Channel: Network Access Protection forum
Viewing all 1875 articles
Browse latest View live

NPS Logs

Hi Team,

I am writing an IAS Log Viewer application and I don't understand one thing.
When I open the CSV file I can see:

"CLIENTCOMP","IAS",03/07/2008,13:04:33,1,"client",,,,,,,,,9,"10.10.10.10","npsclient",,,,,,,1,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

This is the second example:

"CLIENTCOMP","IAS",03/07/2008,13:04:33,2,,"npsclientdc/Users/client",,,,,,,,9,"10.10.10.10","npsclient",,,,,,2,1,"Allow access if dial-in permission is enabled",0,"311 1 10.10.10.11 03/07/2008 20:04:30 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Every first row always has IAS_SUCCESS and the other has the correct value.

Could you please explain why we have two logs which are associated with the same user?

https://technet.microsoft.com/en-us/library/cc771748(v=ws.10).aspx


Network Policy Server Problem - "Domain Computers" Fail To Authenticate

I recently implemented a new wireless system with APs that use WPA2 Enterprise Authentication via our local RADIUS server and local Certificate Authority. Currently everything works well from the users' end. They log in to their computer, select the correct SSID, and authenticate automatically. My problem is I need to limit this authentication to only devices on the domain. With the current configuration, anyone with network credentials can authenticate with any device. This is a major problem.

To me the obvious answer was to add the Windows group "Domain Computers" to the Network Policy. The moment I do this users fail to authenticate with the below error.

My current connection request policy 

Current Network Policy

If I remove the OR statement, and make this only Windows Group - Domain Computers, users will fail to authenticate.

Does anyone have an idea how I can fix this?

Windows Server 2012 Internet connectivity problem

Can you help me forward with this connectivity problem?

For a couple of days Windows Server 2012 can't connect to the Internet. Anyway the LAN cables are OK and the server seems to be in the LAN. I get the following message:

There have not been any big changes in the server or the LAN for a long time.


Nikorios

NPS SQL missing reason-code in Server 2012 R2

Hi

It seems like several SQL fields in the 2012 R2 version of NPS logging have been removed.

Amongst others the Reason-Code field.

Most people only refer to log files to see why someone can't connect to the VPN server.

In previous versions we had a web front end for a SQL view that gave you the reason why the server denied access, so that we do not need to give helpdesk personnel access to the log files, and we also filter which operations VPN sessions they can see (via multiple VPN NPS policies and then filter the SQL view based on their permissions).

Is there any way to restore the logging of this field to SQL as well as logging the source IP address of the request (our investors require this and we get audited on it) with the issued IP (non DHCP)? We are not allowed to run DHCP on this server since it is situated in the 3rd party datacenter.

Regards

Johan

PRINTER IS NOT RECOGNIZED

How do I access the firewall to allow my wireless Kodak printer to work? Ever since I installed Windows 10 I keep getting the error that the print spooler is not responding, but it won't allow me to uninstall and then reinstall. Now it's saying that the viper protection cannot be located. Help please.

Question about Identity Privacy on Windows Server 2012 R2

I'm attempting an NPS installation with Identity Privacy enabled and having difficulty figuring out how this is deployed on the server side. I know that on the client side, the Identity Privacy box can be checked and the faux name entered on the PEAP type itself but I am unable to find where to set up this faux name on the server itself. If I try to just set up the client with Identity Privacy, the server rejects the faux name with a message that "the specified user account does not exist."

Is there a way to set up the Windows Server 2012 environment to support the Identity Privacy option?

Thank you for your time.

Server 2012 firewall to block all incoming traffic based on available computing resources

I am setting up a network commander, whose main role is to run heavy calculation tasks, with the Windows Server 2012 R2 firewall turned on. There is no other computer on the network. The computer is only set up as a network commander to use the Windows HPC job batch manager (requirement).
This computer only needs to communicate with the rest of the world when it has finished its heavy calculation tasks.
I'd like to set up my server 2012 firewall to block all traffic when the computer is running heavy calculation.

Scenario 1 - I use Windows System Resource Manager to give priority to the computing tasks.
During a calculation task, what will happen when the firewall doesn't have sufficient computing resources allocated to it:
- Does it simply block all traffic until compute resources are available again?
- Does this lack of resources create a security risk? Or is security actually enhanced?

Scenario 2 - I automatically STOP the Windows Firewall service when using the computer for a heavy calculation task. I understand this is an unsupported state.
http://www.dell.com/support/article/au/en/aubsd1/SLN156677 says that the computer "will appear to other machines as though the server has been disconnected from the network", which is exactly the behavior I am seeking. I understand it doesn't get safer than this.
But https://technet.microsoft.com/en-us/library/cc766337(v=ws.10).aspx in the CAUTION at the bottom of the page says that TURNING OFF the firewall service exposes my network to "attacks that employ network fingerprinting". Is this also the case if I STOP the service?

Should I just try the above scenarios and run intrusion testing for both scenarios and see what happens?


NAP separate DHCP Server

Hi All,

I recently set up 2 servers:

  1. DC1 - AD, DNS, DHCP, NPS(As per forum and articles suggested on separate NAP DHCP setup)
  2. NPS1 - NAP

What I've done here is I already created a GPO based on the step by step guide for DHCP Enforcement. I also configured the shared secret based on this post:

https://social.technet.microsoft.com/Forums/en-US/9f1b5d60-bf1e-40d0-8b8b-11338adf4ffe/nap-dhcp-shared-secret?forum=winserverNAP

I also configured the Scope Policy for my DHCP Scope on DC1, since I'm using WS2012R2, but when I enabled the DHCP Scope for NAP, clients are getting an APIPA IP address instead of an IP from the DHCP Server. This is experienced for both Compliant and Non-Compliant units.

