
error:04091068:rsa routines:int_rsa_verify:bad signature

Hi everyone,

I am using openssl-1.0.2p on a WEC7 client device and openssl-1.1.1 on an Ubuntu 18.10 server machine. The server is running hostapd. When the client tries to connect to the server by the EAP-TLS method using TLSv1.2, the server gives the error below during certificate verification.

"SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decrypt error"
"OpenSSL: openssl_handshake - SSL_connect error:04091068:rsa routines:int_rsa_verify:bad signature"

When I traced the int_rsa_verify API, I found that the decrypted data is not the same as the encoded data, which is the reason for this error.

But the fact is that with the same certificates and the same server and client setup, the client connects to the server with TLSv1.0.
When TLSv1_client_method() is replaced by TLSv1_2_client_method(), I face this issue.
On the client side I am not getting any errors.

Can anyone help me fix or debug this issue? I'm stuck on this; any help will be greatly appreciated.
Thanks in advance


KB4025335 kills certificate based computer authentication

Hi,

This morning I became aware of the fact that one of our two NAPs (Windows Server 2012 R2) refused to authenticate client machines through our switches (802.1X, computer certificate based authentication).

From the logs: Microsoft Windows security auditing | Event ID: 6273 | Code 16

The machine in question installed the update KB4025335 tonight and seems to have had this problem since then. The other machine has not installed this update so far and is still working properly. Given the fact that there are a couple of NPA-related things mentioned in the description of the update, I guess Microsoft screwed something up.

Is anybody else facing this problem since the update?

Best,

dialsc


Accounting NPS on SQL

Dears,

We want to configure SQL accounting with SQL always on.

SQL Always On is configured and the accounting servers can connect perfectly to the created database. But our concern is what the best practice is for database growth and how to empty it with a maintenance plan or something, as we have a lot of records that will be recorded.

Your advice is really appreciated.

Best Regards,

User Can not connect to Enterprise Wifi

Hello ,

I met a particular case where the user cannot connect to the wireless. We use Aruba access points as the RADIUS client.

He is on Windows 10.

Test applied :

1) With his AD account on his machine => Wi-Fi KO
2) With another user account on his machine => Wi-Fi OK
3) With his AD account, tested on another machine => Wi-Fi KO

4) With his AD account on the same machine, connected to an external network like in hotels.

The account of this user is listed in the group which is authorized in RADIUS.

What could be the issue, please?

Regards

NPS as a radius server,the network policys are not enforced sometime

Hi All,

I have configured an NPS server on a Windows Server 2012 R2 OS; the RADIUS client is a Cisco hardware VPN device.
There is a custom NPS extension registered for some extra authentication (two-step authentication).
There are two types of authentication method:

1. The user submits two passwords using the "active directory password" + "some extra password" format, like
"password1_password2". The NPS extension splits and checks both passwords, and NPS itself authorizes the user
using the network policy; both work fine. Two security events are logged in the Windows event log:
the first event (ID 6272) shows Network Policy Server granted access to a user;
the second event (ID 6278) shows Network Policy Server granted full access to a user because the host met the defined health policy.
In both events, I can see the Authentication Details show the Proxy Policy Name and Network Policy Name.

2. The user submits the first "active directory password" to NPS; the NPS extension checks the password and returns a RADIUS challenge message to the RADIUS client. Then the user submits the second "some extra password" to NPS, and the NPS extension checks the second password.
The problem is: when the authentication process completes, NPS bypasses the authorization (network policy) process and directly grants access to the network.
There is only one security event logged in the Windows event log:
event (ID 6272) shows Network Policy Server granted access to a user.
This event only shows the Proxy Policy Name; the Network Policy Name is "-".

Because the NPS extension is only registered for authentication and it works fine, I think this is not a development-related question.
I am not very familiar with NPS; maybe I made some wrong configuration.

Thanks for your help.

=======================================

Below are the policies; values that I did not mention all use the defaults:

Create a new connection request policy:
Add a condition -- NAS Port Type = Virtual (VPN)

Create a new network policy:
Add a condition -- Windows Group = contoso\vpn_access_group
Authentication Method -- only check Unencrypted authentication (PAP, SPAP)
Ignore user account dial-in properties

=======================================

We found a problem:

When the authentication extension returns to the RADIUS client an Access-Challenge message AND a ratState attribute, NPS does not run the network policies and directly lets the user log in.

When the authentication extension returns to the RADIUS client ONLY an Access-Challenge message, NPS can use the network policies to authorize the user.




What is RADIUS accounting

Good morning all,

I just want to ask, what is RADIUS accounting?

I ask because while I can see users logging in and failed logins, it is not immediately clear from what device. I can see the RADIUS client says it is our main firewall, but there is nothing giving me any clue about the device itself. Not sure if RADIUS accounting can help?

We use the same firewall for remote users' SSL VPN requests; it also uses RADIUS. I could point it to the same Windows NPS server, but is there a case for using a separate RADIUS server? I mean, perhaps the authentication is different between Wi-Fi and VPN.

win server 2012 r2 nps

Hi :),

After greetings, how can I stop NPS without removing the role on Windows Server 2012 R2?

BR

Sherif Adly

IT Engineer

Eastern Company for Tobacco 

Egypt

00201146616236


Engineer.Sherif

Does WAP work with TCP traffic as well

Hi,

Am I correct in thinking that the Web Application Proxy will only work with HTTP traffic and will not allow non-HTTP traffic through? The possible exception being any TCP support required by ADFS for its Smartcard Authentication Service.

Historically I had used ARR in IIS, which I know was only for web traffic as it was built on top of IIS. I'd heard (probably erroneously) that as WAP was standalone it didn't have this limitation.

Thanks in advance for answering what is potentially a very silly question. This really isn't my area.


How do you get only certificate based authentication for Wifi on mobile devices?

Hi all,

I just want to ask if it's possible to only get certificate based authentication for WiFi on mobile devices?

I currently have it set up so that Windows devices can connect to the corporate WiFi with their domain username and password. There is a certificate on the NPS server and all Windows clients trust that cert because it's part of the internal PKI we have.

I am not sure if every user needs his/her own user cert for the WiFi connection without username and password, or whether there is just one cert I need to deploy to all clients.

Can anyone help enlighten me?

Windows Computer Certificate for non-Domain Joined client to meet 802.1x Computer security group condition

I have an NPS rule that permits only members of a windows global security group to join WiFi using 802.1x.

Domain joined machines connect fine.

I wanted to issue (and manually distribute) certificates to machines that were not domain joined to allow them to connect but am unable to generate a computer certificate that passes the test.

I can (only) enrol on behalf of users, and user-based cert authentication also works.

To have the machine auto join I assume I require a machine cert.

Log Example

I can generate a client certificate but it fails as it identifies differently:

Successful client...

User:
Security ID:CONTOSO\CONTOSOWIFIPC$
Account Name:host/CONTOSOWIFIPC.CONTOSO.com
Account Domain:CONTOSO
Fully Qualified Account Name:CONTOSO\CONTOSOWIFIPC$

Client Machine:
Security ID:NULL SID
Account Name:-
Fully Qualified Account Name:-
Called Station Identifier:00-11-22-33-44-55:CONTOSO_Portables
Calling Station Identifier:99-88-77-66-55-44

Unsuccessful client...

User:
Security ID:NULL SID
Account Name:host/CONTOSOWIFIPC.CONTOSO.com
Account Domain:CONTOSO
Fully Qualified Account Name:CONTOSO\host/CONTOSOWIFIPC.CONTOSO.com

Client Machine:
Security ID:NULL SID
Account Name:-
Fully Qualified Account Name:-
Called Station Identifier:00-11-22-33-44-55:CONTOSO_Portables
Calling Station Identifier:99-88-77-66-55-44

I duplicated the Workstation and Computer CA templates for client auth, but if I manually specify the host name I get the Unsuccessful log above (no SID association). If I generate the name using AD (with SID association) I can only use the name of the workstation/server at which the cert is generated.

Enrol On Behalf of

User Enrol On Behalf Of won't permit computer accounts.

There is no option for Enrol On Behalf Of for computer/machine certs in the Cert MMC. (I managed to find how to generate a computer cert using the option at https://docs.vmware.com/en/VMware-AirWatch/9.3/vmware-airwatch-guides-93/GUID-AW93-SetRestrEnrolAgentSignCA.html but that still only specifies the local machine I used if I build from AD; I never get prompted to browse for an account.)

Workaround

In the end I used an actual Windows client to create an exportable cert, and now I import that one cert onto the WiFi systems, and that works.

Question

Is it possible to stage (manually create) computer accounts (that are members of a security group) in AD and get exportable certs for them that I can carry to clients (which might be named differently from the cert I want to give them, e.g. a client called MYSURFACE that I want to authenticate to WiFi as STAFFMEMBER01.Contoso.com)? Or am I on a wild goose chase...
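The two event snippets above differ in the one field that decides the group-membership condition: in the failing case the User section's Security ID is NULL SID, so the host/ name from the certificate was never mapped to a computer account and there is no SID for the policy to evaluate (the "no SID association" the post describes). The following script is an added example, not from the post or from Microsoft; it parses constructed copies of those two snippets and flags that condition, which is the check to run on a real event body before reworking certificate templates.

```python
# Constructed samples mirroring the two event snippets quoted in the post above.
SUCCESSFUL_EVENT = """User:
Security ID:CONTOSO\\CONTOSOWIFIPC$
Account Name:host/CONTOSOWIFIPC.CONTOSO.com
Account Domain:CONTOSO
Fully Qualified Account Name:CONTOSO\\CONTOSOWIFIPC$

Client Machine:
Security ID:NULL SID
Account Name:-
Fully Qualified Account Name:-
Called Station Identifier:00-11-22-33-44-55:CONTOSO_Portables
Calling Station Identifier:99-88-77-66-55-44
"""

UNSUCCESSFUL_EVENT = """User:
Security ID:NULL SID
Account Name:host/CONTOSOWIFIPC.CONTOSO.com
Account Domain:CONTOSO
Fully Qualified Account Name:CONTOSO\\host/CONTOSOWIFIPC.CONTOSO.com

Client Machine:
Security ID:NULL SID
Account Name:-
Fully Qualified Account Name:-
Called Station Identifier:00-11-22-33-44-55:CONTOSO_Portables
Calling Station Identifier:99-88-77-66-55-44
"""


def parse_event(text):
    """Split an NPS event body into sections ('User', 'Client Machine') of key/value pairs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")  # split on the FIRST colon only
        if sep and value == "":
            current = key                      # a bare "Name:" line opens a section
            sections[current] = {}
        elif sep and current is not None:
            sections[current][key] = value     # values may themselves contain colons
    return sections


def identity_resolved(event_text):
    """True when NPS mapped the presented identity to an account (a real, non-NULL SID)."""
    user = parse_event(event_text).get("User", {})
    return user.get("Security ID", "NULL SID") != "NULL SID"


def classify(event_text):
    """One-line verdict on the User section, suitable for a log-review script."""
    user = parse_event(event_text).get("User", {})
    name = user.get("Account Name", "")
    if identity_resolved(event_text):
        return "resolved: " + user.get("Fully Qualified Account Name", "")
    if name.startswith("host/"):
        return "unmapped computer identity: " + name
    return "unresolved identity: " + name
```

Running classify over the two samples returns "resolved: CONTOSO\CONTOSOWIFIPC$" for the first and "unmapped computer identity: host/CONTOSOWIFIPC.CONTOSO.com" for the second; the Client Machine section is NULL SID in both, so it is the User section that carries the signal.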


Windows 10 802.1X timers

Hello

I have some questions about 802.1X implementation in Windows 10.

- What is the timer for the 802.1X timeout and how can I change it?

- How many times will Windows 10 try to re-authenticate if the 802.1X timeout occurs?

- Where can I see logs for authentication attempts?


Thanks in advance!


RRAS L2TP client on Windows Server 2016

Hello,

I'm trying to connect a Windows Server 2016 (the client, an RDS server) to another Windows Server 2016 (the server) with an L2TP connection.

When I create the connection with the Control Panel, it works: I'm able to configure it with MS-CHAP v2, the preshared key, ... I import the certificate into the Personal certificate store and the connection works fine. But the goal is to have a permanent connection to the server.

I've tried to do that with RRAS, and I've set up a network interface with the same parameters, but the connection always fails :-(

I really don't know what I'm doing wrong, and I don't know where I can find some logs which can explain the problem. Maybe it is an NPS blockage? But I don't know what to put on it.

I really need to have a permanent VPN connection even if no users are connected to the RDS.

Thanks for your help :-)

Window Server 2016 RADIUS WIFI Authentications not working on home router with DD-WRT Installed

Hello, I am trying to set up WPA2 Enterprise WiFi authentication using my Asus router with DD-WRT firmware installed. I only have one Windows Server on the network. This server gives out DHCP addresses from 10.0.0.10 to 10.0.0.100 and DNS, and it is also configured as AD DS. I have attached screenshots of the configuration on the server side and also on the router side. The error I keep getting is Error 13: "A RADIUS message was received from the invalid RADIUS client IP address 10.0.0.4." 10.0.0.4 is my home router. If you want to know more information, feel free to ask!

Network Policies Processing Order

Setup:

Unifi AP's connected to NPS running on Server 2012 R2.

Goal:

1. Laptop users should be able to connect to the production wireless network simply by having their computer accounts in an authorized group, e.g. Company/Laptops.

2. If your device is not in the said group (not an AD object, in essence), prompt for credentials from e.g. Company/Authorized Users.

What so far:

I created a Network Policy with one of its conditions being that you have to be a member of Company/Laptops to be granted access to the wireless network. This works fine, as laptops connect directly if authorized.

A second policy was created where the condition was that you have to be a member of Company/Authorized Users.

Problem:

1. After implementing the second policy, which is 2nd in the processing order, even authorized laptops are prompted for credentials.

2. Devices not in the Company/Laptops group are not granted access at all.

Public Certificate for NPS/NAP?

OK, I am trying to get NPS set up to be used for guests to access the Internet but still require a login on our network using PEAP. I got a trial certificate from GeoTrust/RapidSSL/FreeSSL and it only offers "Digital Signature, Key Encipherment (a0)", but NPS requires a certificate with "Data Encipherment". I have not found ANY public CA that issues this type of certificate, so if Microsoft requires this for PEAP, where am I to get a valid certificate for it?

I have checked Verisign and GoDaddy, and all of them only offer "Key Encipherment".



Limit one connection to the VPN server per user

I have a W2016 server with NPS and Routing and Remote Access, and I would like to know how to limit it to a single connection per Active Directory user.

Thanks 


Hi, I want to block BitLocker in AD

Hello Everybody,

I have a problem with Microsoft Windows Server 2008 and 2012 R2. I want to block the BitLocker service in AD (Active Directory). How do I do it in GPO? My machine recently got hacked, and my hard drive was blocked in the ransomware attack. Thanks for all answers :)

Secondary Authentication

hey,

We have some 3rd party RADIUS that is performing OTP authentication for the user.

I want to have two-factor authentication on my VPN GW. It knows how to handle a challenge from the RADIUS server to send an additional password, but I don't know the implementation on the NPS server.
The process should be something like this:
1) The user sends the username and password to the VPN GW
2) The authentication request is sent to the RADIUS server
3) The RADIUS server authenticates the user credentials against the AD
4) The NPS sends an Access-Challenge to the client for an additional password
5) The NPS forwards the authentication to a remote RADIUS server
6) If the remote RADIUS server returns access granted, the NPS will also send this type back to the server

thanks
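Both this post and the earlier one about an NPS extension returning Access-Challenge describe the same RADIUS flow: an Access-Request carrying the first password, an Access-Challenge carrying a State attribute, a second Access-Request that echoes that State with the second password, and only then an Access-Accept or Access-Reject. The following is an added example, not code from either post and not Microsoft's NPS extension API; it implements that exchange in pure Python per RFC 2865 (PAP User-Password hiding, the Response Authenticator, and the State attribute) with a constructed shared secret, a constructed user store, and a hard-coded stand-in for the network policy's Windows Group condition, and it runs that authorization step only after both factors have succeeded. The State token is single-use, so a replayed second-round request is rejected.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes and attribute types (standard values from RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SHARED_SECRET = b"constructed-shared-secret"  # constructed sample value

# Constructed user store: username -> (AD password, one-time password, AD groups).
# "bob" has valid credentials but is not in the VPN group, so the policy must reject him.
USERS = {b"alice": (b"ad-password", b"123456", {"vpn_access_group"}),
         b"bob": (b"ad-password", b"654321", set())}
PENDING = {}  # State token -> username that has passed the first factor

def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1) Value; Length covers the whole TLV.
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def pap_transform(data, req_auth, decrypt=False):
    # RFC 2865 5.2 User-Password hiding: pad to 16 bytes and XOR each block with
    # MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(SHARED_SECRET + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out.rstrip(b"\x00") if decrypt else out

def build_access_request(identifier, username, password, state=None):
    req_auth = secrets.token_bytes(16)  # fresh random Request Authenticator
    attrs = [(USER_NAME, username), (USER_PASSWORD, pap_transform(password, req_auth))]
    if state is not None:
        attrs.append((STATE, state))  # the client echoes the server's State unmodified
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + req_auth + body

def build_response(code, request, attrs):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + SHARED_SECRET).digest() + body

def verify_response(response, request):
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + SHARED_SECRET).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])

def handle_access_request(request):
    attrs = dict(decode_attrs(request[20:]))
    user = attrs.get(USER_NAME, b"")
    password = pap_transform(attrs.get(USER_PASSWORD, b""), request[4:20], decrypt=True)
    if user not in USERS:
        return build_response(ACCESS_REJECT, request, [])
    ad_password, otp, groups = USERS[user]
    state = attrs.get(STATE)
    if state is None:
        # Round 1: first factor. On success, challenge for the OTP and bind the
        # conversation with a State token that must come back on the next request.
        if password != ad_password:
            return build_response(ACCESS_REJECT, request, [])
        token = secrets.token_bytes(16)
        PENDING[token] = user
        return build_response(ACCESS_CHALLENGE, request,
                              [(REPLY_MESSAGE, b"Enter one-time password"), (STATE, token)])
    # Round 2: State must be one we issued for this user (single use) and the OTP must match.
    if PENDING.pop(state, None) != user or password != otp:
        return build_response(ACCESS_REJECT, request, [])
    # Authorization (the network policy group condition) runs only after BOTH factors.
    if "vpn_access_group" not in groups:  # stand-in for Windows Group = vpn_access_group
        return build_response(ACCESS_REJECT, request, [])
    return build_response(ACCESS_ACCEPT, request, [])

def run_exchange(username, first_password, second_password):
    # Client side of both rounds; returns the final RADIUS response code.
    req1 = build_access_request(1, username, first_password)
    resp1 = handle_access_request(req1)
    if not verify_response(resp1, req1):
        raise ValueError("bad Response Authenticator")
    if resp1[0] != ACCESS_CHALLENGE:
        return resp1[0]
    state = dict(decode_attrs(resp1[20:]))[STATE]
    req2 = build_access_request(2, username, second_password, state=state)
    resp2 = handle_access_request(req2)
    if not verify_response(resp2, req2):
        raise ValueError("bad Response Authenticator")
    return resp2[0]
```

run_exchange(b"alice", b"ad-password", b"123456") returns 2 (Access-Accept), while bob with correct credentials returns 3 because the group condition fails after the second round. The part that matters for the NPS post is the order of operations in handle_access_request: the challenge round binds the two requests through State, and authorization is a separate step that the second round cannot skip.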


NPS Called-Station-ID Regex Pattern

I am trying to set up separate auth policies per WLAN. The attribute "Called-Station-ID" contains the MAC address and SSID of the WLAN a client is connecting from, so this seemed an obvious choice. When I specify any kind of regex pattern in the "Called-Station-ID" condition, authentication fails with error 69 stating the Called-Station-ID does not match any policy. I know the policy is fine except for the Called-Station-ID attribute, because if I enter the exact Called-Station-ID value, as pulled from the logs, which includes the MAC address and SSID, it works fine. I searched Google first and none of the suggestions I found worked. I would appreciate some help.


Working Called-Station-ID: 00-17-df-34-82-80:RSC-Secure-Wireless

List of attempts:

.*:RSC-Secure-Wireless

.0-17-df-34-82-80:RSC-Secure-Wireless

^00-17-df-34-82-80:RSC-Secure-Wireless$

/00-17-df-34-82-80:RSC-Secure-Wireless/

/^00-17-df-34-82-80:RSC-Secure-Wireless$/


While my first attempt may have been incorrect, at least one of my test patterns should have worked. From what I can gather, it's not processing the value as a pattern at all.
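Whatever NPS does with the condition, it helps to know what each attempt means as a plain regular expression. The following is an added example, not from the post or from Microsoft's NPS documentation; it evaluates the five patterns listed above against the working value with Python's re module, where ^ and $ are the only anchors and a / is an ordinary literal character, and then goes one step further than the post by parsing Called-Station-ID into a normalised AP MAC and an SSID so that a per-WLAN policy lookup does not depend on how the controller formats the MAC. The SSID-to-policy table is constructed.

```python
import re

# The working value and the patterns tried in the post above (copied from it).
WORKING_VALUE = "00-17-df-34-82-80:RSC-Secure-Wireless"
ATTEMPTS = [
    r".*:RSC-Secure-Wireless",
    r".0-17-df-34-82-80:RSC-Secure-Wireless",
    r"^00-17-df-34-82-80:RSC-Secure-Wireless$",
    r"/00-17-df-34-82-80:RSC-Secure-Wireless/",
    r"/^00-17-df-34-82-80:RSC-Secure-Wireless$/",
]


def regex_matches(value, pattern):
    # Treat the pattern as a bare regular expression: ^ and $ anchor, and a
    # slash is a literal character, not a delimiter as in sed or JavaScript.
    return re.search(pattern, value) is not None


def evaluate_attempts(value=WORKING_VALUE, patterns=ATTEMPTS):
    """Map each candidate pattern to whether it matches the value."""
    return {p: regex_matches(value, p) for p in patterns}


# Called-Station-Id as "<AP MAC>:<SSID>"; the MAC may be hyphen-, colon- or
# un-separated and in either case, so it is normalised before any comparison.
_CSI = re.compile(r"^(?P<mac>[0-9a-f]{2}(?:[-:]?[0-9a-f]{2}){5}):(?P<ssid>.+)$", re.I)


def parse_called_station_id(value):
    """Return (normalised lowercase hyphenated MAC, SSID) or None if unparseable."""
    m = _CSI.match(value)
    if m is None:
        return None
    digits = re.sub(r"[-:]", "", m.group("mac")).lower()
    mac = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return mac, m.group("ssid")


# Constructed SSID -> policy-name table standing in for one network policy per WLAN.
SSID_POLICIES = {"RSC-Secure-Wireless": "Secure-Wireless", "RSC-Guest": "Guest"}


def select_policy(value, policies=SSID_POLICIES):
    """Pick the policy for a Called-Station-Id by SSID, ignoring the MAC's formatting."""
    parsed = parse_called_station_id(value)
    return None if parsed is None else policies.get(parsed[1])
```

evaluate_attempts() reports the first three attempts as matching and the two slash-delimited ones as never matching, since the value contains no slashes; select_policy returns "Secure-Wireless" for the working value whether the MAC arrives as 00-17-df-34-82-80, 00:17:DF:34:82:80 or 0017df348280.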


share RDS Gateway with Trusted Domain. Keep getting NPS Reason code = 65

I have two domains, Domain1 and DomainB. I have a full trust set up between the two. I can RDP onto the RDS server and I can log in to RDWeb, but I cannot launch anything; I get access denied on connect.

I looked at the logs and I see the cause. Under NPAS I get "Network Policy Server denied access to a user". Referencing the policy that denied access, it lists RDG Marker, and when I reference that I'm guessing it's working because it says allow unauthenticated access.

Now I have the firewall only allowing the ports I need, but I feel like leaving this unauthenticated is dumb.

How do I configure the policy to allow DomainB users access to Domain1 servers using NPS?
