac OS X) connects fine.

It doesn't seem to follow any pattern (generally all using Win 7); it seems almost 50/50 as to who can connect.

Do you have any ideas?

  • I've tried using an online port checker and both ports 1723 and 47 are open. (I assumed they would be or none of the computers would be able to connect.)
  • I've tried disabling firewalls / installing different ones too.
  • Disabled IPv6
  • Set security method to PPTP (was working on Auto before)
  • Looked in 'C:\windows\system32\logfiles' to see if the connection was being refused, but only successful ones are being made.
  • No mention in the event viewer (Network Policy and Access Services) - I assume there isn't another?

As mentioned in the title, they get error 619 (A connection to the remote computer could not be established, so the port used for this connection was closed.)

Any help would be greatly appreciated! Thanks.

NPS wireless authentication: can't connect to domain Wi-Fi using Windows 7. Windows 8 and smartphones can


Server 2012 R2 (NPS)

Client: Windows 7 Ultimate

Windows 7 clients can't connect to domain wireless. The strange thing is that Windows 8-8.1 and Mobile devices can connect without problems.

GPO settings:

Maybe the problem is with NPS settings?

Conditions:

NAS port Type with value Wireless- Other OR Wireless -IEEE 802.11

Windows Groups with value All domain user group.

Constraints:

Microsoft: Protected EAP (PEAP) with Encrypted Authentication (CHAP) selected. But I tried all other methods with no success.

Also tried all solutions from this thread: http://social.technet.microsoft.com/Forums/windowsserver/en-US/9171b4aa-ba71-430b-935f-b27513debda4/nps-windows-7-clients-cant-connect-iphone-connects?forum=winserverNAP nothing helped. Any help would be great, thanks.


Setting 802.1x with window 2008, switch 2950 and client

My company intends to implement a system with the following diagram:

Client --- Cisco Catalyst Switch 2950 (supports 802.1x) --- Windows Server 2008 (RADIUS server)

or

Client ---- Access Point (supports 802.1x) --- Windows Server 2008 (RADIUS server)

And I don't have any document to reference in order to implement it...

Do you have a document about my problem above? Please share it with me...

Thanks All ...

configuring wired 802.1x with Cisco 2950 and NPS 2012 problem


Hi,

I am trying to set up wired authentication on my corporate network. For testing purposes, I have set up a Cisco 2950 switch for RADIUS authentication.

On the first day of the test, access messages were appearing in the event log of the 2012 server (Network Policy and Access Services) and we were trying to address the issues with EAP and policy.

Then, suddenly, no events are written to the event log for the wired authentication. Accounting data is written to the log file at c:\windows\system32\logfiles, but nothing happens in the event log, as if the NPS is not answering. We are using the same server for wireless 802.1x and all is working fine.

Checking the wired autoconfig log on the client, Restart Reason : Onex Auth Timeout appears.

Really need help on this,

Kind regards,

Onur

802.1X EAP-TLS User Certificate Errors


I'm trying to implement 802.1x using EAP-TLS to authenticate our wireless users/clients (Windows 7 computers).  I did a fair amount of research on how to implement this solution and everything seems to work fine when authentication mode is set to: Computer Authentication.  However, when authentication mode is set to "User or Computer" or just "User" it fails.  I get a "certificate is required to connect" pop up and it's unable to connect.

No errors on the NPS side but I enabled logging on the client (netsh ras set tracing * ENABLED) and this is what I can see.  It seems as if there is a problem with the client certificate:

[236] 06-04 09:26:35:704: EAP-TLS using All-purpose cert
[236] 06-04 09:26:35:720:  Self Signed Certificates will not be selected.
[236] 06-04 09:26:35:720: EAP-TLS will accept the  All-purpose cert
[236] 06-04 09:26:35:720: EapTlsInitialize2: PEAP using All-purpose cert
[236] 06-04 09:26:35:720: PEAP will accept the  All-purpose cert
[236] 06-04 09:26:35:720: EapTlsInvokeIdentityUI
[236] 06-04 09:26:35:720: GetCertInfo flags: 0x40082
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
[236] 06-04 09:26:35:720: FCheckSCardCertAndCanOpenSilentContext
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: Acquiring Context for Container Name: le-8021xUsers-84adbdd0-a706-4c71-b74a-61a1bd702839, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
[236] 06-04 09:26:35:720: CryptAcquireContext failed. This CSP cannot be opened in silent mode.  skipping cert.Err: 0x80090014
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 1
[236] 06-04 09:26:35:720: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.

Also, in the event viewer I get the following:

Wireless 802.1x authentication failed.

Network Adapter: Dell Wireless 1510 Wireless-N WLAN Mini-Card
Interface GUID: {64191d46-0ea6-4251-86bb-7d6de5701025}
Local MAC Address: C4:17:FE:48:F2:79
Network SSID: *****
BSS Type: Infrastructure
Peer MAC Address: 00:12:17:01:F7:2F
Identity: NULL
User: presentation
Domain: ****
Reason: Explicit Eap failure received
Error: 0x80420014
EAP Reason: 0x80420100
EAP Root cause String: Network authentication failed\nThe user certificate required for the network can't be found on this computer.

I created user and computer certificates by duplicating the "User" and "Computer" templates in AD CS. I modified the "Subject Name" to "Build from Active Directory information". "Subject Name Format" is set to "Fully Distinguished Name" and "User Principal Name (UPN)" is checked. All other boxes are cleared. I verified that certificates for user, computer, and root CA are all correctly auto-enrolled. I also verified that the user certificate exists in the "Personal" user certificate store on the client.

There is clearly something wrong with the user certificate, but what? I'm at my wits' end as I have tried everything. Please help!