Any workaround or solution here?

Thank you!




trouble with private vpn connectivity in Windows 10

Hello

I'm trying to install a VPN - Private Internet Access - on my desktop PC running Windows 10. I followed their instructions, entering their address, username and password in the Network settings, but when I try to connect, the message says "A connection to the remote computer could not be established, so the port used for this connection was closed."

Any ideas on how to fix this problem? Is PIA not Windows 10 compatible? Any suggestions for which VPNs are?

Thanks so much.

Brooklyn

NPS as Radius Server for 802.1x - Mac Filtering

I have successfully deployed DHCP with MAC filtering; however, security is still open since the Access Points don't have any security.

Just putting in a static IP will give access to the network.

The wireless LAN clients are Windows and non-Windows devices such as laptops, desktops and handhelds.

So the idea is to implement NPS and to configure the RADIUS server, creating a policy just for filtering the MAC address of the device.

Is this possible using NPS?

How can I specify the MAC address list of all devices?

All this will be for Windows and non-Windows devices.

Hope the requirement is clear.

lovalles


Will Backup DC authenticate for NPS/Radius 802.1x when PDC is down?

I am looking to deploy a WPA Enterprise RADIUS solution using NPS. I have successfully set up a DC and NPS and it works great. My only problem is I need a fault tolerant solution. This would require a second server.

I understand that NPS cannot replicate so I will have to use a script to export and import the configuration for NPS, which is easy, and I do not expect many changes in the config.

My concern is authenticating users. If I only have 2 DCs, 1 PDC and 1 BDC, and the PDC goes down, will the BDC continue to authenticate users or will I have to transfer all the roles over before it will authenticate users connecting using WPA Enterprise?

To be clear this is for non-domain connected computers.  I am using this as a cloud based WPA enterprise solution for non-connected wireless client machines.

Re-register NPS Server

I get this error every time.

Before you ask, I have used all possible accounts and all have the same result.

So I would like to begin from the beginning. So is it possible to COMPLETELY uninstall NPS, re-register and all?

Problem with reauthentication W2012 Server R2 + HP Procurve + NPS +AD

Hello:

I'm using NPS with AD to control access to my network.

When I change the password of a user (for example, user1), I'm able to access the network. However, if I disable the account, I don't access the network in a minute (this is what I want).

The computer is attached to port 26:

This is my config --> aaa port-access authenticator ethernet 26 reauth-period 60

Is there any way to force the user to reauthenticate when a change of password happens without disabling the account?

Best Regards.

Tools for analysing NAP log files?

UAG 2010/Win 7 DirectAccess with NAP enabled on the UAG servers. 

I want to be able to enable NAP in monitoring mode only, and then look at the NAP log files to determine which clients are being refused access and why, before enabling full enforcement mode.  I’ve found the logs located in C:\Windows\System32\LogFiles\IN*.log, but I am unsure as to what all the fields are? Are they fully documented anywhere?  Or is there a tool that analyses the files to give something a little more user friendly and meaningful for the customer? 

opening ports in Windows Server 2012 R2

I cannot open port 27000-27009.

Tried all the straightforward options, and Windows Firewall.

Even turned off the firewall. NO LUCK.

Help


802.1x certificate based authentication with Cisco Switches

Hi

I am looking to implement 802.1x using NPS and Cisco switches and am looking for some help. We have a CA set up and all computers are getting certificates automatically. We want to use computer authentication via certificate so machines can be connected to the network before users log in.

We can do it with user authentication but are not sure if that will cause issues with user logins, as authentication will happen after the user has logged in.

Would appreciate it if someone can point to some tutorial or instructions on the NPS side and the Cisco switch side.

Thanks in advance

Network Policy server question

We currently have an internal wifi for our notebooks to use. We are currently going to set up a public wifi and we need to block our existing work notebooks from connecting to it. We currently use a network policy server to control our existing internal wifi as we use certificates. If you do not have the certificate based on the RADIUS policy, your notebook will not connect to the internal wifi.

For the public wifi, we would like to create a rule that says if your PC is joined to the domain, deny access, but if your PC is not joined to a domain, such as a personal computer, you may join the public wifi.

If this can be accomplished, what is the best way to set this up?

Network Policy Server - RADIUS issues

Hi,

I'm trying to configure an NPS as a RADIUS server for a customer. I've never set one up before, and after a week of troubleshooting from where I am to where the customer is (across the country) we are finally getting rejected instead of no response from the server at all (yay).

The issue I have now is event ID 4401 Domain controller for "domain" DIR is not responsive. NPS switches to another DC.

Then I get event ID 4400 There is an LDAP connection for domain controller "domain" is established. Each time it hops between different domain controllers. This is a large domain with many DC's...

The NPS server is a member of the RAS and IAS group in Active Directory and is on the domain...

Any ideas?

EDIT:

I would also like to add that I am getting access-request and access-challenge and access-reject while watching Wireshark when someone tries to connect. The users are added to the security group that is added to the network policy conditions.

MS CHAP with DHCP

I have successfully installed (fingers crossed) NAP on my network (192.168.1.0/24) on wireless connectivity. The DHCP server issues a subnet of addresses in this range.

The problem arising is that I am running out of usable addresses and would like to segregate the wireless network to 192.168.2.0/24.

Would someone point me in the right direction on how to implement this, especially on the DHCP side?

File in use

Gets a "File in Use" dialog indicating the file is already open, which is false.

Windows server 2012
