Network Access Protection Forum

GPO 802.3 Policies "Settings" lockdown

Thu, 26 Nov 2009 02:42:56 Z

Hello, and Happy Thanksgiving,

I am working on implementing NAP with 802.1x, and EAP enforcement on my network, and so far its going good. I just extended my AD Schema so I could setup a Wired Network 802.3 Policy. That worked great to configure the clients, but users can still go into "Settings" on the Authentication tab, and mess with settings. Why isnt that locked down when the settings are applied via GPO?

NAP Agent does not work

Thu, 26 Nov 2009 01:29:51 Z

I start using NAP in our network, but there are something strange in our wireless clients.

We've already use WPA to enhance our wireless network security.

The issue is: some wirless users find their network was limited. I check NPS log and find they meet "NAP DHCP Non NAP-Capable". i need to restart napagent service to fix this issue. But if these clients use wired network, there is not the same issue.

What shall I do to fix this issue? Thanks!

IAS crashs with msvcrt.dll under WIndows Server 2008 32bits

Fri, 12 Jun 2009 22:23:11 Z

Hi,

I have two servers with Windows Server 2008 32 bits which fails and becomes unresponsive.

The event log says:

"Faulting application svchost.exe_IAS, version 6.0.6001.18000, time stamp 0x47918b89, faulting module msvcrt.dll, version 7.0.6002.18005, time stamp 0x49e0379e, exception code 0xc0000005, fault offset 0x0000a1c3, process id 0x414, application start time 0x01c9e9d991aa7614."

The servers are fresh installed with the lastest patches installed and only with Firefox, Snort and WireShark applications installed.

The roles installed are only NAP role for one of them and the second have NAP, IIS and Certification Authority. The are both Global Catalog and Domain Servers. The system is unable to recover and I have to push the reset button to recover :-s

I have an third 2008 server 64 bits, with NAP and Routing Service roles installed, and it do not fails (it is PDC, RID Master, Schema Master etc...., and not GC)

Thanks in advance for any ideas.

H.

Securing Wireless network from unathorized devices.

Tue, 24 Nov 2009 23:12:16 Z

Hi,

I am trying to prevent non-domain / unathorized devices from connecting to our Wireless LAN. We are currently using 802.1x authentication using PEAP with IAS acting as the RADIUS Server. We are a complete Server 2003 shop running windows XP (for now). We had an issue arise that a domain user was able to connect his iPhone and ipod touch to our wireless network by entering his domain credentials. We have remote access policies setup that are supposed to check that 1) the device is part of our wireless security group and 2) that the user belongs to our wireless user group. We are also using a self signed certificate that is pushed out along with the wireless settings via group policy.

How can I prevent devices specifically non-domain wireless devices and Apple mobile devices from connecting to our wireless network? Any help would be greatly appreciated.

NAP Shv fails

Wed, 09 Sep 2009 09:22:54 Z

Hi all!

I have been experiencing a very concerning problem and found very little on this topic as how to resolve it. I have built a custom Shv and Sha for NAP. When I register the Shv in the NPS everything goes well. It shows up in the NPS configuration snap-in and the solution works well. The Sha and Shv can communicate with eachother (through NAP interfaces) and restrict access depending on client conditions.

But all of a sudden the communication stops (it can take up to severel hours) and in the NPS server logs I see just an error message saying

"SHV Id : 96119 can not create validator."

< Event xmlns =" http://schemas.microsoft.com/win/2004/08/events/event " >

- < System >

< Provider Name =" NPS " />

< EventID Qualifiers =" 49152 " > 10001 </ EventID >

< Level > 2 </ Level >

< Task > 0 </ Task >

< Keywords > 0x80000000000000 </ Keywords >

< TimeCreated SystemTime =" 2009-09-08T10:00:24.000000000Z " />

< EventRecordID > 10414 </ EventRecordID >

< Channel > System </ Channel >

< Computer > CORPAPP02.corp.com </ Computer >

< Security />

</ System >

- < EventData >

< Data > 96119 </ Data >

< Binary > 1A400080 </ Binary >

</ EventData >

</ Event >

and the shv is out the game. It doesn't do anything, it still shows in the NPS configuration snap-in but doesn't communicate with the Sha anymore. What helps it to unregister the dll and register it again or to restart the NPS-service. Obviously something that it out of the question as a permanent solution

The NPS server is running on a x64 Windows Server 2008 R2 Enterprise (no Service Pack installed) and the custom Shv is practically the NAP SDK sample with small modifications.

