Channel: Network Access Protection forum

Need help with using NAP DHCP for Domain Computers only


I was wondering if anyone could help me accomplish with what I thought would be a pretty simple task after reading about NPS and NAP.

Environment: Two Windows Server 2012 R2 servers with AD, DNS, DHCP (with one scope that has failover load balancing) and NPS; one of the servers also has WDS/MDT (this server has DHCP option 60 to accommodate the DHCP ports).

What I would like to accomplish is to create two for sure, maybe a third if necessary:

1) When a PC on my network is in the \Domain Computer group, NAP and NPS would authenticate it so DHCP would hand it a lease.

2) If a device is not NAP-compatible, it would still be given a lease based upon its MAC address (this is for our IP phones and printers).

3) (if this needs to be a policy) Any device that does not meet those policies is denied.

The network cannot support 802.1x at this time. 

I followed this: http://www.technig.com/configure-network-access-protection-server-2012-r2/ article to get the ball rolling and this: https://blogs.technet.microsoft.com/teamdhcp/2008/06/15/nap-enforcement-exemption-for-printers-and-other-network-appliances/ article for the IP phones and Printers Network Policy. 

The condition that I put in for the domain computers Network Policy was Machine Group: \Domain Computers

Under constraints > Authentication, I have tried MS-CHAP-v2 and MS-CHAP and when that did not work, I switched it to Perform machine health check only. 

For the SHV, I have deselected all the options.

My issue is when NAP is turned on, the computers will not receive a lease from DHCP. The Telephones work. I have ensured Failover is working and both servers are distributing a lease when NAP is turned off by deactivating one of the scopes and renewing the lease to see which DHCP server the lease was obtained from. 

Thank you for your time and please let me know if I need to include any other information.



NPS on DHCP for multiple-vlans


Hello,

On our network

172.16.125.0/24 - User Segment

172.16.128.0/24 - Server segment (DHCP/NPS servers)

We set up our DHCP and NPS on the 128 network and the clients are on the 125 network. How can NPS work in such a way that the clients can authenticate to the NPS server?

I found this solution https://technet.microsoft.com/en-us/library/cc772124(v=ws.10).aspx

But I need your advice: do I have to configure a RADIUS server, and do I have to configure our switches as well?

Regards,

Miguel

802.1x authentication for non domain joined devices


Hi,

Currently we authenticate network devices (printers, scanners, etc.) using 802.1x with MAC address bypass, whereby we enter usernames against MAC addresses in AD for each device. This is clunky and not ideal. I'm looking for a solution which can roll out certificates to printers, scanners, thin clients, etc. in a secure and manageable way.

What's the recommended way of achieving this?

Thanks

NPS 802.1x using the same certificate


Hi,

Is it possible to use a single certificate for multiple devices to be authenticated by 802.1x? E.g. can I assign 1 certificate to 100 printers and have them authenticated using the same certificate, or do I need a cert for each individual device?

Thanks


IT Support/Everything

Multiple NPS configuration merge


Hello,
Currently, I have something like 80+ RADIUS servers in my scope and I would like to create one server to back up all of them.
I have some questions:
If I import multiple configurations on this server, will a merge be done, or will each import overwrite the previous one?
If a local group already exists, will it be overwritten, merged, or will nothing happen?
Thanks and regards,

Jeremy

how do i activate network discovery?


My network discovery function is "off". I have tried turning on network discovery at the prompt but it will not work.

Our home router works and I can get onto the internet through my laptop but not my desktop, nor can I access my printer.

I would be so grateful for support.

thanks, nb

Configure EAP As Authentication


Hi all,

Recently we configured NPS for wireless access on domain controllers. When we installed it on the first DC it didn't ask for any certificates and it works smoothly. On the second DC we created the same NPS settings as on DC1, but here we are getting the error "A certificate could not be found that can be used with this EAP". My query is how it works on the first DC while the same settings did not work on the second DC.

Security issues, changing the url of web access and logging at the same time


Hello, I would like to ask several questions about Windows Server 2008. I have a software developed in Windev and I would like to put it on a server in order to offer it as SaaS. This software allows printing some charts. When we print a document, the Windows dialog window opens, and it is possible to access the network with the network button. Is it possible to hide this button in some way so that people won't access the network?

Also, I would like to change the URL of the web access. For now it's https://ip-address/rdweb; I would like it to be a more user-friendly address, with the name of the domain for example. I tried but it didn't work. How could I do that?

And another issue is the problem of logging on at the same time. For now, when someone logs on and a different person logs on with the same ID, it stops the session of the first person. It is dangerous because the first person will lose his work. Is it possible that the second person can't log on if the first person is already logged on?

Thank you for your help!


RADIUS Server with two-factor authentication


Hi all,

Is it possible that I set up a RADIUS server in a separate domain forest to act as the second-factor authentication server in a two-factor authentication configuration?

Thanks

Best Regards,

Elroy

Trouble on admin sharing


hi....

I'm new here, please help with my trouble on Windows Server 2008 x64.

I have a Server 2008 as DNS, DC + user data backup. Local IP 172.21.1.2.

Why can I access \\172.21.1.2\d$ from a user PC that is logged in as a normal user without being prompted for the admin username and password?

I have tried to search solution, still no result.

Please help me.

Regards,

Anton

No. of RADIUS Clients supported by various editions of Windows Server 2012


Dear Friends,

Like Windows Server 2008 Standard Edition, which supports up to 50 RADIUS clients, I would like to know the number of supported RADIUS clients for the various Windows Server 2012 editions (Standard and Standard R2).

Thanks,

Amit Jogi

How do I return the normalised, inner identity of a user in the User-Name AVP of an Access-Accept?


Is it possible to configure NPS to return the normalised, inner identity of a client in the User-Name AVP of an Access-Accept to cope with anonymous outer identities?

Where 802.1X authentication takes place and an anonymous outer identity is used (meaning that it differs from the inner identity) with a TLS based EAP, such as PEAP, it should be possible to return the inner identity in the Access-Accept so that the NAS has the ability to work with the 'real' identity of the user. Can NPS do this? How would this be configured?

The User-Name AVP of an Access-Accept also provides a RADIUS server the ability to return a user's identity normalised. (For example, where domain\user is supplied by a user, the RADIUS server can always respond with user@fqdn.) Can NPS do this? How would this be configured?

Increasing numbers of features are being implemented in switches and access points, such as L7 application visibility and control, so it is a significant operational concern that such devices work with an accurate identity, one that cannot be spoofed with an anonymous outer identity and is consistent for a discrete user.

If this is not possible today, how would one go about making a design change request to Microsoft to accomplish this or talk to the development team? Is this an oversight? Competing RADIUS servers such as FreeRADIUS and Radiator have this ability when configured.

For reference, this is RADIUS standard behaviour.

RFC 2865 states in Section 5.1:

[The User-Name AVP] MAY be sent in an Access-Accept packet, in which case the client SHOULD use the name returned in the Access-Accept packet in all Accounting-Request packets for this session.

RFC 3579 states in Section 3:

The User-Name attribute within the Access-Accept packet need not be the same as the User-Name attribute in the Access-Request.

Furthermore, where federated authentication has taken place, such as in eduroam, and a User-Name AVP has not been returned in the Access-Accept yet a Chargeable-User-Identity has after being requested, it should be possible to configure the RADIUS implementation to add a User-Name AVP set to cui@realm to the Access-Accept it sends on to the NAS so that it gets an identity that identifies the user with a constant identifier.

Is support for Chargeable-User-Identity (RFC 4372) ever planned for NPS?

See:

https://community.ja.net/library/janet-services-documentation/chargeable-user-identity-eduroam-freeradius-implementation

Thanks!

Nick
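As an added illustration of the RADIUS behaviour Nick describes (this is example code written for this page, not code from the post and not a description of how NPS itself is implemented), the Python sketch below shows what a RADIUS server that follows RFC 2865 and RFC 4372 does when it returns an identity to the NAS: it normalises a PEAP inner identity from domain\user or bare user to user@fqdn, passes through a User-Name already present in a proxied Access-Accept, synthesises cui@realm when only a Chargeable-User-Identity came back from the home server, and encodes the result into an Access-Accept whose Response Authenticator is computed as RFC 2865 section 3 specifies. The NetBIOS-domain-to-realm table, the shared secret, the identities and the CUI value are constructed sample data.

```python
import hashlib
import struct

# Packet code and attribute types from RFC 2865 (User-Name) and RFC 4372 (CUI).
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_CHARGEABLE_USER_IDENTITY = 89

# Constructed sample mapping of NetBIOS domain names to realms (an assumption,
# not anything NPS ships with).
DOMAIN_TO_REALM = {"CORP": "corp.example.com"}


def normalise_identity(identity: str, domain_to_realm: dict, default_realm: str) -> str:
    """Return the identity in user@realm form, the normalisation the post asks for.

    domain\\user  -> user@<realm looked up for domain>
    user@Realm    -> user@realm (realm lower-cased)
    user          -> user@default_realm
    """
    if "\\" in identity:
        domain, user = identity.split("\\", 1)
        realm = domain_to_realm.get(domain.upper(), domain.lower())
        return f"{user}@{realm}"
    if "@" in identity:
        user, realm = identity.rsplit("@", 1)
        return f"{user}@{realm.lower()}"
    return f"{identity}@{default_realm}"


def realm_of(outer_identity: str, default_realm: str) -> str:
    """Realm part of an outer identity such as anonymous@home.example.edu."""
    return outer_identity.rsplit("@", 1)[1].lower() if "@" in outer_identity else default_realm


def user_name_for_accept(inner_identity, outer_identity, upstream_attrs,
                         domain_to_realm, default_realm):
    """Choose the User-Name to place in the Access-Accept sent to the NAS.

    1. Locally authenticated (PEAP inner identity known): return it normalised.
    2. Proxied accept already carrying User-Name: pass that through.
    3. Proxied accept carrying only a Chargeable-User-Identity: build cui@realm,
       taking the realm from the anonymous outer identity.
    4. Otherwise nothing usable is available: return None.
    """
    if inner_identity is not None:
        return normalise_identity(inner_identity, domain_to_realm, default_realm)
    by_type = {attr_type: value for attr_type, value in upstream_attrs}
    if ATTR_USER_NAME in by_type:
        return by_type[ATTR_USER_NAME].decode("utf-8")
    if ATTR_CHARGEABLE_USER_IDENTITY in by_type:
        cui = by_type[ATTR_CHARGEABLE_USER_IDENTITY].decode("utf-8")
        return f"{cui}@{realm_of(outer_identity, default_realm)}"
    return None


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attributes(data: bytes) -> list:
    """Parse a RADIUS attribute list, rejecting truncated or zero-length entries."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attributes) -> bytes:
    """Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def demo() -> dict:
    """Two constructed scenarios: a locally authenticated PEAP user and a proxied
    (eduroam-style) accept that carries only a Chargeable-User-Identity."""
    # Scenario A: local authentication, inner identity CORP\alice behind an anonymous outer.
    local_name = user_name_for_accept("CORP\\alice", "anonymous@corp.example.com", [],
                                      DOMAIN_TO_REALM, "corp.example.com")
    packet = build_access_accept(7, b"\x00" * 16, b"constructed-secret",
                                 [(ATTR_USER_NAME, local_name.encode("utf-8"))])
    # Scenario B: the home server returned only a CUI; synthesise cui@realm for the NAS.
    federated_name = user_name_for_accept(None, "anonymous@home.example.edu",
                                          [(ATTR_CHARGEABLE_USER_IDENTITY, b"a1b2c3d4")],
                                          DOMAIN_TO_REALM, "corp.example.com")
    return {"local": local_name, "federated": federated_name,
            "packet": packet, "attrs": decode_attributes(packet[20:])}


if __name__ == "__main__":
    print(demo())
```

The NAS-facing value is deliberately derived only from what the server has verified (the inner identity it authenticated, or attributes the home server signed for with its own Response Authenticator), never from the anonymous outer identity the client chose; the outer identity contributes only the realm suffix for the CUI case, which is the one part of it the home server's response has implicitly confirmed.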

Microsoft RADIUS Server 2012 R2, Local Client Authentication and Linux Server Authentication


We have MS RADIUS Server 2012 R2; Active Directory clients are working properly with EAP (PEAP) wireless networks.

How will we connect local users (users created on the RADIUS server NPS) and Linux machine clients?
Kindly help?


Network folder failed access since upgrading to Windows 10


We have 5 HP all-in-one desktops with Win 10 installed. I have just updated 2 other desktops that had Win 7 on them to Win 10; one of them will not see a networked folder. All other computers are fine. I checked driver updates in Device Manager but it still won't give permission. This computer will see other folders on the computer that has the folder it can't see. Can you help please?

The error states: "You do not have permission to access \\[computer name]\c. Contact your network administrator to request access."

Configuring EAP-TLS on Windows Client (Wired)


Hello,

I am attempting to configure Windows clients to authenticate as the machine with a computer certificate. The Mac clients authenticate just fine but Windows clients just time out. I have been up and down the config of our switches and the NPS server and still can't seem to find a solution. I see 'Onex Auth Timeout' in the Wired AutoConfig log on the client and on the NPS server I see it is hitting the server in the log in C:\Windows\System32\LogFiles but not in the Event Viewer. I have no idea what I am doing wrong. EAP-MSCHAP-V2 works fine but I want to use EAP-TLS.


Thanks!


IAS/NPS 802.1x EAP-TLS Authentication Failed


Hi,

I'm having a problem with EAP-TLS and my client (iPhone).

I've installed a new PKI (SHA-2) and since this new PKI, phones (iPhone) cannot authenticate. Phones have the new root certificate and new user certificate in their store.

On the NPS server, I've got event ID 6273 "Denied access to user xxx": An error occurred during the NPS use of the authentication protocol (EAP). Reason code 23.

In the svchost_RASTLS.log:

AcceptSecurityContext returned 0x90317
State change to SentFinised. Error 0x90317
Negociation Unsuccessful
BuildPacket
Sending failure (Code:4) ....
AuthResultCode = (590615), bCode= (4)

In the IASSAM.LOG:

EAP Authentication failed

The NPS server has a certificate issued by the new PKI.

If someone can help me!?

Many thanks

RADIUS Authentication using MACs without user accounts


Hello all, I am trying to configure our new RADIUS servers using MAC authentication for the time being, so we are not required to reconfigure every phone and switch on site, which includes about 3000+ phones and 200+ switches.

I am trying to configure the MAC addresses using wildcards. We have been able to get the connection request to process, but I am never able to get the Network Policy to even hit. Most of the columns in the SQL log show NULL, including the Calling-Station-Id, and it is eventually rejected because no policies match. Everything shows fine when processing the connection but does not seem to transfer over to the network policy. Does anyone know of a guide or have any tips on getting this properly configured?

NPS Server and NAP High Availability in Server 2012 R2


How do I implement High Availability for NPS Server and NAP in Server 2012 R2, the failover scenario, and how does it work? Can anyone guide me or refer me to a detailed link for Server 2012 R2?

Thanks...



DDOS ATTACK AND BOTNET


Now a lot of people are using DDoS attack or botnet software to drop connections. I am using Windows Server 2008, and someone always attacks my UDP ports. I have already closed this port and still he can drop my connection on the same port. That is so bad, please help.

Windows 10 Client Machine information in NPS due to missing NAP client


Since Windows 10 lacks the NAP client, I'm wondering if there is another way to get the Client Machine information.
(The information in the red square in the screenshot below.)
Something like a service or other type of default client that should be activated.

At this point we need to first figure out a solution before we can start rolling out Windows 10 in our Enterprise.

Some more background information, we use the Client Machine (Account name) for our wireless solution.

A user connects to wireless using his user credentials (sent from Windows logon).
With this user login on WiFi, the NAP client used to send the Client Machine information.
In NPS we checked on membership of a specific user group AND membership of a specific machine group.

This way we had a combination of user information that the user needed to know and a device the user needed to have.
Which resulted in a very simple but effective way of 2-factor authentication.

Something that normally couldn't be done, because wireless normally only uses either user OR computer authentication. NAP made this possible!
