Channel: Network Access Protection forum
Viewing all 1875 articles

ODBC connectivity in NPS on Windows Server 2008 R2


I am using a RADIUS server on Windows Server 2008 R2. I want to authenticate devices via the RADIUS server using SQL Server 2008 R2. I need to know how to configure the RADIUS server to authenticate a device (MAC address) using SQL Server. Does it use ODBC? If yes, then how?

Any help will be highly appreciated.


Implementing Network Access Protection

IPsec enforcement confines communication on a network to those nodes that are considered compliant; should a machine be considered non-compliant, it is confined to a restricted network. When remedied, should it automatically return to full access without having to log out and back in, and if so, is there a time interval which can be set to recheck the compliance of machines on the restricted network?

Creating Separate Networks


Hi,

I am not entirely sure if the NPS and NAP thing can address this scenario, so please forgive me if I have posted in the wrong forum.

We have a requirement to create two separate networks: we have a corporate network, and would like to introduce a training and development network. We have a small number of virtual servers all hosted on one physical server. Everything we have goes through the same switches (but these do not have a web interface and can't set any kind of VLAN on them). We have a DrayTek router which connects to the internet, and this has 4 wired ports which we could configure in a VLAN. I am wondering if it is possible to use NPS (or what would I use?) to allow us to create a secondary network which is completely isolated from our corporate servers. We currently use AD, DNS, DHCP and all the rest of it, and we would like to have another server which has those roles on it, but configured for the training network, using a completely fictitious domain name, like contoso.com or whatever.

Can someone please advise how I would best be able to implement this without the purchase of new hardware? Is it possible to create this scenario purely by installing more Windows servers and configuring them?

Many thanks

Steve

Switch SSH, SSL/TLS, 802.1x RADIUS, HTTPS


Good morning everyone,

Just a small question on which I can't find a good valid answer.

Can anyone confirm that if I buy a switch with the following description: SSH, SSL/TLS, 802.1x RADIUS, HTTPS,
it will also support EAP-TLS for RADIUS (802.1x)?


Andre

Windows Server 2008 R2 + NPS: how to disable connection requests from mobile WiFi


Dear Buds,

How has life been treating you?

I need some help from your side.

I installed NPS on Server 2008 R2 to manage wireless connections (RADIUS). I need to disable connection requests from mobile devices that support WiFi, or make them get an IP from another DHCP server. How can I do it?

Thanks in advance 

How to change ARP offload setting when IP lease expires when client PC in sleep?


In most cases, DHCP is used in the network environment. The DHCP server sends a lease expiration time to the DHCP client when assigning an IP. If the lease time expires while the PC is in sleep mode, ARP offload seems to keep working and will wrongly respond to the DHCP server's ARP request, because the original IP of the PC has expired and been marked as available at the DHCP server.

Question: how could a PC, and which component in the PC, change the ARP offload settings in this case?

Thanks.

With NPS on Server 2008 R2, is it possible to disallow connection requests from mobile WiFi devices?


I have NPS on Server 2008 R2. Can I disallow the connection requests from mobile WiFi devices like Nokia, etc.?

Or can I assign IPs to these devices?

Exclude some IPs from NAP


OK, here is the scenario:

I have domain PCs (which are managed by IT),

some workgroup laptops which are not managed by IT,

and some Linux machines and smartphones which need full access all the time and which must use DHCP.

I want to configure NAP to control access to my network (must have AV and automatic updates) for domain PCs and workgroup laptops only, and exclude the Linux machines and the smartphones from NAP.

I already used GPO to enforce DHCP on the domain PCs and it works fine. It seems easy using the non-capable policy, but as I said I don't have access to the workgroup laptops, so I will set the non-capable policy to deny access so that they comply with my security policy. And now I can't use the non-capable policy for the Linux machines and smartphones as I was intending.

Also, I can't add a new DHCP scope with reserved IPs for the Linux machines or the smartphones, as the design I am working on is critical and fixed.

My idea was to make a new NAP policy, set it to allow access all the time, and add a new condition to it based on the MAC addresses or the IPs of the Linux machines and smartphones (which they will get from the reservations in the only existing scope).

What do you think?


Extension Host failed to load extension DLL


Hi Everyone,

I am new to NPS. I am using Windows Server 2008 R2. I have developed an authentication extension DLL, which is basically an MFC extension DLL for custom authentication in NPS (http://msdn.microsoft.com/en-us/library/windows/desktop/bb892024(v=vs.85).aspx).

Now, to apply this extension DLL in NPS, I have used the following steps:

  1. I have put that DLL at %System Root%\System32\radius.dll.
  2. I have created the HKLM\System\CurrentControlSet\Services\AuthSrv\Parameters registry key and set the path of the DLL as described here: http://msdn.microsoft.com/en-us/library/windows/desktop/bb892024(v=vs.85).aspx

Now, when I restart the NPS server, I get the following error:

"Extension Host is failed to load DLL.Path %System Root%\System32\radius.dll".

Does NPS support SHA256 certificates?


Hi,

We have 2 environments: one CA using SHA1 and the other using SHA2.

For the one using SHA1, it's working fine, i.e. NPS can authenticate the computer device certs.

However, for SHA2, it's not working. I have been troubleshooting for a few days, so before going further, I just wanted to make sure NPS supports SHA256 certificates.

Thanks.

Tools for analysing NAP log files?


UAG 2010 / Windows 7 DirectAccess with NAP enabled on the UAG servers.

I want to be able to enable NAP in monitoring mode only, and then look at the NAP log files to determine which clients are being refused access and why, before enabling full enforcement mode. I've found the logs located in C:\Windows\System32\LogFiles\IN*.log, but I am unsure what all the fields are. Are they fully documented anywhere? Or is there a tool that analyses the files to give something a little more user-friendly and meaningful for the customer?

NPS user credentials mismatch using regular expression


I'm running into an issue migrating from 2003 IAS to 2012 NPS for authenticating users; I hope someone can help.

My setup is 2 independent forests; users connect through a wireless access point in DOMAIN-B and authenticate either to DOMAIN-B or DOMAIN-A.

Per the NPS connection request policy, if the user does not specify a domain they authenticate to DOMAIN-B; however, if the username specifies a specific domain, I use a regex to rewrite it and pass it along to NPS in DOMAIN-A.

Here is the issue: users currently use their e-mail address as the login, someone@domain.com; the IAS server in DOMAIN-B takes this and rewrites it as DOMAINNAME\username. This however does not appear to work in NPS for some reason.

I can authenticate using the full domain like this, someone@corp.domain.com; it authenticates just fine. However, if I try to use a regex and change someone@domain.com to someone@corp.domain.com, it fails with

Reason Code: 16

Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

even though what shows in the event log is identical.

Any thoughts?


http://jeramythompson.blogspot.com/

Server 2003 IAS WiFi "validate server certificate"


I asked a question in the Windows 7 forum, but I found that here maybe someone can solve my problem.

------------------------------------------------------------------------------------------------------------

Before, we used a self-signed certificate, and we used GPO to deploy the certificate to "Trusted Root Certification Authorities". Win7 clients could pass the validation and could use the WiFi.

Now we got a GeoTrust certificate, so we replaced the self-signed certificate

and changed "validate server certificate" to "GeoTrust Global CA":

Win7 clients cannot pass the validation and cannot use the WiFi.


IAS error:

event ID: 2

computer:  106

description:

User CN\xadsnw denied.

Fully-Qualified-User-Name = tt.aa.org/IT/xadsnw
NAS-IP-Address = 10.113.0.50
NAS-Identifier = MC-01
Called-Station-Identifier = 203a.0797.e840
Calling-Station-Identifier = 0811.9613.999c
Client-Friendly-Name = MC-01
Client-IP-Address = 10.113.0.50
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 23785
Proxy-Policy-Name = for all user

Authentication-Provider = Windows

Authentication-Server = <na>

Policy-Name = wireless

Authentication-Type = PEAP

EAP-Type = <na>

Reason-Code = 16

Reason = Authentication was not successful because an unknown user name or incorrect password.

http://go.microsoft.com/fwlink/events.asp

data:

0000: 0c 03 09 80       

-------------------------------------------------------------------------------------------------------

We searched for a solution on Bing and Google. We got one solution: deselect "validate server certificate". We tested it, and yes, it works.

ias information:

event ID: 1

computer: 106

description:

User CN\xadsnw ..

Fully-Qualified-User-Name = tt.aa.org/IT/xadsnw

NAS-IP-Address = 10.113.0.50

NAS-Identifier = MC-01

Client-Friendly-Name = MC-01

Client-IP-Address = 10.113.0.50

Calling-Station-Identifier = 0811.9613.999c

NAS-Port-Type = Wireless - IEEE 802.11

NAS-Port = 23794

Proxy-Policy-Name = for all users

Authentication-Provider = Windows

Authentication-Server = <na>

Policy-Name = wireless

Authentication-Type = PEAP

EAP-Type = Secured password (EAP-MSCHAP v2)

http://go.microsoft.com/fwlink/events.asp

0000: 00 00 00 00          

---------------------------------------------------------------------------------

Questions:

1. If we deselect "validate server certificate", will the data transmission between client and AP continue to be encrypted?

2. If we have to select "validate server certificate", how do we do it?

3. GeoTrust Global CA should be the root certification authority of our certificate; we tested the certificate with IIS, and this certificate works well from outside. Maybe we need to add the selection "connect to these servers:"? But which are these servers?


adsnow

Isolate Computers NAP+IPsec


Hi everyone, I've deployed NAP+IPsec and everything is working well. Now I want my NAP+IPsec to isolate the computers that do not comply with the policies. How can I achieve this?

Regards

Carlos

802.1x: cannot connect BB 9360 on Server 2008 R2


I have a Server 2008 R2 SP1 with NAP wireless 802.1x installed with an access point. Laptops, iPads and smartphones are connecting without problem, but not the BB 9360.

The error in the IAS log for this BB is:

The message received was unexpected or badly formatted

We did some tests with a Server 2008 R2 without the service pack and it is working fine for all devices; the problem is only with SP1.

Does a hotfix exist to solve this issue?


NPS certificate issue with non-domain Windows machines


Our environment is:

Active Directory on Windows Server 2008 R2
Primary NPS on Server 2008 R2 Enterprise
Secondary NPS on Server 2008 R2 Enterprise
Both NPS servers have the NPS and AD CS roles (RADIUS is using an enterprise certificate from a CA that is subordinate to the DC CA).

NPS is set up to use PEAP-EAP-MSCHAP v2 and the client (an MSM765 controller) is set up to use WPA (WPA or WPA2).

All domain machines (PCs, laptops, MacBooks) work fine with the RADIUS server, but for non-domain Windows machines we have to install the certificate manually in the Trusted Root location to get RADIUS to work; with that I was able to make a connection to my RADIUS server using the MS-CHAP v2 auth method. With iPad, iPhone and MacBook it works, as the cert pops up after I enter my credentials and I just click to continue past the certificate.

Now suddenly all non-domain Windows machines stopped working with RADIUS and the logs show reason code 265,
but I have installed the trusted root certification authority on the client computer as usual, and I have checked whether the RADIUS cert exists in the Trusted Root using MMC, and I found it there.


These are the logs for a Windows user for whom I have installed the cert in the Trusted Root folder:

@@Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
 Security ID:   domain\Tim
 Account Name:   tim
 Account Domain:   domain
 Fully Qualified Account Name: domain1\tim

Client Machine:
 Security ID:   NULL SID
 Account Name:   -
 Fully Qualified Account Name: -
 OS-Version:   -
 Called Station Identifier:  00-24-A8-9B-1C-81
 Calling Station Identifier:  24-77-03-6C-6B-28

NAS:
 NAS IPv4 Address:  172.26.4.38
 NAS IPv6 Address:  -
 NAS Identifier:   SG0299L160
 NAS Port-Type:   Wireless - IEEE 802.11
 NAS Port:   153

RADIUS Client:
 Client Friendly Name:  Controller1
 Client IP Address:   172.26.4.38

Authentication Details:
 Connection Request Policy Name: Secure Wireless Connections
 Network Policy Name:  Trusted Machine and Users
 Authentication Provider:  Windows
 Authentication Server:  domain
 Authentication Type:  PEAP
 EAP Type:   -
 Account Session Identifier:  39613065373830302D3030303030306136
 Logging Results:   Accounting information was written to the local log file.
 Reason Code:   265
 Reason:    The certificate chain was issued by an authority that is not trusted.

 

2nd log @@Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
 Security ID:   NULL SID
 Account Name:   PC
 Account Domain:   Domain
 Fully Qualified Account Name: Domain\pc
Client Machine:
 Security ID:   NULL SID
 Account Name:   -
 Fully Qualified Account Name: -
 OS-Version:   -
 Called Station Identifier:  00-24-A8-9B-1C-81
 Calling Station Identifier:  24-77-03-6C-6B-28

NAS:
 NAS IPv4 Address:  172.26.4.38
 NAS IPv6 Address:  -
 NAS Identifier:   SG0299L160
 NAS Port-Type:   Wireless - IEEE 802.11
 NAS Port:   154

RADIUS Client:
 Client Friendly Name:  Controller1
 Client IP Address:   172.26.4.38

Authentication Details:
 Connection Request Policy Name: Secure Wireless Connections
 Network Policy Name:  -
 Authentication Provider:  Windows
 Authentication Server:  Domain
 Authentication Type:  EAP
 EAP Type:   -
 Account Session Identifier:  39613065373830302D3030303030306137
 Logging Results:   Accounting information was written to the local log file.
 Reason Code:   8
 Reason:    The specified user account does not exist.

But I have found this temporary solution: by creating a wireless profile on the user's PC, removing "validate server certificate" from the security tab and enabling the 802.1x setting to use user or computer authentication under advanced security, anyone who has an AD account and is a member of the wireless group can authenticate without needing to install the RADIUS cert manually. That is very bad, as I need the students to validate the cert; after one year this cert will expire and the students will need to come over again next year to get a new cert from IT, and this is the

@@This is the log for the user (without needing any cert): Network Policy Server granted full access to a user because the host met the defined health policy.

User:
 Security ID:   domain\tim
 Account Name:   1337
 Account Domain:   domain
 Fully Qualified Account Name: domain\tim

Client Machine:
 Security ID:   NULL SID
 Account Name:   -
 Fully Qualified Account Name: -
 OS-Version:   -
 Called Station Identifier:  00-24-A8-9B-1C-81
 Calling Station Identifier:  24-77-03-6C-6B-28

NAS:
 NAS IPv4 Address:  172.26.4.38
 NAS IPv6 Address:  -
 NAS Identifier:   SG0299L160
 NAS Port-Type:   Wireless - IEEE 802.11
 NAS Port:   124

RADIUS Client:
 Client Friendly Name:  Controller1
 Client IP Address:   172.26.4.38

Authentication Details:
 Connection Request Policy Name: Secure Wireless Connections
 Network Policy Name:  Trusted Machine and Users
 Authentication Provider:  Windows
 Authentication Server:  domain
 Authentication Type:  PEAP
 EAP Type:   Microsoft: Secured password (EAP-MSCHAP v2)
 Account Session Identifier:  37656134383634372D3030303030303839

Quarantine Information:
 Result:    Full Access
 Extended-Result:   -
 Session Identifier:   -
 Help URL:   -
 System Health Validator Result(s): -


2011IT

Rewritten user-names won't be authenticated. EAP trouble?


I have two Connection Request Policies.

The condition for the first policy is to apply to all usernames that contain "@domain.com" (this is not the AD domain). This policy will rewrite the User-Name attribute to be just what's left of the @ (Find: (.*)@(.*), Replace with: $1), and then authenticate it.

The second processed Connection Request Policy will not rewrite anything and will just authenticate the user.

I have a Network Policy that specifies PEAP with a trusted certificate, MS-CHAP v2 and MS-CHAP.

When I try to authenticate the user "username@company.com", the username gets rewritten to "username" but it gets rejected with the following error:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          07.03.2013 12:25:23
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      nps-server.company.com
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
	Security ID: DOMAIN\username
	Account Name: username
	Account Domain: DOMAIN
	Fully Qualified Account Name: domain.company.com/User-Accounts/username
Client Machine:
	Security ID: NULL SID
	Account Name: -
	Fully Qualified Account Name: -
	OS-Version: -
	Called Station Identifier:	-
	Calling Station Identifier:	02-00-00-00-00-01
NAS:
	NAS IPv4 Address:	127.0.0.1
	NAS IPv6 Address:	-
	NAS Identifier:	-
	NAS Port-Type:	Wireless - IEEE 802.11
	NAS Port:		-
RADIUS Client:
	Client Friendly Name: testclient.company.com
	Client IP Address:			192.168.1.9
Authentication Details:
	Connection Request Policy Name: at company.com
	Network Policy Name: Company-Policy
	Authentication Provider: Windows
	Authentication Server: nps-server.company.com
	Authentication Type:		PEAP
	EAP Type:			Microsoft: Secured password (EAP-MSCHAP v2)
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code: 16
	Reason:				Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

It clearly sees that the user exists (it finds the Fully Qualified Account Name) and I know the password is correct, but it still rejects it.

However, when I try to authenticate the username without @company.com, just "username", it gets authenticated without any problems.

Why won't it authenticate usernames after they are rewritten? Is it because I use PEAP with a certificate on the server?
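Both this thread and the earlier "NPS user credentials mismatch using regular expression" thread hinge on what a connection request policy's User-Name manipulation rule actually hands to authentication. The following Python is an added example (not code from either post, and not NPS itself) that models the evaluation: policies are tried in order, the first whose User-Name condition matches wins, and its Find/Replace rules run in sequence. NPS writes back-references as $1 (.NET style), so the helper translates them to Python's \1. Policy 1 is the rule quoted in this thread; policy 2 is an assumed rule that maps the mail realm to the forest's UPN suffix, the rewrite the earlier thread described; policy 3 is a catch-all. The sample User-Name values are constructed.

```python
import re

# Constructed User-Name values as a supplicant might send them (not from the threads).
SAMPLE_USER_NAMES = [
    "username@company.com",      # realm that is not an AD domain; strip it
    "someone@domain.com",        # mail-style realm; map to the real UPN suffix
    "someone@corp.domain.com",   # already a valid UPN; leave alone
    r"DOMAIN\username",          # NetBIOS form; no rule should touch it
    "username",                  # bare name; falls through to the default policy
]


def to_python_replacement(nps_replace: str) -> str:
    """NPS User-Name manipulation rules use .NET-style $1 back-references;
    Python's re.sub expects \\1 instead."""
    return re.sub(r"\$(\d+)", r"\\\1", nps_replace)


def apply_rule(user_name: str, find: str, replace: str) -> str:
    """Apply one Find/Replace rule from a connection request policy."""
    return re.sub(find, to_python_replacement(replace), user_name)


def process(user_name: str, policies: list) -> tuple:
    """Mimic connection request policy evaluation: policies are tried in order,
    the first one whose User-Name condition matches wins, its rules are applied
    in sequence, and later policies are never consulted."""
    for name, condition, rules in policies:
        if re.search(condition, user_name):
            rewritten = user_name
            for find, replace in rules:
                rewritten = apply_rule(rewritten, find, replace)
            return name, rewritten
    return None, user_name


def name_form(user_name: str) -> str:
    """Classify the name as NetBIOS (DOMAIN\\user), UPN (user@realm) or bare."""
    if "\\" in user_name:
        return "netbios"
    if "@" in user_name:
        return "upn"
    return "bare"


# Hypothetical policy order (names are illustrative, not from the posts).
# Policy 1: the rule quoted in this thread (Find (.*)@(.*), Replace $1).
# Policy 2: ASSUMED rule that maps the mail realm to the UPN suffix corp.domain.com.
# Policy 3: catch-all that authenticates locally without rewriting.
POLICIES = [
    ("at company.com", r"@company\.com$", [(r"(.*)@(.*)", "$1")]),
    ("forward to DOMAIN-A", r"@domain\.com$",
     [(r"(.*)@domain\.com$", "$1@corp.domain.com")]),
    ("default", r".*", []),
]


def process_all(user_names=SAMPLE_USER_NAMES, policies=POLICIES) -> list:
    """(original, matched policy, rewritten name, form) for every sample name."""
    results = []
    for original in user_names:
        policy, rewritten = process(original, policies)
        results.append((original, policy, rewritten, name_form(rewritten)))
    return results


if __name__ == "__main__":
    for original, policy, rewritten, form in process_all():
        print(f"{original:26} -> {rewritten:26} via {policy!s:20} ({form})")
```

Running it shows, for each input, which policy fired and the exact string passed on to authentication; that string is what to compare against the Account Name and Fully Qualified Account Name fields of event 6273 when a rewrite is suspected of producing a name in a form the authenticating domain does not accept.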

configuring RRAS/NAP to use user/password AND client certificate


Hi,

We installed a Windows Server 2008 R2 as part of a domain (member server).

Both the RRAS and NAP roles are installed.

We would like to let users connect only when

username/password AND

client certificate

are presented.

So both should be required.

How do we configure this? Any helpful hints?


Greetings/Grüße Gernot

Cisco AP321 giving error "An Access-Request message was received from RADIUS client xxx.xxx.xxx.xxx with a Message-Authenticator attribute that is not valid."


Hi:

I am trying to update my APs (WAP 4410s) to the new Cisco WAP 321. I have 14 of the 4410s working fine with a policy. This error keeps coming up. I went through troubleshooting with Cisco over a 2-week period (yes, 2 weeks) with no solution. So, my friends, any ideas?

thanks for your time, in advance.


The Big Lug

PEAP with EAP-MS-CHAP-v2 or PEAP with EAP-TLS?


I am trying to implement a wireless solution and need some help. Windows Server 2008 R2 has my RADIUS server, and I have a Cisco wireless controller. I am using the WPA2 security protocol.

Can somebody help me understand the difference between using PEAP with EAP-MS-CHAP v2 and PEAP with certificates or EAP-TLS? I am looking for the strongest possible authentication method for my wireless network. My goal is to have ONLY laptops that are joined to the domain be able to connect to my wireless network.

I was able to set up my RADIUS server network policy (a Windows group with the users that are to be granted access), and my wireless clients are able to connect using PEAP with EAP-MS-CHAP v2, but I am not sure if this is the most secure way.

Many thanks in advance!
