Hello all,

I am seeking to learn about using netstat. I believe I am being hacked, or someone is monitoring my laptop.

This evening I was able to trace an IP back to the "mystery farm house" in Potwin, Kansas. And was a little startled by my readings. I do not know how to fully utilize the netstat operation to figure out who is not supposed to be on my computer.. I get foreign addresses that have lead from the mystery farm house, and then a church, and now a direct address of someone's house. I received this message in my results, net64-20-243-249:https syn_sent. I am not aware if this is malicious, or just common. Any guidance would be extremely helpful!

-Thanks!  

Hi guys,

I had created an question in the Social Technet Forum (German Language) and earned no answer on my question. Sorry for this double post.

https://social.technet.microsoft.com/Forums/de-DE/279ed38e-f131-4fca-8fbd-92ebb43ba88e/tmg-vpn-mit-nap?forum=windows_Serverde

We are using a SSTP VPN which is terminated on TMG 2010. The user-authentication are redirected to an NPS based on Windows Server 2008 R2.

This NPS should confirm access based on NAP rules and move the clients into a quarantine if they are not approved.

My Problem is that my clients cannot connect to the VPN. In the event log can I see that the client is not NAP capable. Without the NAP specific rules (check the SVH value) the clients are able to connect to the VPN.

I have configured in the local NAP configuration (NAPCLCFG) to force the Network Protection and also in the properties of the VPN connection. But in the VPN connection this option will be gone after activation.

I used this document to configure the radius VPN connection. http://www.isaserver.org/articles-tutorials/general/Configuring-Forefront-TMG-client-VPN-access-NAP.html

Did you have any idea?

Thanks and best Regards,
Henry

Hi everyone,

a customer of mine wants to deploy 802.1x wired authentication in 70+ locations. So I set up a test lab and started playing. Eventually, I had my Cisco Catalyst Switch 3560 (12.2(55) IP-Base image) and my NPS server on Windows Server 2008 R2 up and running. The test client got certificates and all ... But it did not authenticate. Instead, I got reason code 266 "The message received was unexpected or badly formatted." 

So I googled a bit and found this old kb article http://support.microsoft.com/kb/933430/en-us. In the workarounds section I used method 3 on my NPS, which modifies the behavior of the SCHANNEL provider. This was indicated by another post on this forum (sorry, lost the link). Surprisingly, it worked! - Now I wonder why?

Does this registry setting effect the security of the TLS session in a negative way? I do not want to roll out this "fix", unless I have a clear understanding of the security implications.

Any feedback is welcome!

----------------------- Greetings from Germany, Martin

Hello there,

I have been trying to configure the MAC Authentication on Windows Server Network Policy Server but no success. Details on my configuration can be find below.

I have firstly enabled the Mac Authentication on 3com switch 4400 model.

enabling  -> Mac-authentication

enabling authentication mode -> UsernameAsMacAddress

configuring a domain - mac-authentication domain abc.local.

I left the default Vlan (Vlan1)

While on my DC, I created a user

username: 00-00-00-00-00-00

password: 00-00-00-00-00-00

Lastly on the NPS Server, I configured the 802.1x Wired configuration, I configured the NAS (Radius Client) whici is the 3com Switch.

After completing the configurations, I turned on my computer with and logged on to the domain abc\00-00-00-00-00-00 with the password. But there was no success when the computer tried to connect to the network looking for DHCP services to obtain IP address.

On the NPS event service, I got:

All I could find was " Authentication failed due to the reason appeared in the reason code but I am very sure that the name and the password are the same. I hope someone can help me out. 

Thanks.

Hello,

i try to setup a IPSEC VPN (Site-by-Site or if not possible Client-BySite) between a Netgear Pro Safe Router and Windows Server 2012.

The Problem: Tunnel is up and running, but no Ping, no traffic at all.

the Server 2012 uses HyperV and has one hardware-NIC with public ip, lets say 123.123.123.1.

if no site-by-site is possible in my situation with built-in-tools this server would be only a client-site which would "dial-up" to the netgear box.

the server has a second virtual NIC with IP 192.168.137.1. Routing and RAS is enabled, because there are two virtual other servers whichs has 192.168.137.2 and 192.168.137.3.

The Netgear-ProSafe has public ip 122.122.122.1 and LAN-Subnet 192.168.21.0/24.

