Channel: Network Access Protection forum

NPS forwarding based on username with certs


We use NPS (on 2008R2) to authenticate 802.1x access to our wired and wireless networks using both certs and PEAP.

We are in the process of a merger and I'd like to forward radius requests for users in the remote domain to their radius server.

The local radius servers are configured as clients on the remote and I've configured a Connection Request Policy to forward requests based on user name.

If I set a username condition of ^RemoteDomain\\.*, logging on by PEAP works with the format DOMAIN\UserName.

But I can't for the life of me work out how to get it to work for PEAP (the forwarding, that is) with the user UPN, or with certs, which also use the UPN as the username (indicated in the NPS logs).

The UPN can be either User.Name@RealDomain.com or UserName@RemoteDomain.corp (depending on the user or device).

I have tried numerous variations on regular expressions, which when run through regex testers match things appropriately.

The docs at https://technet.microsoft.com/en-us/library/dd197583(v=ws.10).aspx suggest that ^RemoteDom\\|@RemoteDom.corp$|@realDom.com$ should work, but I don't see a radius request traverse the firewall for anything other than DOMAIN\UserName auths, and for anything else it continues through to the default 'use windows auth' CRP.

Any ideas?

 

 


IAS extension dll for using sql server as radius authentication

Hello. I'm searching for information about any .dll or more specifications about the "IAS extension DLL" mentioned at this URL:

http://technet.microsoft.com/en-us/library/cc757302(WS.10).aspx

We need some way to connect IAS with an MS SQL Server, for the web Citrix (RADIUS).

As I saw, the only way is deploying that dll with the specifications above (there is no free dll on the internet). But I think we are not skilled enough for that task, as we have never worked with RADIUS, nor with EAP or other encryption. We are "so common" C# .NET developers.

Any suggestions?

Thanks.
Paul.

NPS SQL Logging not working


I am running NPS on a Windows 2008 Enterprise server in a VM. I also installed SQLExpress 2008 w/adv tools on the same server. My goal is to have NPS log to SQL to generate reports. I ran the Accounting wizard to create the database, so I have the required stored procedure in SQL and I am using Windows Authentication in SQL. I can authenticate to my Cisco devices, wireless clients and VPN users. I have no problem when I use the local logging. When I set up NPS accounting, the data link connects successfully. After setting up SQL, I get the ReasonCode 80 in the NPS event log. I don't know what I am missing. Any ideas?

Windows 2012 r2 802.1X MAC Address bypass configuration

I am setting up MAB for my environment and I want to make sure I am setting it up correctly, as I see some articles stating there is a reg edit needed and others that don't mention it at all.

I have Dell PowerConnect switch with 802.1X authentication working for my Domain Computers.

I now want to allow non-802.1x capable devices to be assigned the correct vlans (Printers, IP Phones, etc).

I have created a user account in AD for the device, using the lowercase MAC address for the username and password.
I have set the switchport to allow MAB.
I have created an NPS Network Policy for one of the devices and assigned the groups it belongs to and set Authentication Method to: Unencrypted (PAP,SPAP).

I keep receiving this error in the logs: "The user attempted to use an authentication method that is not enabled on the matching network policy"

Corporate Wifi - iOS Devices prompting for cert


Hi

We have FortiNet APs set up for testing at the moment, which will do RADIUS authentication to our Windows RAD Server.

I have the following configuration:

Connection Policy: 

NAS Port Type: Wireless - IEEE 802.11

PEAP Authentication - with a cert selected which I requested recently.

Network Policies:

Unspecified Network Access Server

User Groups: Domain\WiFi

Authentication: PEAP + EAP-MSCHAP v2 + MS-CHAP-V2

This all works, so a client can connect to the WiFi and it checks for the certificate and username/password etc.

Now when I attempt to connect a mobile to the corporate WiFi, it prompts me for username and password and then prompts me to trust the certificate and it connects to the network.

I want to stop this.

I don't want mobiles connecting to the corporate WiFi unless they are company mobiles.

How can I achieve this?

Renew Certification Authority


Hi all, 

Perhaps you can help me in with a problem I am facing right now. 
Actually I am in the process of renewing a local PKI, because the old PKI is installed on old servers with a SHA1 key. 

We would like to set up a new PKI on new machines with new keys. This means, we would have two Enterprise PKI at the same time within our AD Domain. 