At first I thought that this problem was only related to my Shv component but then I saw in another post that someone running the FCS Shv had the same problem, which lead me to believe that it just might had something to do with the NPS server itself!

Here's a link to that posting

http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/23ec6d43-4de8-4e25-88a2-93750724480e

Since I haven't found much at all on this topic, whether people have gotten it to work or not, it would be great if you could enlighten me as to you did to make it work and on what platform so that I can replicate it or if you have had the problem and solved it!

Anyone with any ideas what I could try or point me in any direction will do though?!

Thanks a lot for your help!

Deploying NAP 802.1x Enforcement w/ 3com 4500 or 5500

Mon, 26 Nov 2007 21:03:49 Z

Hi!

I try to get the 802.1x Step-by-Step Guide to work in my Test Lab. I followed the instructions and everythings seems to be OK as my switch (3Com 4500) gets RADIUS Accept-Access from NAP Server (the logs look good too). Unfortunaltey the switch sends an EAP-Failure message to the client and the port keeps down.

I know that this isn't a support forum for 3Com but I would really appreciate any help.

Here is my configuration (the client uses port 1/0/5):

====================================
4500>display current-configuration
#
private-group-id mode standard
#
local-server nas-ip 127.0.0.1 key 3com
#
domain default enable ams
#
igmp-snooping enable
#
dot1x
dot1x authentication-method eap
#
undo password-control aging enable
undo password-control length enable
password-control login-attempt 3 exceed lock-time 360
#
radius scheme system
radius scheme radius1
primary authentication 192.168.0.2
accounting optional
key authentication secret
timer response-timeout 5
retry 5
user-name-format without-domain
#
domain ams
scheme radius-scheme radius1
domain system
#
local-user admin
service-type ssh telnet terminal
level 3
local-user manager
service-type ssh telnet terminal
level 2
local-user monitor
service-type ssh telnet terminal
level 1
#
acl number 4999
rule 0 deny dest 0000-0000-0000 ffff-ffff-ffff
#
vlan 1
description DEFAULT_VLAN
igmp-snooping enable
#
vlan 2
description NONCOMPLIANT_VLAN
#
vlan 3
description COMPLIANT_VLAN
#
interface Vlan-interface1
ip address 192.168.0.3 255.255.255.0
#
interface Aux1/0/0
#
interface Ethernet1/0/1
stp edged-port enable
broadcast-suppression PPS 3000
priority trust
packet-filter inbound link-group 4999 rule 0
dot1x port-method portbased

[...]

interface Ethernet1/0/5
stp edged-port enable
broadcast-suppression PPS 3000
priority trust
packet-filter inbound link-group 4999 rule 0
dot1x port-method portbased
dot1x

[...]

interface GigabitEthernet1/0/25
dot1x port-method portbased
#
interface GigabitEthernet1/0/26
dot1x port-method portbased
#
interface GigabitEthernet1/0/27
shutdown
dot1x port-method portbased
#
interface GigabitEthernet1/0/28
shutdown
dot1x port-method portbased
#
sysname 4500
undo xrn-fabric authentication-mode
#
interface NULL0
#
snmp-agent
snmp-agent local-engineid 8000002B001AC12D89C06877
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
#
user-interface aux 0 7
authentication-mode scheme
user-interface vty 0 4
authentication-mode scheme
====================================

Thanks in advance.

Wolfgang

Auto-remediation problem with NAP 802.1x Wired and Windows Firewall

Wed, 18 Nov 2009 23:42:16 Z

I have a NAP lab consisting of the following elements:
1 Windows Server 2003 DC (VM)
1 Windows Server 2008 SP1 NPS Server (VM)
1 Cisco 802.1x-capable switch
1 Windows XP SP3 client
GPOs containing the appropriate settings to get NAP 802.1x PEAP working with XP SP3
1 user account that is an administrator on the client machine

The lab works fine. When the client is compliant, it is placed in a Compliant VLAN, and when it is not compliant, it is placed in a Non-Complaint VLAN.

The issue: If you turn off Windows Firewall on the client, but it is required by NPS, and auto-remediation is enabled in NPS, the Firewall turns on and off about every 5 seconds. As a result, the client is put first in one VLAN and then the other until you start to see DHCP deny messages in the event log. It appears that auto-remediation is fighting with the local setting. The only way to make it stop bouncing is to open Windows Firewall from the Control Panel at one of the moments when the Windows Firewall is disabled, and enable it.

The question: Why is this happening, and is it a bug, or is there a workaround?