I created the Tunnel in the Advanced-Firewall-Options-Window. Both, Windows and the Router, say, the VPN-Tunnel is okay. Also, i can see ESP-Packets with wireshark.

If i ping (from router to server and other direction) i get no response. Some people said, the RAS itselfe could not accept packages, but i tried from one of the virtual clients also (192.168.137.2) and no ping there also.

i tried to add a route for subnet 192.168.21.0 with 192.168.137.1 as gateway but that didn't helped also.

now, after all this time i spend today to this problem i'm a bit confused.

as i know vpn-connections there are always virtual devices, and routes for the vpn-subnets assigned to this device.

the windows firewall does not create any device, and it does not create any route - i suppose, this is because "routing and ras or windows firewall-service" does this work "internally". is that correct? do i need any routes?

i was wondering why the ICMP packet from my ping in wireshark had the public ip as source (123.123.123.1) and not the "internal" 192.168.137.1 - and i tried to restrict the vpn-rule only for the virtual internal NIC but this isn't possible, as it is no option inside the gui.

it would be great if somebody could explain me how config and packages SHOULD look....i've never used the built-in vpn/ipsec/ras services before, so i don't know how things has to be for a correct working environment. also, i need a solution and any help to solve the problem would be great also!

now i try to sleep one night - maybe i get some nice idea after some hours of sleeping. good night.

Addition: After some more tests i find out that if i change the local endpoint (endpoint 1) from the virtual network (192.168.137.0/24) to the public ip of the server (123.123.123.1) inside the tunnel-rule and inside the vpn-policy of the router i can access the netgear and other devices in the remote-network 192.168.21.0 over this ip-adresses. ping is not working, but other things seems to work fine. i want to be able to ping as well ofcourse and this wired configuration looks wrong to me...can some network-professional help out with an explanation?

Second Addition: I can set the Local Endpoint also to "any" and it does work - but ping still does not work :-(

Third Addition: The Ping does work if i disable the NAT-Functionality on the Physical NIC. ....mhm.....

Hi,

I am running an EXE to send data to a remote server, I am sending data using VC++ Socket Programming. In some PC, by using that application (EXE), I am able to send data as well as receive data to/from the remote server (Windows Server 2008).

I am facing problem in one of the PC. Socket Error 10060 is shown when i try to connect to this remote server. Using Connect() API which returns SOCKET_ERROR with WSAGetLastError as 10060..

Pls reply.

Thanks,

Adi

Hello,

i guess this problem is not rare but found so far no solution for it.

I need my desktop pc to connect to a customer server which accepts only incoming connections with static IP.

For various reasons, i can't have such static IP for my router.

I have a small hosted server in the internet and my idea is to route the desktop client over this server

to the customer server, so the customer server recognizes a static IP.

What is the general approach for this ?

Can i do this by a VPN tunnel to my hosted server ? If yes, how to route from this hosted server to custom server.

Many thanks !

I'm trying to create a locked-down file-moving system on our AD network.  I want to do the following:

- Create a service application that will run on Server A.  It should have little or no privileges on Server A.  Nothing else on Server A should have any permissions on the other shares listed below.

- It will read a share on Server B.  It should have permissions to read and delete from that share.  (Nothing else on the network will/can have delete permission on that share.)  It should have no other permissions on Server B.

- It will write to a share on Server C.  It will need permissions to read and write (not modify or delete) from that share.  (Nothing else on the network can/will have write permission on that share.)  It should have no other permissions on Server C.

- In logs on the respective machines, actions the service takes should show up in a way that's directly attributable to that service.  No anonymous or 'NT_Authority' logs that aren't clearly from that service.  Our auditors go nuts when they see anonymous and non-descript access.

So what account do I install that service under?  Local system and local service seem to clearly be out.  'NetworkService' seems to have quite a lot of Greek in the description - not recognized by the local security subsystem?  Presents the computer's credentials to remote servers?  Everything I read about NetworkService says the same phrases, without defining them, but searches for those phrases mostly come back to descriptions of NetworkService.  And what's to prevent someone installing four other different services on that same server (A) so that all four services then have inappropriate access to these shares?

Hey all,

We have 2 Certificate servers (CA) on our domain, lets call them A server and B server.

We also have one NPS server which which we would like it to accept and connect via EAP certificate only the clients that have a valid certificate issued by A server and NOT B server.

How can I force the NPS server policy (or the whole NPS server) to accept only certificates issued by A server (Currently it accepts both).

Thank you! 

