Channel: Network Access Protection forum

Standalone NPS running EAP-TLS


I would like my switch management port to be segregated from the production network so that all RADIUS traffic is confined to an internal VLAN with no outside access. The NPS is located within the same VLAN as the switch management port. NPS is set to all ethernet types for the CRP and EAP-TLS with computer certificate for the NRP.

If NPS has no access to a DC (since NPS is segregated to a quarantined VLAN), will this process still work? The PKI environment is solid, all machines have certs and the trust store is good to go.

Main question:

Does the NPS RADIUS server REQUIRE access to the AD/DC when using EAP-TLS with computer certificates?

Thank you!!!


NPS Regex problem


Hello, I am having difficulty generating a regex for use within Windows NPS.

My intention is to allow only the following client IPv4 addresses. Can someone please assist with regex generation to only filter through these three addresses. Thank you kindly.

10.21.250.182
10.21.250.205
10.21.146.215
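An added example (not from the original post) of how such a pattern is built and why it must be anchored and dot-escaped: NPS evaluates condition patterns with .NET regex syntax, but the resulting pattern uses only constructs that Python's re handles identically, so it is exercised here with Python. The three addresses are the ones listed in the question; the function names are this example's own.

```python
import re

# Constructed input: the three client IPv4 addresses listed in the question.
ALLOWED_CLIENTS = ["10.21.250.182", "10.21.250.205", "10.21.146.215"]


def build_exact_ip_pattern(addresses):
    """Return an anchored alternation that matches only the given addresses.

    re.escape() turns each '.' into '\\.' so it matches a literal dot rather
    than any character, and the '^(...)$' anchors make sure a longer address
    such as 10.21.250.1820, or a prefix such as 10.21.250.18, is rejected.
    The returned string is what would be pasted into the NPS condition.
    """
    escaped = [re.escape(ip) for ip in addresses]
    return "^(" + "|".join(escaped) + ")$"


def is_allowed(pattern, candidate):
    """True only when the whole candidate string matches the pattern."""
    return re.fullmatch(pattern, candidate) is not None


def weak_pattern_accepts(candidate):
    """Shows the failure mode of a naive, unescaped and unanchored pattern.

    '10.21.250.182' used as-is lets '.' match any character and matches
    anywhere inside the string, so junk like '10x21x250x1820' gets through.
    """
    naive = "10.21.250.182"
    return re.search(naive, candidate) is not None


if __name__ == "__main__":
    pattern = build_exact_ip_pattern(ALLOWED_CLIENTS)
    print("NPS condition pattern:", pattern)
    for ip in ALLOWED_CLIENTS + ["10.21.250.1820", "10.21.250.18", "10x21x250x182"]:
        print(f"{ip:>16} -> {'allow' if is_allowed(pattern, ip) else 'deny'}")
```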

User Can not connect to Enterprise Wifi


Hello,

I met a particular case where a user cannot connect to the wireless. We use Aruba access points as the RADIUS client.

He is on Windows 10.

Tests applied:

1) with his AD account on his machine => Wifi KO
2) with another user account on his machine => Wifi OK
3) with his AD account, tested on another machine => Wifi KO

4) with his AD account on the same machine, connected to an external network like in hotels => OK

The account of this user is listed in the group which is authorized in RADIUS.

What could be the issue please?

Regards

Windows 2012 NPS-Radius Client connectivity issue


Hi,
I am new to the Windows NPS/RADIUS concept. I have a working Active Directory Domain Controller with integrated DNS installed on one server, and I have installed and configured the AD Certificate Services, DHCP and NPS roles on another server.
I configured DHCP with a proper scope; my Apple Wifi even got its IP from my DHCP server and the same is reserved too. I created a self-signed certificate for NPS and configured the NPS/RADIUS options below.

1. Under NPS (Local) --> RADIUS Clients, added a RADIUS client and assigned the friendly name Radius-Test
    i) Address (IP or DNS): entered my Apple Wifi IP, which is assigned through my DHCP server, and manually entered the shared secret, which is entered in the Apple Wifi too.
2. Configured RADIUS server for 802.1X Wireless or Wired Connections --> Secure Wireless Connections; the RADIUS client shown is the one from step 1
    i) At Configure Authentication Method, selected Microsoft Protected EAP (PEAP) --> found my self-signed certificate
    ii) At Specify User Groups --> selected my wifi-authenticated user group and then Next, Next, Finish
3. Connection Request Policies --> left the default Radius-Test & Use Windows authentication for all users without any changes
4. Network Policies --> Radius-Test --> Grant Access is selected and Ignore user account dial-in properties is checked
    i) Under Conditions selected --> NAS Port Type --> Wireless - Other or Wireless - IEEE 802.11
    ii) Windows Groups --> wifi-authenticated
    iii) Constraints --> added Microsoft Protected EAP (PEAP)
5. AD Users & Computers --> User Name: John --> Properties --> Dial-in --> Control access through NPS Network Policy
6. Apple Wifi configuration --> selected EAP Enterprise --> entered my RADIUS server IP and the same shared password used in the NPS configuration.
But when the user tries to connect to the wifi (Radius-Test) it prompts for user name and password; when he enters ad\john and the password it does not get connected, and I find the attached error in Event Viewer.

Any help please!!


Mohammed...

Windows 2012 Server - Creating an exception for a block rule in the firewall


Hi, y'all!

I have to deploy a rule to block all outbound traffic towards port TCP 80 regardless of the destination IP, so I set up an outbound "block" rule in the Windows Firewall specifically against that port. It was straightforward and works like a charm. However, I can't seem to find a way to add one single IP as an exception to this rule.

I tried creating a new rule allowing all traffic to the IP I'm attempting to whitelist but, from what I can gather, the blocking rules in the Windows firewall take precedence over "allow" rules so that explains why it didn't work.

How can I work around this? All I need is to block outgoing traffic to TCP 80 on all but one IP.

Thanks!

Accounting Servers


Dears,

My concern regarding the NPS Accounting are the below:

  • Can we configure accounting on separate NPS servers (configured only for accounting purposes)? If yes, can we add more than one accounting server?
  • If the above is not applicable, do we have to configure accounting on all NPS servers in the environment (proxy and client NPS)?

Best Regards,

Certificate for non-domain computer

Hi, I am trying to set up dot1x in the company network.
I would like to give out computer certificates. If the computer is in the domain, it receives a certificate and is OK. However, many computers do not work in the domain, and I would like to generate certificates (dot1x) for them. Is there any way to do this?

Radius setup using PEAP

Hi,
I need help in setting up RADIUS authentication with our Ubiquiti Wifi. I have read a lot of KB articles and it seems straightforward, but somehow I can't make it work. When I try to connect to a PEAP-enabled AP, it just keeps prompting me to sign in again. I should just be able to sign in with my domain credentials.

I use a Windows CA and generated a machine certificate for the RADIUS server, which I also imported on my test laptop. The Wifi AP and RADIUS server are in different VLANs. I can see Access-Request and Access-Challenge if I do a packet capture on my firewall, but the RADIUS server doesn't send any packets back to the client to authorize the connection.

In my Network Policy and Access Services logs, I can also see that "A LDAP connection with domain controller for domain CSBS is established", but that's about it.

Anything else I'm missing? Thanks

Windows 2012 NPS Custom Certificate\Client connecting issue


Hi,
I am trying to set up a Windows 2012 R2 NPS RADIUS server. My lab setup is as below:
1. AD + DNS installed on a server, IP: 192.168.2.5 (domain name PDC.mydomain.com)
2. DHCP + NPS + ADCS + IIS: all these roles are installed on another server, IP: 192.168.2.6 (which is my domain client)
3. We have a primary firewall in between. I configured a DHCP Relay Agent at my firewall; when a client requests an IP, my Windows DHCP server distributes the IP.
But unfortunately my Unifi access point fetches the IP but it does not get assigned, so I statically configured an IP like 192.168.2.7 on my Unifi access point.
4. For my lab setup I have 2 PCs, one Windows 10 and another Windows 7, and Android mobiles (I even need to configure the access for Apple Mac and iPhone).
I configured the RADIUS server details like its IP, authentication/accounting ports and shared secret key in my Unifi access point.
I created a self-signed certificate by going into Certificate Authority ---> Certificate Templates ---> Manage ---> RAS and IAS Server, right-clicking and selecting Duplicate Template ---> changed the compatibility: Certification Authority --> Windows Server 2012 R2 and Certificate recipient --> Windows 7 / Windows 2008
Under the General tab --> named it NPS_Cert
Security tab --> selected the Enroll and Autoenroll options for RAS and IAS Servers
and left all other options at their defaults.
Later, going into my Domain Controller, I configured the GPO ---> Computer Configuration ---> Security Settings ---> Public Key Policies ---> Certificate Services Client - Auto-Enrollment Settings --> Automatic certificate management (Enabled), enroll new certificates / renew expired certificates (Enabled), update and manage certificates that use certificate templates from AD (Enabled)
After updating the group policy I can find my custom certificate under NPS ---> Network Policies ---> Constraints ---> Authentication Methods ---> Microsoft Protected EAP (PEAP) (PDC.mydomain.com) certificate!!
For the testing phase, Windows 10 is non-domain joined and Windows 7 is a domain client. When I try to connect to wifi using domain credentials on the Windows 10 machine it gets connected, DHCP even distributes the IP and it is able to access the network, but now when I try to connect to wifi it prompts for credentials but says "Can't connect to the network".
Whereas when I try to connect to wifi on my Windows 7 machine it prompts for credentials and sometimes gets connected, but the IP doesn't apply; it shows as Unidentified Network, I find an APIPA IP under IP details, and most of the time it shows network not available. Also, sometimes when I create a manual network connection on Windows 7 and remove the option Validate the server certificate it gets connected, but still the IP is not getting assigned.

The same when I try to connect on my Android mobile: the IP is not getting assigned.
Any help please!!!


Mohammed...


Configure firewall to allow RDP before enabling it


Is there a way to configure the firewall before enabling it? The minute I enable it on our server, I get kicked out of RDP on Server 2012.

I might have been hacked, and it is not allowing me to connect via Remote Desktop when enabled. The minute I enable it from Services, I get logged out and I can't get in again.

Help.

Windows NPS - EAP-TLS problem


Hello, I have a Windows NPS EAP-TLS policy configured; however, my test user is receiving this error. I am not 100% sure that the authenticating client actually has a local certificate. Do the following NPS logs confirm that a client certificate has been presented for authentication, or could this error simply mean that a client certificate has been presented?

Are there any logs within NPS that would show what certificate was presented for authentication via EAP-TLS?

Thank you.

Authentication Details:

Connection Request Policy Name:CR-ZoneDirector
Network Policy Name:NP-DOMAIN-BYOD-Wifi-EAP_TLS
Authentication Provider:Windows
Authentication Server:DAKLRAD1.domain.forest
Authentication Type:EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier:-
Logging Results:Accounting information was written to the local log file.
Reason Code: 287
Reason: A certificate chain could not be built to a trusted root authority.************

NPS Receiving Computer Name Instead of Credentials Entered in WPA2 Enterprise Prompt


Hello All,

I am having a very difficult time trying to figure this one out. I have 2 networks, linked by a site to site VPN. All of the infrastructure such as AD and NPS are located at the home office. The remote office has several computers and laptops. The Ethernet connections work just fine and are able to communicate with everything I want them to across the VPN. 

I have verified that NPS traffic can traverse the network both ways from the remote computers all the way through both firewalls and the VPN, to the NPS server. We use WPA2 Enterprise authentication for the wireless, which connects to our NPS server.

My problem is, the computers that attempt to connect to the wireless are prompted for credentials, but fail to connect. I have verified on the NPS server that traffic is indeed making it to the NPS server, and have looked through Event Viewer for some clues. I am noticing that NPS requests from the remote office do not properly use the supplied credentials. We are using only User Authentication, but for some reason the requests are using the Computer Name as the Security ID, Account Name, and FQAN.

I was under the impression the NPS request would use the supplied credentials for the Security ID and Account Name?

EKU Server authentication


Hello, what is best practice regarding including the 'Extended Key Usage' field for Server Authentication within the public cert of a root CA? I.e., should it be a golden rule for all root CA public certificates to include this EKU Server Authentication field?

My situation is that our company has its own internal root CA server, but the EKU 'Server Authentication' field is missing from the public cert. This is causing problems with a third-party authentication server I am configuring, as it expects to see this EKU field. It throws the error message 'Lowest cert does not have server authentication EKU, assuming this is not server cert.'

Is it easy enough to add this EKU field to the public certificate of our root CA?

Thank you for any comments.


Block Unauthorized Device Access into LAN


We have a thin client (Sun Ray) environment. Users log on through Remote Desktop Services. DHCP is running on the network devices and the thin clients get their IPs through DHCP.

We want to block unauthorized devices from connecting to our environment.

One of our users got into the network through a soft client installed on a laptop.

Will NPS work in our case? Assistance and guidance required.


Rox_Star

Server 2016 with a WiFi adapter broadcasts a SSID that you can use to connect directly to the server, no password


I have a wifi adapter on an instance of Server 2016 which I typically use to connect to various networks. That works fine; however, it also publishes its own SSID of the machine name with no credentials. This needs to be turned off, but I cannot find anything that even admits that the server will actually do this.

I want to be able to use the wifi to connect to other networks, but I cannot have anyone connecting, via wifi, to the server.

I have both a 2012R2 and 2016 server that both do this. Server 2019 doesn't.

How do I stop the server from allowing direct connections? This is a real security issue!




Scott


How can I set exception rule for specified computer group


Hi Team,

We added the condition value "company\Domain Computers" under Network Policies, which allows domain-joined computers to connect to our wireless network. Right now we do not want specific computers to be able to connect. How can we reach this goal? Just add another deny network policy under the allow one?

Thanks.

Regards,

Yong

Assign authorized MAC addresses per user


Hey guys,

I'm trying to add a list of MAC addresses per user as a constraint. I was thinking maybe setting it up on the user's AD entry or something similar, but I'm not sure how it's done. The AD card has a lot of stuff in it; I'm sure MAC address must already be in the schema, but I can't find it.

Let me clarify again: I'm not trying to set up MAC authentication for devices; that I'm already doing. I want to assign a list of specific MAC addresses so that if the user is connecting from an unknown device it'll get rejected. The only way I could come up with is adding new policies per user or, worse, per MAC address, and some variations on that. That's zero practical unless scripted, and still... mm-no.

I'm aware MAC addresses can be easily spoofed, especially in this context where user input is still needed, but I'd still like to try it. If you guys can clue me in on where to begin I'd be forever grateful, I promise. :)


I bet you think this post is about you. Don't you…don't you. ♪

Generic Failure while Pinging


Pinging 192.168.1.45 with 32 bytes of data:
General failure.
General failure.
General failure.
General failure.

Please tell me any solution for this.

NPS Conditional Wifi access for corporate iPads


Hi!

I use NPS to allow access to the corporate Wifi for my domain-joined laptops based on the group 'Domain Computers'. So if the laptop is a domain member it just connects to Wifi with no username or password prompt.

I am getting a lot of requests to allow corporate-owned and managed iPads to connect to this same network, which I am doing using a domain username and password and the MAC address of the iPad. We add the MAC addresses under 'Calling-Station-ID' and trigger on a domain group 'IPad-Access'. This, like the laptops, works well; however, it is starting to get very messy to manage, and I would like something else I can trigger on in NPS for these specific iPads other than the MAC addresses. Installing a domain cert on each would be an option, but I am not sure how this would be set up.

Anyone have any thought on a better way?

Thank you!




WPA-2 Enterprise Authentication works with iOS, Windows 8 devices, but not Windows 7


Trying to set up WPA-2 Enterprise authentication for my wireless devices. I have an AD CS root CA and my NPS/Radius server has a machine cert that chains to the root CA:

When I join my wifi network from an iOS device, it asks for my user credentials and I enter my domain credentials. It then complains about not trusting the RADIUS server certificate (understandable since this device is not joined to our domain). But it gives me the option to trust the certificate anyway, and once I do, I'm authenticated. 

When I join from my domain-joined Windows 8 tablet, it asks for my user credentials, I enter my domain credentials, and I'm authenticated. No problem. 

When I join from my domain-joined Windows 7 laptop, it repeatedly tells me "unable to connect." 

When I check the RADIUS server logs, it tells me "Authentication failed due to credentials mismatch." But I know my credentials are good because I used them from the iOS and Windows 8 devices:

When I check the workstation logs, I get various error messages. One says there's a "problem with the certificate on the server" but I know that's not true because my non-domain joined iOS device authenticated no problem as well as my domain joined Windows 8 workstation:


The other error message says a "user certificate required for the network can't be found on this computer." Well that shouldn't matter because again, no user certificate on the iOS device and it authenticated no problem. The Windows 8 and Windows 7 workstations both have auto-enrollment enabled for certificates, both have auto-enrolled user certs installed and both have the AD CS root cert installed: 

So it obviously seems like a Windows 7 issue, but I can't figure out what. Thoughts?


Shaun