Unauthorized Apple iPODs and MAC notebooks connect to my wireless network

Wed, 21 Oct 2009 19:36:23 Z

I need to prevent Apple iPODs and Mc Notebooks from connetiong to my wireless network. Currently I have Server 2003 IAS Sever and Enterprise Certificate Services installed and configured on my network. Clients authenticate using domain account username and psasswords. Machine Certificates are installed on every domain client notebook using a GPO. These policies worked great for XP Pro and Vista Business clients. I have noticed however that Apple iTouch devices and Apple notebooks can connect to my wireless network if the owner has a valid domain username and password. How are these client machine negotianting a certificate?
I need to lock this down. I am sure this must be a common issue....
My Cisco Access Points are 1100 and 1200 APs. They are clients of the IAS server.
Thanks
ibjean325

How can we change or reset the submitted IPsec Gpo in an Active directory

Sun, 22 Nov 2009 21:22:35 Z

1. Decided to have an IPsec on the Active directory to govern the traffic in a 2008 domain members and environment.
2. Edited a policy script, lists of Filter action,FilterNames, address filters.. etc..and rules.
3. Loaded The IPsec Policy script by the command netshel -F ScriptFileName.txt
4. Created a new GroupPolicyObject in the Domain and linked it and in the asigned it and then run the gPupdate /force and Saw it Fuynction well in all the domain member nodes.
5. After 24 hours of observation decided to add a couple of more lists,, to allow for the trafic to the File and priner servers and also the IE ProxiServer.
6. Deasign the Submitted policy and run gpupdate /force and then repeated the steps 1 and then reasigned the policy. Here I noticed that there are double entries in the Property View of the Policy.
7. This time deasigned and then deleted the policy and run the force gpupdate... Working in the DC node.
8. Verfied that there are No inhibition and that NO IPsec was active on some of the domain member nodes.
9. Did the steps 1 and already here the response to the NetShel command states that there are already entries for the filter Lists and rules..
So My question is what is the correct procedure to wipe out an IP sec policy and resubmit it in an elegant and problem free way.

Looking forward to your help
Regards

BlueOcean

GPO for configuring 802.1x wired clients with XP SP3

Wed, 11 Nov 2009 09:37:11 Z

Hi,
We use actually cisco switchs with ACS like radius server mapped on windows 2003 R2 Active directory server. We use user authentication PEAP-CHAP-V2.
I extend the schema as described in microsoft documentation http://technet.microsoft.com/fr-fr/library/bb967647.aspx to use the computer authentication first.
Now, when i try to modify an GPO, Computer Configuration | Windows Settings | Security Settings | Wired Network (IEEE 802.3) Policies node in the Group Policy Management Editor, this node isn't exist.

Thank you for your help

NAP XP SP3 problems when SQL Logging

Thu, 20 Aug 2009 11:17:56 Z

Hi,

I have used the following DHCP NAP step-by-step guide to configure my POC environment:
http://www.microsoft.com/downloads/details.aspx?FamilyID=ac38e5bb-18ce-40cb-8e59-188f7a198897&displaylang=en

First thing I noticed is that the XP client reports incorrect compliant and non-compliant states.

So I found some other threads here: http://social.technet.microsoft.com/Forums/en-US/itproxpsp/thread/f7abe0f2-0186-428c-9252-9d22b03dd496
And I tried this setting on the client:
[HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\DhcpGlobalForceBroadcastFlag\0] "0"=dword:00000001

But the problem still persists....I can disable the Firewall, Windows Updates, have no AV product installed...and sometimes the NAP client reports non-compliance, then a few minutes later it says everything is compliant.

THEN I found this little anomaly:
If I do not log to SQL; NAP client seem to report work correctly.
BUT the moment I configure NPS logging to SQL, the NAP client does not work - I can have everything disable on the client (firewall, av, etc) and NAPSTAT displays a very healthy system.

For my test environment, I am running a single VM with Windows 2008 AD, NPS, DHCP, SQL 2005 SP2; and another single VM with XP SP3.

Regards,
Tom

NAp Reporting issue

Tue, 17 Nov 2009 07:37:16 Z

Dear All,

Thanks for your kind support.

i have some question -
1. how i come to know which systems got the certificate
2. how i will know that NAP agent services are not started on which PC
3. how i will know that which PC is not reporting to NAP server
4. how many PC are noncomplaint or complaint
5. how i will know that which not getting the certificate or NAP policy not applied
6. why CA is issuing more that one certificate for the same client
7. how many and which PC have the Full Network Acess or limite or restricted

Rakesh Kumar

Add group issue

Thu, 12 Nov 2009 05:30:33 Z

During adding the group to NPS, there is error message popping up, showing that "Windows cannot process the object witht the name "ACS VLAN 117"because the following error: The specified domain either does not exist or could not be contacted"

Could some one tell me why? How to solve the issue?