Hello,

I have been trying to add a Bluecoat AV equipment in my test Radius Server (NPS) running on Windows 2008 Enterprise R2. My problem is this, my test user does not authenticate and the generated log is this:

Reason Code: 65

Reason: "The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission."

Now I have double checked the Dial-in Tab of my test user in the active directory and under the Network Access Permission, the "Control access through NPS Network Policy" is selected.

I have even ticked the option "Ignore user account dial-in properties" in my NMS policy but still the same error.

Any help will be much appreciated!

Regards,

Toad

I'm trying to test with NPS being radius for my wifi. Everything is working fine if i ignore the certificate warning.

I then wanted to try to add a public certificate to the NPS, then i ran in to the problem that our local AD domain is a .local. Is there anyway to get around this? Maybe split DNS and use a public name for the NPS server?

I don't want to use a internal CA because it's not only domain joined clients that need to connect.

Hi All,

I am looking for help in creating pattern matching syntax for 8 IP addresses in Network Policies. Want to add condition of NAS IPv4 Address in a single policy. Ip Addresses are:

10.110.7.38

10.110.7.39

10.110.23.38

10.110.23.39

10.110.43.36

10.110.43.37

192.194.135.152

192.194.135.153

all ip addresses in a single NAS condition. Please assist me as pattern matching syntax guide is confusing for me.

Trying to set up a VPN connection however when I go to the roles to add "Network Policy and Access Services" I do not have it in the list - see the snapshot below:

Does it mean that I have to insert a System Installation Disk and do it or there is another way?

How do I proceed from here?

Hi

I have a concern about the log entry's in my NAP Log files

My logs show when users login to the network, there IP Address and bits of other information, my concern is this....Iv noticed that there has been multi login attemps to the vpn server using different user names, these all originat from an ip address that is unknown to me, iam trying to figure out if this is an attack on my network to gain access or is this the server its self adding these entry's into the logs.

Any light that can be cast on this problem will be greatly appreciated, Ive noticed the same user names before, they happen at any time of day or night, ive posted part of my log below but ive removed some detals about my server.

