Channel: Network Access Protection forum

Always on VPN, putting NPS server in DMZ?


Hi All,

We currently have an RODC in the DMZ. Is there any reason why we should be putting an NPS server in the LAN rather than the DMZ?

Also, do I need to make crldist available across the internet (as you do with SCCM) or is it not needed, as I assume the check will happen after the device has initiated the initial VPN connection, and it will ultimately fail to pass the second phase of authentication if we were to revoke the certificate for any reason.

Thanks!!


Which RADIUS protocol is support on NPS server 2016


We need protocol V2 - due to passwords longer than 16 chars.

Is Radius on NPS defaulting to V1?

Is it possible to change to V2 and where?

hRy

NPS extension request specific authentication method from Azure MFA service


Hello,

I have successfully implemented an MFA solution for GlobalProtect VPN client users. The simplified workflow is the following:

1. Remote/home office users initiate a VPN connection via the GlobalProtect VPN client application and provide their AD credentials.

2. The VPN gateway (Palo Alto firewall acting as RADIUS client) passes the authentication request to the local RADIUS server (Windows Server running the NPS service with the NPS extension installed) for each VPN user connection request.

3. The local RADIUS server performs primary authentication with the local AD server (synchronized to Azure AD via the Azure AD Connect service) and upon successful primary authentication performs a secondary authentication check by sending a request to Azure MFA.

4. Azure MFA sends the default authentication method challenge to the user (authenticator app, SMS, phone call etc.) and informs the RADIUS server, which in turn informs the VPN gateway, which in turn informs the GlobalProtect VPN client application. Thus if the user has SMS configured as the default MFA method, the GlobalProtect app will prompt the user to enter the SMS OTP.

5. After the user confirms the authenticator app push notification, the authentication process completes successfully, as it does in the case of SMS OTP.

However, if a user has trouble with the authenticator app, which is mostly used as the primary authentication method in my organisation, there is no prompt to the user to try alternative MFA authentication methods (such as provided in O365 MFA authentication). It seems that such an alternative workflow is not supported in the GlobalProtect VPN client application.

Furthermore, the Palo Alto firewall VPN gateway and GlobalProtect VPN client application can offer VPN users the possibility to connect to multiple gateways (the user can select the connection point) and each VPN gateway can be configured to use a different RADIUS server, i.e. each VPN gateway would have a dedicated RADIUS server.

Now, my question is: Is it possible to configure the NPS extension to request a specific authentication method from the Azure MFA service? My idea is to have three RADIUS servers each running the NPS extension, but the first one would specifically request the authenticator app MFA method, the second one would specifically request the SMS MFA method, while the third one would request the phone call MFA method.

Thanks in advance for people trying to help me.

Haris Alatović

NPSODBC with 2008 R2 NAP and intermittent error 0x80040e57


I am logging 2008 R2 NPS to SQL using Microsoft's (officially unsupported) method of how to convert the XML output from NPS to a useful database format.  I haven't customized any of the creation steps in the URL, but I have added additional tables, stored procedures, and a trigger on INSERT.  I deleted the trigger completely to verify that the trigger on INSERT wasn't the cause of the problems described below the URL link.  Here's the example from MSDN that transforms the NPS XML:

http://msdn.microsoft.com/en-us/library/bb960723(VS.85).aspx

Since upgrading to 2008 R2 and promoting this configuration to production, where wireless authentication requests easily surpass development, I now see the error message at the tail of this post, at intervals varying between 2 and 30 minutes. The error code suggests a data transformation problem. NPS logs directly to a locally installed SQL 2008 Express database on each NPS server, and I have ensured the databases are not over the 4GB capacity. Each SQL database is primarily used as a data crucible and is purged of records daily. I also scrutinized performance considerably with perfmon while observing the recurring warning, but I am far from being a DBA. I saw no indications of performance problems; I also toyed with the concurrent connections setting in NPS. Nothing I have done has changed the situation.

After logging the warning event, NPS follows on quickly stating it was able to reconnect, but I am wondering if there are any experts that might be able to lend me assistance in identifying what data is not being converted correctly from the XML. Is there a way I can catch the error and then log the attempt? Or is there a better way to achieve my desired 'highly available yet centrally logged and easily searched' configuration using native Microsoft software? ...

Currently, I employ a custom trigger to distill only the relevant information while excluding health monitor authentications from 3rd party load balancers. I admit my solution is a bit heavyweight, but it has saved me the trouble of writing a completely in-house NPS data transformation app. On INSERT to accounting_data, the custom trigger raises an SQL error with only the desired information from authentication and accounting requests, thus logging to the Application log, where a third party agent running on the NPS server then forwards Application log messages to a central logging solution, whereby AAA data from multiple NPS servers can easily be searched. Accounting data doesn't appear to ever be logged anywhere except via SQL or logfiles, whereas authentication requests end up in the Security log. Furthermore, other than native NLB and a 3rd party log harvesting agent, I haven't found any means by which to accomplish the desired configuration. Perhaps there's a better approach to providing NPS redundancy and consolidating auditing while only logging relevant information (such as success/error, specific NAS info, username, proxy/network policy names). But if not, here's the error:

System/Event ID 4404/Task Category None/Warning

NPS cannot log accounting information in the primary data store (.\SQLEXPRESS). NPS will continue to process connection requests without logging accounting information in this data store. Error information: 0x80040e57.


server 2008, RRAS, configuring a NAT address pool breaks all routing


NAT works just fine until I add an address pool for multiple public addresses. Does the Microsoft implementation actually support multiple public IPs or not? If so, where is an article or instructions on how to properly configure the public IP address pool? This is NOT a VPN client address pool!!!! I mean a NAT address pool.


server has 2 NICs

1 LAN

1 WAN


I have reconfigured everything, multiple times, in many ways, and the address pool always breaks the NAT routing. WHY?

PPTP VPN Error 619


I've recently been having problems with my users not being able to connect to our domain PPTP VPN (running on Server 2008 R2).

It was configured about 2 years ago and has been working great! Now for some reason it's just stopped working; nothing has been changed on the server (to my knowledge) and it doesn't happen on all client machines.

My MacBook (just running Mac OS X) connects fine.

It doesn't seem to follow any pattern (generally all using Win 7); it seems almost 50/50 as to who can connect.

Do you have any ideas?

  • I've tried using an online port checker and both ports 1723 and 47 are open. (I assumed they would be or none of the computers would be able to connect.)
  • I've tried disabling firewalls / installing different ones too.
  • Disabled IPv6
  • Set security method to PPTP (was working on Auto before)
  • Looked in 'C:\windows\system32\logfiles' to see if the connection was being refused but only successful ones are being made.
  • No mention in the event viewer (Network Policy and Access Services) - I assume there isn't another?

As mentioned in the title they get error 619 (A connection to the remote connection could not be established, so the port used for this connection was closed.)

Any help would be greatly appreciated! Thanks.

Beginning with NAP


Hi,

I administer a Windows 2016 domain with three branch offices and a CPD in another location. All users are in the branch offices.

We have 3 sites. Site 1 is for Branch 1, Site 2 for Branch 2 and Site 3 for the central CPD and Branch 3.

All users and computers belong to the domain, and we have a McAfee ePO server for antivirus and WSUS for Windows Updates.

We receive external workers all the time in every branch office. They have domain users for accessing servers and resources in the domain, but their computers don't belong to the domain.

We want to implement a NAP solution, so that when a computer plugs into the network and a user tries to access the domain in some way (RDP connection, SMB connection or whatever way it establishes a connection to the domain), we can check if it is a secure computer (i.e., updated antivirus and Windows). If not, take it to a network place where it can solve the non-compliances, and when it fulfils the requirements, then be granted access.

I know the concept, but I don't know how to put it to work. I don't want a RADIUS server for remote access and things like that. I just need to know how many servers I need, with which roles each, where they need to be placed, how exactly to give computers access to the remediation servers, and how all this mixes with the current infrastructure.

I have found theoretical documentation in Microsoft site, but no hands on and practical information about this.

Hope you can help me with this.



EAP failing for most users after NPS granting access


Hi,

I am using NPS on Windows server 2016 as the radius authentication server, which is a member server to our domain.

Access points throughout our various sites are all in the 10.112.0.0/14 scope. We have therefore created a single radius client entry in NPS for 10.112.0.0/14.

Our connection request policies and network policies are quite straight forward, allowing access to users which are members of machine groups or windows groups via PEAP.

Quite frequently users and or computers won't be able to connect to the defined 802.1x SSID being broadcast by our access points. This occurs across multiple operating systems and device types, using either certificate or user credentials for authentication. If the access point is rebooted the problem is gone for a few hours, then it resurfaces. Other access points work fine, and the issue is not consistently isolated to a single access point.

On the image below, the gray records are unsuccessful attempts to connect to the SSID, blue are successful. The side-by-side image below shows the detailed information of a blue record on the left, compared to a gray record on the right. Notice the connection result unknown.

The image below shows the event viewer record for a failed attempt, in which you can see the user is granted.

After mirroring the access point's NIC on the switch we can see the RADIUS exchange.

Whilst also capturing raw 802.11 frames we can see the authentication, association, EAP, and death stages take place. I'm not sure as to why the EAP failure is being sent as NPS granted access.

I do notice that in the raw 802.11 capture, the BSSID has changed completely, yet the WAP hostname still reports correctly. This can be seen in the access point controller logs. This may be nothing however, as the library access point which we successfully connected to is the same.

Does anyone have any thoughts or suggestions on what could be going wrong?

Thanks in advance


NPS with Azure MFA - Unable to sign in with code, only push works


Hi!

I have a working setup with NPS and Azure MFA. I have two groups of users.
I've set up two network policies, one for each group. Each policy has a Vendor-specific attribute with the group name.


This works if I have the authentication method set to push alert. If I change the method for the same user to code from the app, it doesn't work.

By looking at the packets in Wireshark, I see that the group attribute does not seem to be sent from the NPS when I'm using code to authenticate:

If I change back to push authentication:

Can anyone tell me why this is happening? Why would the NPS not send the group attribute (and apparently other attributes as well) when using code from authenticator?




NPS as a RADIUS server: the network policies are sometimes not enforced


Hi All,

I have configured an NPS server on a Windows Server 2012 R2 OS; the RADIUS client is a Cisco hardware VPN device.
There is a custom NPS extension registered for some extra authentication (two-step authentication).
There are two types of authentication method:

1. The user submits two passwords in "active directory password" + "some extra password" format, like
"password1_password2"; the NPS extension splits and checks both passwords and NPS itself authorizes the user
using the network policy. Both work fine. Two security events are logged into the Windows event log:
the first event (ID 6272) shows Network Policy Server granted access to a user.
The second event (ID 6278) shows Network Policy Server granted full access to a user because the host met the defined health policy.
In both events, I can see the Authentication Details show the Proxy Policy Name and Network Policy Name.

2. The user submits the first "active directory password" to NPS; the NPS extension checks the password and returns a RADIUS challenge message to the RADIUS client, then the user submits the second "some extra password" to NPS, and the NPS extension checks the second password again.
The problem is: when the authentication process completes, NPS bypasses the authorization (network policy) process and directly grants access to the network.
There is only one security event logged into the Windows event log:
event (ID 6272) shows Network Policy Server granted access to a user.
This event only shows the Proxy Policy Name. Network Policy Name is "-".

Because the NPS extension is only registered for authentication and it works fine, I think this is not a development-related question.
I am not very familiar with NPS; maybe I made some wrong configuration.

Thanks for your help.

=======================================

Below are the policies; values that I did not mention all use defaults:

Create a new connection request policy:
add a condition -- NAS Port Type = Virtual (VPN);

Create a new network policy:
add a condition -- Windows Group = contoso\vpn_access_group;
Authentication Method -- only check unencrypted authentication (PAP, SPAP)
Ignore user account dial-in properties

=======================================

We found a problem:

when the authentication extension returns to the RADIUS client an Access-Challenge message AND a State attribute, NPS does not run network policies and directly lets the user log in.

when the authentication extension returns to the RADIUS client ONLY an Access-Challenge message, NPS can use network policies to authorize the user.




NPS - No option to add "Smart Card or Certificate" as EAP Authentication Option

  • OS: Windows Server 2012 R2 - standalone machine / no Active Directory Domain services
  • Features installed: Active Directory Certification Service / Network Policy Server / Remote and Routing Access Server
  • Already functioning correctly: PPTP VPN with NAT on RRAS

I am trying to set up an IKEv2 VPN to run alongside the existing PPTP VPN.

I have successfully used AD CS to generate a Root CA Cert and a Certificate with the correct capabilities (Client Auth, Server Auth, IP security IKE intermediate). The Root CA Cert is installed as a Trusted Root Certification Authority, and the Certificate into Personal Certificates on both the machine running ADCS / NPS / RRAS, and on the client machine. Both machines claim the Certificate as OK and validated against the Root CA Cert.

When I configure NPS to create a Network Access policy, in Authentication Methods, the only EAP authentication methods available are:

  • Microsoft: Protected EAP (PEAP)
  • Microsoft: Secured Password (EAP-MSCHAP v2)

There is no option to add "Microsoft: Smart Card or Certificate".

If I add Protected EAP and configure it, it shows me the correct Certificate and offers an EAP type of "Secured Password (EAP-MSCHAP v2)" - but again, no option to use certificates.

I have tried using PEAP with EAP-MSCHAP v2, but my Windows 10 client will not authenticate, failing with "IKE Authentication Credentials are unacceptable" (The Event Viewer shows error 13801).

Questions:

  1. How can I add / enable "Microsoft: Smart Card or Certificate" to the available EAP Authentication Methods in NPS
    OR
  2. How can I establish an IKE2 VPN which uses the certificate to encrypt the traffic, BUT allows username/password authentication to NPS using MS-CHAPv2

Thanks

Nick

Shared folder Copy Protection


Hi Everyone,

Is there a way to allow a network user to map a shared folder's content, have the ability to run a program from the shared drive (an admin account is required to create a shortcut to the exe program on the desktop; the user will only run the shortcut), have the ability to write to the folder from the application (only), but NOT have the ability to copy the folder? Also not have the ability to view the content of the folder without elevated admin permission? Your help will be highly appreciated. Thanks

Dot1x Machine Authentication


Hello Team,

I have a Windows 10 PC that is configured for Machine or User authentication using dot1x. When the machine is reloaded, I can see machine authentication taking place followed by a user authentication when the user logs on to Windows. This part works as expected.

However, when the user logs out of Windows, we expect to perform EAPoL logoff and have the machine authenticate with the machine account. This is not happening for some reason. When we log out of windows, machine authentication is not triggered.

Is there any setting we need to play with to trigger machine authentication when the user logs out? Never had this issue before.

Any help would be appreciated.

Regards,


OnPrem Always ON VPN for BYOD and Capacity planning

Hi,

We are planning to implement Always On VPN for Windows 10 clients for corporate and users' personal Windows 10 devices. Would request your support on the points below.

1. Since personal Windows 10 devices/laptops are not domain joined and not managed by corporate, what should be the VPN authentication method and how do we ensure BYOD is meeting compliance? Can we use IKEv2 with a user certificate for BYOD if a device certificate is not feasible?
2. How to plan for sizing the VPN and NPS servers? Could not find any matrix to calculate CPU, memory and load balancing capacity to calculate the server sizing with respect to the number of clients. How can we plan for scalability?

Appreciate your support in these since there is very limited info and resources we can find today.

Regards
Mahesh

Can you integrate NAP and Azure?


Hi,

I'm trying to find out if Network Access Protection(corp) can be integrated with Azure? I can't find any information on this topic. Also what other roles can you integrate(onpremise to cloud) with Azure? I know about ADFS.

Thanks for some clues, articles, links and simple explanations, 


802.1x EAP-TLS on Alcatel-Lucent VoIP-Phones with NPS 2016


Hello,

We are currently trying to bring up AAA via dot1x with our Alcatel-Lucent VoIP phones and Microsoft's NPS 2016. EAP-TLS with certificates is supported and certificates with the correct chain were imported on the phones.

But if we take a look into the Event Manager of NPS we can see that there is a request for an AD user account named like the phone. So we created this user account in AD as well. But Event Manager throws Event 6272 with Code 16 "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

So we assume that the user account is searched and selected correctly but the password might be wrong. Alcatel talks a lot about "using the MAC address as the password" (but in fact only for MAC bypass mode), using the username, or just the string "password".

Taking a closer look in Wireshark shows that there might not be a password in the RADIUS request. Here is a short snippet.

AVP: l=8 t=User-Name(1): ALCIPT
AVP: l=6 t=Service-Type(6): Framed(2)
AVP: l=27 t=Vendor-Specific(26) v=ciscoSystems(9)

Normally, for example on other Windows machines, there will be an encrypted Password AVP right behind the User-Name. Is this the correct behaviour? Any ideas? Can we ignore the password in NPS? Is this a topic for Alcatel?

Thanks and regards,

Jochen


Best regards, Jochen Reinecke (MCSA Windows Server 2012)
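Added example (not from Jochen's post, Alcatel or Microsoft): a small Python model of the Access-Request shapes this thread and the earlier NPS-extension post contrast: an EAP-TLS start that carries EAP-Message plus Message-Authenticator and no User-Password, an EAP continuation marked by a State attribute, and a PAP request with a hidden User-Password. The shared secret, Request Authenticator and attribute values are constructed sample data; the parser, RFC 2865 password hiding and RFC 2869 HMAC check are the checks a RADIUS server applies.

```python
import hashlib
import hmac
import struct

# Attribute type numbers from RFC 2865 and RFC 2869; 1 is also the Access-Request packet code.
USER_NAME, USER_PASSWORD, SERVICE_TYPE, STATE, EAP_MESSAGE, MSG_AUTH = 1, 2, 6, 24, 79, 80
ACCESS_REQUEST = 1

def attr(t, value):
    """One Type-Length-Value attribute; the length byte covers the 2-byte header."""
    return bytes([t, len(value) + 2]) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding (PAP): XOR with an MD5 keystream, 16-byte blocks."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out

def parse(pkt):
    """(code, identifier, authenticator, [(type, value, offset), ...]); rejects malformed TLVs."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        alen = pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((pkt[pos], pkt[pos + 2:pos + alen], pos))
        pos += alen
    return code, ident, pkt[4:20], attrs

def _hmac_md5(pkt, secret, pos):
    """Message-Authenticator value: HMAC-MD5 over the packet with that attribute zeroed (RFC 2869)."""
    return hmac.new(secret, pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:], hashlib.md5).digest()

def access_request(ident, authenticator, attrs, secret):
    """Assemble an Access-Request; RFC 3579 requires Message-Authenticator whenever EAP-Message is carried."""
    body = b"".join(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    for t, _, pos in parse(pkt)[3]:
        if t == MSG_AUTH:
            pkt = pkt[:pos + 2] + _hmac_md5(pkt, secret, pos) + pkt[pos + 18:]
    return pkt

def verify_message_authenticator(pkt, secret):
    """True only if the HMAC checks out; a server drops EAP requests that fail this (or lack it)."""
    for t, value, pos in parse(pkt)[3]:
        if t == MSG_AUTH and len(value) == 16:
            return hmac.compare_digest(value, _hmac_md5(pkt, secret, pos))
    return False

def classify(pkt):
    """Which credential form an Access-Request carries, as the RADIUS server sees it."""
    present = {t for t, _, _ in parse(pkt)[3]}
    if EAP_MESSAGE in present:
        # EAP methods (EAP-TLS, PEAP) never send User-Password: the credential is inside
        # EAP-Message, and State ties later round trips back to the first request.
        return "eap-continuation" if STATE in present else "eap-start"
    return "pap" if USER_PASSWORD in present else "no-credential"

SECRET = b"constructed-shared-secret"  # constructed sample value, never a real secret
AUTH = bytes(range(16))  # constructed Request Authenticator (real ones are random)
# Constructed EAP-TLS-style first request like the page's phone: User-Name ALCIPT, Service-Type
# Framed, and an EAP Response/Identity (code 2, id 1, length 11, type 1) instead of a User-Password.
EAP_START = access_request(7, AUTH, [
    attr(USER_NAME, b"ALCIPT"), attr(SERVICE_TYPE, struct.pack("!I", 2)),
    attr(EAP_MESSAGE, struct.pack("!BBHB", 2, 1, 11, 1) + b"ALCIPT"), attr(MSG_AUTH, b"\x00" * 16)], SECRET)
# Constructed PAP request for contrast: the password is present, hidden per RFC 2865.
PAP = access_request(8, AUTH, [attr(USER_NAME, b"alice"),
                              attr(USER_PASSWORD, hide_password(b"hunter2", SECRET, AUTH))], SECRET)
```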

Network share - use share permission only -> no NTFS permissions?


Hey everyone,

I have a question:

When I create a network share is it possible to only use share permissions? It seems to me that there always have to be NTFS permissions so that the share permissions even count. 

Example: I just created a network share with the share permission "Everyone - Full Control" but didn't give the user group any permission in NTFS permissions.

Then I tried to access this network share with my user account and it didn't work; when I gave the user group an NTFS permission, the share permissions suddenly applied.

So as a conclusion: Share permissions can never be alone; there always have to be NTFS-permissions in addition. 

Is that correct?

Thanks a lot!


NPS fails with "No Domain Controller Available"


I just installed NPS for the first time on our domain and authentication fails with the message "There is no domain controller available for domain tp.dom". We have two domain controllers and both are working fine. I ran nltest with various options and all the commands completed successfully and found the domain controllers. Also I can log in to the NPS server using TP.DOM\username. I tried a few different users and it was successful. I am not sure why NPS can't locate the domain controller.

So I tried on a different machine and getting the same error. Both run windows 2008 R2. Our DCs are 2003 R2.

Below is the message from the NPS trace.

[5424] 07-08 18:54:32:124: Failed to connect to the cached DC, try DC locator ...
[5424] 07-08 18:54:32:124: Could not open an LDAP connection to domain TP.DOM.
[5424] 07-08 18:54:32:124: NTDomain::getConnection failed: The specified domain either does not exist or could not be contacted.
[5424] 07-08 18:54:32:124: Retrying LDAP search.
[5424] 07-08 18:54:32:124: Could not open an LDAP connection to domain TP.DOM.
[5424] 07-08 18:54:32:124: NTDomain::getConnection failed: The specified domain either does not exist or could not be contacted.
[5424] 07-08 18:54:32:124: No AUTHORIZATION extensions, continuing
[5424] 07-08 18:54:32:124: Added EAP Failure packet

Any help is appreciated.  - thanks.

Remote NPS Server will not Authenticate Computer

I'm trying to set up NPS for WPA2 Enterprise Wi-Fi machine authentication (with PEAP) for our company with 5 offices that are connected with a site-to-site VPN. Each office is on the same domain but on different subnets and we are using Meraki WAPs. I set up 3 NPS servers (Server 2019) (each in a different city) and pushed out the Wi-Fi profile via group policy to a few test machines. In our main office I was able to successfully authenticate and connect to the SSID. My next step in testing this setup was to disable the NPS server in the main city to test if the NPS servers in the other cities would take over. With the main NPS server down, I tried to connect the laptop to the SSID and it would not connect. The remote NPS server refused the authentication.
     Reason Code:16
     Reason:Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

The NPS servers are not in a RADIUS group and I have not set up any RADIUS proxies. I also removed all NPS servers from the equation except for one remote NPS server. I'm trying to keep it simple until I can narrow down the issue. Any recommendations or guidance would be greatly appreciated!

Can we access RAS VPN from a Linux system

I have a query at my workplace. Can we access a Windows RAS VPN server from an Ubuntu system? If so, please show me the way.