Channel: Network Access Protection forum
Viewing all 1875 articles

Subnet Communication

I write to ask about granting permissions for a subnet (10.5.2.X) to access folders on another subnet (10.5.1.X).

I need 10.5.2.X to have access to a Group Policy location on a Windows Server 2008 domain controller (for both 10.5.2.X and 10.5.1.X). But with the current configuration, 10.5.2.X cannot see machines on 10.5.1.X.

I have ensured the firewall/router is not blocking access.

Any help will be appreciated.


How to filter IP in NPS (RADIUS server)

Hi,

I configured AAA on Cisco devices (routers, Layer 2 and Layer 3 switches) which connect to Microsoft NPS (as RADIUS) for authentication and authorization. All works properly and fine!

In NPS, which is used as the RADIUS server, I created groups for privilege level.

So, assume I have 10 switches (SW-1 through SW-10).

I have one special user in Active Directory, e.g. MR.X.

I want user MR.X to be able to telnet only to SW-4 & SW-5, and not to connect via telnet or SSH to the others (all except SW-4 & SW-5).

Note: I should deny MR.X by username only, because MR.X can change his IP address, so I can't use an access-list to deny, for example, the IP X.Y.Z.W :(

So what is the best solution?

1. Is there any user-based access-list on Cisco IOS which identifies MR.X from the AD (Server 2008) and prohibits (denies) connecting to switches or routers?

--------------------------------------------------------------

2. Should I change something on the GPO server? Is there any policy that can define that user MR.X can telnet only to a special IP, and deny the others?

---------------------------------

3. Or is there a way to prevent a user from a special IP? (I know there is an IP filter, but assume we have 100 switches or more, so it takes too much time to add all of them.)

Thanks

Q: Does NPS support authentication using IMEI?

Hi,

I would like to know if I can use NPS to authenticate mobile phones using the IMEI number.

I want to set the IMEI number in a custom attribute under the user object in AD.

Thank you

RRAS and NPS on the same server - authentication methods



Dear all,

I have configured a VPN server by installing both RRAS and NPS role on it. My question regards the authentication methods available from RRAS properties (https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/00/46/91/metablogapi/clip_image004_thumb_2E6AEC77.png) and from NPS configuration (https://www.freeccnaworkbook.com/images/nps_policy_auth_methods.png): which ones are used, the ones defined by using RRAS properties, the ones defined from NPS, both or do they need to match?

Thank you for your help.




NPS - send data back to RADIUS client

Hi,

This is the first time I have configured an NPS server and NPS policy.

I was asked to configure the NPS server to check if a specific user has a custom attribute in his user object and, if so, to send this value back to the RADIUS client.

Is it possible?

If yes, how can I do it?

Thanks.

Windows Server 2012 as RADIUS Server (NPS) for WPA Enterprise (TP-Link): Wi-Fi devices cannot connect...

Hi,

All my Wi-Fi devices (Windows 10 PCs, Windows 10 Mobile, Android smartphones...) cannot connect to my WPA2-Enterprise WLAN if I check "Check server identity with certificate" (freehand translation :) ).

If I uncheck this, I can connect without problems.
If I check this, or use my Windows 10 Mobile phone, I get the error message "Connection not possible".
On my Windows 10 Mobile phone I can set "Server certificate checking" => None, then I can connect.

I use a public, valid wildcard certificate (example: *.mydomain.com).
My Windows 10 PCs trust these CAs (GeoTrust\RapidSSL); I have no problem with this certificate with my VPN (SSTP).
But maybe wildcard certificates do not work with WPA-Enterprise? Or do I have to configure something?

Any idea?

Best regards,
Coyo

NAS Related (Shadow Copy Option)

Hi,

Here I have a NAS in place and I would like your suggestion on the shadow copy option, if there is any way available to configure it. Please assist.

Thanks,

Ravindra

I need to change the Intel VT-x settings from the BIOS

I need to change the Intel VT-x settings from the BIOS, but I don't want to do it by going into the BIOS; I want to do it through the command line or any other software, if available. Please assist.

NPS and EAP requires Windows username to match common name - help with connecting Android


Hello - hope someone can explain this to me. This is a general question about NPS and Radius and I think I am simply missing something obvious. I have set a Windows 2012R2 server up as a Domain controller, a CA and a Radius server authenticating connection requests using NPS. The setup is pretty simple. Clients connect via Wireless and an Aruba networks controller and establish a VPN. The Aruba controller passes off the authentication requests to the 2012 radius server. The clients use Certificates to authenticate mapped to AD accounts.

We generate certs on the Windows CA.

We create an AD user and use name mappings to map the cert to the user.

We install the certificate, private key and root cert on the client machine and use the client cert to authenticate the client when it tries to establish the VPN tunnel.

OK so far so good and this is all working. However, the request then came in to connect Android clients. However, I can't seem to get the Android clients to work. When they connect I can see an IAS_Success message on the Radius server but the connection is never established and the tunnel is not formed. I never get a full network access granted event in the event log either.

OK - so I set up a Windows machine and an Android machine in an identical setup and I even used the same Certificate (which was generated independently and imported with the private key and root as a pfx file) to make sure the test was identical. Windows connects and Android doesn't.

Now I understand the common name on the cert has to match the AD user the certificate is matched to on the NPS side, but that's it, isn't it? What am I missing???

If anyone can help point out the obvious to me I would be very grateful.

Thank you



Trying to create a folder on a remote server. Get access denied, but I'm a local admin.


I need to be able to create folders on servers remotely via a script.  In testing this, I tried using the PowerShell commands:

$Servers='<server.domain.xxx>'
$NewFolder = '<folder_name>'
$Servers | foreach { New-Item "\\$($_)\c$\users\$NewFolder" -ItemType Dir }

I get access denied.  BUT the same account that I ran PS with is a local admin on the remote Windows 2008 R2 server.  Is there a setting or policy that could limit my ability to do this remotely?

Thanks

NPS - Secure Wireless - RADIUS - Computer Domain Policy

2012 R2 NPS server.

Set up WPA2-Ent to connect to the NPS server for validation.

It works fine if I use User Groups: member of grp_Secure_Wireless, and it works fine if I use Machine Groups: Domain Computers,

but it won't work if I use both in the same policy?

I only want company-owned laptops (verified as part of Domain Computers) and users that are members of Secure Wireless to be able to connect.

I need both to be valid, so I need them in the same policy.

Any thoughts are appreciated.

Thanks,

John

NPS Access denied Reason Code 65

Hi,

We have an NPS server configured and running on Server 2008 R2. All our existing Windows 7 clients are working without any issues. We started putting up Windows 10 and started seeing that when the user tries to RDP to the device, it gets disconnected. Looking under the NPS event logs, we found Event ID 6273. It says the following:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: DomainName\DeviceName$
Account Name: host/Hostname with FQDN
Account Domain:Domain Name
Fully Qualified Account Name:Domain/Computers/Windows 10/Hostname
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name:-
OS-Version: -
Called Station Identifier:18-8b-9d-f4-d6-b0:BPAccess
Calling Station Identifier:f0-d5-bf-aa-4d-99

NAS:
NAS IPv4 Address:xxx.xxx.xxx.xxx
NAS IPv6 Address:-
NAS Identifier:Cisco_9b:7a:e4
NAS Port-Type:Wireless - IEEE 802.11
NAS Port: 1

RADIUS Client:
Client Friendly Name:Wireless-LAN-Controller-1
Client IP Address:xx.xx.xx.xx

Authentication Details:
Connection Request Policy Name:Secure Wireless Connections
Network Policy Name:Connections to other access servers
Authentication Provider:Windows
Authentication Server:Server Name
Authentication Type:EAP
EAP Type: -
Account Session Identifier:35383534306265312F66303A64353A62663A61613A34643A39392F333137323538
Logging Results:Accounting information was written to the local log file.
Reason Code: 65
Reason:

The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

Even though my Wi-Fi profile through GPO is configured with PEAP as the authentication type, the logs show EAP.

Can someone please help me?

Regards,
V

Question about client certificate verification by NPS w/ TLS-EAP


Hi,

I'm currently converting a wifi setup with PEAP (client auth using MSCHAPv2) to TLS-EAP and I'm wondering how exactly the server verifies the client certificate.

I have a private CA, which I selected in the wireless profile pushed to clients. So the client won't accept a server certificate issued by any other CA, even if it matches.

All domain computers autoenroll for a computer certificate, and the wireless profile is set up so the computer certificate is used.

The NPS server has as condition in its policy that the client is in the "Domain Computers" group to be granted access.

Now, how does the server verify the certificate sent by the client? I don't see an option to "lock" the accepted certificate to an issuing CA like the one present in the client profile. So I came up with the following possibilities:

1. The server only accepts certificates from the same CA its own certificate was issued by, and then either uses the username sent by the client, the one in the certificate, or both (if so, which does it use/check?).

2. The server trusts any certificate that is issued by any locally trusted root CA (including the commercial ones). This seems unlikely, since in the past commercial CAs would issue certificates for *.local DNS names. So in that case anyone could just procure a certificate from a commercial CA that matches one of my domain computers.

3. The domain computer's certificate is published in AD, and the NPS server matches the certificate it gets from the client to the one in AD.

Option 3 makes the most sense to me, since that way the server will only accept the one certificate that was issued to the computer/client and nothing else. However, I can't seem to find any details in the documentation, only that "if the server trusts the client certificate the client is granted access" with no elaboration on what "trusts" means exactly.

Can someone tell me which of the options is correct, or whatever other option I didn't think about?

Lastly, I'd also like to know how I can debug the entire authentication process at a low level (e.g. every step taken), so if someone knows how to do this please tell me :) Both for the server side (2012 R2) and the client side (Win 8.1 & Win 10).

Thank you in advance!

PS. I'm wondering something else, and since someone that can answer the above is likely to know this as well, I figured I'd ask it here: Currently in the NPS policy I have selected "Strongest Encryption" 128-bit MPPE on the Settings tab -> Encryption. Is MPPE even used in a wireless setup such as mine? As far as I know MPPE is used for PPP connections as the main encryption of data after authentication, and the wireless connection will be encrypted using AES/CCMP as set up on the access point (and not with MPPE).

However, I noticed in the latest RFC defining EAP-TLS that the Pairwise Master Key (PMK) was previously named a "MS-MPPE key", so perhaps this setting controls the entropy in the generated PMK sent to, and then used by, the access point to use for its AES/CCMP? Does this encryption setting have any bearing on a wireless authentication setting such as mine, and if so, how exactly?

If not, how does the NPS generate the PMK that the access point is to use for encryption? I know a random PMK should somehow be generated by the NPS, which is what makes WPA2-Ent so much more secure relative to WPA2-PSK (which always uses the same PMK generated from the PSK and the SSID as salt). I'd like to understand how this part works ;)
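Added example (my own, not from the poster or from Microsoft): the EAP-TLS key derivation the last two paragraphs ask about, as specified in RFC 5216 section 2.3, written in Python for the TLS 1.2 PRF (P_SHA256 from RFC 5246; TLS 1.0 and 1.1 use a different MD5/SHA-1 PRF, which this block does not cover). The master secret and handshake randoms are constructed sample values. What it shows: the only inputs are the TLS master secret and the two handshake randoms; the first 32 bytes of the resulting MSK are what RADIUS carries to the access point as MS-MPPE-Recv-Key, and that is the PMK the 4-way handshake starts from. The policy's MPPE encryption-strength setting does not appear anywhere in this derivation.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5 (the TLS 1.2 PRF)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) for TLS 1.2."""
    return p_sha256(secret, label + seed, length)


def eap_tls_key_material(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """RFC 5216 section 2.3: Key_Material = TLS-PRF-128(master_secret,
    "client EAP encryption", client.random + server.random); the MSK is the
    first 64 octets and the EMSK the next 64. Nothing but the TLS master
    secret and the two handshake randoms enters the derivation."""
    km = tls12_prf(master_secret, b"client EAP encryption", client_random + server_random, 128)
    msk, emsk = km[:64], km[64:128]
    return {
        "MSK": msk,
        "EMSK": emsk,
        # RFC 5216 2.3: MSK(0,31) goes to the NAS as MS-MPPE-Recv-Key and
        # MSK(32,63) as MS-MPPE-Send-Key (the RFC 2548 attributes)
        "MS-MPPE-Recv-Key": msk[:32],
        "MS-MPPE-Send-Key": msk[32:64],
        # IEEE 802.11: the PMK used for the 4-way handshake is the first
        # 256 bits of the MSK, i.e. exactly the Recv-Key
        "PMK": msk[:32],
    }


if __name__ == "__main__":
    # Constructed, non-secret stand-ins for a real handshake's 48-byte master
    # secret and two 32-byte randoms.
    master_secret = bytes(range(48))
    client_random = bytes(32)
    server_random = bytes([0xFF] * 32)
    keys = eap_tls_key_material(master_secret, client_random, server_random)
    for name, value in keys.items():
        print(f"{name:17s} {value.hex()}")
    # A fresh client random (new every handshake) gives a new PMK; that is
    # where the per-session key freshness of WPA2-Enterprise comes from.
    other = eap_tls_key_material(master_secret, bytes([1] + [0] * 31), server_random)
    print("PMK changes with a new client random:", other["PMK"] != keys["PMK"])
```

Run it directly to print the five derived values for the sample inputs; compare the PMK line with the MS-MPPE-Recv-Key line to see that they are the same 32 bytes.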


Can't install KB2977292 on Windows 2012 R2 to enable TLS 1.2

Hello, has anyone come across this issue before?

I am using a 2012 R2 server as a RADIUS server. I have Windows clients and Android clients. When Windows connects, I can see via Wireshark that the conversation takes place using TLS 1.0, and the Windows clients connect.

When the Android clients connect they use TLS 1.2, but Windows tries to reply using TLS 1.0.

I found the article and patch KB2977292, which is supposed to enable TLS 1.2 on Windows 2012 R2, but when I try to install it I get a message that says the update is not applicable to my system. The server is fully patched and the update is definitely not installed already.

Any ideas anyone?

Thanks

Cannot stop folder sharing access after disconnecting the VPN connection from the client

Hi,

I have a server on the web with a static IP. I was able to install Routing and Remote Access for VPN on it successfully.

Now when I connect to this server with the client, I can access the shared files and folders on the server. But when I disconnect the VPN connection on the client, I still have access to these files and folders. It is dangerous for security!!!

I want to stop folder sharing access after disconnecting the VPN connection from the client.

Attention: folder sharing is Full Control access for Everyone.


Clustering of NPS Proxy Servers


Hello,

I am planning to introduce Windows RADIUS in our network for which, I am reading various articles and technical documents for preliminary preparedness.

As recommended in various forums, I am also planning to put a RADIUS proxy before my RADIUS servers to ensure high availability for authentication and authorization.

However, I have a question regarding redundancy of RADIUS Proxy server. This is because unavailability of RADIUS Proxy will have a large impact on authentication requests.

Since I could not find any article on how to build redundancy for RADIUS Proxy server, I thought to post this matter here for getting some more idea.

Thanks,

Amit Jogi

Range of IP addresses for which connection can be established


What is the range of IP addresses for which a connection can be established from our internet-enabled server? The protocol we use is TCP/UDP.

Extending Shared Folder Access to non-Domain Members


I have Windows Server 2008 R2 running as domain controller, and I need to allow a few non-domain users with static IP address access to a shared folder on the server. Is it possible to give access to non-domain users by specifying either their IP addresses or computer name?

cannot authenticate to Radius


Can someone advise what the error below might mean, as I cannot get our iPhones to connect to the Wi-Fi. This is the error I get. The iPhone has the correct certificate and it is not expired.

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: bb\bobmarcin

Account Name:   bb\bobmarcin

Account Domain:   bb

Fully Qualified Account Name: bb.local/finance/bobmarcin

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: 00-23-5a-71-09-f0:bb-wifi

Calling Station Identifier: 08-74-92-a2-5e-5a

NAS:

NAS IPv4 Address: 10.2.1.11

NAS IPv6 Address: -

NAS Identifier: SUM-WLC2

NAS Port-Type: Wireless - IEEE 802.11

NAS Port: 1

RADIUS Client:

Client Friendly Name: bb-wireless

Client IP Address: 10.2.1.11

Authentication Details:

Connection Request Policy Name: wireless

Network Policy Name:  bb wireless

Authentication Provider: Windows

Authentication Server: bb-dc1.bb.local

Authentication Type: EAP

EAP Type: Microsoft: Smart Card or other certificate

Account Session Identifier: 35383676513738352F30383A37343A30323A62323A35363A35662F231233555034

Logging Results: Accounting information was written to the local log file.

Reason Code: 23

Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
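Added example (mine, not from either poster): a small Python parser for the event 6273 text quoted in this post and in the "NPS Access denied Reason Code 65" post above, plus a triage helper that pulls out the fields an analyst looks at first. The embedded sample is the event body from the Reason Code 65 post, with that poster's placeholders (xxx, "Server Name") left as they appear; the reason-code table holds only the two codes those posts show. Two things the parser surfaces: the Account Session Identifier is logged as hex bytes and, for the Reason Code 65 post, decodes to readable text that embeds the Calling Station Identifier, which makes it useful for correlating with the wireless controller's own logs (the identifier quoted in this post does not decode to printable text, so the helper returns None for it); and "Connections to other access servers" is the catch-all network policy NPS creates by default, so a request that lands there did not match a more specific policy.

```python
# Sample input: the event 6273 body from the Reason Code 65 post, with the
# poster's own placeholders kept as they were written.
SAMPLE_EVENT = r"""
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: DomainName\DeviceName$
Account Name: host/Hostname with FQDN
Account Domain:Domain Name
Fully Qualified Account Name:Domain/Computers/Windows 10/Hostname
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name:-
OS-Version: -
Called Station Identifier:18-8b-9d-f4-d6-b0:BPAccess
Calling Station Identifier:f0-d5-bf-aa-4d-99
NAS:
NAS IPv4 Address:xxx.xxx.xxx.xxx
NAS IPv6 Address:-
NAS Identifier:Cisco_9b:7a:e4
NAS Port-Type:Wireless - IEEE 802.11
NAS Port: 1
RADIUS Client:
Client Friendly Name:Wireless-LAN-Controller-1
Client IP Address:xx.xx.xx.xx
Authentication Details:
Connection Request Policy Name:Secure Wireless Connections
Network Policy Name:Connections to other access servers
Authentication Provider:Windows
Authentication Server:Server Name
Authentication Type:EAP
EAP Type: -
Account Session Identifier:35383534306265312F66303A64353A62663A61613A34643A39392F333137323538
Logging Results:Accounting information was written to the local log file.
Reason Code: 65
Reason:
The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
"""

# Only the two codes that appear in the posts; the text paraphrases their Reason lines.
REASON_CODES = {
    23: "EAP processing error on the NPS side; check the EAP log files",
    65: "Account's Dial-in tab has Network Access Permission set to Deny access",
}

SECTIONS = ("User", "Client Machine", "NAS", "RADIUS Client", "Authentication Details")


def parse_event_6273(text):
    """Split an event 6273 body into {section: {field: value}}. Lines without a
    colon before the first section header go to Header['message']; a bare
    'Reason:' line means the free-text reason follows on the remaining lines."""
    result = {"Header": {"message": []}}
    section = "Header"
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for idx, line in enumerate(lines):
        key, sep, value = line.partition(":")   # first colon only: values may hold colons
        key, value = key.strip(), value.strip()
        if not sep:
            result["Header"]["message"].append(line)
        elif key == "Reason" and not value:
            result[section]["Reason"] = " ".join(lines[idx + 1:])
            break
        elif key in SECTIONS and not value:
            section = key
            result[section] = {}
        else:
            result[section][key] = value
    return result


def decode_session_id(hex_id):
    """The event logs the NAS-supplied Account Session Identifier as hex bytes.
    Return the decoded text when it is printable ASCII, otherwise None."""
    try:
        raw = bytes.fromhex(hex_id)
    except ValueError:
        return None
    return raw.decode("ascii") if raw and all(0x20 <= b < 0x7F for b in raw) else None


def triage(event):
    """Pick out the fields an analyst wants first from a parsed event."""
    auth = event.get("Authentication Details", {})
    try:
        code = int(auth.get("Reason Code", ""))
    except ValueError:
        code = None
    return {
        "reason_code": code,
        "meaning": REASON_CODES.get(code, "not in the local table; read the Reason text"),
        "account": event.get("User", {}).get("Account Name"),
        "calling_station": event.get("Client Machine", {}).get("Calling Station Identifier"),
        "nas": event.get("NAS", {}).get("NAS Identifier"),
        "session": decode_session_id(auth.get("Account Session Identifier", "")),
        # NPS creates "Connections to other access servers" by default as a catch-all;
        # landing there means no more specific network policy matched the request
        "hit_default_policy": auth.get("Network Policy Name") == "Connections to other access servers",
    }


if __name__ == "__main__":
    for name, value in triage(parse_event_6273(SAMPLE_EVENT)).items():
        print(f"{name}: {value}")
```

Run it directly to print the triage of the sample; paste another event body into SAMPLE_EVENT (or read one from a file) to triage a different denial.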

My Server Wi-Fi shows limited

Hi, I recently installed Server 2012 R2 on my laptop for testing purposes. I also installed Hyper-V and made a Server 2012 R2 machine.

The problem is, when I connect Windows Server 2012 to the internet through a Wi-Fi mobile hotspot it works perfectly and connects to the internet without an issue. But when I try through another network's Wi-Fi router it shows limited connectivity. My other laptop works perfectly on both Wi-Fi connections.

I also checked drivers and static IP address settings but the situation remains the same....

Note - AD not installed......