NAP - 2 Minute Logon Delay

Mon, 26 Oct 2009 12:59:30 Z

I need to know how to get my NAP deployment to authenticate faster. Often when people log in in the morning if they hit CNTL-ALT-DELETE and attempt to log in the moment the computer comes up they get "no domain controller available" message. Right now they are considering removing NAP because of this as it just caused us a heck of a Monday morning problem. Eventually it will authenticate but it takes to long for the way people work. I'm doing dual authentication so I'm considering removing the MAC-based as it isn't needed as much. Also I use HP Switches and one of the settings is "aaa port-access authenticator <PORT> quiet-period 30" I know this setting has the EAP authentication delay 30 seconds between retries (which is most likely causing the delay). I just want to know what I should do to speed up the authentication process.

-Gunnar

NPS Server Install Fails Win08 x64 Only DC

Fri, 23 Oct 2009 22:12:13 Z

I cannot get NPS to install on our ONLY server - a Windows 2008 64 bit DC. There is no precise reason given for failure to install, it just tries to do it, fails, and says the server must be restarted. In the Event Log is refers to Event 1617, which is no help at all. There's absolutely nothing in the install logs that gives any additional detail - in fact - that log is full of entries with a January 2008 date - and the server itself was installed this past August (2009)!

I've seen some posts from MSFT about removing the DC role, etc. but obviously that's just not possible here as it is the ONLY DC and is in live production.

Cannot access certain websites

Sat, 14 Nov 2009 17:36:32 Z

I can use internet just fine, except for a select few websites. My browser tries to load them up like forever and eventually gives up.

among the websites unavailable to me are bioware.com, ign.com, acclaim.com, plaync.com, avg.com and others I can't think of right now. Note that in the past, I could and did access them.

I've googled up (thank god I can at least access google!) various solutions and tried them all but to no avail- Dr. TCP, the Hosts file under system32/drivers/etc, playing around with security and firewall settings, changing browsers, none of these have worked.

pinging any of the websites I can't acccess yields a "Destination host unreachable" message.

Oh yeah, I also use winXP, DSL connection, provided by WLAN, which is in Germany.

Any help would be really appreciated- especially since I don't seem to be the only one who's getting this problem.

NAP & VPN Errors

Tue, 10 Nov 2009 19:09:04 Z

All - I've been racking my brain for a day or two on this. I'm having an issue with W7 & VPN clients when NAP is enabled on Wink 2008 R2 Enterprise box.

With EAP enabled my W7 client keeps getting an Error 741: The Local Computer does not support this encryption type. Here's how my W7 machine looks...

C:\>netsh nap client show grouppolicy

NAP client configuration (group policy):
----------------------------------------------------

NAP client configuration:
----------------------------------------------------

Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048

Hash algorithm = sha1RSA (1.3.14.3.2.29)

Enforcement clients:
----------------------------------------------------
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Disabled

Name            = IPsec Relying Party
ID              = 79619
Admin           = Disabled

Name            = RD Gateway Quarantine Enforcement Client
ID              = 79621
Admin           = Disabled

Name            = EAP Quarantine Enforcement Client
ID              = 79623
Admin           = Enabled

Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled

Ok.

Client state:
----------------------------------------------------
Name                   = Network Access Protection Client
Description            = Microsoft Network Access Protection Client
Protocol version       = 1.0
Status                 = Enabled
Restriction state      = Not restricted
Troubleshooting URL    =
Restriction start time =
Extended state         =
GroupPolicy            = Configured

Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Description            = Provides DHCP based enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79619
Name                   = IPsec Relying Party
Description            = Provides IPsec based enforcement for Network Access Protection
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79621
Name                   = RD Gateway Quarantine Enforcement Client
Description            = Provides RD Gateway enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79623
Name                   = EAP Quarantine Enforcement Client
Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and
PN technologies.
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = Yes

System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent

Description = The Windows Security Health Agent monitors security settings on your computer.

Version = 1.0

Vendor name = Microsoft Corporation

Registration date      =
Initialized            = Yes
Failure category       = None
Remediation state      = Success
Remediation percentage = 0
Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating the security state of this computer.

Compliance results =
Remediation results =

Ok.

