Channel: Network Access Protection forum
Viewing all 1875 articles

How to configure RADIUS authentication for switches


Hi, running Windows Server 2016 and trying to configure Microsoft NPS to authenticate all of the network equipment we have in production. Here are the steps I have completed:

- Created the radius client "1 Test Switch"

- Created the connection request policies

- Created the Network policies

I am able to successfully authenticate against NPS if I use my username in the connection request policies, so I know the configuration is correct on my test switch, but if I add another user's name in the connection request policies then I can no longer log in, nor can the person I added. If I take the other name back out then I can log in again.

What am I missing here?

How does everyone else set up NPS to authenticate network equipment?


NPS VLAN only when both certificate & computer group membership


Can I "craft" a network policy which drops clients to a specified VLAN ONLY when both conditions are true: a machine certificate exists AND the machine is a member of a specific group?

If the machine is NOT a member of the group (and only the certificate exists), then it gets onto a different VLAN.

Seb

NPS & EAP-MD5

Hi there,

We are currently working on the deployment of 802.1X enterprise-wide. Since we have some old devices that don't support 802.1X natively, and we have a Cisco infrastructure, we decided to go the MAC Authentication Bypass route.

When we tested it previously, we were running Windows 2003 + IAS. The test was flawless; however, it required us to enable reversible encryption and relax our password complexity requirements, which was unacceptable. We then decided to upgrade to Windows 2008 to leverage the separate password/complexity policy requirements based on a user or a group of users.

I've just finished setting that up, and it works perfectly. We decided to go with NPS, as it had a bunch of features that were lacking from Windows 2003's IAS (namely exporting the configuration and being able to import it to our other IAS/NPS servers). We currently run the NPS service on our DCs (two of them for redundancy); however, we can't seem to make MAC Authentication Bypass work. After some digging, it seems that Microsoft has removed support for EAP-MD5 from Vista/2008. They mention that there are third-party EAPHost-compliant vendors that 'may' have EAP-MD5 support, but I've been unable to find any.

My question is, has anyone else run into this problem? If so, how did you go about fixing it? Unfortunately, Cisco only seems to support EAP-MD5 for MAC Authentication Bypass; we're currently running this on Catalyst 3560 switches. I'd much rather get it working again on our NPS servers, as I don't want to revert to IAS, since it's a pain to replicate the configurations between more than one box.

Thanks!

Warren

Always On VPN - Device Tunnel


Hi Folks

I just got confused while reading the details of the device tunnel in the write-up below.

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config

Now, the questions in my mind are:

1. I hope the device tunnel is not only for infra services like AD, DNS, DHCP, PKI, SCCM etc.

2. Is the device tunnel alone sufficient to access infra services (like AD, PKI, SCCM) and on-prem applications (HR, business apps etc.), or do we need to have a user tunnel as well, specifically for applications?

3. Can we use the same VPN and NPS server to pass the device and user tunnel traffic and authentication? (I hope yes, with IKEv2.)

4. Is there better documentation on implementing AO VPN end to end for on-prem infra and application access?


Regards, Mahesh

Azure MFA NPS module - access denied when generating certificate


Hi,

We have an NPS server with the MFA NPS module running perfectly. To avoid a single point of failure I have built a second NPS server; however, the MFA NPS module on it fails to process any MFA requests.

When executing the New-AzureMfaTenantCertificate command I am presented with an "access is denied" message. The PowerShell session is "run as administrator" and the account logging into MSOnline is a global admin and also the account used to configure this on the first (working) server.

Any guidance on how to resolve this is much appreciated.

Limited Access when connecting to Wi-Fi on Windows Server 2012 R2


Hi everyone, I have a problem with the Wi-Fi connection and I think it is very strange.
I installed Windows Server 2012 R2 on my laptop and then activated the Wireless LAN Service following this guide: https://www.niallbrady.com/2012/09/01/how-can-i-manually-enable-wireless-networking-in-windows-server-2012/

It works OK, but when I try to connect to Wi-Fi it always reports that the connection is limited when the Wi-Fi is broadcast by a modem. The strange thing is that when I connect to Wi-Fi broadcast by a MacBook it is actually OK. Who can help me solve this problem?
Sorry for my bad English. Thanks so much.

Modifying network policy profile attribute using netsh


I recently started using netsh to manage NPS. I am wondering whether there is a way to modify a specific profile attribute without touching the other attributes of a network policy.

Problem:

Network policy configuration:
---------------------------------------------------------
Name             = blah
State            = Enabled
Processing order = 5
Policy source    = 10

Condition attributes:

Name                                    Id          Value
---------------------------------------------------------
Condition0                              0x1023      "XXXXXXXXXXXXXXXXXX"

Profile attributes:

Name                                    Id          Value
---------------------------------------------------------
Ignore-User-Dialin-Properties           0x1005      "FALSE"
NP-Allow-Dial-in                        0x100f      "TRUE"
NP-Allowed-EAP-Type                     0x100a      "19000000000000000000000000000000"
NP-Authentication-Type                  0x1009      "0x5" "0x1" "0x2" "0x3" "0x4"
Vendor-Specific                         0x1a        "01000006220106blah"
Framed-Protocol                         0x7         "0x1"
Service-Type                            0x6         "0x2"

I would like to change the Vendor-Specific attribute alone from "01000006220106blah" to "01000006220106rofl".

I tried using

netsh nps set np name = "blah" profileid = "0x1a"  profiledata = "01000006220106rofl"

With the above I am able to set profileid "0x1a" to "01000006220106rofl", but all the other profile attributes are reset to default values.
After running the command, profile attributes are as below

Profile attributes:

Name                                    Id          Value
---------------------------------------------------------
NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
Vendor-Specific                         0x1a        "01000006220106rofl"

As you can see, NP-Authentication-Type, NP-Allowed-EAP-Type and the other attributes are set to default values.

Is there a way to change one profile attribute while keeping the others untouched, using netsh or any other command?

The last resort is to set all attributes except "Vendor-Specific" to their existing values and set the Vendor-Specific attribute to the new value in the same netsh command:

C:\>netsh nps set np name = "blah" profileid = "0x1a"  profiledata = "01000006220106blah" profileid = "0x1009" profiledata = "0x5"  profiledata = "0x1"  profiledata = "0x2"  profiledata = "0x3"  profiledata = "0x4" profileid = "0x100a"  profiledata = "19000000000000000000000000000000"


Learning
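The behaviour described in this post, that `netsh nps set np ... profileid/profiledata` replaces the whole profile rather than one attribute, means the poster's "last resort" is the only way to do it through netsh: every attribute has to be supplied again. The PowerShell below is an added example, not code from the post or from Microsoft, that automates exactly that: it parses the `Profile attributes` table of `netsh nps show np` output and rebuilds the complete `set np` command with a single attribute changed. The sample input is the profile table from the post (constructed here as a here-string), and the policy name `blah` and the new value are the post's own placeholders.

```powershell
# Added example. Parses the "Profile attributes:" section printed by
# `netsh nps show np` into an ordered map of Id -> values, preserving order.
function Get-NpsProfileAttributes {
    param([string[]]$ShowNpOutput)
    $attrs = [ordered]@{}
    $inProfile = $false
    foreach ($line in $ShowNpOutput) {
        if ($line -match '^Profile attributes:')   { $inProfile = $true;  continue }
        if ($line -match '^Condition attributes:') { $inProfile = $false; continue }
        if (-not $inProfile) { continue }
        # Rows look like:  Name   0x1a   "value1" "value2"   (Id is always hex)
        if ($line -match '^\s*(\S+)\s+(0x[0-9A-Fa-f]+)\s+(".*")\s*$') {
            $name = $Matches[1]; $id = $Matches[2]; $valueText = $Matches[3]
            $values = [regex]::Matches($valueText, '"([^"]*)"') | ForEach-Object { $_.Groups[1].Value }
            $attrs[$id] = @{ Name = $name; Values = @($values) }
        }
    }
    return $attrs
}

# Builds one `set np` command that re-supplies every attribute, with $ChangeId
# replaced by $NewValues, so nothing else falls back to its default.
function New-NpsSetNpCommand {
    param(
        [string]$PolicyName,
        [System.Collections.Specialized.OrderedDictionary]$Attributes,
        [string]$ChangeId,
        [string[]]$NewValues
    )
    if (-not $Attributes.Contains($ChangeId)) {
        throw "Profile attribute $ChangeId is not present in policy '$PolicyName'"
    }
    $Attributes[$ChangeId].Values = $NewValues
    $parts = foreach ($id in $Attributes.Keys) {
        $p = 'profileid = "{0}"' -f $id
        foreach ($v in $Attributes[$id].Values) { $p += ' profiledata = "{0}"' -f $v }
        $p
    }
    return ('netsh nps set np name = "{0}" {1}' -f $PolicyName, ($parts -join ' '))
}

# Constructed input: the profile table from the post, as `netsh nps show np` prints it.
# Live use:  $shown = netsh nps show np name="blah"
$shown = @'
Profile attributes:

Name                                    Id          Value
---------------------------------------------------------
Ignore-User-Dialin-Properties           0x1005      "FALSE"
NP-Allow-Dial-in                        0x100f      "TRUE"
NP-Allowed-EAP-Type                     0x100a      "19000000000000000000000000000000"
NP-Authentication-Type                  0x1009      "0x5" "0x1" "0x2" "0x3" "0x4"
Vendor-Specific                         0x1a        "01000006220106blah"
Framed-Protocol                         0x7         "0x1"
Service-Type                            0x6         "0x2"
'@ -split "`r?`n"

$attrs = Get-NpsProfileAttributes -ShowNpOutput $shown
$cmd = New-NpsSetNpCommand -PolicyName 'blah' -Attributes $attrs `
                           -ChangeId '0x1a' -NewValues '01000006220106rofl'
$cmd   # review the generated command, then run it with:  Invoke-Expression $cmd
```

Review the generated command before executing it: it is the full profile, so a parsing slip (for example an attribute whose value is printed without quotes) would drop that attribute just as surely as the short form did. Running `netsh nps show np` again afterwards and comparing the table against the original is the check that nothing but the Vendor-Specific value moved.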

Using NPS with Cisco IP Phones

Has anyone set up NPS to act as an authentication server for Cisco IP phones? I have never done this before and I'm looking for insight. I am not sure exactly what configs need to be set, and I also need to make sure that the authentication success response includes the class=voip line.

[Announcement] “Network Access Protection” Forum will be migrating to a new home on Microsoft Q&A!


This “Network Access Protection” Forum will be migrating to a new home on Microsoft Q&A! 

We’ve listened to your feedback on how we can enhance the forum experience. Microsoft Q&A allows us to add new functionality and enables easier access to all the technical resources most useful to you, like Microsoft Docs and Microsoft Learn.   

Now until July 26, 2020: 

From July 27, 2019 until August 10, 2020: 

  • New posts  We invite you to post new questions in the “Network Access Protection” forum’s new home on Microsoft Q&A. The current forum will not allow any new questions. 

  • Existing posts  Interact here with existing content, answer questions, provide comments, etc.  

August 10, 2020 onward: 

  • This forum will be closed to all new and existing posts and all interactions will be in Microsoft Q&A. 

We are excited about moving to Microsoft Q&A and seeing you there.          


Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   


NPS not forwarding Radius accounting messages


Greetings,

Preamble: I'm a network engineer so my Windows server knowledge is limited.

I'm trying to implement identity-based rules on our firewall (FortiGate). For that I need our NPS/RADIUS server to forward accounting messages to the firewall.

The following was set up:

  • NPS -> RADIUS Clients and Servers -> Remote RADIUS Server Groups -> New group -> add the FortiGate to this group
  • NPS -> Policies -> "Use Windows authentication for all users" (Enabled) -> Settings -> Accounting -> "Forward accounting requests to this remote RADIUS server group" and add the group with the FortiGate

However, no accounting messages are forwarded to the FortiGate. Unfortunately I currently can't run Wireshark on the Windows server. I did a packet capture on the firewall, and when I trigger some RADIUS action, like signing into a switch, I can see the RADIUS traffic between the switch and the NPS, but nothing is forwarded to the firewall.

Any ideas what is wrong?

How to configure network authentication with Active Directory


Dear Team

I want the following:

An unknown device that connects to Wi-Fi without logging in to Active Directory will not get internet access.

Only those who connect with Active Directory users will get internet access.

Please advise and share the Microsoft document and authentication diagram.

Thanks



Renew RADIUS certificate from internal CA


Dear all,

My RADIUS server has a certificate issued from our CA and it expires tomorrow.

Can you advise on how to renew it from the CA?

Kind regards,
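As an added example for the question above (not from the post or from Microsoft), the PowerShell below does what a practitioner does before and after renewing an NPS server certificate against an enterprise CA: it finds the certificate in the machine store, confirms it has a private key and the Server Authentication EKU that PEAP/EAP-TLS clients require, reports the days left, renews it in place with `certreq`, and then lists what is now in the store. It assumes the certificate is in `Cert:\LocalMachine\My`, that the issuing enterprise CA is reachable and its template permits renewal, that the script runs elevated, and that the subject name is replaced with the real one (the value below is a placeholder).

```powershell
# Added example. Subject is an ASSUMPTION: replace with the RADIUS server's own subject.
$subject = 'CN=nps01.corp.example'

# Pick the newest matching certificate that has a private key (NPS cannot use one without).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$subject' and a private key in LocalMachine\My" }

# Server Authentication EKU (1.3.6.1.5.5.7.3.1) is what 802.1X/VPN clients validate on the server.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = [bool]($ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
'{0}  expires {1:u}  ({2} days left)  ServerAuth EKU: {3}' -f $cert.Thumbprint, $cert.NotAfter, $daysLeft, $hasServerAuth
if (-not $hasServerAuth) { Write-Warning 'Certificate lacks Server Authentication EKU; clients will reject it.' }

# Renew in place from the issuing enterprise CA (-machine: machine store, -q: quiet, no UI).
certreq -enroll -machine -q -cert $cert.Thumbprint renew
if ($LASTEXITCODE -ne 0) { throw "certreq renewal failed with exit code $LASTEXITCODE" }

# The renewed certificate has a new thumbprint. List both so the PEAP/EAP-TLS settings in the
# NPS network policy can be checked against the new one before the old one expires.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $subject } |
    Sort-Object NotAfter -Descending | Select-Object Thumbprint, NotBefore, NotAfter
```

After the renewal, open the network policy's EAP settings in the NPS console and confirm which certificate is selected; do not remove the expiring certificate until the new thumbprint is the one in use, or clients will fail authentication at the changeover.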

Extension Host failed to load extension DLL


Hi Everyone,

I am new to NPS. I am using Windows Server 2008 R2. I have developed an authentication extension DLL, which is basically an MFC extension DLL for custom authentication in NPS. (http://msdn.microsoft.com/en-us/library/windows/desktop/bb892024(v=vs.85).aspx)

Now, to apply this extension DLL to NPS I have used the following steps:

  1. I have put that DLL in the %System Root%\System32\radius.dll folder.
  2. I have created the HKLM\System\CurrentControlSet\Services\AuthSrv\Parameters\ registry key and set the path of the DLL as described here: http://msdn.microsoft.com/en-us/library/windows/desktop/bb892024(v=vs.85).aspx

Now, when I restart the NPS server I get the following error:

"Extension Host failed to load DLL. Path %System Root%\System32\radius.dll".
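For the registration step in this post, here is an added PowerShell example (not from the post, and not Microsoft's code) that makes the two checks worth doing before restarting NPS and then registers the DLL: it verifies that the configured path is an existing file, and that the DLL is an x64 image, because the NPS host process on a 64-bit server cannot load a 32-bit DLL. It then appends the path to the `ExtensionDLLs` REG_MULTI_SZ value under `HKLM\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters`, which is the value the NPS Extensions documentation names for authentication extensions (`AuthorizationDLLs` is the equivalent for authorization extensions). The DLL path is a placeholder assumption; run it elevated.

```powershell
# Added example. Path is an ASSUMPTION: replace with the full path of your extension DLL.
$dllPath = 'C:\Windows\System32\MyAuthExt.dll'

# Reads the PE header and returns the target architecture from IMAGE_FILE_HEADER.Machine.
function Get-PeMachine {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { throw "$Path is not a PE file (no MZ header)" }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)                       # e_lfanew
    if ($bytes.Length -lt $peOffset + 6) { throw "$Path is truncated" }
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { throw "$Path has no PE\0\0 signature" }
    switch ([BitConverter]::ToUInt16($bytes, $peOffset + 4)) {             # Machine field
        0x8664  { 'x64' }
        0x014C  { 'x86' }
        default { 'other' }
    }
}

if (-not (Test-Path -LiteralPath $dllPath -PathType Leaf)) { throw "DLL not found: $dllPath" }
$machine = Get-PeMachine -Path $dllPath
if ($machine -ne 'x64') { throw "NPS on 64-bit Windows needs an x64 DLL; $dllPath is $machine" }

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# ExtensionDLLs is a REG_MULTI_SZ list of full paths; keep any entries already present.
$existing = @((Get-ItemProperty -Path $key -Name ExtensionDLLs -ErrorAction SilentlyContinue).ExtensionDLLs |
              Where-Object { $_ })
if ($existing -notcontains $dllPath) {
    New-ItemProperty -Path $key -Name ExtensionDLLs -PropertyType MultiString `
                     -Value ($existing + $dllPath) -Force | Out-Null
}

# NPS (service name IAS) reads the extension list only at start-up.
Restart-Service -Name IAS
Get-ItemProperty -Path $key -Name ExtensionDLLs | Select-Object -ExpandProperty ExtensionDLLs
```

If the service still logs a load failure after this, the remaining usual cause is a missing dependency of the DLL itself (for example the MFC or CRT runtime it was built against not being installed on the server), which the PE check above does not cover.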




NPS SQL Logging not working


I am running NPS on a Windows 2008 Enterprise server in a VM. I also installed SQL Express 2008 with advanced tools on the same server. My goal is to have NPS log to SQL to generate reports. I ran the Accounting wizard to create the database, so I have the required stored procedure in SQL, and I am using Windows Authentication in SQL. I can authenticate to my Cisco devices, wireless clients and VPN users. I have no problem when I use local logging. When I set up NPS accounting, the data link connects successfully. After setting up SQL, I get Reason Code 80 in the NPS event log. I don't know what I am missing. Any ideas?

Number of RADIUS clients supported by Windows Server 2016 Standard


Dear All,

I need to know how many RADIUS clients (maximum limit) are supported by Windows Server 2016 Standard.

Thanks,

Amit Jogi