Giving Non-Admin users access to Network Device Management


Not really sure that this is the proper place to post this since, MS has made the Forum selection kind of limited and confusing in my honest opinion.

As the Title implies, I am looking to give rights to users to configure their network adapters.

Only with one catch, I only want to give the users access to manage the Ethernet Device not the Wireless Device.

The reason is that we have users who connect to many different network devices and they need a large number of IP addresses associated with their Ethernet ports in order to connect to these devices.

As for why I don't want to give them access to the wireless device, it's rather simple, they should not have access to see the wireless password/passphrase.

As it stands, we don't have a means of preventing people from connecting to our wireless if the password/passphrase gets leaked out.  We have not been able to settle down and find an option for it since we've upgraded our wireless network.

And if the suggestion is "let the users have admin rights from the admin group...", I'll shoot that down right now and say: where is the security in that? It's also company policy that no normal user be a local admin of the whole machine.

Any hints of what I can do would be a good help.  At this point I'm just at a loss.

DS

Mac Authentication Bypass suddenly fails


Hello all,

I am having an issue with MAB failing all of a sudden. When I look at the logs, I see that it's due to an invalid auth type (I see IAS_INVALID_AUTH_TYPE in the logs). MAB used to work, and user and computer authentication still work fine. I can't figure out what has changed since then - the only change I can see is the fact that our DCs were issued a new cert by our CA recently, but if that makes a difference, wouldn't that affect user and computer authentication as well? 

We are using MS-CHAP v2 for authentication, and MAC addresses are stored as user accounts in AD (user name and password are set as the MAC address). The clients are Windows 7 PCs, and they are authenticating against our 2008 R2 NPS server. Any help on this would be much appreciated. Thank you.

Regards,

Nikita

NPS and Cisco ASA 5510 - AnyConnect Certificate based authentication


Hi everyone,

Hoping someone can help please.

We're trying to go for a single VPN solution at our company, as we currently have a few left over from when we bought other companies.

We're currently running a 2008 R2 domain, so we're looking at NPS and we have Cisco ASA 5510 devices for the VPN side.

What we would like to achieve, is certificate based authentication. So, user laptop has certificate applied via group policy based on domain membership and group settings, then user goes home. They connect via Cisco AnyConnect via the Cisco ASA 5510 and then that talks to MS 2008 R2 NPS and authenticates for VPN access and following that, network connectivity.

Has anyone implemented this before and if so, are there any guides available please?

Many Thanks,
Dean.

Cisco asa 5505 with nps

I'm trying to set up our new Cisco ASA VPN device with NPS authentication. Is there a guide on how to do this? I can't seem to get it set up. We do have 2003 set up this way already, but it was done by a previous network admin. Any help would be appreciated.

NAP DHCP not getting IP and "netsh nap client show group" shows no results


Hey guys, 

I have just set up DHCP-based NPS and I get no IP address on my machine, which should be compliant (just the firewall is being checked). I have the enforcement client up on both. Logs on NPS show that the connection request did not match any configured network policy, but I have configured 3 of them: compliant, non-compliant and non-NAP-compliant. It should cover all cases. Authentication Type is Unauthenticated; maybe this is the cause?

Thanks for any feedback

Cheers

Aggie

How to pass two rule names in netsh firewall set rule command


Hi all, how can I use set rule to perform an action on two rules, i.e. how can I disable two firewall rules with just one command? I want to pass both rule names in the Name parameter of the command.

my requirement is to run:

netsh advfirewall firewall set rule name="Rule1 Rule2" new enable=yes

Please suggest.

Control Panel Firewall GUI and Netsh Return Different Firewall States


I am seeing an issue on some of our machines relating to DirectAccess and the firewall. For DA to work, the public and private firewall profiles must be set to on. Group Policy enforces this for us and sets up all the appropriate DA settings.

However, I am seeing an issue where the DA connectivity status shows "Action needed: the firewall must be turned on". Checking the Control Panel GUI shows that both the public and private are on and that public is connected. Running "Netsh adv show all" shows all 3 profiles off. Setting the state of these to on via Netsh seemed like the appropriate thing to do, but doesn't seem to fix the problem.

This article explains the difference in the GUI vs. what Netsh returns:

http://social.technet.microsoft.com/Forums/en-US/4d8678e2-5653-4fd2-b275-62e0e7008ff9/conflicting-display-of-windows-firewall-setting-from-gui-and-netsh-advfirewall?forum=winserverGP

but doesn't explain why DA was seeing the firewall as off while the Control Panel said it was on. Has anyone seen an issue like this before? Thanks!

Advanced Firewall. Multiple entries for remoteip cannot be defined in "netsh advfirewall firewall set rule" command


The online "netsh advfirewall firewall" manual reads as follows: "Multiple entries can be specified for remoteip by separating them with a comma."

In both Windows 7 Professional Version 6.1 (Build 7600) and Windows Server 2008R2  Enterprise Version 6.1 (Build 7600) the following command executes correctly:

netsh advfirewall firewall set rule name =  "RuleName" new remoteip = IPAddress1

But the following command

netsh advfirewall firewall set rule name =  "RuleName" new remoteip = IPAddress1, IPAddress2

gives the following error: "A specified value is not valid."

In the usage information of "netsh advfirewall firewall set rule" I find the following:

[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
   <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]

How can a list of IP addresses be submitted to the command?

Encryption type with SSTP


I have Windows Server 2012 R2 with the RRAS role. I've set up VPN with IKEv2 and SSTP.

When a client connects with IKEv2 I can see his status in the RRAS snap-in and his encryption status as "IPSec: AES 256". But with an SSTP connection the encryption is always "Unknown". Is this normal behavior?