If I switch my clients back to MS CHAP v2, I can login fine but nothing happens as far as remediation goes. I really want to see this work...thanks!

WINDOWS 7 Ultimate NAP Client missing the Remote Access Enforcement Client??

Tue, 10 Nov 2009 16:26:44 Z

I'm testing the windows 7 NAP client and I noticed that way our users connect, the remote access enforcement client , is missing. It was also known as enforcement id 79618. Has Microsoft removed this, or have they rolled the remote access enforcement client functionality into one of the four other enforcement clients?

The only clients listed as available are
DHCP Quarantine        ID:79617
IPSec Relaying           ID:79619
RD Relay Quarantine ID:79621
EAP Quarantine        ID: 79623

Thanks in advance

NAP DHCP Problem

Fri, 13 Nov 2009 15:29:10 Z

Hi Guys,

I am configuring DHCP NAP Using Virtual Machines but could not configure. I used that step by step guide but at the end when I turned off the firewall it is not turning on automatically. Please someone help me.

windows security health chec

Fri, 13 Nov 2009 05:07:53 Z

by default, what does windows security health check on a windows vista client?

NAP related

Fri, 13 Nov 2009 05:01:52 Z

What other enforcement mechanisms are available with Network Access Protection?

Remote Access Policy(only allow Lan connection)

Wed, 11 Nov 2009 16:37:12 Z

How I setup a Remote Access Policy to allow only LAN connection?
I have a small business server 2003.
I am able to "Remote Desktop Connection" to the server from WAN.

Right now, I don't want any connection from WAN being able to connection to the server.
Only LAN can remote desktop to server. How can I setup the policy without using ISA?

Thank you

completely reinstall NPS with original settings?

Wed, 11 Nov 2009 09:59:00 Z

Hi! I am very new on this NPS/NAP topic. I deleted the standard settings by mistake on my Windows Server 2008 R2. If I deinstall the NPS role and install the rule again there are the latest settings. Is it possible to reinstall NPS with 'factory settings'? There are no SHVs after reinstalling.

Is the NPS role demaged until I have to reinstall the whole server or is there a way to 'reset' NPS to first install state?

Every tip is very appreciated! Dietmar

Dietmar

Default Firewall Rules NPS Server

Mon, 09 Nov 2009 19:43:08 Z

Is there a way to get back my default windows firewall rules that I got after installing NPS? I had to import a policy from my DC because I just made one of my NPS servers a DC. Unfortunately I lost my NPS settings, I can re-import the old settings but I need both the NPS and the DC firewall rules. If there is a way just to send a command and have NPS recreate these rules that woudl be idea.

Gunnar

NAP DHCP Non NAP-Capable

Sat, 07 Nov 2009 10:21:02 Z

We are deploying NAP with Windows 2008 R2. Both NPS and DHCP roles enabled on one machine. While the NAP enforcement is enabled on one machine, the NAP non-capable Windows XP machine gets full access to network. Once we do a IPconfig /releae and /renew it gets restricted IP address. Again if we do a IPconfig /releae and /renew it gets full access. It is happening alternatively. The Window 7 machines are working as desired. first time and consecutive /release and /renew also they are getting restricted IP address. We have already installed hotfix KB953761. Any fix for Windows XP SP3 machines? Help needed from the experts...

Best Regards,

Rama Mohan
H/P: 9987001939

Adding NAP Role - Error

Mon, 06 Oct 2008 21:11:29 Z

I am currently running a 2003 R2 native domain consisting of (1) 2003 R2 DC,
(1) 2003 DC and (2) 2008 Server DC's.

My 2003 DC is an IAS server.

I am trying to add the NAP role to my 2008 DC's but on both I recieve the
following error:

Network Policy and Access Services: Installation Failed

Attempt to install Server failed with error code 0x80070643. Fatal error
during installation.

Can any one help me out with way I can not add this role? IAS is the only
service that is keeping me from from removing the 2003 servers and going all
2008 Native.

(I can not upgrade my 2003 Servers to 2008).

Thanks - TD

XP client cant access Win2003 Server in same workgroup

Wed, 16 Sep 2009 16:37:19 Z

i have 2 machines with XP and win2003 and both have manual IP in same subnet; i want to access window 2003 via IE and also shared folders and vice versa?

both cant ping each other; i tried editing the host file in XP to access win2003 but still no luck; my firewall is on in both and if i need to check something here then kindly tell the sections to check.

they are in same workgroup but still no luck;

pls help

Good day ,Bhavtosh

NPS allows Macintosh Authentication even if not in Windows Group.