"MYSERVERNAMEHERE","RAS",02/24/2015,15:35:38,1,"anyuser","MYDOMAINNAMEHERE\anyuser","192.168.0.14","63.95.247.2",,,"DC1","192.168.0.14",129,,"192.168.0.14","DC1",,,5,,1,2,4,,0,"311 1 fe80::8c42:6da9:65b:43cd 02/21/2015 15:50:45 5",,,,,,,,,,,,,,,,,,1,1,"63.95.247.2","192.168.0.14",,,,,,,"MSRASV5.20",311,,,,,"Microsoft Routing and Remote Access Service Policy",1,,,,
"MYSERVERNAMEHERE","RAS",02/24/2015,15:35:38,1,"anyuser","MYDOMAINNAMEHERE\anyuser","192.168.0.14","63.95.247.2",,,"DC1","192.168.0.14",130,,"192.168.0.14","DC1",,,5,,1,2,4,,0,"311 1 fe80::8c42:6da9:65b:43cd 02/21/2015 15:50:45 6",,,,,,,,,,,,,,,,,,1,1,"63.95.247.2","192.168.0.14",,,,,,,"MSRASV5.20",311,,,,,"Microsoft Routing and Remote Access Service Policy",1,,,,
"MYSERVERNAMEHERE","RAS",02/24/2015,15:35:38,3,,"MYDOMAINNAMEHERE\anyuser",,,,,,,,,,,,,,,,,4,,16,"311 1 fe80::8c42:6da9:65b:43cd 02/21/2015 15:50:45 6",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Microsoft Routing and Remote Access Service Policy",1,,,,
"MYSERVERNAMEHERE","RAS",02/24/2015,15:35:39,1,"infouser","MYDOMAINNAMEHERE\infouser","192.168.0.14","63.95.247.2",,,"DC1","192.168.0.14",129,,"192.168.0.14","DC1",,,5,,1,2,4,,0,"311 1 fe80::8c42:6da9:65b:43cd 02/21/2015 15:50:45 7",,,,,,,,,,,,,,,,,,1,1,"63.95.247.2","192.168.0.14",,,,,,,"MSRASV5.20",311,,,,,"Microsoft Routing and Remote Access Service Policy",1,,,,
"MYSERVERNAMEHERE","RAS",02/24/2015,15:35:39,3,,"MYDOMAINNAMEHERE\infouser",,,,,,,,,,,,,,,,,4,,16,"311 1 fe80::8c42:6da9:65b:43cd 02/21/2015 15:50:45 7",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Microsoft Routing and Remote Access Service Policy",1,,,,
"MYSERVERNAMEHERE","RAS",02/24/2015,15:35:39,1,"infouser","MYDOMAINNAMEHERE\infouser","192.168.0.14","63.95.247.2",,,"DC1","192.168.0.14",130,,"192.168.0.14","DC1",,,5,,1,2,4,,0,"311 1 fe80::8c42:6da9:65b:43cd 02/21/2015 15:50:45 8",,,,,,,,,,,,,,,,,,1,1,"63.95.247.2","192.168.0.14",,,,,,,"MSRASV5.20",311,,,,,"Microsoft Routing and Remote Access Service Policy",1,,,,
"MYSERVERNAMEHERE","RAS",02/24/2015,15:35:39,3,,"MYDOMAINNAMEHERE\infouser",,,,,,,,,,,,,,,,,4,,16,"311 1 fe80::8c42:6da9:65b:43cd 02/21/2015 15:50:45 8",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Microsoft Routing and Remote Access Service Policy",1,,,,
"MYSERVERNAMEHERE","RAS",02/24/2015,15:35:39,1,"infouser","MYDOMAINNAMEHERE\infouser","192.168.0.14","63.95.247.2",,,"DC1","192.168.0.14",129,,"192.168.0.14","DC1",,,5,,1,2,4,,0,"311 1 fe80::8c42:6da9:65b:43cd 02/21/2015 15:50:45 9",,,,,,,,,,,,,,,,,,1,1,"63.95.247.2","192.168.0.14",,,,,,,"MSRASV5.20",311,,,,,"Microsoft Routing and Remote Access Service Policy",1,,,,
"MYSERVERNAMEHERE","RAS",02/24/2015,15:35:39,3,,"MYDOMAINNAMEHERE\infouser",,,,,,,,,,,,,,,,,4,,16,"311 1 fe80::8c42:6da9:65b:43cd 02/21/2015 15:50:45 9",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Microsoft Routing and Remote Access Service Policy",1,,,,
"MYSERVERNAMEHERE","RAS""RAS",02/24/2015,15:35:39,3,,"MYDOMAINNAMEHERE\infouser",,,,,,,,,,,,,,,,,4,,16,"311 1 fe80::8c42:6da9:65b:43cd 02/21/2015 15:50:45 10",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Microsoft Routing and Remote Access Service Policy",1,,,,
"MYSERVERNAMEHERE","RAS""RAS",02/24/2015,15:35:40,1,"posuser","MYDOMAINNAMEHERE\posuser","192.168.0.14","63.95.247.2",,,"DC1","192.168.0.14",129,,"192.168.0.14","DC1",,,5,,1,2,4,,0,"311 1 fe80::8c42:6da9:65b:43cd 02/21/2015 15:50:45 11",,,,,,,,,,,,,,,,,,1,1,"63.95.247.2","192.168.0.14",,,,,,,"MSRASV5.20",311,,,,,"Microsoft Routing and Remote Access Service Policy",1,,,,

Other usernames used are

opencourse
ostec
hotelsystems
helpdesk
mfs

and about 100 more

Thanks in advance Paul

I having issues on authentication by Mac Based Authentication where as through system name authentication is working fine. i am using extension as authentication type as this is for non nap capable devices. kindly help

Remote Authentication Dial-In User Service(RADIUS) attributes are containers that include a type, a length, and a value that hold information that is sent in RADIUS messages between RADIUS clients and RADIUS servers.

One RADIUS message can include multiple RADIUS attributes, each of which holds a specific type of information for which the attribute was designed.

Network Policy Server (NPS) allows you to add vendor-specific attributes (VSAs) to individual network policies, providing you with the ability to deploy new RADIUS client products that have proprietary functionality that are not defined in Request for Comments (RFC) 2865.

If we have configured local file logging, NPS records accounting information in log files on the local hard drive.

When we meet some authenticate issue on NPS server, to find why the request is rejected, we can check the NPS accounting log.

If the NPS accounting log that is configured in IAS format, we will find that the RADIUS attributes have been logged as numbers like 8132, 8136, 8158 etc. (See Figure 1)

Figure 1.

However, this log file doesn’t provide the meaning of these numbers.