Our clients authenticate against our WiFi using machine certificates via a radius server. So far so good. 

Do we have to set up a new radius server, or will the old one be able to trust both certificate authorities and authenticate our clients against the old and the new CA at the same time?

We would like to stop the autoenrollment on the old CA and enable it on the new one, and within 90 days, the old certificates will not be valid anymore. 90 days is the configured validity period for our computer certificates. 
After 90 days, we would remove the old CA. 

Is this a valid scenario?

Thanks for your help in advance!

Please enter a valid certification authority


Dears,

I have NAP with IPsec and the below configuration:

In my main site, I have 1 NAP server (NPS+HRA) and 1 CA server (Enterprise Root). I configured HRA with this main site CA and this is working fine.

In my 2nd site, I deployed 1 NAP server (NPS+HRA) and 1 CA server (Enterprise Root). I configured HRA here with the second site CA and this is working fine.

When I try to add Second Site CA to my first site HRA, I got this error: Please enter a valid certification authority

When I try to add Main Site CA to my second site HRA, I got this error: Please enter a valid certification authority

  • Please let me know where the log file is so I can find the root cause
  • Please let me know if you find a solution for this issue

Regards


Windows Server 2012 R2


Dear All,

We have Windows 2012 R2; it has ADS, DNS and GPO, and it's working fine. This morning I installed Windows 2012r on one of the PCs and added it as a member of the domain; it's working fine. Now it has a problem: in the Control Panel - Windows Firewall applet it was "Active domain networks: Subash.com"; now it shows "Active domain networks: none" and it has switched over to Active private network. I also tried gpupdate /force from the PC; the policy does not update, it just runs for a long time... Why did this problem happen? How can we solve this issue?

Please, dear engineers, save me .....

Yours truly Subash


3rd party certificates / configure valid NPS servers


We have setup a working 802.1x/Radius wired environment with MS NPS/NAP. We added a third party certificate for the NPS server to get rid of certificate warnings for non-domain clients.

We had a certificate for our mailserver since earlier (mailserver.domain.com). I do not know much about PKI but we bought something like a “subcertificate” that still is issued to mailserver.domain.com but has the FQDNs of our NPS servers as SANs.

We have imported and configured the use of the certificate. The first thing that happened was that clients got a warning when connecting:

The server “<Authentication server>” presented a valid certificate issued by “<CA name>”, but “<CA name>” is not configured as a valid trust anchor for this profile. Further, the server “<Authentication server>” is not configured as a valid NPS server to connect to this profile.

We corrected this error by following the KB: http://support.microsoft.com/kb/2518158 and checking the CA in the NPS authentication configuration.

Now the part of the error message regarding “valid trust anchor” has disappeared and it now looks like this:

http://www.chicagotech.net/images/ssl34.gif (with radius server: mailhost.domain.com).

Viewing our mailserver/NPS certificate, the certificate chain appears to be perfectly in order (we have imported intermediate certificates etc.).

The last part of the error message:

The server “mailhost.domain.com” is not configured as a valid NPS server to connect to for this profile.  

And that is correct, since that is our mailserver.

We have tried to register our mailserver as an NPS server (which it isn't) (netsh ras add registeredserver) and also issuing an NPS certificate to the mailserver, without luck.

Any suggestions?

Server Name Invocation with TLS


Hi

I have a .NET client program running on Windows Server 2008. The program communicates with a third party server using TLS. The owner of the server has given us a new requirement that the client has to use TLS with Server Name Invocation (SNI). I have checked that Winserver 2008 doesn't support SNI. 

I would like to install a library (for example OpenSSL) that supports SNI and then route all communication from my server over OpenSSL. Is it possible? If yes, what steps should I take?

If it is not possible to use OpenSSL instead of the built-in TLS functionality in Win Server, I need to make changes directly in the program code to use OpenSSL for each client program separately. This requires much more work. 

Thank you



Non Domain User Auth with Certificates


Hello All,

Need some suggestion from your side on my below requirement :-

Required Setup :-

Need to authenticate our Guest Users who are non domain users/system with certificate.

Current Setup :-

We have two Windows Server 2012 Enterprise running with AD, DHCP, CA, NPS Roles on same server as active standby.

We have configured 802.1x user auth for all our domain users and it's working fine without any issue. We have installed the Domain certificate that we got from the CA.

