Channel: Network Access Protection forum

DHCP NAP Windows 7 Client SCCM 2012 SP1 Windows 2012


We have the following config:

  • Windows 2012 DHCP with NPS and HRA services installed (192.168.5.11)
  • Windows 2008 R2 with SCCM 2012 SP1 - no NAP settings (192.168.5.125)
  • Windows 7 Clients obtaining IP from DHCP and client to SCCM install (192.168.8.0/24)

We have configured the following policies on the NPS Server:

  • Connection Request: DHCP: Called Station ID: 192.168.8.0
  • Network Policies with appropriate MS-Service Class for the DHCP scope, with compliant and non-compliant Health Policies (very simple; the only thing that isn't being checked is Windows Updates)

The DHCP is happy to dish out IP addresses to compliant machines no problem at all. When a machine goes non-compliant it registers the non-compliant machine with event ID 6276 - Network Policy Server quarantined a user.

It then proceeds to send the limited access DHCP options which the client then happily ignores.

I've run WireShark on the clients to capture the DHCP response and I can see the different options being returned to the client, specifically option 121 with the classless static routes.

When I run napstat it says full network access - no issues raised.

Output from netsh nap client show config:


NAP client configuration: 
---------------------------------------------------- 

Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048 

Hash algorithm = sha1RSA (1.3.14.3.2.29) 

Enforcement clients: 
---------------------------------------------------- 
Name            = DHCP Quarantine Enforcement Client 
ID              = 79617 
Admin           = Disabled 

Name            = IPsec Relying Party 
ID              = 79619 
Admin           = Disabled 

Name            = RD Gateway Quarantine Enforcement Client 
ID              = 79621 
Admin           = Disabled 

Name            = Microsoft Forefront UAG Quarantine Enforcement Client 
ID              = 79622 
Admin           = Enabled 

Name            = EAP Quarantine Enforcement Client 
ID              = 79623 
Admin           = Disabled 

Client tracing: 
---------------------------------------------------- 
State = Disabled 
Level = Disabled 

Ok.

Output from netsh nap client show state:

Client state: 
---------------------------------------------------- 
Name                   = Network Access Protection Client 
Description            = Microsoft Network Access Protection Client 
Protocol version       = 1.0 
Status                 = Enabled 
Restriction state      = Not restricted 
Troubleshooting URL    =  
Restriction start time =  
Extended state         =  
GroupPolicy            = Configured 

Enforcement client state: 
---------------------------------------------------- 
Id                     = 79617 
Name                   = DHCP Quarantine Enforcement Client 
Description            = Provides DHCP based enforcement for NAP 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = Yes 

Id                     = 79619 
Name                   = IPsec Relying Party 
Description            = Provides IPsec based enforcement for Network Access Protection 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = No 

Id                     = 79621 
Name                   = RD Gateway Quarantine Enforcement Client 
Description            = Provides RD Gateway enforcement for NAP 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = No 

Id                     = 79622 
Name                   = Microsoft Forefront UAG Quarantine Enforcement Client 
Description            = Reports client health status. 
Version                = 4.0.2095.10000 
Vendor name            = Microsoft Corporation 
Registration date      = 11/01/2013 09:04:05 
Initialized            = No 

Id                     = 79623 
Name                   = EAP Quarantine Enforcement Client 
Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies. 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = No 

System health agent (SHA) state: 
---------------------------------------------------- 
Id                     = 7467776 
Name                   = ESET SHA 
Description            = ESET System Health Agent (SHA) checks compliance of ESET products policy defined by system administrator. 
Version                = 5.0.2126.0  
Vendor name            = ESET 
Registration date      = 23/08/2012 16:12:42 
Initialized            = No 
Failure category       = None 
Remediation state      = Success 
Remediation percentage = 0 
Fixup Message          = (0) -  

Id                     = 79744
Name                   = Windows Security Health Agent
Description            = The Windows Security Health Agent monitors security settings on your computer.
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = Yes
Failure category       = None
Remediation state      = Success
Remediation percentage = 0
Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating the security state of this computer.
Compliance results     =
Remediation results    =

Id                     = 79745 
Name                   = Configuration Manager 2012 System Health Agent 
Description            = Configuration Manager 2012 System Health Agent facilitates enforcement of software update compliance using Network Access Protection. 
Version                = 2012 
Vendor name            = Microsoft Corporation 
Registration date      = 23/01/2013 17:54:04 
Initialized            = No 
Failure category       = None 
Remediation state      = Success 
Remediation percentage = 0 
Fixup Message          = (0) -  

Ok.

Output from netsh nap client show grouppolicy:


NAP client configuration (group policy): 
---------------------------------------------------- 

NAP client configuration: 
---------------------------------------------------- 

Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048 

Hash algorithm = sha1RSA (1.3.14.3.2.29) 

Enforcement clients: 
---------------------------------------------------- 
Name            = DHCP Quarantine Enforcement Client 
ID              = 79617 
Admin           = Enabled 

Name            = IPsec Relying Party 
ID              = 79619 
Admin           = Disabled 

Name            = RD Gateway Quarantine Enforcement Client 
ID              = 79621 
Admin           = Disabled 

Name            = Microsoft Forefront UAG Quarantine Enforcement Client 
ID              = 79622 
Admin           = Disabled 

Name            = EAP Quarantine Enforcement Client 
ID              = 79623 
Admin           = Disabled 

Client tracing: 
---------------------------------------------------- 
State = Enabled 
Level = Advanced 

Trusted server group configuration: 
---------------------------------------------------- 
Group            = HRA Servers 
Require Https    = Enabled 
URL              = https://<FQDN>/domainhra/hcsrvext.dll 
Processing order = 1 
Group            = HRA Servers 
Require Https    = Enabled 
URL              = https://<FQDN>/nondomainhra/hcsrvext.dll 
Processing order = 2 

User interface settings: 
---------------------------------------------------- 
Title       = Network Access Protection 
Description = Your machine does not meet the security requirements defined by the company. If your machine does remediate automatically please contact IT 
Image       =  

Ok.

I've tried running netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE" and restarting the NAP agent on client machines - same thing.

Any ideas what is going wrong?
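The post quotes both the local NAP client configuration and the group-policy view of it. The script below is an added example (not part of the post or of any Microsoft tooling) that parses the "Enforcement clients:" section of both outputs and lists every enforcement client whose Admin state differs between them. LOCAL_CONFIG and GROUP_POLICY are constructed, trimmed copies of the outputs shown above; on them the script surfaces two differences, the DHCP Quarantine Enforcement Client (79617) and the Forefront UAG Quarantine Enforcement Client (79622).

```python
"""Diff the enforcement-client state reported by `netsh nap client show config`
(local configuration) against `netsh nap client show grouppolicy`.

Added example, not from the forum post.  LOCAL_CONFIG and GROUP_POLICY are
constructed, trimmed copies of the two outputs quoted in the post."""

LOCAL_CONFIG = """\
NAP client configuration:

Enforcement clients:
----------------------------------------------------
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Disabled

Name            = IPsec Relying Party
ID              = 79619
Admin           = Disabled

Name            = Microsoft Forefront UAG Quarantine Enforcement Client
ID              = 79622
Admin           = Enabled

Client tracing:
----------------------------------------------------
State = Disabled
"""

GROUP_POLICY = """\
NAP client configuration (group policy):

Enforcement clients:
----------------------------------------------------
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Enabled

Name            = IPsec Relying Party
ID              = 79619
Admin           = Disabled

Name            = Microsoft Forefront UAG Quarantine Enforcement Client
ID              = 79622
Admin           = Disabled

Client tracing:
----------------------------------------------------
State = Enabled
"""


def extract_section(text, header):
    """Return the lines under `header`, stopping at the next header line
    (netsh marks a header with a trailing ':' and a dashed underline)."""
    lines, capturing = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):
            if capturing:
                break
            capturing = line == header
            continue
        if capturing and not line.startswith("---"):
            lines.append(line)
    return lines


def parse_enforcement_clients(text):
    """Map enforcement-client ID -> (name, admin state) for one netsh output.
    Records are 'Key = Value' lines separated by a blank line."""
    clients, record = {}, {}
    for line in extract_section(text, "Enforcement clients:") + [""]:
        if not line:                      # blank line closes a record
            if "ID" in record:
                clients[int(record["ID"])] = (record.get("Name", ""), record.get("Admin", ""))
            record = {}
            continue
        key, _, value = line.partition("=")
        record[key.strip()] = value.strip()
    return clients


def compare_enforcement(local_text, gp_text):
    """List (id, name, local_admin, gp_admin) for every enforcement client whose
    Admin state differs between local configuration and group policy; 'absent'
    marks a client that appears in only one of the two outputs."""
    local = parse_enforcement_clients(local_text)
    gp = parse_enforcement_clients(gp_text)
    diffs = []
    for cid in sorted(set(local) | set(gp)):
        name = local.get(cid, gp.get(cid, ("", "")))[0]
        l_admin = local.get(cid, (None, "absent"))[1]
        g_admin = gp.get(cid, (None, "absent"))[1]
        if l_admin != g_admin:
            diffs.append((cid, name, l_admin, g_admin))
    return diffs


if __name__ == "__main__":
    for cid, name, l_admin, g_admin in compare_enforcement(LOCAL_CONFIG, GROUP_POLICY):
        print("%d %-55s local=%-8s grouppolicy=%s" % (cid, name, l_admin, g_admin))
```

On a real client, replace the two constants with the captured output of `netsh nap client show config` and `netsh nap client show grouppolicy`; the parser only relies on the header-plus-underline layout and the `Key = Value` records that netsh prints.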


NPS PEAP authentication dll crashing


Hi,

My problem looks like this topic : http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/89f40e72-8f8a-4b72-bbf2-3aaa583db2ce/

Reason-Code = 10

Reason = The request was discarded because an extension dll crashed or malfunctioned.

I'm using W2k8 Datacenter edition.

Is there a fix for this issue?

Best regards

Peter

Is that possible to check a non-NAP capable computer's health status?


We have setup a lab to evaluate the Windows Server 2008 NAP role work with 802.1x.

I have two questions:

  1. How to determine a computer is NAP-capable or non-NAP-capable?

  • Non-NAP-capable computer: a computer that cannot provide its health status to NAP server components. A computer that has the NAP agent installed but not running is also considered non-NAP-capable.
  • A non-Microsoft OS like Unix/Linux/Mac is non-NAP-capable for sure.
  • A computer running Windows XP pre-SP3 (no NAP agent/client) is non-NAP-capable.
  • A computer running Windows XP SP3/Vista/Win7 without the NAPAgent service started is non-NAP-capable.

     From the NAP server side, when will it know whether the supplicant is NAP-capable or non-NAP-capable? Is it during detection through 'Connection Request Policies' or 'Network Policies', or somewhere else?

  2. Is that possible to check a non-NAP capable computer's health status?

      In my case, most of our workstations are joined to the domain; a few are not joined for some reasons. For a workgroup computer running Windows 7 I also started the NAP service, set up MAC Address Bypass both on the Cisco switch and in NAP, created an AD username with this specific MAC address and set the password to the MAC as well, and created connection request and network bypass policies with only the MAC (User Group) filter in the Conditions tab.

    If I do not add Health Policies, the bypass works fine. But after adding any Health Policy, the request does not match the health check; it skips the MAC Bypass policy and goes to the following non-NAP-capable policy, which means this computer is not recognized as a NAP-capable computer.

    So it looks like it's not possible to check the health status of a non-NAP-capable computer? Right?

    The interesting thing here is that this Win7 machine with the NAP service started is supposed to be a NAP-capable supplicant, but NAP thinks it's non-NAP-capable. I can't find out the reason.

     Any reply will be appreciated.

Regards,


Randy Zhong, MCSA/MCDBA/MCSE/MCBMSS@CRM



Port not opening After connected to domain


I can't access one machine after connecting it to the domain. Before joining the domain I tried telnet 10.*.*.* 80 and it connected. After I connected to the domain I tried the same telnet 10.*.*.* 80 and it does not connect. What is the problem?

Thanks in advance


Regards, Hari Prasad.D

NPS Errors and Certificates PEAP

I can't seem to authenticate domain users to my wireless. I am confused; I have followed several how-tos and can't seem to get it to work. I have a Windows Server 2008 R2 running my Active Directory, Certificate Services, and NPS. For my router I am using an Asus NT-66u running tomato50 by shibby. The error that I am getting on the server is an NPS error 13 claiming the RADIUS request is from an invalid client IP, although I have double-checked the IP of the client and it is correct. When I look at an IAS log viewer I get "Authentication failed. The certificate is malformed and EAP cannot locate credential information in the certificate." Any help would be great!

Settings controlled by Group Policy reported as disabled or off?


Hi,

NAP is reporting that the Firewall could not be started and that a system health component is not installed.

In Action Center

  • Windows Update is showing as Yellow, with the message Windows Update has been Disabled by your system administrator
  • Network firewall is showing as Yellow, with the message Windows Firewall is turned off and is currently being managed by your system administrator

Both these settings are managed by GPO, the firewall is not disabled (we are running DirectAccess which doesn’t work without it), and Windows Updates are configured by System Center. 

What is the resolution? 

NPS extension DLL problem

Hi. I'm trying to write my own NPS extension DLL with MS VS Ultimate 2010, 32-bit.

This is the code of the DLL:

#include <Windows.h>
#include <Authif.h>

#define DLLEXPORT extern "C" __declspec(dllexport)

// RadiusExtensionProcess2 receives an extension control block; the
// (pAttrs, pfAction) pair belongs to the older RadiusExtensionProcess
// entry point (see the prototypes in Authif.h). Returning NO_ERROR
// without touching pECB leaves the request unchanged.
DLLEXPORT DWORD WINAPI RadiusExtensionProcess2(PRADIUS_EXTENSION_CONTROL_BLOCK pECB)
{
    UNREFERENCED_PARAMETER(pECB);
    return NO_ERROR;
}

DLLEXPORT DWORD WINAPI RadiusExtensionInit(VOID)
{
    return NO_ERROR;
}

// DllMain returns BOOL and takes an HMODULE, not bool/HANDLE.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
{
    UNREFERENCED_PARAMETER(hModule);
    UNREFERENCED_PARAMETER(dwReason);
    UNREFERENCED_PARAMETER(lpReserved);
    return TRUE;
}



But, when NPS tries to load this library (I've set the path to the DLL in the registry), there is an error: "Extension host failed to load extension DLL. Path: C:\New\extention.dll. Error: 0x1c"



As I understand it, the library should load, given its simplicity, and it exports the "RadiusExtensionProcess2" function. But there is an error, and NPS cannot be started. NPS is running on Windows Server 08 R2 64-bit.
When we use a 32-bit DLL, we get error 0xc1 (not a valid Win32 application).
When we use a 64-bit DLL, we get error 0x7e (the specified module could not be found).

Would you show me the simplest DLL code which NPS is able to load without any error,
or tell us which module to use?

THx.

Dynamic VLAN switching not working correctly


Hi

I'm having a hard time configuring a wired 802.1X test lab. Everything went OK on the server side, but I'm getting some weird results when it comes to VLAN switching: every time a client authenticates it ends up in the "healthy" VLAN, meaning that it succeeded in authenticating. When I disable the 802.1X service on a client computer and it cannot authenticate, it still moves to VLAN 3 although it should be moved to VLAN 2.

-----

Environment:
NAP server: 192.168.0.10
Switch: 192.168.0.3
Client: 192.168.0.100 (static ip)

----- 

Policies on NPS:

I've run a wizard to create wired 802.1X policies including the settings concerning VLANs. My "Compliant" policy has the following settings:
Tunnel-Medium-Type: 802 (includes all 802...)
Tunnel-Pvt-Group-ID: 3
Tunnel-Type: Virtual LANs (VLAN)
Tunnel-Tag: 1
Health policy: Compliant

"Noncompliant" policy:
Tunnel-Medium-Type: 802 (includes all 802...)
Tunnel-Pvt-Group-ID: 2
Tunnel-Type: Virtual LANs (VLAN)
Tunnel-Tag: 1
Health policy: Noncompliant

"Non NAP-Capable" policy:
Tunnel-Medium-Type: 802 (includes all 802...)
Tunnel-Pvt-Group-ID: 2
Tunnel-Type: Virtual LANs (VLAN)
Tunnel-Tag: 1

In the Windows Security Health Validator I've only ticked the "firewall on" box, nothing else.

------

Switch config:

aaa authentication dot1x default group radius
aaa authorization network default group radius
authentication mac-move permit
ip subnet-zero
dot1x system-auth-control

vlan internal allocation policy ascending
vlan 2
 name non-compliant
vlan 3
 name compliant

interface GigabitEthernet2/0/1    // this is the Client interface
 switchport mode access
 dot1x pae authenticator
 spanning-tree portfast

interface GigabitEthernet2/0/24   // this is the NAP server interface
 switchport mode access
 spanning-tree portfast

interface Vlan1
 ip address 192.168.0.3 255.255.255.0
 no ip route-cache

-----
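The three Tunnel-* settings in the policies above are what the switch reads out of the Access-Accept to pick a VLAN. The script below is an added example (not from the post, the NPS wizard or any Cisco tool) that encodes those attributes the way RFC 2868 lays them out on the wire, with the tag byte the "Tunnel-Tag: 1" setting produces, and then parses a run of attributes back into the VLAN a NAS would apply. The encoder, parser and sample byte strings are constructed here; it goes slightly beyond the post by also handling untagged attributes and the RFC 2868 rule that a first byte above 0x1F on Tunnel-Private-Group-ID is part of the string rather than a tag. With it you can check a RADIUS capture from the switch port against what the policies are supposed to send.

```python
"""RFC 2868 tunnel attributes that carry a VLAN assignment in a RADIUS
Access-Accept, matching the Compliant / Noncompliant policy settings above.

Added example, not from the post.  Attribute numbers and values are the
RFC 2868 ones: Tunnel-Type (64) = 13 VLAN, Tunnel-Medium-Type (65) = 6
IEEE 802, Tunnel-Private-Group-ID (81) = the VLAN id (or name) as a string."""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6


def tagged_int(attr, tag, value):
    """Type | Length | Tag | 3-octet value (RFC 2868 s.3.1 and s.3.2)."""
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr, tag, text):
    """Type | Length | Tag | String (RFC 2868 s.3.6)."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data


def vlan_attributes(vlan, tag=1):
    """The attribute triple a network policy with the settings above emits."""
    return (tagged_int(TUNNEL_TYPE, tag, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
            + tagged_string(TUNNEL_PVT_GROUP_ID, tag, str(vlan)))


def parse_attributes(blob):
    """Yield (type, value) pairs from a run of RADIUS attributes (TLV, 1-byte
    type and length, length covering the header)."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % i)
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length at offset %d" % i)
        yield t, blob[i + 2:i + length]
        i += length


def assigned_vlan(blob):
    """Return the Tunnel-Private-Group-ID a switch would apply, or None when
    no complete VLAN / IEEE 802 / Group-ID triple is present.

    Attributes are grouped by tag.  Tag 0x00 means untagged and is matched
    against every group; on Tunnel-Private-Group-ID a first byte above 0x1F
    is the first character of the string, not a tag (RFC 2868 s.3.6)."""
    groups = {}
    for t, v in parse_attributes(blob):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            groups.setdefault(v[0], {})[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PVT_GROUP_ID and v:
            tag, text = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            groups.setdefault(tag, {})[t] = text.decode("ascii", "replace")
    untagged = groups.pop(0, {})
    for tag in sorted(groups) or [0]:
        g = dict(untagged)
        g.update(groups.get(tag, {}))
        if (g.get(TUNNEL_TYPE) == VLAN and g.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
                and TUNNEL_PVT_GROUP_ID in g):
            return g[TUNNEL_PVT_GROUP_ID]
    return None


# Constructed samples: what the Compliant (VLAN 3) and Noncompliant (VLAN 2)
# policies above put on the wire, plus an untagged variant (tag 0x00, and a
# Group-ID whose first byte is the digit itself).
COMPLIANT_ACCEPT = vlan_attributes(3)
NONCOMPLIANT_ACCEPT = vlan_attributes(2)
UNTAGGED_ACCEPT = (tagged_int(TUNNEL_TYPE, 0, VLAN)
                   + tagged_int(TUNNEL_MEDIUM_TYPE, 0, IEEE_802)
                   + bytes([TUNNEL_PVT_GROUP_ID, 3]) + b"3")

if __name__ == "__main__":
    for label, pkt in (("compliant", COMPLIANT_ACCEPT), ("noncompliant", NONCOMPLIANT_ACCEPT)):
        print("%-12s %s -> VLAN %s" % (label, pkt.hex(), assigned_vlan(pkt)))
```

If `assigned_vlan` returns None for an Access-Accept taken from a capture, the NAS never saw a usable triple (a missing attribute, or a tag that does not match across the three), which is worth ruling out before looking at the switch side.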




DirectAccess with NAP


Hi

I'm running DirectAccess on a Windows Server 2012. My goal is now to enable NAP. I don't want to protect my entire network; I only want to check the clients which are connecting over the DirectAccess gateway. If they don't pass the health check they shouldn't be able to build up the DirectAccess connection.

Is there a way to realise this scenario?

Kind regards

IKEv2 EAP not remembering properties


Hi Everyone,

I'm trying to set up an IKEv2 VPN connection that uses EAP - Smart Card or other Certificate, and when I change any property under the Properties section of that EAP protocol it will not remember them.

What I'm trying to do is select the Trusted Root Certification Authorities under the properties for the EAP protocol, and every time I make a single change in this window it is not remembered.

To reproduce, I created a single-user-only VPN connection named "VPN connection".
I then selected the type of VPN as IKEv2, checked "Use Extensible Authentication Protocol (EAP)" and selected "Microsoft: Smart Card or other Certificate (encryption enabled)". Afterwards, I selected Properties and selected our CA under the Trusted Root Certification Authorities. At this point I hit the OK button on the next two windows, only to find out that my settings were not remembered.

Please help me out with this problem. I am a full administrator on this computer and have tried even disabling UAC and it still will not remember the EAP settings. Please keep in mind that this issue does not happen with PPTP, L2TP, or SSTP. Only when Automatic, or IKEv2 is selected.

Thanks!

Stop iPhone/Android or any mobile device from accessing my wireless network.


I have a corporate wireless setup, but what I noticed is that, as it allows Domain Users or Computers to connect, my users are easily able to connect just by typing a username and password for the domain. This is creating a lot of issues and I am not very confident how to block it through the RADIUS/NPS server.

I would like to see only my domain computers connect to the wireless network.


Anand Shankar

NAP+IPSec - IPSec Rules


Good afternoon everyone,
I need some help. I am implementing NAP + IPsec; this is my scenario:

1 DC
1 Server for NAP
1 Windows XP computer
1 Windows 7 computer

I used the Step by Step Guide to NAP + IPsec and, after correcting some details that came up along the way, I made my implementation work, but not 100%.

I configured the two PCs to be compliant; I checked that they have health certificates and everything works fine: I have ping, RDP and file sharing.

But when I make my Windows 7 computer noncompliant and it ceases to have the health certificate, I cannot get the XP computer to stop responding to ping, RDP and file sharing. I checked the IPsec rule configuration again and again, but still no success.

I would appreciate your help.

Regards,

Carlos Landaverry
Guatemala

Terminal Services Manager


I am still running Server 2003; I know, upgrade, and I will in July.

When I log into my server I notice immediately that new programs have been installed, i.e. Google Chrome and Firefox. Knowing I did not install them, I uninstall both. I log in the next day and they have both been reinstalled, so I check in Terminal Services Manager and discover that a user unknown to us has logged in and is installing the above-mentioned programs.

The user name is always something like pzll or some other weird variation. I need to stop this intrusion or determine if it is coming from inside my network or from the outside. I did notice in Task Manager three processes of winlog.exe running.

Any help to stop this intrusion would be greatly appreciated.

Thank you

I am running Kaspersky 8.0 for Windows Servers and Malwarebytes, have done a full scan with both and found nothing.

NAP- DHCP Client disconnections


Hi,

I have configured NAP DHCP using SCCM. I have Windows XP SP3 machines in my environment. For a few days I've been facing issues with some client machines; most of them disconnect from the network and then reconnect again in 1-2 minutes. This happens at the same time almost every day. I've checked my DHCP lease expiration time and the evaluation time of the Network Access Protection agent in SCCM. Neither of them matches the time when the machines disconnect from the network. Also, I don't see anything in the client logs. Is this issue related to DHCP-NPS-SCCM, or is this normal when clients update their state to the server?

VPN not connecting to local DHCP server


Hi all,

we have a W2008 R2 with the current patch level in a DMZ.

The server is a member of an internal domain (connectivity to AD is fine).

The server has the VPN (RRAS) and DHCP roles to let external users connect.

The server is connected to the internet with public IP 12.34.56.7, to which the VPN clients should connect (having the default gateway configured).

The server also has an interface to a VLAN, 23.45.67.8. This VLAN is used to later route the clients to an internally protected network.

Within THIS network a DHCP range is configured, 23.45.67.10-20. Clients coming over 23.45.67.8 should get an IP address from this range and then route over the VLAN.

Unfortunately the RAS service says: "EVENTID 20169 Unable to contact a DHCP server."

We put a client in the 12.34.56.7 network and figured out that DHCP itself is working fine.

Only the local RRAS is unable to connect to the local DHCP. The firewall is off!

Help is needed!


Greetings, Gernot


NPS Logs Quick Question

Just a quick question. Do the NPS logs not show the IP address of the user that is connected?

VPN Connection and Local Domain Account Problem.


I often use VPN connections to connect to clients for remote support, usually to their server.

Since starting to use windows 8 I have encountered a strange problem when trying to access my own local server which my windows 8 PC is a member of a domain controlled by that server.

Whenever I have a VPN connection to a client, windows 8 sends the wrong credentials to my local DC and it refuses the connection.

Simply browsing to \\server prompts for a username and password and has the VPN connection's credentials in the box as default.

Dropping the VPN connection immediately fixes this issue.

Is there a way to maintain a local domain connection at the same time as having a VPN connection open?

Thanks,

Stuart.

NPS and AudioCodes Gateway


Does anyone have any experience using NPS and AudioCodes Gateways, specifically the Mediant 3K? I was told by AudioCodes that version 6.6 fully supports RADIUS authentication with any RADIUS client, but when I set it up within NPS I receive the following error in the Event Viewer:

--

Authentication Details:
Connection Request Policy Name:M3KConnection
Network Policy Name:-
Authentication Provider:Windows
Authentication Server:QSEC-DC2.qsec.local
Authentication Type:PAP
EAP Type: -
Account Session Identifier:-
Logging Results:Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

--

I have attached some screen shots of my setup.

I know that the passwords are correct, I don't know where else to go.  I have contacted AudioCodes and they provided no assistance.

Thanks for any help.
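Reading a reason 16 on a PAP request is easier with the wire format in mind. The script below is an added example, not from the post, AudioCodes or Microsoft: it implements the RFC 2865 section 5.2 User-Password hiding that a RADIUS client applies to a PAP password, and the reverse step the server takes with its own copy of the shared secret. When the two secrets differ, the server recovers a different password, and a plain PAP request carries nothing that lets the server tell that apart from a mistyped password (only a Message-Authenticator attribute, if the client sends one, would expose the secret mismatch). The secrets, password and Request Authenticator below are constructed values.

```python
"""RFC 2865 s.5.2 User-Password hiding for PAP, and the server-side reversal.

Added example, not from the forum post.  All credentials and the Request
Authenticator below are constructed for the demonstration."""
import hashlib


def _pad16(data):
    """Pad with NUL bytes up to a multiple of 16 (RFC 2865 s.5.2)."""
    return data + b"\x00" * (-len(data) % 16)


def hide_password(password, secret, request_authenticator):
    """Client side: c1 = p1 XOR MD5(S + RA), cn = pn XOR MD5(S + c(n-1))."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = _pad16(password)
    if len(padded) > 128:
        raise ValueError("password too long for a User-Password attribute")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += chunk
        prev = chunk                      # chaining uses the *ciphertext* block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Server side: reverse hide_password with the server's secret and strip
    the NUL padding.  A wrong secret yields a wrong password, nothing more."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, b))
        prev = chunk
    return out.rstrip(b"\x00")


def server_accepts(hidden, server_secret, request_authenticator, account_password):
    """True if the password the server recovers matches the account password."""
    return reveal_password(hidden, server_secret, request_authenticator) == account_password


# Constructed demonstration values (not real credentials).
REQUEST_AUTHENTICATOR = bytes(range(16))
CLIENT_SECRET = b"gateway-secret"
SERVER_SECRET_OK = b"gateway-secret"
SERVER_SECRET_BAD = b"gateway-secrat"      # one character off
PASSWORD = b"Trunk-Pw-2013-example"        # 21 bytes -> two 16-byte blocks

if __name__ == "__main__":
    hidden = hide_password(PASSWORD, CLIENT_SECRET, REQUEST_AUTHENTICATOR)
    print("on the wire:", hidden.hex())
    print("same secret  ->", reveal_password(hidden, SERVER_SECRET_OK, REQUEST_AUTHENTICATOR))
    print("wrong secret ->", reveal_password(hidden, SERVER_SECRET_BAD, REQUEST_AUTHENTICATOR))
```

The practical consequence for a log like the one above: with Authentication Type PAP, a credentials-mismatch result does not by itself distinguish a wrong account password from a RADIUS client whose shared secret differs from the one configured in NPS, so both are worth checking.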


Windows 2008 R2 Firewall Inbound Rule problem

I've created a firewall rule on my web server that is set to allow ports 80, 443 and 999. The rule works and I can successfully log in from a client computer. I then want to limit it to only certain IPs so that only specific clients can connect. On the Scope tab, under Remote IP address, I've chosen the "These IP addresses" option, added the client IPs, and applied. Now connections fail. I used netstat to confirm that the incoming request (foreign address) was correct and that the local port was 80. Any idea why the firewall is blocking ALL connections when I set an IP-specific filter?

Disabling programs on another pc on my network


Hi,

I'm having some issues with a small server setup that I've configured a few days ago; I'm no pro, by the way!!

I set up a server running Windows Server 2008 and I have another PC in my network running XP. I would like to know how to disable programs on it. I have them both on the same network right now and they can see each other. I have tried to configure a group policy and I've managed to lock notepad (as an example) on my server machine, with its version of 6.XXX. I then browsed to my XP machine and found notepad. I disabled that too; its version was 5.1XXXXX. I rebooted both machines but XP's notepad is still not restricted. I have been told on another forum that it could be an issue with my DNS, but no one has responded after that. I have not configured DNS on my server yet and only installed it as a role.

Thanks.
