Thanks and best regards, -- KF
verify radius authentication on IAS
Server 2012 IE 10 Internet Security Settings
network access protection
windows 8 authenticate through IAS
wif
how do I secure my wifi
WEB authentication
Hi there!!
I would like to implement web authentication for domain users who are using iPads, mobiles and other wireless devices. Could you please send the steps or guide me on how to set up web-based authentication for non-domain devices.
For the wireless controller, open policy is enabled.
Thanks in advance
Shaan
RADIUS, NPS, ACCESS POINTS
How can I go about configuring all my access points to use a RADIUS server without using Active Directory?
Is it possible to also use NPS without registering all the client users in Active Directory?
I have 8 access points with 80 users. I am currently planning to install Windows Server 2008 R2 to implement RADIUS or find a way to secure my wireless network, but I don't have enough finances to implement a domain and join all my users to the domain.
o.k
Custom NAP SHV Criteria
Hi,
Is it possible to create custom NAP SHV criteria like Domain Computers (from AD) / computers that are members of a specific domain (define a specific domain), etc.? I am looking for an option to deploy MS NAP (2K8 R2) for DHCP where we can allow only domain computers to connect to the LAN. The same would do for wired connections.
Also, can we use MS NAP with a Cisco router DHCP pool to verify SHV criteria?
Dhiraj
message-authenticator attribute that is not valid- NPS/ciscoACS
Hi Team, we have some WiFi APs authenticating AD users through Cisco ACS 5.3, and ACS points to IAS on Win2003 servers for RADIUS proxy; this works well. One of the sites needs to set up an NPS on Win2008, so I was planning to turn the previous IAS into the backup server and the new NPS into the primary. After I did the same settings on the NPS as on the old IAS and changed the order on ACS, which now points to NPS for the primary RADIUS proxy, I got the error "message-authenticator attribute that is not valid" in the event log and user authentications were discarded. And it didn't go to the secondary IAS for authentication either. The settings are almost the same; the only thing is I couldn't find "Ignore-User-Dialin-Properties" in the NPS while it exists in IAS. Is this setting a must? (Where is it on NPS?) I also tried to re-type the shared secret, same issue. Any advice please? And why didn't the IAS take effect when the authentication didn't work on the primary NPS? Thanks!
Thanks and best regards, -- KF
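For readers of the post above, here is the check behind that error, as an added illustration that is not from the post, from Cisco or from Microsoft: the Message-Authenticator attribute (RFC 2869, type 80) is an HMAC-MD5 keyed with the RADIUS shared secret over the whole packet, so the receiving server recomputes it and rejects the request when the secret it holds for that client differs from the one the proxy used. The secret, identifier and attribute values below are constructed sample data.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80   # RFC 2869; required whenever EAP-Message (79) is present (RFC 3579)


def encode_attrs(attrs):
    """Serialise a list of (type, value-bytes) pairs as RADIUS TLV attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(ident, request_authenticator, attrs, secret):
    """Build an Access-Request carrying a Message-Authenticator.
    The value is HMAC-MD5, keyed with the shared secret, over the entire packet
    with the Message-Authenticator value set to 16 zero octets."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac          # the zeroed placeholder is the last 16 bytes


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC the way the receiving RADIUS server does.
    Returns False on a secret mismatch, a modified packet or a missing attribute."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False                # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False                        # attribute absent


# Constructed sample: User-Name plus an EAP Response/Identity, as a WiFi proxy would forward.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))             # a real client uses 16 random octets here
SAMPLE = build_access_request(7, REQ_AUTH, [(1, b"user"), (79, b"\x02\x01\x00\x09\x01user")], SECRET)
```

Running the verifier with a different secret on the same packet reproduces the failure mode in the post: the packet is well-formed, but the HMAC does not match, so the server discards it rather than forwarding it anywhere.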
Why does Windows Firewall Log only log traffic on one interface?
I've got three interfaces into different networks. All have their traffic controlled by the Windows Firewall, but the firewall log is only logging Accepted and Dropped connections from one interface. How can I get it to log for all interfaces?
Network protection problem Windows Server 2012
NPS unable to authenticate clients when CRL Server is Down.
Hi,
We came across an issue where one of our CRL servers was down and NPS was unable to authenticate clients, giving the
Error Code: 259
Reason:The revocation function was unable to check revocation because the revocation server was offline
Then I read this link http://technet.microsoft.com/en-us/library/cc770602(v=ws.10).aspx, which says (below):
"By default, the NPS server uses the CRL distribution points in the certificates. However, it is also possible to store a local copy of the CRL on the NPS server."
Thanks in advance.
Rgds
HLJ
hanglj
2008 NPS PEAP Issue (Cisco Aironet 1200)
Hello All,
I am trying to set up 802.1x authentication in my test environment eventually to be set up in the live environment.
When PEAP is configured using a self-issued AD certificate, authentication fails without an event log entry being put in the log.
In the IAS log file I see a pair of entries for each attempt.
Example (truncated):
"SRV1","IAS",08/08/2012,16:05:51,1,"user",".net/Users/Firstname Lastname","0018.bac9.2500","001f.3b2a.59e1",,,"ciscoap","192.168.1.3",559,0,"192.168.1.5"
"SRV1","IAS",08/08/2012,16:05:51,11,,".net/Users/Firstname Lastname",,,,,,,,0,"192.168.1.5"
For each Access-Request (packet-type 1) there is an Access-Challenge (packet-type 11) but that's where it ends. The challenge doesn't seem to reach the device.
I have even put a freeradius server in the chain as a proxy just to see what is happening, and I can see the incoming Access-Requests and then silence.
Any help would be appreciated.
Bertalan
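The pattern Bertalan describes (Access-Request, Access-Challenge, then nothing) can be picked out of an IAS-format log mechanically. The following is an added example, not code from the post or from Microsoft; it assumes the fixed leading fields of the IAS log format (field 5 is Packet-Type, field 7 the fully qualified user name, field 16 the RADIUS client IP) and uses a constructed sample modelled on the two records above, plus a second conversation that completes.

```python
import csv
import io
from collections import defaultdict

# 0-based positions of the fixed leading fields in every IAS-format record.
PACKET_TYPE, FQDN, CLIENT_IP = 4, 6, 15
PACKET_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# Constructed sample: the first conversation stops after the challenge, the second
# (a made-up user "bob") answers the challenge and ends with an Access-Accept.
IAS_LOG = (
    '"SRV1","IAS",08/08/2012,16:05:51,1,"user",".net/Users/Firstname Lastname","0018.bac9.2500","001f.3b2a.59e1",,,"ciscoap","192.168.1.3",559,0,"192.168.1.5"\n'
    '"SRV1","IAS",08/08/2012,16:05:51,11,,".net/Users/Firstname Lastname",,,,,,,,0,"192.168.1.5"\n'
    '"SRV1","IAS",08/08/2012,16:06:02,1,"bob",".net/Users/Bob Example","0018.bac9.2500","0022.aa11.bb22",,,"ciscoap","192.168.1.3",560,0,"192.168.1.5"\n'
    '"SRV1","IAS",08/08/2012,16:06:02,11,,".net/Users/Bob Example",,,,,,,,0,"192.168.1.5"\n'
    '"SRV1","IAS",08/08/2012,16:06:03,1,"bob",".net/Users/Bob Example","0018.bac9.2500","0022.aa11.bb22",,,"ciscoap","192.168.1.3",560,0,"192.168.1.5"\n'
    '"SRV1","IAS",08/08/2012,16:06:03,2,,".net/Users/Bob Example",,,,,,,,0,"192.168.1.5"\n'
)


def parse_ias(text):
    """Yield IAS records as field lists; the format is comma-separated with quoted strings."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 16:              # skip truncated or blank lines
            yield row


def conversations(text):
    """Packet types per (RADIUS client IP, FQDN), in log order."""
    by_peer = defaultdict(list)
    for row in parse_ias(text):
        by_peer[(row[CLIENT_IP], row[FQDN])].append(int(row[PACKET_TYPE]))
    return by_peer


def stalled(text):
    """Conversations whose last record is an Access-Challenge: the server answered, but no
    further Access-Request arrived, so the challenge never reached the supplicant or the
    NAS dropped it. Returns {peer: [packet names]}."""
    return {peer: [PACKET_NAMES.get(t, str(t)) for t in types]
            for peer, types in conversations(text).items() if types[-1] == 11}
```

On a real log, pair this with the NAS-side capture: a stalled conversation whose Access-Challenge is visible at the proxy but never at the access point points at the path between them rather than at NPS.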
NPS Windows 7 clients can't connect | iPhone connects!
Server 2008 R2 (RDS, NPS)
Access point: WRT54GL
Using a wildcard certificate
Ironically, my iPhone 4 connects to the wireless network just fine! I logged in w/ my domain credentials and then I had to accept the wildcard certificate we use, and bam, in on the corporate network using domain credentials.
However, I can't get our Windows 7 machines to connect.
With the current settings, the connection request generates 2 error messages in the Event Viewer - 1 for the computer and 1 for the user attempting to authenticate - both of which say: "Network Policy Server denied access to a user... The message received was unexpected or badly formatted."
I've tried creating a wireless profile on the laptop - and not validating certificates = no go.
The EAP service is running on the laptop.
The NAP service was NOT running on the laptop. I started it. Didn't affect anything.
I read that importing certificates on the client might be necessary... That doesn't sound right. I don't want to have to touch each client, or even apply it through GPO. Is this even relevant?
I have received other error messages in the past when I was tinkering with different connection and network policy settings. But this is where I’m at now.
Help!? Thanks!
HeldPeriod in Windows Supplicant not working as expected
I am importing the XML below to authenticate to the network. The authentication is working as expected. But in case of failures, the re-authentication is happening after 20 minutes (1200 s). It seems to be the default. It is not honoring the setting that I defined in the XML file with the heldPeriod tag. However, the re-authentication period works perfectly if I push the settings via GPO (using the UI option in the security part of computer configuration).
Has anyone experienced this issue? How do I make my machine honor the settings I am passing through XML?
<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <heldPeriod>1</heldPeriod>
        <authPeriod>18</authPeriod>
        <startPeriod>5</startPeriod>
        <maxStart>3</maxStart>
        <maxAuthFailures>1</maxAuthFailures>
        <supplicantMode>compliant</supplicantMode>
        <authMode>machine</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>25</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                    <ServerNames></ServerNames>
                  </ServerValidation>
                  <FastReconnect>true</FastReconnect>
                  <InnerEapOptional>false</InnerEapOptional>
                  <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                    <Type>26</Type>
                    <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                      <UseWinLogonCredentials>false</UseWinLogonCredentials>
                    </EapType>
                  </Eap>
                  <EnableQuarantineChecks>false</EnableQuarantineChecks>
                  <RequireCryptoBinding>false</RequireCryptoBinding>
                  <PeapExtensions>
                    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
                    <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName>
                  </PeapExtensions>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>
Thanks,
Sitaram Pamarthi
Blog : http://techibee.com
This posting is provided AS IS with no warranties or guarantees, and confers no rights
Operating System Properties.
Hi,
I have attached a screenshot of the NPS connection properties. Which value do I put in Operating System Properties for only Windows XP, Vista, 7 and 8, or which value do I put for a non-Microsoft OS?
Faraz Hussain,
Advanced Firewall IP exceptions Windows Server 2008/2012
Is there a way to add exceptions to a firewall rule such as blocking all non-US IP ranges (see below), with exceptions for specific addresses instead of removing the entire range from the list?
netsh advfirewall firewall add rule name="Block non_US IPs" dir=in action=block remoteip=1.0.0.0/8,2.0.0.0/8,5.0.0.0/8,14.0.0.0/8,25.0.0.0/8,27.0.0.0/8,31.0.0.0/ etc
Thanks
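Windows Firewall evaluates block rules ahead of allow rules, so a block rule has no exception list of its own; the practical route for a question like the one above is to carve the exceptions out of the blocked ranges and generate the rule from what remains. The helper below is an added example, not from the post or from Microsoft; the ranges and exception addresses are constructed, and the netsh syntax is the one the post already uses.

```python
import ipaddress


def carve_out(block_ranges, exceptions):
    """Return the CIDR blocks that cover block_ranges minus every exception
    (hosts or networks). Ranges untouched by any exception pass through unchanged."""
    remaining = [ipaddress.ip_network(r) for r in block_ranges]
    for exc in (ipaddress.ip_network(e) for e in exceptions):
        carved = []
        for net in remaining:
            if net.subnet_of(exc):
                continue                                  # exception swallows the whole range
            if exc.subnet_of(net):
                carved.extend(net.address_exclude(exc))   # split the range around the exception
            else:
                carved.append(net)                        # no overlap, keep as is
        remaining = carved
    return sorted(remaining)


def netsh_block_rule(name, block_ranges, exceptions):
    """Render a netsh advfirewall inbound block rule for the carved-out address list."""
    remoteip = ",".join(str(n) for n in carve_out(block_ranges, exceptions))
    return f'netsh advfirewall firewall add rule name="{name}" dir=in action=block remoteip={remoteip}'


# Constructed sample: two blocked /8s from the post, one partner host to keep reachable.
BLOCKED = ["1.0.0.0/8", "2.0.0.0/8"]
ALLOWED_HOSTS = ["1.2.3.4"]
RULE = netsh_block_rule("Block non_US IPs", BLOCKED, ALLOWED_HOSTS)
```

Each single-host exception carved from a /8 expands that range into 24 CIDR entries, so for many exceptions it is worth checking the resulting command length or splitting the list across several rules.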
Public Certificate for NPS/NAP?
OK, I am trying to get NPS set up so that it can be used for guests to access the Internet but still require a login on our network using PEAP. I got a trial certificate from GeoTrust/RapidSSL/FreeSSL and it only offers "Digital Signature, Key Encipherment (a0)", but NPS requires a certificate with "Data Encipherment". I have not found ANY public CA that issues this type of certificate, so if Microsoft requires this for PEAP, where am I to get a valid certificate for this?
I have checked Verisign and GoDaddy, and all of them only offer "Key Encipherment".
Windows Server 2008 R2 Lab System -- NPS Radius Ports 1812,1813,1645,1646 unavailable
Before I start, here's the setup.
Freshly installed Win2k8 R2, fully updated with only AD DC, DNS and NPS roles installed. No additional software is installed, and all Microsoft firewalling and filtering is fully disabled in all locations I can find in the system.
I have attempted four or five different step-by-step walkthroughs, including Microsoft offerings, in order to get a slew of RADIUS-enabled devices to connect, with no success. I've enabled logging of the NPS service for all events I can, and have used PortQry and netstat; however, my problem seems to be the fact that none of the default ports are actively listening (e.g., 1812-13, 1645-46). I have tried binding to the static IP, other ports, and anything else I could think of, but nothing I've attempted gets the NPS services responding. Event logs do not report any errors with services starting, and the NPS role event log filter shows zero results, so I'm sure the first problem is figuring out why the ports aren't open...
I have read multiple threads in this forum space and on other sites. The common responses to this issue are "Check your firewall settings", "Disable your AV software" or any combination in between. The problem is, this never ends up correcting the issue for the original poster, and the threads end up "Still having this issue... any ideas?" or another user will ask "Did you ever get this resolved, because I'm having the same issue..." with no reply thereafter (even though it's been years since the last post). This leads me to believe that either the problem required a chat with an expert for money, or the solution was simple enough that the user didn't bother to post their fix at the end.
With all that said, do you guys have any recommendations of where to start? I appreciate any feedback...
-Jordan
Stop iPhone/Android or any mobile device from accessing my wireless network.
I have a corporate wireless setup, but what I noticed is that as it allows Domain Users or Computers to connect, my users are easily able to connect just by typing a user name and password for the domain. This is creating a lot of issues and I am not very confident how to block it through the RADIUS/NPS server.
I would like to see only my domain computers connect to the wireless network.
Anand Shankar