Could you please suggest how I can get a certificate generated from our domain CA for NON Domain users?

Thanks

Rohit Sood

Windows Server 2012R2 - Network Location Awareness keeps changing from Domain to Public after reboot


I also have this issue but I have domain controllers that are NOT part of this Hyper-V host.  If I restart the Network Location Awareness (which also restarts the Network List Service) It goes back to domain as it should.  Now when I reboot this server it will once again put the interface / network back to public even though this Hyper-V server has been successfully joined to the domain with a static IP.

Now for clarification.  This Hyper-V server does NOT have any virtuals configured yet.  The only thing that has been configured is a NIC team with two onboard NICs (LAN ports 3 & 4) and two NICs from an add-in four port card (ports 3 & 4) .  The Local LAN connection is dedicated to LAN Port #1.  We also have a dedicated IMM port for out of band access.

Now the ONLY time I can get this server to reboot and STAY in the "Domain" location is if I have PORTFAST enabled on the switch port it is connected to.  Yes, we use STP here in our enterprise.  This is not the first time I have had to do this but it doesn't seem right as a co-worker claims he does NOT need to do this and his Hyper-V server reboots just fine.  I have had him check it out and he cannot see any differences between his servers and mine.  Yet mine will always reboot to "public" unless I have portfast enabled.  Any thoughts??


Network Admin

Server 2012 r2 Radius

Looking for information on how to configure Radius to be able to authenticate to external network devices.

Health Policy doesn't work


NPS server running Win 2012 R2.

I am testing wired 802.1x policies in a test lab.  Switch has been configured accordingly and client authentication works perfectly when using domain membership (via 'Domain Computers' group) as the condition.

The problem I have is if I try to extend the condition to include or even solely contain a health policy.  It doesn't matter what the health policy conditions are (check for windows firewall or antivirus is on etc) but an authenticating wired client never works.

The NPS server event log shows the client was denied access and what is strange is the network policy mentioned in the event log is not the policy containing the compliant or non-compliant health policies.  It's actually a separate network policy used for an 802.1x wireless implementation.  So it seems the NPS server skips past the wired network access policies when a health policy is used within them.

I have Network Access Policy agent running on the client, EAP enforcement client is enabled on the client, 802.1x authentication settings are valid on the client.  I have been through many online 802.1x setup guides and I am sure every setting has been configured and nothing has been missed.

This issue applies to both Windows 7 and Windows Vista clients.

Do you have any suggestions on what may be causing this problem?

Error: 'Connecting to remote registry failed with: The network path was not found. (error 53)

Could not read the remote registry: Error 53: The network path was not found.  When I do a seek test it locates the machine. 

Certificate or Certificate Import


Hello !

We just purchased a Sharp MX-M565N all-in-one copier/printer and I am trying to connect it to our wireless access point, which is connected to a Cisco WLC, and the WLC is directing to RADIUS, which is a Windows 2012 Server. If I am not mistaken, I need to configure IEEE 802.1x settings on the Sharp printer, and when I try to do that it asks for a certificate. How can I import the authentication certificate from the RADIUS server to install it on the Sharp all-in-one?

Any help or suggestions would be much appreciated !

NPS-Wireless Radius Authentication


Dear Support.

We have enabled wireless RADIUS authentication on all client machines so users can access the wireless network through Windows authentication, but this prevents the logon script (for mapping drives), which is configured through Group Policy, from running on the client machines.

Please let us know what step we are missing in our current setup and how to make wireless RADIUS authentication and the login script work simultaneously.

Regards,

Hakim. B


Hakim.B Sr.System Administrator

Does NPS support SHA256 certificates?


Hi,

We have 2 environments - 1 CA using SHA1 and the other using SHA2.

The one using SHA1, it's working fine i.e. NPS can authenticate the computer device certs.

However, for SHA2, it's not working. I have been troubleshooting for a few days, so before going further, I just wanted to make sure NPS supports SHA256 certificates.

Thanks.

Server trying to access unrecognised IP address

Hi, we have a Windows 2008 R2 server connected to a hardware firewall. Our firewall is blocking the server from sending data packets to 232.108.116.118. We are unable to determine what on the server is trying to send to this IP address. It is not an internal IP address. Any help would be great. Many thanks.
