Channel: Network Access Protection forum

Corporate 802.1x won't auto-connect, says "Action Needed"


Hi all,

I have a corporate Wi-Fi that I've set up for my company that uses RADIUS 802.1x "Computer based" authentication. I have also pushed out a GPO that adds this wireless network to all endpoints, sets it as the preferred network and connects automatically when the network is available.

The endpoints are able to connect to the network just fine (and endpoints that are *not* part of our enterprise domain cannot, which is the correct behavior).  However, I have multiple endpoints, all Windows 10 machines, that are not connecting automatically.  When I open the list of wireless networks, it says "Action Needed" underneath the SSID for the enterprise network.  When I click on the network and hit "Connect" - a web browser opens and it connects just fine without any other prompts.

I thought it might be that we have a web proxy that users must authenticate to, but this doesn't happen on all machines and doesn't appear to happen to any of my Windows 8.1 devices (at least not yet).

Any idea what might be going on here?


RADIUS packets seemingly ignored on Server 2016 with Network Policy Server installed and configured for RADIUS


Just what's on the tin: RADIUS packets are seemingly ignored on Server 2016 with Network Policy Server installed and configured for RADIUS. I have an AP set up to use RADIUS to authenticate clients and a Server 2016 set up as a DC with Network Policy Server configured with a policy for RADIUS wireless clients. In Wireshark the initial Access-Request packet is sent several times with a delay in between each, and the server does not respond. In the Security event log there is nothing involving Network Policy Server, and it appears to be a firewall issue; however, the firewall has the allow rules for RADIUS in it.

Feel free to ask me to send specific screenshots for more info. Thank you in advance for your answer.
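
An added check for the situation in this post (example script, not code from the original post or from Microsoft): it confirms that NPS is actually bound to the RADIUS ports, lists the built-in inbound firewall rules, and applies the documented Server 2016/2019 workaround for the case where those rules exist but never match because the IAS service runs without a restricted service SID. It assumes the NPS role is installed locally, that the NAS sends to UDP 1812/1813 or the legacy 1645/1646, and that the script runs elevated on the NPS server. The last step matters for the "nothing in the Security log" symptom: NPS drops Access-Requests from addresses that are not registered RADIUS clients and records that as NPS event 13 in the System log, not the Security log.

```powershell
# Added example: diagnose "NPS does not answer" on Server 2016. Run elevated on the NPS host.
$radiusPorts = 1812, 1813, 1645, 1646

# 1. Is the IAS service up and bound to the RADIUS ports?
Get-Service IAS | Select-Object Name, Status
Get-NetUDPEndpoint -LocalPort $radiusPorts -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Are the built-in "Network Policy Server" inbound rules enabled for the active profile?
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' |
    Where-Object Direction -eq 'Inbound' |
    Select-Object DisplayName, Enabled, Profile, Action

# 3. Known Server 2016/2019 issue: the built-in rules are scoped to the IAS service,
#    but the service runs in a shared svchost without a restricted service SID, so
#    the rules never match. The documented workaround is to mark the service SID
#    type as unrestricted and restart NPS.
$sidType = (sc.exe qsidtype IAS) | Select-String 'SERVICE_SID_TYPE'
if ($sidType -and ($sidType.ToString() -notmatch 'UNRESTRICTED')) {
    sc.exe sidtype IAS unrestricted | Out-Null
    Restart-Service IAS
}

# 4. NPS silently drops requests from addresses that are not registered RADIUS clients
#    (logged as NPS event 13 in the System log). Confirm the AP's source address is listed.
Get-NpsRadiusClient | Select-Object Name, Address, Enabled

# 5. The corresponding System-log evidence for step 4 over the last day.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NPS'; Id = 13;
                                 StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

If step 1 shows no UDP listener, the problem is the service rather than the firewall; if step 5 shows event 13, the AP's address (or the address it NATs to) is missing from the RADIUS clients list and the firewall is not involved at all.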


VPN interface metric modification


Dear all!

We are using an IKEv2 VPN, and our DNS resolving is not working. The clients get their VPN set up via a CMAK installer. I need to find a way to modify the installer to lower the VPN connection interface metric, or to add some high random number to the Ethernet interface metric property.

Thank you
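
One way to get the effect asked for above, as an added example that is not part of the original post: instead of editing the Ethernet metric, lower the metric of the VPN adapter once the tunnel is up, so its DNS servers are consulted first. The connection name 'Corp VPN' and the metric value 1 are assumptions. Set-NetIPInterface needs elevation, and CMAK custom actions run in the user's context, so the robust way to run this is a scheduled task running as SYSTEM, triggered by the RasClient event 20225 (connection established) in the Application log, rather than a CMAK post-connect action.

```powershell
# Added example: raise the VPN adapter above Ethernet/Wi-Fi in the interface metric order.
param(
    [string]$ConnectionName = 'Corp VPN',   # assumed CMAK connection/entry name
    [int]$Metric = 1                         # assumed target metric (lower wins)
)

# The RAS adapter for a dial-up/VPN entry carries the entry name as its alias and
# only exists while the connection is up.
$vpnIf = Get-NetIPInterface -InterfaceAlias $ConnectionName -AddressFamily IPv4 -ErrorAction SilentlyContinue
if (-not $vpnIf) { throw "No IPv4 interface named '$ConnectionName' is currently up" }

$vpnIf | Set-NetIPInterface -InterfaceMetric $Metric

# Show the resulting order: the VPN adapter should now sort above the physical NICs.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object ConnectionState -eq 'Connected' |
    Sort-Object InterfaceMetric |
    Select-Object InterfaceAlias, InterfaceMetric, ConnectionState
```

Because the setting lives on a transient adapter, it has to be reapplied on every connect; that is why an event-triggered task fits better than a one-time change in the installer.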

Blocking all wireless ssids except ours while in office


I'm wondering if anyone knows of a way to block all SSIDs except SSID x while in the office, and otherwise not block any SSID.

I started looking at a WMI filter for a GPO and found MSNdis_80211_ServiceSetIdentifier. However, that option is not available any longer.

I'm running Windows 10 and Server 2016 AD. The domain functional level is currently 2008.

If anyone has any ideas I'm open to anything at this point.

Thanks for taking the time!

IE
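
An added example for the question above (not code from the original post): Windows has a built-in SSID allow/deny list in the WLAN service that can be driven with netsh wlan, so the "only while in the office" part can be handled by checking whether any interface currently sits on a DomainAuthenticated network (the NLA category a domain-joined machine gets when it can reach a DC). The SSID name 'CorpWiFi' is an assumption. Run it elevated from a scheduled task triggered by NetworkProfile events 10000 (connected) and 10001 (disconnected) in Microsoft-Windows-NetworkProfile/Operational.

```powershell
# Added example: permit only the corporate SSID while on the corporate network, lift the
# restriction elsewhere. Requires elevation; 'CorpWiFi' is an assumed SSID.
$allowedSsid = 'CorpWiFi'

$inOffice = Get-NetConnectionProfile |
    Where-Object { $_.NetworkCategory -eq 'DomainAuthenticated' -and
                   $_.IPv4Connectivity -ne 'Disconnected' }

if ($inOffice) {
    # Explicit allow entries take precedence over the blanket deny, so add ours first.
    netsh wlan add filter permission=allow ssid="$allowedSsid" networktype=infrastructure | Out-Null
    netsh wlan add filter permission=denyall networktype=infrastructure | Out-Null
} else {
    # Off-site: remove the blanket deny so home and hotel networks are usable again.
    netsh wlan delete filter permission=denyall networktype=infrastructure | Out-Null
}

# Current state, for the task's log
netsh wlan show filters
```

Two caveats a practitioner would want: the filter list is a configuration setting that any local administrator can clear with netsh wlan delete filter, so it is a policy aid rather than a security boundary, and the DomainAuthenticated test only tells you that a DC is reachable, which also holds over a VPN unless the VPN interface is excluded from the check.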

Network Policies Processing Order


Setup:

Unifi APs connected to NPS running on Server 2012 R2.

Goal:

1. Laptop users should be able to connect to the production wireless network simply by having their computer accounts in an authorized group, e.g. Company/Laptops.

2. If your device is not in the said group (not an AD object, in essence), prompt for credentials from e.g. Company/Authorized Users.

What I have so far:

I created a Network Policy with one of its conditions being that you have to be a member of Company/Laptops to be granted access to the wireless network. This works fine, as laptops connect directly if authorized.

A second policy was created where the condition was that you have to be a member of Company/Authorized Users.

Problem:

1. After implementing the second policy, which is 2nd in the processing order, even authorized laptops are prompted for credentials.

2. Devices not in the Company/Laptops group are not granted access at all.

Public Certificate for NPS/NAP?


OK, I am trying to get NPS set up so that it will be used for guests to access the Internet but still require a login on our network using PEAP. I got a trial certificate from GeoTrust/RapidSSL/FreeSSL and it only offers "Digital Signature, Key Encipherment (a0)", but NPS requires a certificate with "Data Encipherment". I have not found ANY public CA that issues this type of certificate, so if Microsoft requires this for PEAP, where am I to get a valid certificate for this?

I have checked Verisign and GoDaddy, and all of them only offer "Key Encipherment".
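
An added example (not code from the original post) that lists the Key Usage and Enhanced Key Usage of every certificate in the machine store alongside the other properties NPS cares about, so a candidate PEAP server certificate can be checked against Microsoft's documented requirements: the Server Authentication EKU (1.3.6.1.5.5.7.3.1), a subject name, a private key present in LocalMachine\My, and a chain the supplicants trust. "Digital Signature, Key Encipherment" is the Key Usage that public CAs issue for TLS server certificates, and it is what the TLS handshake inside PEAP uses. Run elevated on the NPS server.

```powershell
# Added example: inventory LocalMachine\My with the fields that decide whether NPS will
# offer a certificate in the PEAP / "Smart Card or other certificate" properties dialog.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $ku  = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq $serverAuthOid)
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        KeyUsage      = if ($ku) { $ku.KeyUsages.ToString() } else { '(none)' }
        ServerAuthEKU = $hasServerAuth
    }
} | Sort-Object NotAfter -Descending | Format-Table -AutoSize
```

One security caveat that goes with using a public CA for PEAP: the supplicant then trusts every certificate that CA has ever issued, so the wireless profile must also pin the expected server name (the "Connect to these servers" setting); without that, anyone holding a certificate from the same CA can run a rogue access point and harvest PEAP inner credentials.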


IKEv2 not working with NPS 2012 Radius Server


Hello Experts,

I am facing a weird problem in my VPN infrastructure. Recently I decided to upgrade the NPS RADIUS server from Server 2008 R2 to Server 2012 R2. Now what is happening is that when I configure my NPS server in the RADIUS accounting option in Routing and Remote Access Services (RRAS) for VPN user authentication, all VPN protocols work fine except IKEv2, if the server on which NPS is configured in RADIUS accounting is Server 2012 R2. On a Server 2008 based RRAS (VPN server), authentication for IKEv2 works fine, but on a Server 2012 based VPN server, when my client tries to connect he gets stuck at "Verifying username and password". Is there some difference in the handling of IKEv2 in Server 2012 R2 and Windows Server 2008 R2?

Please suggest a solution

Thanks

Access Point authentication with remote captive portal, SQL Server and Radius


Hi,

I'm trying to figure out the flow between a new user being registered with the authentication in RADIUS.

Today I have a remote "Captive Portal" hosted in Azure. This portal has a form with Name, Email and Password inputs.

I have this flow:

 1. New user connects to my hotspot (Access Point);
 2. The user is redirected to my remote captive portal;
 3. User signs up with the data I'm asking for;
 4. User data is saved in a SQL Server Database;

I don't know what to do from this point. Do I need to register this new user in my RADIUS server? Should I create this user in my Active Directory? How do I integrate those things so my AP can authenticate the users registered on my page?

How should I integrate the RADIUS server with my SQL database?

I know that the solution I'm using to manage my hotspot (Tanaza https://tanaza.com) asks for my RADIUS server access, but they don't talk about the integration of my database with the RADIUS server.


Thanks,



I want to do Change of Authorization (CoA) with NPS

I have built a Wi-Fi hotspot service using Cisco Meraki as my infrastructure; I want to be able to automatically top up a user session without the user disconnecting.

Basically, if a user has a current existing session that is about to run out, I want to add another session to the user so the user is not disconnected from the service.
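
What "topping up" a live session looks like on the wire, as an added example that is not part of the original post: an RFC 5176 CoA-Request (code 43) that replaces the session's Session-Timeout. NPS itself does not originate CoA or Disconnect messages, so the sender has to be a separate component such as this script. The NAS address, the UDP port 3799 (the RFC default; whether the Meraki deployment listens there and accepts this host as a CoA source is an assumption), the shared secret, the user name and the Acct-Session-Id are all placeholders.

```powershell
# Added example: build and send an RFC 5176 CoA-Request that extends a session's Session-Timeout.
function New-RadiusAttribute {
    param([byte]$Type, [byte[]]$Value)
    # RADIUS AVP layout: Type(1) Length(1, includes the 2-byte header) Value
    [byte[]]($Type, ($Value.Length + 2)) + $Value
}

function ConvertTo-BigEndianUInt32 {
    param([uint32]$Value)
    [byte[]](($Value -shr 24) -band 0xFF, ($Value -shr 16) -band 0xFF, ($Value -shr 8) -band 0xFF, $Value -band 0xFF)
}

function New-CoaRequest {
    param([string]$Secret, [byte]$Identifier, [byte[]]$Attributes)
    $code   = 43                                  # CoA-Request (44 = CoA-ACK, 45 = CoA-NAK)
    $length = 20 + $Attributes.Length
    $header = [byte[]]($code, $Identifier, ($length -shr 8), ($length -band 0xFF))
    # RFC 5176 section 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Shared Secret)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $zeros  = New-Object byte[] 16
    $secretBytes = [System.Text.Encoding]::ASCII.GetBytes($Secret)
    $auth   = $md5.ComputeHash([byte[]]($header + $zeros + $Attributes + $secretBytes))
    [byte[]]($header + $auth + $Attributes)
}

$nas        = '192.0.2.10'   # assumed NAS (Meraki AP / controller) address
$coaPort    = 3799           # RFC 5176 default; assumed for this deployment
$secret     = 'change-me'    # assumed shared secret
$user       = 'guest01'      # assumed User-Name from the original Access-Request
$session    = 'ABC123'       # assumed Acct-Session-Id from the NAS accounting records
$newTimeout = 3600           # seconds to grant from now

$attrs = [byte[]]((New-RadiusAttribute 1  ([System.Text.Encoding]::ASCII.GetBytes($user))) +
                  (New-RadiusAttribute 44 ([System.Text.Encoding]::ASCII.GetBytes($session))) +
                  (New-RadiusAttribute 27 (ConvertTo-BigEndianUInt32 $newTimeout)))   # Session-Timeout

$packet = New-CoaRequest -Secret $secret -Identifier 1 -Attributes $attrs

$udp = New-Object System.Net.Sockets.UdpClient
$udp.Client.ReceiveTimeout = 3000
$udp.Connect($nas, $coaPort)
[void]$udp.Send($packet, $packet.Length)

$from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
try {
    $reply = $udp.Receive([ref]$from)
    # A CoA-NAK usually carries Error-Cause (attribute 101) explaining the rejection.
    switch ($reply[0]) {
        44 { "CoA-ACK from $($from.Address): session extended" }
        45 { "CoA-NAK from $($from.Address): NAS rejected the change" }
        default { "Unexpected RADIUS code $($reply[0]) from $($from.Address)" }
    }
} catch [System.Net.Sockets.SocketException] {
    "No reply within 3 s: CoA not enabled on the NAS, wrong port, or this host is not an allowed CoA source"
} finally {
    $udp.Close()
}
```

The only protection on a CoA-Request is the MD5 authenticator over the shared secret, so the NAS should accept CoA from a short list of source addresses only, and port 3799 should never be reachable from the guest network the hotspot serves.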

Prevent non-domain joined devices from connecting to network, 802.1x with AD Authentication


Hi Team,

I've recently deployed 802.1x Wi-Fi with AD authentication.

However, when a user uses their AD username and password on their personal devices, they are granted access by the NPS policy.

I need to prevent devices other than AD-registered devices from connecting and accessing network resources, even if they attempt the credentials.

Kindly assist.


Travis, A+, N+, MCTS/MCP, MCSA 2008, MCSA 2012

Wired autoconfig service missing


Hi,

I have a problem with the Wired AutoConfig service - it is not present in the list when I run services.msc.

When I try to run it from the command line I get a reply about an invalid service.

I found that the dot3svc.dll file is in the Windows\system32 folder.

The OS is Windows XP with SP3.

Any ideas?

 

help with RADIUS - network policy


Hi there, can anyone help me with how to properly configure RADIUS to be able to authenticate a supplicant switch? I am trying to successfully authenticate a supplicant switch against an authenticator. I have done this following this example: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-e/sec-usr-8021x-15-e-book/sec-ieee-neat.pdf

On the RADIUS server I tried to configure a network policy with no luck. Could someone please assist me with how to configure the conditions, constraints and settings so that authentication succeeds?

a non-domain Radius (NPS) server


Hi,

We deployed a non-domain Windows Server 2012 R2 and enabled RADIUS (NPS) for Wi-Fi client authentication via 802.1x.

After we set everything up, all the smartphones were able to connect to the Wi-Fi, but the Windows laptops can't.

Strange!

I'm using the same account (a RADIUS server local account) on the phone and the laptop; only the phone can pass RADIUS authentication.

On the RADIUS side, I checked the event log, which shows two events with ID 6273.

The first one says the account does not exist, and the account is my computer hostname.

The second one says authentication failed... (my server's language is Chinese)

NPS: CHAP authentication occurring even though it isn't allowed on a policy


I have a Microsoft NPS policy that is designed to allow a single user account the ability to perform 802.1X authentication to a wireless SSID. This policy is configured to allow only clients that authenticate using the "Microsoft: Protected EAP (PEAP)" method. No other method (e.g. PAP, CHAP, MS-CHAP-v2) is allowed/enabled on the policy.

Authentication is occurring for this user, and the NPS logs show that the policy being matched is the one described above; however, in the Windows Event Viewer Security log, I'm seeing that when this authentication happens, the "Logon Process" shown in event ID 4624 is "CHAP":

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4624</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2018-09-16T09:28:25.600375100Z" />
    <EventRecordID>9104061</EventRecordID>
    <Correlation />
    <Execution ProcessID="472" ThreadID="1728" />
    <Channel>Security</Channel>
    <Computer>REDACTED</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">REDACTED$</Data>
    <Data Name="SubjectDomainName">REDACTED</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">REDACTED</Data>
    <Data Name="TargetUserName">REDACTED</Data>
    <Data Name="TargetDomainName">REDACTED</Data>
    <Data Name="TargetLogonId">0x1ae1538</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">CHAP</Data>
    <Data Name="AuthenticationPackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="WorkstationName">-</Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x104</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
    <Data Name="ImpersonationLevel">%%1833</Data>
  </EventData>
</Event>

How is this possibly using CHAP (successfully), given that the configuration of the associated NPS policy doesn't allow CHAP?

For what it's worth, we have other NPS policies configured. Our VPN policy allows only MS-CHAP-v2, and successful authentications for this policy show "IAS" for the Logon Process. Another policy for a different wireless network allows both PEAP and CHAP and shows the Logon Process as "Schannel" (which I assume means PEAP is being used).

I'm trying to chase down anything that uses CHAP so we can disable the "Store password using reversible encryption" setting domain-wide.
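
An added example for the hunt described in this post (not code from the original post): it pulls every 4624 on the NPS server for the last week, flattens the EventData block shown above into one row per logon, and groups the rows whose LogonProcessName is CHAP by target account, then lists which AD accounts currently have reversible password storage enabled. Correlating a CHAP row's timestamp with the NPS 6272 event at the same second gives the policy and the "Authentication Type" that produced it. The seven-day window is an assumption; the second query needs the ActiveDirectory module.

```powershell
# Added example: find every account that still authenticates through CHAP before turning
# off "Store password using reversible encryption". Run on the NPS server.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since }

$rows = foreach ($e in $events) {
    # Each 4624 carries its fields as <Data Name="..."> elements; turn them into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time         = $e.TimeCreated
        User         = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
        LogonProcess = $d.LogonProcessName          # CHAP / IAS / Schannel / ...
        AuthPackage  = $d.AuthenticationPackageName
        LogonType    = $d.LogonType
    }
}

# 1. Overall picture: which logon processes hit this server at all?
$rows | Group-Object LogonProcess | Sort-Object Count -Descending | Select-Object Count, Name

# 2. The accounts that still take the CHAP path, busiest first.
$chap = $rows | Where-Object LogonProcess -eq 'CHAP'
$chap | Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name

# 3. Timestamps to match against NPS 6272 (granted) / 6273 (denied) events in the same
#    Security log, whose "Authentication Type" and policy name explain each CHAP logon.
$chap | Sort-Object Time | Select-Object -First 10 Time, User

# 4. Accounts currently allowed reversible storage; compare with the list from step 2.
Get-ADUser -Filter 'AllowReversiblePasswordEncryption -eq $true' |
    Select-Object SamAccountName, Enabled
```

Step 4 is the list that has to be empty before the domain-wide setting is switched off; any account in step 2 that is not in step 4 is already failing CHAP silently and is worth a look for the same reason.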

User accounts authenticate via EAP-TLS, but computer accounts do not

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: XXXXXXX\XXXXXXXX$
Account Name: host/XXXXXXX.COM
Account Domain: XXXXXXXX
Fully Qualified Account Name: XXXXXXXX\XXXXXXXXXX$

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: XX:XX:XXXXXXX:XX:XXXXX
Calling Station Identifier: XX:XX:XXXXXXXXXXXXX:XX

NAS:
NAS IPv4 Address: 192.168.X.X
NAS IPv6 Address: -
NAS Identifier: XXXXXXX_WLC
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1001

RADIUS Client:
Client Friendly Name: XXXXXX_WLC
Client IP Address: 192.168.XX.XX

Authentication Details:
Connection Request Policy Name: EAP-TLS
Network Policy Name: EAP-TLS
Authentication Provider: Windows
Authentication Server: XXXXXXX.XXXXXX.COM
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.


I tried adding a computer account to the same Windows group as the users that were working, and I tried a separate group and added it to the policy, and neither works.

It says credentials mismatch, but that isn't specific enough.  How do you make it match?

I do see that computer names have $ appended to the end. Is that an issue?

I also see account names and fully qualified names show as blank.  If that needs to be fixed, how is it fixed?




EAP-TLS with User Certificate Authentication


I have set up an NPS server and PKI infrastructure. We are attempting to authenticate using EAP-TLS with certificates.

Our Network Policy is set up in the constraints to use Smart Card or other Certificate. The policy points to our Sub CA certificate.

We have set up 802.1x on our WAP, which looks to the NPS server for authentication.

I log on to the Windows 7 laptop, connect to the network and retrieve a user certificate with Client Authentication. After that I set up the wireless profile and attempt to connect. It prompts me to select the user certificate previously added in MMC. I get the following event in the laptop's security events.

Below is the security event error from the PC.

Subject:
      Security ID:            username@domainname
      Account Name:            USERNAME
      Account Domain:            DOMAINANME
      Logon ID:            0xa0dcf

Network Information:
      Name (SSID):            EAP-TLS
      Interface GUID:            {f1d2f46b-8748-47ff-872f-02920fc14dbc}
      Local MAC Address:      70:F3:95:E1:75:8E
      Peer MAC Address:      B4:E9:B0:E5:2C:33

Additional Information:
      Reason Code:            Explicit Eap failure received (0x50005)
      Error Code:            0x40420110
      EAP Reason Code:      0x40420110
      EAP Root Cause String:      Network authentication failed due to a problem with the user account

NPS server simply shows error 22 in the logs.

EAP-TLS computer authentication with logged on user?


We set up NPS on Server 2016 and set up EAP-TLS with user and computer authentication. Both the user and the computer have certificates.

This works for domain users, but has caused a new problem.

When an IT administrator needs to log in using a local user admin account, the network is disconnected because local users can't get a certificate to authenticate to the wireless.


Anyone who has access to log into the laptop will also have access to the network with those credentials. This is the same as if the laptop were plugged into Ethernet. I don't see any benefit in needing both user and computer authentication for domain-joined laptops.

We need computer authentication for wireless so users without cached credentials can sign into new laptops.

How can we configure the policy so computer authentication works both pre and post login?



NPS Stopped Authenticating PAP


Before anyone says "don't use PAP", yes yes I know. But, our Dell 6000 series network switches only support PAP. :-(

On the 16 May PAP authentication on the switches worked perfectly.

By 24 July it had stopped working. (Yes, we don't log into them very often, because they just work.)

We have checked the switch configs - nothing has changed in config, firmware etc.

We have checked the NPS server config - no changes there either.

Well, something's obviously changed, but I can't see what.

A bit of background...

NPS reports this:

Authentication Details:
 Connection Request Policy Name: Dell 6248P Switch Management CRP
 Network Policy Name:  -
 Authentication Provider:  Windows
 Authentication Server:  WIMNPS01.v1c.biz
 Authentication Type:  PAP
 EAP Type:   -
 Account Session Identifier:  -
 Logging Results:   Accounting information was written to the local log file.
 Reason Code:   16
 Reason:    Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

The domain controller says this:

The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: a.admin.user
Source Workstation: 
Error Code: 0xC000006A

So, we can see that the DC is simply rejecting the request. (The NPS debug logs really just confirm this: they're all paraphrases of "the DC says 'no'", so I'm not bothering to dump them here.)

The mystery is: why is the DC suddenly saying "no", when, back in May, it (correctly) said "yes"?

NPS: 2012 R2 (fully patched)

DC: 2016 (fully patched)

The Domain is replicating perfectly.

I'm wondering: I know how Microsoft like to release security patches that break things / make them more secure (take your pick). So before I do some serious debugging on the DC (which is going to take ages), I was wondering if anyone reading this is thinking "this is a classic - PAP on NPS against a 2016 DC no longer works"? Or something.

(I have cleared the NPS config and re-created it - didn't fix it.)

(Oh, and yes, the password is definitely correct! The problem affects all network admins.)

TIA

m


Configure Radius and Accounting Servers


Dears,

I'm new to RADIUS configuration; I have some concerns regarding a deployment:

  • Can we create two RADIUS servers as HA, and how?
  • Can we have two RADIUS servers and two accounting servers for the same domain?

Best Regards,

NPS/RADIUS high availability without NPS Proxy?


We have one Server 2016 NPS server running in Hyper-V, currently only used for EAP-TLS authentication.

We want to be able to fail over to a second RADIUS server if the NPS is offline. However, creating a RADIUS server group requires a proxy, which itself becomes a single point of failure. So we would need 2 proxies to get around that, and now that's becoming over-the-top complicated for this environment.

What other, simpler options are there? Can we just build another NPS server with the same configuration and add both servers in the RADIUS client settings and the wireless settings on the clients?

If not, what is the best way to quickly restore a failed NPS server if we rely on very quick disaster recovery of a single server instead of a second server plus proxies?

Hyper-V Replica?  Full system backup twice a day?
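
The proxy-free option asked about in the last two posts, as an added example that is not code from either post: two stand-alone NPS servers that hold the same configuration, each listed as a RADIUS server on the access points (the supplicants never talk to NPS directly, so the wireless profiles need no change beyond trusting both servers' certificates). The script below keeps the secondary in sync by exporting the primary's configuration and importing it on the secondary over PowerShell remoting. Server names NPS01 and NPS02 and the share path are assumptions. Two things the export does not carry have to be done once on the secondary by hand: install the EAP-TLS server certificate, and register the server in AD (netsh nps add registeredserver) so it may read account dial-in properties.

```powershell
# Added example: replicate NPS configuration from NPS01 to NPS02 without an NPS proxy.
# Run as an administrator on NPS01 with PowerShell remoting to NPS02 enabled.
$secondary = 'NPS02'                       # assumed name of the second NPS server
$exportDir = '\\NPS01\nps-export'          # assumed share; lock its ACL down (see step 3)
$file      = Join-Path $exportDir ('nps-{0:yyyyMMdd-HHmm}.xml' -f (Get-Date))

# 1. Export everything: RADIUS clients and their shared secrets, connection request
#    policies, network policies, accounting settings.
Export-NpsConfiguration -Path $file

# 2. Import on the secondary. Import-NpsConfiguration replaces the existing
#    configuration on the target; the restart makes sure the new policies are live.
Invoke-Command -ComputerName $secondary -ScriptBlock {
    param($path)
    Import-NpsConfiguration -Path $path
    Restart-Service IAS
} -ArgumentList $file

# 3. The export file contains every RADIUS shared secret unencrypted. Remove it as soon
#    as the import has succeeded rather than leaving it on a share.
Remove-Item $file -Force

# 4. Verify both servers now know the same RADIUS clients (access points).
$local  = Get-NpsRadiusClient | Select-Object -ExpandProperty Name | Sort-Object
$remote = Invoke-Command -ComputerName $secondary { Get-NpsRadiusClient | Select-Object -ExpandProperty Name } |
          Sort-Object
$diff = Compare-Object -ReferenceObject $local -DifferenceObject $remote
if ($diff) { $diff | Format-Table -AutoSize } else { "RADIUS client lists match on NPS01 and $secondary" }
```

With this in place the access point's own RADIUS server list provides the failover (primary first, secondary on timeout), which is the part an NPS proxy would otherwise do; accounting can be pointed at both servers the same way, at the cost of the accounting log being split across two machines.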