For standard RADIUS attributes, we can interpret the attribute id by RFC document.

How can we interpret the Microsoft vendor-specific attributes? Actually, we can find the MS VSAs and the corresponding attribute id inATTRIBUTEID enumeration type.

For detailed information about ATTRIBUTEID enumeration type, please refer to the link below:

https://msdn.microsoft.com/en-us/library/bb960612(v=vs.85).aspx

For example, if we want to know the meaning of the attribute id 8132, we can search it in theATTRIBUTEID enumeration type, then we will find that it means “MS_ATTRIBUTE_NETWORK_ACCESS_SERVER_TYPE”.

Figure 2.

Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

Availability of NPS is critical because it's absence would cause all machines to remain in quarantine zone. So for that what are the best practices for high availability ? for 802.1X approach.

NLB of two servers and backups sent to DR ?

Supplying IP address of two NPS servers on all switches so that in case of unavailability of one NPS another is taken up automatically ?

Setup on Clustered HyperV with NPS as high available virtual machine ?

What would be the best DR for this ?

Hello all,

i am trying to configure Windows 2012 NPS for EAP-AKA authentication to build an hotspot 2.0 (802.11u).

I am searching documentation about NPS EAP-AKA configuration.

someone can help me please?

Thanks

Michele

Hi,

We are planning to enforce wired 802.1x in our network.  I have been testing it for couple of weeks and Everything works fine.

But there is one question i don´t found an answer on. The GPO takes care of the wired configuration settings. But when i try to take one of the computers to another network that don´t use 802.1x, they get a authentication failure. I most have missed some basic information or can´t you connect to other networks when wired config is enabled? 

Regards

Martin

I've been attempting to set up RADIUS services for my Ubiquiti Unifi APs on Server 2008R2 following the tutorial here. It seems to be working but my Windows 7 laptops don't authenticate on the network; they see the network and attempt to connect but entering my (or any) Windows username and password returns "Windows was unable to connect to <SSID>"

I've added all my Access Points as RADIUS Clients, tried setting the network up manually and through GP  but am getting nowhere. When I attempt connection manually, I get entries in the log suggesting it's connecting - any ideas how I interpret this to figure out where I'm going wrong?

"SERVERNAME","IAS",03/20/2015,10:17:09,1,"username","UK\username","0E-18-D6-29-66-67:SSID","68-5D-43-A2-F2-79",,,"0418d6286667","172.19.8.45",0,0,"172.19.8.45","Main Office",,,19,"CONNECT 0Mbps 802.11b",,,5,"Secure Wireless Connections",0,"311 1 172.19.7.233 03/19/2015 20:19:44 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,"SERVERNAME","IAS",03/20/2015,10:17:09,11,,"UK\username",,,,,,,,0,"172.19.8.45","Main Office",,,,,,,5,"Secure Wireless Connections",0,"311 1 172.19.7.233 03/19/2015 20:19:44 1",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,"SERVERNAME","IAS",03/20/2015,10:17:10,1,"username","UK\username","0E-18-D6-29-66-67:SSID","68-5D-43-A2-F2-79",,,"0418d6286667","172.19.8.45",0,0,"172.19.8.45","Main Office",,,19,"CONNECT 0Mbps 802.11b",,,5,"Secure Wireless Connections",0,"311 1 172.19.7.233 03/19/2015 20:19:44 2",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,"SERVERNAME","IAS",03/20/2015,10:17:10,11,,"UK\username",,,,,,,,0,"172.19.8.45","Main Office",,,,,,,5,"Secure Wireless Connections",0,"311 1 172.19.7.233 03/19/2015 20:19:44 2",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,"SERVERNAME","IAS",03/20/2015,10:17:10,1,"username","UK\username","0E-18-D6-29-66-67:SSID","68-5D-43-A2-F2-79",,,"0418d6286667","172.19.8.45",0,0,"172.19.8.45","Main Office",,,19,"CONNECT 0Mbps 802.11b",,,11,"Secure Wireless Connections",0,"311 1 172.19.7.233 03/19/2015 20:19:44 3",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,"SERVERNAME","IAS",03/20/2015,10:17:10,3,,"UK\username",,,,,,,,0,"172.19.8.45","Main Office",,,,,,,11,"Secure Wireless Connections",266,"311 1 172.19.7.233 03/19/2015 20:19:44 3",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

Anyone any ideas what I'm getting wrong please?

Calum