Mon, 02 Nov 2009 13:58:13 Z

We are in the process of implementing PEAP with AD authentication in our environment. We are running Server 2008 NPS and Cisco WLC's at our locations. We recently discovered that the MacBook can authenticate with a username and password that are not in our wireless group. The Windows PC's, on the domain or not can not authenticate if they are not in the groups. If they are in the groups they are fine. What would be causing the Mac's to bypass the groups for authentication through NPS?

802.1x alternatives

Thu, 05 Nov 2009 14:57:20 Z

Hi,

we are using 802.1x on our environment, but it works terrible with windows, is any alternative of this, like authentication in order to get IP, with certificates or something ?

thnaks
aurimas

NAP and Windows 7 Client

Tue, 03 Nov 2009 12:48:56 Z

I have clients running MS XP and Vista and with NAP with results as I expect.

When I try a Windows 7 client I have issues.

I issue the napstat command and it says the SHA is not present.

When I issue the netsh NAP client show state command under ID = 79744 SHA

Is says initialized = no

I am using EAP quarantine enforcement client and it is initialized.

I am totally new to NAP and Microsoft for that matter so I need much remediation.

Are there some specifics for Windows 7?

Server 2003 as a NAP client?

Wed, 04 Nov 2009 20:20:14 Z

Hi,

before Windows Server 2008 was RTM I read in several articles that a NAP client for Server 2003 will be available via Windows update. However, I cannot find any. Is there a chance to configure a Windows Server 2003 as a NAP client? What about Server 2003 R2?

Thank you for your help!

Dagmar

Netwok Access Problem

Wed, 04 Nov 2009 03:41:53 Z

Hi, all

my domain has been sharing same folder but I can access at my network palce, before that I and my company user can be access. Now I use IP to access from the network?

How to fix this problem.

I am using win 2000 server the PC is second DC.

Printer excemption using 802.1X enforcment

Thu, 28 May 2009 19:22:21 Z

Hi All

I am doing test on 802.1x enforcement. what to know if there is way to wildcard printer and other IP enable devices without OS using the calling station ID feature. as it was disscussed in the following link. http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/cd410b9e-b6ff-4303-b6c0-44030a1adfd0?prof=required. I mananged to use MAC authentication with creating username and password using MAC Address in AD and created policy successfuly and put the printer into the vlan by NPS policy. I want to know if there is other way. As we have over 1000 HP printers and it is lots of work to create that many user names

Thanks

Daniel

Network Access Protection Agent failed to acquire a certificate for the request

Mon, 02 Nov 2009 04:13:47 Z

My network policy server suddenly quit functioning and is issuing thousands of errors (see below). Previously it had been functioning fine. Fortunately I was still in reporting mode. I am using NAP for IPsec.

Event ID: 26 Source: HRA
The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {3C0A1519-6C31-439E-B33E-8EE7BFE21DE8} - 2009-11-01 16:37:29.062Z from https://swopenps.swopeparkwayhc.int/domainhra/hcsrvext.dll. The request failed with the error code (500). This server will not be tried again for 10 minutes.See the HRA administrator for more information.

On the client side

Event ID: 21 Source: NAPAgent
The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {2CB52616-49C5-4CD7-B090-585AE90B4ECB} - 2009-11-02 04:09:06.276Z from https://swopenps.swopeparkwayhc.int/domainhra/hcsrvext.dll.
The request failed with the error code (500). This server will not be tried again for 10 minutes.

When I issue the command "netsh nap client show configuration" from a client I get the following:

NAP client configuration:
----------------------------------------------------

Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Prov
ider, keylength = 2048

Hash algorithm = sha1RSA (1.3.14.3.2.29)

Enforcement clients:
----------------------------------------------------
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Disabled

Name            = Remote Access Quarantine Enforcement Client
ID              = 79618
Admin           = Disabled

Name            = IPSec Relying Party
ID              = 79619
Admin           = Disabled

Name            = Wireless Eapol Quarantine Enforcement Client
ID              = 79620
Admin           = Disabled

Name            = TS Gateway Quarantine Enforcement Client
ID              = 79621
Admin           = Disabled

Name            = EAP Quarantine Enforcement Client
ID              = 79623
Admin           = Disabled

Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled

Ok.

