Channel: Network Access Protection forum
Viewing all 1875 articles

wi-fi connect and certificate issue


Hi to all.

I have Windows Server 2016 with the NAP role for the Wi-Fi network.

My trouble is that the Windows 10 client can't connect to the network while the certificate identity is unchecked, like step 7 here: https://www.draytek.com/support/knowledge-base/5759.

My clients are guests and I can't use GPO.

How should I configure NAP?


Does NPS use all root CAs for authenticating client certificates?


In NPS, if an EAP-TLS policy is configured for wireless clients, am I correct in assuming that any client that has a certificate issued from any of the built-in root CAs (i.e. DigiCert, Go Daddy, Verisign, etc.) would also be able to successfully authenticate? Is there no way to lock down the policy to just authenticate clients with certificates issued from your internal CA?

Thanks

How to control Active Directory Users bandwidth in Mikrotik router?


Hi. I have a MikroTik router integrated with Active Directory. I want to determine the bandwidth for each user after this integration, like the way in MikroTik User Manager.

I did not find anything for help, so please help me fast.

WLC + NPS + EAP-TLS + Machine certificate = Deauth after EAPOL key exchange sequence


Hi!

Since my account is not verified yet I can't share pictures or links (sorry...), but please ask if there is anything that is unclear.

I'm a bit lost here trying to set up EAP-TLS. I want my clients to automatically sign on to my corporate network using computer certificate (or user certificate, does not really matter – but I've tried both without any luck). I have the following "players" in my environment:

WLC - Cisco 2500 Wireless Controller

Radius NPS Windows 2012

Windows 10 clients

Local CA (Windows 2016)

I have followed a few different guides, without any luck and I've decided to reach out instead of trying more :)

So NPS configuration:

Connection Request Policies.

Conditions: NAS Port Type - Wireless - Other OR Wireless - IEEE 802.11

Settings: Authentication Provider - Local Computer

Network Policies.

NAS Port Type - Wireless - IEEE 802.11 OR Wireless - Other

Settings:

  • Extensible Authentication Protocol Configuration - Configured
  • Ignore User Dial-In Properties - True
  • Access Permission - Grant Access
  • Extensible Authentication Protocol Method - Microsoft: Smart Card or other Certificate
  • Authentication Method - EAP
  • NAP Enforcement - Allow full network access
  • Update Noncompliant Clients - True
  • Framed-Protocol - PPP
  • Service-Type - Framed

Radius Clients

Cisco WLAN Controller

IP: 10.x.x.x

Device Manufacturer: RADIUS Standard

...

______________

Cisco WLC settings:

RADIUS Authentication Servers:

Server Address (IP address of my NPS server): 172.x.x.x 

WLAN settings:

General:

  • SSID: FT-EAP-TLS
  • Interface: [reused from the one currently used for laptops which connect via DA]

Security: 

Layer 2

  • Layer 2 security: WPA+WPA2
  • WPA2 Policy [x]
  • WPA2 Encryption - AES [x]
  • Authentication Key management - 802.1X [x]

AAA Servers: 

Authentication Servers: NPS server.

______________

CA template settings: 

RADIUS NPS Certificate: Duplicate Workstation certificate & allow PKE

Client certificate: Duplicate Computer certificate & allow PKE

______________

GPO for end user:

Please note that I've published a GPO to configure the WLAN settings. 

_______________

End user experience when trying to access the WLAN:

It keeps spinning until it times out. In the eventviewer from the client I can see:

"Event 6105,netwtw06"

"6105 - deauth after EAPOL key exchange sequence"

_____________________

Is there any settings I need to configure on the APs?

Or do I need to upload the root & intermediate certificate to the WLC?

_______________

Additional information:

When I generate a wlanreport ("netsh wlan show wlanreport" from cmd) I can see:

  1. Wireless security started
  2. Wireless 802.1x authentication started
  3. Wireless 802.1x authentication was restarted
  4. User Uses Saved Credentials
  5. Wireless 802.1x authentication was restarted
  6. User Uses Saved Credentials

And it loops. 

____________

From the WLCs message logs:

*spamApTask7: Sep 02 12:53:20.868: %LWAPP-3-REPLAY_ERR: spam_lrad.c:41295 The system has received replay error on slot 0, WLAN ID 4, count 1 from AP 70:69:5a:xx:xx:xx
*Dot1x_NW_MsgTask_2: Sep 02 12:53:16.525: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:849 Unable to send AAA message for client a4:34:d9xx:xx:xx
*Dot1x_NW_MsgTask_2: Sep 02 12:53:16.505: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:450 Authentication Aborted for client a4:34:d9:xx:xx:xx Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*spamApTask0: Sep 02 12:53:09.810: %LWAPP-3-REPLAY_ERR: spam_lrad.c:41295 The system has received replay error on slot 0, WLAN ID 4, count 4 from AP 40:01:7a:xx:xx:xx
*Dot1x_NW_MsgTask_2: Sep 02 12:52:58.499: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:849 Unable to send AAA message for client a4:34:d9:xx:xx:xx

___________________

Please help :) This has been my headache for quite some time now!

With best regards,

TB



Considerations when changing the NPS server name


Hi,

I'm in a bit of trouble finding the impact of changing the hostname of an NPS server in our corporate network which is being utilized for Wi-Fi authentication.

If there is any impact of doing such a change I would like to know the correct steps to change the hostname.

We have an internal CA server & I can see there are 2 certificates (below) on NPS server's certificate store issued by the internal CA for Client & Server authentication purposes.

  1. NPS Server
  2. RAS & IAS Server

Many Thanks in advance,

Asiri

GPO

Can we prevent users in our company from opening shared folders using an IP address? We want users to open shared folders only using DNS.

NPS


Hi All 

I have deployed MAC authentication on my wireless access controller. I want the users to use their MAC address to access the network.

MAC address authentication is used to authenticate dumb terminals such as wireless network printers and wireless phones that cannot have an authentication client installed.

Deployment with MAC filtering.

How do I configure the NPS server to work with the access controller?

Thank 

Azure NPS extension Certificate archiving incorrectly

What would cause a personal certificate for an NPS server to randomly archive? Playing around with the Azure NPS extension on a Microsoft 2019 server. After some time my personal cert archives automatically, causing the NPS extension to fail. Once I use Set-ItemProperty on the archive property to set it to $false, the NPS extension works properly. Really strange; I see logs on the server saying it archives it but no reason why. The cert is not set to expire for many years from now.

Trying to setup 802.1x auth via MAB using the Calling Station ID for authentication.


We are currently testing setting up 802.1x for port authentication using our NPS server. We have been able to successfully test domain-joined PCs. Now we need to authenticate IP phones that most users use to attach their PC to. All of our phones are from one vendor, so I was hoping to just challenge the Calling Station ID for the first part of the MAC address. In my test I actually set the entire Calling Station ID to the MAC of the test phone.

NPS is seeing the request but denying the attempt.  

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			0004f2bd531f
	Account Domain:			xxxx
	Fully Qualified Account Name:	xxxx\0004f2bd531f

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		F0-B2-E5-D2-BC-02
	Calling Station Identifier:		00-04-F2-BD-53-1F

NAS:
	NAS IPv4 Address:		192.168.150.8
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Ethernet
	NAS Port:			50102

RADIUS Client:
	Client Friendly Name:		xxxxxx-Switches-Lab
	Client IP Address:			192.168.150.8

Authentication Details:
	Connection Request Policy Name:	dot1x
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		awsapp07.AD.xxxx.xxx
	Authentication Type:		PAP
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			16
	Reason:				Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Something that the log showed that I found interesting is that it showed the correct Connection Request Policy Name but no Network Policy Name.

My settings are:

Not sure what I'm doing wrong.  I really would like to avoid having to add all the phones in our AD as users if at all possible. 
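
An added example (not code from the post above, and not NPS code) that reads the event text quoted in that post and shows the two things the poster is reaching for: normalising the Calling-Station-Id spellings a NAS may send, and building the kind of regular expression an NPS Calling-Station-ID policy condition accepts so that a whole vendor OUI is matched rather than one phone. The event text is reproduced as a constructed sample; the triage notes only restate what the event itself says.

```python
"""Triage an NPS event 6273 (access denied) and match a Calling-Station-Id by vendor OUI.

Added example, not code from the forum post or from NPS. It parses the event text the
post quotes (reproduced here as a constructed sample), normalises the MAC spellings a
NAS may send, and builds the kind of regular expression an NPS Calling-Station-ID
condition accepts so that a whole vendor prefix can be matched instead of one device."""
import re

# Constructed sample: the fields this example reads from the event quoted in the post.
SAMPLE_EVENT = """\
Network Policy Server denied access to a user.
User:
\tSecurity ID:\t\t\tNULL SID
\tAccount Name:\t\t\t0004f2bd531f
Client Machine:
\tCalled Station Identifier:\t\tF0-B2-E5-D2-BC-02
\tCalling Station Identifier:\t\t00-04-F2-BD-53-1F
NAS:
\tNAS Port-Type:\t\t\tEthernet
Authentication Details:
\tConnection Request Policy Name:\tdot1x
\tNetwork Policy Name:\t\t-
\tAuthentication Type:\t\tPAP
\tReason Code:\t\t\t16
"""

FIELD_RE = re.compile(r"^\s*([^:\n]+?):[ \t]*(.*?)[ \t]*$", re.MULTILINE)
NOT_HEX_RE = re.compile(r"[^0-9a-f]")

def parse_nps_event(text):
    """Collect every 'Label: value' line of the event into a dict; section headers
    such as 'User:' carry no value and are skipped."""
    return {label.strip(): value for label, value in FIELD_RE.findall(text) if value}

def normalize_mac(value):
    """Reduce 00-04-F2-BD-53-1F, 00:04:f2:bd:53:1f, 0004.f2bd.531f or 0004f2bd531f
    to twelve lowercase hex digits; anything else yields None."""
    digits = NOT_HEX_RE.sub("", value.lower())
    return digits if len(digits) == 12 else None

def oui_pattern(oui):
    """Regex for a 3-byte OUI that tolerates '-', ':' or '.' separators and either
    case, anchored at the start of the Calling-Station-Id, e.g. '^00[-:.]?04[-:.]?[fF]2'."""
    digits = NOT_HEX_RE.sub("", oui.lower())
    if len(digits) != 6:
        raise ValueError("an OUI is exactly three bytes")
    def cls(ch):
        return f"[{ch}{ch.upper()}]" if ch.isalpha() else ch
    pairs = ["".join(cls(c) for c in digits[i:i + 2]) for i in range(0, 6, 2)]
    return "^" + "[-:.]?".join(pairs)

def matches_oui(calling_station_id, oui):
    """True when the Calling-Station-Id, however the NAS spelled it, starts with the OUI."""
    return re.match(oui_pattern(oui), calling_station_id) is not None

def triage(fields):
    """Describe a MAB-style denial from the parsed fields; each note is a plain reading
    of the event, not a fix."""
    calling = normalize_mac(fields.get("Calling Station Identifier", ""))
    account = normalize_mac(fields.get("Account Name", ""))
    notes = []
    if fields.get("Authentication Type") == "PAP" and calling and account == calling:
        notes.append("MAB request: the NAS sent the client MAC as User-Name over PAP")
    if fields.get("Reason Code") == "16" and fields.get("Security ID") == "NULL SID":
        notes.append("reason 16 with NULL SID: NPS could not resolve the account name "
                     "to any security identifier")
    if fields.get("Network Policy Name") == "-":
        notes.append("no network policy name was logged for this attempt")
    return notes

if __name__ == "__main__":
    fields = parse_nps_event(SAMPLE_EVENT)
    for note in triage(fields):
        print("-", note)
    print(oui_pattern("00-04-F2"), matches_oui(fields["Calling Station Identifier"], "00-04-F2"))
```

The pattern is deliberately separator- and case-tolerant because different NAS vendors format the attribute differently (the event above shows the hyphenated uppercase form this switch sends); whether NPS evaluates the condition case-insensitively is not something this example assumes, which is why the hex letters are written as explicit character classes.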

Consuming a visual foxpro COM DLL in a .NET web service - error 80040154

Dear Professionals,
Background : 

A Visual FoxPro COM DLL (ourdll.dll) has been copied to c:\inetpub\wwwroot\ourdir\ on the server with IP 192.168.0.1 and also registered using regsvr32.

We have a .NET web service (ourwebservice) in C# which consumes the COM interop of ourdll.dll. ourwebservice has been hosted on IIS as ourwebsite on the server 192.168.0.1.

From a client system we are able to get the wsdl listing using :
http://192.168.0.1/ourwebsite/service.asmx?wsdl

But when we try to consume the webservice by calling a function in the com dll from a windows form application or from the explorer in the local system it returns a 500 error :

Retrieving COM class factory ... Server was unable to process request. Retrieving the COM class factory for component with CLSID {...} failed due to the following error: 80040154.

Probably we are missing something else or are not doing something in the right way.

Please guide. Thanks in advance.

What I have tried:

Googled enough.

1. Firewall.
2. unregistering and reregistering the com dll
3. Restarting the server several times.
4. Adding the dll entry under the wow6432 hive.
5. Building the webservice with X86 configuration.
6. Enable 32 bit applications in IIS application pool.

Cross-forest NPS not working


Hello,

We have a two-way forest trust with forest-wide authentication. Our NPS server is located in one forest and we are trying to authenticate computer accounts with certificates (EAP) from the other forest, but receiving the following error on the NPS server:

  • Event ID: 6273
  • Reason Code: 7
  • Reason: The specified domain does not exist.

Does anyone have any thoughts? Do we need a RADIUS proxy?

NPS Configuration for using PKI certificates from Smart cards for VPN Access


I'm looking for configuration help on how to set up a Microsoft Windows NPS server to handle RADIUS requests that will authenticate smart card certificates for users that try to VPN into the network using IPsec VPN connections.

Thanks in advance

Can NAP be replicated?


I have a couple of 2008 R2 Domain Controllers that we are getting rid of; each runs NAP. I need to put this on our new DCs. The settings appear to match each other. I made the assumption that because NAP is on the DCs the data is replicated..... I believe I am wrong. If I am wrong, is it just a matter of exporting it and importing it from the NAP GUI (I see those options) to the other machine so they are "synced" (then you just have to remember to update it manually when you make a change)? Or must you use PowerShell\command line to transfer the config?

Jason

NPS authentication and vlan assign issue

Hi,
Users are unable to receive IPs from their respective vlan while trying to connect wireless through NPS. Need your help to check further on the same.

Thanks
Panimaya Raj
Ph: +91-9500006340


Windows Store and MFA(2FA) randomly prompting users?


Hello,

     We have MFA enabled for users and some of them are reporting receiving prompts to allow a Windows login attempt (maybe they're being hacked!), but when checking in the admin center, the prompt was caused each time by an entity known as "Universal Store Native Client", which is an application from the resource "Windows Store for Business" (oh thank goodness, it's just a false negative. But now we're plagued with these false negatives!).

     My question is; How would I go about fixing this issue?

     I haven't found it so far within the Settings>Apps>Apps & Features area. I see Windows Store, but no Windows Store for Business. And even within the regular Windows Store settings I see nothing which seems out of place or like it would cause an MFA prompt spontaneously during the day. The kicker is, nothing pops up on the PC, just the notification on the phone. So if the fix is something like "just hit allow", we're taking a big leap of faith then since there's no visible evidence that when we get prompted in order to confirm that we're allowing the Windows Store and not some hacker with good timing. That's a big risk. 

     So if there's any other, safer, more secure way to fix this issue, please help! Any ideas or suggestions are more than welcome too!

-John


How to boot to the domain network & firewall by default every time you boot up


Hello Everybody,

Machine OS's: Server 2008R2 & 2012

VMware ESXi

Veeam B&R

The issue I'm facing is that when I run Veeam SureBackup jobs I have VMs that will fail ping tests because they boot up to the public network, thus using the public firewall, and are unreachable unless you log in through the ESXi console and disable then re-enable the network adapter. After that they will pick up the domain network and firewall, allowing communication.

I would like to make these start up on the domain network & firewall automatically upon starting. Is this possible?

I tried changing the NLA service to delayed start to see if that would solve the issue but it didn't.

Any help will be greatly appreciated.

Thanks Jeff

failed 0x80040111 classfactory On DC 2008 SP1


Hi,

I have one Domain Controller 2008 SP1 that is a physical server. I cannot get any backup from this DC, because I get this error (volume shadow copy initialization failed 0x80040111 classfactory cannot...).

Also, when I'm checking drive C (Properties of drive C) I get this error.

As well, I cannot convert this server to a virtual server, because I get the 0x80040111 error.

How Can I resolve this problem?

80040111 & 80042302


Future is mine! ^_^


Cannot connect to VPN server from outside network


Hello, My name is Linh.

Could you help me with the problem below:

My VPN server is configured on Windows Server 2012 R2 Standard. I also opened port 1723 on the router, turned off all firewalls on my server, and allowed access for all domain users which I want to use for VPN connections. In the internal network I can connect from a client computer to the VPN server with a domain user, but from outside the network I cannot connect with my VPN user; it says "Windows could not connect using the user name & password you provided". Maybe I'm missing something? Could you please help me to fix it?

thank you so much.



NPS & RADIUS Authentication with SmartCard


Working on a data switch for PKI Smart Card authentication using RADIUS to provide Authentication and Authorization to the CLI.   So not a PEAP, EAP, 802.1x type solution.    Client Access with return attribute that provides Authorization to the device.   

The user name is taken from the Subject of the X.509 certificate, and what we are missing is what needs to be sent via RADIUS PAP/CHAP/MS-CHAP as the password. I have seen a number of responses around the internet and here on TechNet. None answer the question. The certificate as the password is too big if NPS follows the RFC. The smallest size would be 2k and the RFC only allows 128 characters. It would not be the private key; that would be something you should not be sharing and is also too big. So what gets sent as the password to NPS? Is this even supported?

Note, RADIUS configuration was tested prior to activating smartcard authentication.   Standard user name and password works just fine and provides RADIUS return attribute that enables authorization on the networking device.    

Windows Server 2016 Data Center

Active Directory with SmartCard enabled on Users

NPS Installed and Configured to support RADIUS Client Authentication and Authorization

Third Party Data Networking device configured to use NPS as a RADIUS server for Authentication and Authorization.  

NAP 802.1x EAP with Certificate - Deployment with Procurve Dynamic ACL / per User ACL


Hello,

I try to accomplish the following:

Notebook is in a restricted state from the start and only has access to the DHCP/PXE server and our deployment solution.
After startup it authenticates with its computer certificate to the NPS server.
If valid, it gets full access (or whatever the NAP client says).
If not valid or not existing, it stays restricted.

What I have tested out till now:

NAP 802.1x EAP with certificate is up and running.

But:

No certificate, no access at all.
Although I configured an extended control list on the ProCurve and added the Filter-Id to "not compliant".
Another try was to set the restricted access control list as a static ACL on the interface and then switch to the allowed ACL when authorized.
But the switch just doesn't get the command to apply the "allowed ACL" to the port. Is there something I'm missing?

I only find tutorials and tips for Cisco routers/switches. So can anyone help me to apply the Filter-Id or, even better, a per-user ACL (so that the NPS sends the ACL to the switch; less configuration for me)?

Greets
Stephan
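
The RADIUS exchange that several of the threads on this page turn on, as an added example that is not code from any of the posts or from NPS: the WLC/EAP-TLS post (RADIUS client and shared-secret configuration), the MAB post (MAC sent as User-Name over PAP), the VLAN-assignment question (Tunnel-* attributes in the Access-Accept) and the ProCurve question (Filter-Id in the Access-Accept). It builds a NAS-side Access-Request with the RFC 2865 User-Password hiding and the RFC 2869 Message-Authenticator, a server-side Access-Accept carrying Filter-Id plus the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id triple, and the check each side runs against the shared secret. The secret, identifiers and addresses are made up; the example shows the wire format and the verification, not how NPS chooses a policy.

```python
"""RADIUS round trip for the requests these threads hinge on: a MAB-style Access-Request
(User-Name = MAC, RFC 2865 User-Password hiding, RFC 2869 Message-Authenticator) and an
Access-Accept carrying Filter-Id plus the RFC 2868 Tunnel-* triple for dynamic VLANs,
with each side checking the shared secret. Added example, not code from the posts or
from NPS; the secret, identifiers and addresses are made up."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID, CALLING_STATION_ID = 1, 2, 4, 11, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 80, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802, TAG = 13, 6, b"\0"   # RFC 2868 tag byte 0 = untagged

def avp(attr_type, value):
    """One attribute: type, length including this 2-byte header, value (max 253 bytes)."""
    if len(value) > 253: raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16n, XOR each block with MD5(secret + previous output block)."""
    if len(password) > 128: raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Server side of hide_password; the chained input is the received ciphertext block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def parse_attrs(pkt):
    """Decode [(type, value)] from offset 20, refusing lengths that run off the packet."""
    out, i = [], 20
    while i < len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > len(pkt): raise ValueError("malformed attribute at offset %d" % i)
        out.append((t, pkt[i + 2:i + l]))
        i += l
    return out

def access_request(secret, ident, mac, nas_ip, req_auth=None):
    """What a NAS sends for MAB: the MAC as User-Name and as the (hidden) User-Password."""
    req_auth = req_auth or os.urandom(16)
    attrs = [avp(USER_NAME, mac.encode()),
             avp(USER_PASSWORD, hide_password(mac.encode(), secret, req_auth)),
             avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             avp(CALLING_STATION_ID, mac.encode()),
             avp(MESSAGE_AUTHENTICATOR, b"\0" * 16)]   # zero while the HMAC is computed
    body = b"".join(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()   # RFC 2869 3.2

def verify_message_authenticator(secret, request):
    """Server check: recompute HMAC-MD5 over the request with the attribute zeroed."""
    attrs = parse_attrs(request)
    got = next((v for t, v in attrs if t == MESSAGE_AUTHENTICATOR), None)
    zeroed = b"".join(avp(t, b"\0" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, request[:20] + zeroed, hashlib.md5).digest()
    return got is not None and hmac.compare_digest(expected, got)

def access_accept(secret, request, vlan, filter_id):
    """Reply for a matched policy; Response Authenticator (RFC 2865 3) = MD5(Code + ID +
    Length + RequestAuth + Attributes + Secret) binds it to the request and the secret."""
    ident, req_auth = request[1], request[4:20]
    body = b"".join([avp(FILTER_ID, filter_id.encode()),
                     avp(TUNNEL_TYPE, TAG + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]),
                     avp(TUNNEL_MEDIUM_TYPE, TAG + struct.pack("!I", TUNNEL_MEDIUM_802)[1:]),
                     avp(TUNNEL_PRIVATE_GROUP_ID, TAG + str(vlan).encode())])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def verify_response(secret, request, response):
    """NAS check: a reply built with another secret, or for another request, fails here."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def decode_accept(response):
    """The authorisation the switch acts on: the Filter-Id name and the VLAN triple."""
    names = {TUNNEL_TYPE: "tunnel_type", TUNNEL_MEDIUM_TYPE: "tunnel_medium"}
    result = {}
    for t, v in parse_attrs(response):
        if t == FILTER_ID:
            result["filter_id"] = v.decode()
        elif t in names:
            result[names[t]] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            result["vlan"] = v[1:].decode()
    return result

def demo(secret=b"example-shared-secret"):   # constructed secret, for this demo only
    req = access_request(secret, 7, "0004f2bd531f", "192.168.150.8")
    acc = access_accept(secret, req, vlan=20, filter_id="restricted.in")
    return verify_response(secret, req, acc), verify_response(b"wrong", req, acc), decode_accept(acc)
```

The two verification functions are the checks that a shared-secret mismatch between a NAS and NPS fails: both RFC 2865 and RFC 2869 require the receiver to discard such a packet silently, so from the supplicant's side a mismatch looks like a timeout rather than a reject. The 128-octet limit that hide_password enforces is the RFC 2865 User-Password bound the smart-card thread above refers to.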