When I issue the command "netsh nap client show grouppolicy" from a client I get the following:

NAP client configuration (group policy):
----------------------------------------------------

NAP client configuration:
----------------------------------------------------

Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Prov
ider, keylength = 2048

Hash algorithm = sha1RSA (1.3.14.3.2.29)

Enforcement clients:
----------------------------------------------------
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Enabled

Name            = Remote Access Quarantine Enforcement Client
ID              = 79618
Admin           = Disabled

Name            = IPSec Relying Party
ID              = 79619
Admin           = Enabled

Name            = Wireless Eapol Quarantine Enforcement Client
ID              = 79620
Admin           = Disabled

Name            = TS Gateway Quarantine Enforcement Client
ID              = 79621
Admin           = Disabled

Name            = EAP Quarantine Enforcement Client
ID              = 79623
Admin           = Disabled

Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled

Trusted server group configuration:
----------------------------------------------------
Group            = HRA Servers
Require Https    = Enabled
URL              = https://swopenps.swopeparkwayhc.int/domainhra/hcsrvext.dll
Processing order = 1

User interface settings:
----------------------------------------------------
Title = Swope Community Enterprises
Description = Network Health Assessment
Image =

Ok.

The command "netsh nap client show configuration" shows IPsec Relying Party as "disabled", whereas the command "netsh nap client show grouppolicy" shows IPsec Relying Party as enabled.

When accessing the trusted server URL from the client's browser I get the message "500 - Internal server error", which from reading other posts normally indicates the ability to connect via SSL.

The clients used to receive the"Health Cetificate", but are no longer receiving the certificates.

Here is my setup:
1 windows 2008 server .DC , Root CA and DNS
1 Windows 2008 server , NPS , HRA , Stand alone SUB
450 plus Windows XP Clients - Joined to the Domain

Any and all assistance is greatly appreciated.

NPS Installation Failure

Wed, 14 Oct 2009 14:50:41 Z

I seem to be having the same issue as here: http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/0571c5a4-5b51-43d9-a77e-26481b799119, but it appears that no clear direction seems to be given. I've tried all the recommendations for security, etc., but still no-go on the install. Every time I try to install NPS on my one 2008 server, it fails and then asks to reboot for the uninstall. The Server Manager log gives the following:
4932: 2009-10-13 19:00:18.423 [CBS]                       ...parents that will be auto-installed: '<none>'
4932: 2009-10-13 19:00:18.439 [CBS]                       ...default children to turn-off: '<none>'
4932: 2009-10-13 19:00:18.501 [CBS]                       ...current state of 'IAS NT Service': p: Staged, a: Staged, s: UninstallRequested
4932: 2009-10-13 19:00:18.501 [CBS]                       ...setting state of 'IAS NT Service' to 'InstallRequested'
4932: 2009-10-13 19:00:18.548 [CBS]                       ...'IAS NT Service' : applicability: Applicable
4932: 2009-10-13 19:01:26.315 [CbsUIHandler]              Initiate:
4932: 2009-10-13 19:01:26.330 [InstallationProgressPage] Installing...
4932: 2009-10-13 19:07:03.215 [CbsUIHandler]              Error: -2147021879 :
4932: 2009-10-13 19:07:03.215 [CbsUIHandler]              Terminate:
4932: 2009-10-13 19:07:03.230 [CBS] Error (Id=0) Function: 'NativeMethods.GetPackageStatus(out status)' failed: 80070bc9 (-2147021879)
4932: 2009-10-13 19:07:03.230 [CBS]                       ...done installing 'IAS NT Service '. Status: -2147021879 (80070bc9)
4932: 2009-10-13 19:07:03.230 [InstallationProgressPage] Verifying installation...
4932: 2009-10-13 19:07:03.261 [Provider]                  Skipped configuration of 'NetworkPolicyServer' because install operation failed.
4932: 2009-10-13 19:07:03.261 [Provider]
[STAT] ---- CBS Session Consolidation -----
[STAT] For
          'NetworkPolicyServer'[STAT] installation(s) took '405.9273872' second(s) total.
[STAT] Configuration(s) took '0.0100242' second(s) total.
[STAT] Total time: '405.9374114' second(s).

The IAS NT Service fails installation. I've added the "Full Control" to the IAS folder, but still no go.

By the way, at one time, I DID have NPS installed on this server, but after I installed 2008 SP2, the NPS service wouldn't start. I uninstalled NPS and tried to re-install but no go. I uninstalled SP2, but I still cannot install the NPS role.

Any help here would be appreciated. This last NPS install is prohibiting me from a full 2008 migration.

Thanks!

NAP 802.1x Enforcement . client xp sp3 can't get automatic ip after manual remedation.

Mon, 26 Oct 2009 08:19:34 Z

Hello!

Server's:
Windows 2008 DC, DHCP, NAP
Windows 2003 CA

Client:
Windows XP SP3

I have followed "Step By Step Guide 802.1x" But i'm having one problem i can't getting ip on resolve manual remedation, need force release/renew to get ip...it's correct?

Thanks,

rixor

NPS & EAP-MD5

Mon, 11 Aug 2008 18:11:17 Z

Hi there,

We are currently working on the deployment of 802.1x enterprise-wide. Since we have some old devices that don't support 802.1x natively, and have a Cisco infrastructure, we decided to go the MAC Authentication Bypass route.

When we tested it prior, we were running Windows 2003 + IAS. The test was flawless, however, it required us to enable Reversable Encryption and relax our password complexity requirements, which was unacceptable. We then decided to upgrade to Windows 2008 to leverage the seperate password/complexity policy requirements based on a user or a group of users.

I've just finished setting that up, and it works perfect. We decided to go with NPS, as it had a bunch of features that were lacking from Windows 2003's IAS (namelly exporting the configuration and being able to import it to our other IAS/NPS servers). We currently run the NPS service on our DC's (two of them for redundancy), however, we can't seem to make the MAC Authentication Bypass work. After some digging, it seems that Microsoft has removed support for EAP-MD5 from Vista/2008. They mention that there are third party EAPHost compliant vendors that 'may' have EAP-MD5 support, but I've been unable to find any.

My question is, has anyone else ran into this problem? If so, how did you go about fixing it. Unfortunately, Cisco only seems to support EAP-MD5 for the MAC Authentication Bypass, we're currently running this on 3560 Catalyst switches. I'd much rather get it working again on our NPS servers, as I don't want to revert back to IAS, as it's a pain to replicate the configurations between more than 1 box.

Thanks!

Warren

remote access quatantine enforcement client problems on windows 7

Sat, 05 Sep 2009 15:43:23 Z

I am running windows 7 rtm and am having trouble with the remote access quarantine client, in fact the client doesn't appear to be on this computer.. when i go to napclcfg.msc the remote access quatantine enforcement client is not listed. If I try to enable it from the command prompt, this is the message I get

C:\Users\whittla>netsh nap client set enforcement ID = 79618 ADMIN = "ENABLE"
Element not found.

set enforcement
[ID = ] id
[ADMIN = ] ENABLE|DISABLE

   Enables or disables enforcement clients. You can specify one or more
   enforcement clients, but you must specify at least one. By default, all
   enforcement clients are disabled.

Id - the identifier for the Quarantine Enforcement Client (QEC).

Examples:

set enforcement ID = 67213 ADMIN = "DISABLE"

And if I run the "NETSH NAP CLIENT SHOW GROUPPOLICY" command I get this result

NAP client configuration:
----------------------------------------------------

Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Prov
ider, keylength = 2048

Hash algorithm = sha1RSA (1.3.14.3.2.29)

Enforcement clients:
----------------------------------------------------
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Disabled

Name            = IPsec Relying Party
ID              = 79619
Admin           = Disabled

Name            = RD Gateway Quarantine Enforcement Client
ID              = 79621
Admin           = Disabled

Name            = EAP Quarantine Enforcement Client
ID              = 79623
Admin           = Enabled

Client tracing:
----------------------------------------------------
State = Enabled
Level = Advanced

Ok.

Which shows that the client isn't even installed. How can I install that client.

Thanks

anonymous access to shares

Wed, 28 Oct 2009 07:17:42 Z

I am sure people have asked this a million times, but i have been unable to find a clear answer.
I took advantage of the trial download of Windows server 2008 R2 and installed it for my small home network. Now i want to make some network drives, but i don't want to send a username. Basically, i want this share to be wide open, to anyone who will be on my network.
For some reason though, i cannot get this to work.

I have added the anonymous user as everyone policy and have tried to add the shares to the list of shares, that allows anonymous. I'm not sure it is correct though.
How do i define the shares in the list?
I have a share called Files which is located at d:\files\
But what do i add to the list? Just Files or D:\files or \\servername\files or something else?

Nicolai Søndergaard LM Glasfiber A/S

Auto configuration of NAP features

Thu, 08 Oct 2009 06:17:33 Z

Dear All,

Thank s for your help.

i have some question for NAP as below -

1. How to configure NAP client setting(certificate installation, HRA autodiscovery settings etc) for client machines from a centralized location (group policy or SCCM).
2.How to set HRA trusted servers on client machine automaticaly.

your kind help will be highly appreciated.

Rakesh Kumar