Issues with NPS, computer certificate, and local admin account

  • Question

  • I am having an issue trying to implement 802.1x for wired connections. We have a Windows 2003 domain level. Our DHCP and AD are on 2003. I set up a Windows 2008 server. The 2008 server is running AD CS enterprise level and NPS. We have Alcatel 6200 switches. I worked with Microsoft to make sure our PKI was functioning correctly. What Microsoft had me do was create a connection policy for just time of day (any day/any time) with EAP MSChap. We deployed the computer certificate using GP and confirmed that the certificate is installed. What we want to happen is this. If a computer boots up and has a valid certificate then it is a college owned computer (either office or lab computer) and we want to place it in the default VLAN (student VLAN). If it does not have a certificate, it will get placed in a guest VLAN since it is probably a student's home laptop. Then when the user logs in, it will look at what AD group they belong to. If it is a staff login, it will move them to the Staff VLAN. If it is a student login being used on a college owned computer, it will move them into the Student VLAN. The group based seems to be working ok. If I login as a staff, I get the staff VLAN. We see it on the switch and I get an IP in that VLAN. If I log off and log back in as a student, I see the switch telling me that I am in the Student VLAN but I still have a Staff IP until I do a release and renew. Then it gets a student IP. So that is problem one. The other problem we are seeing with our setup is that if we have to log in as the local admin, we get no IP. NPS says that the host\computer name is granted full access when the computer boots up but as soon as you login as the local admin, I get an error saying that there is no domain controller available for "computer name". I have 2 network policies set up. The first is group based looking for the staff group. The other is just time of day. Again, any day and any time.
    The Staff policy sends the attribute of VLAN 4 for the Staff VLAN. Again, that works and that is what Alcatel told us to send. I tried sending the attribute 5 for VLAN 5 for students in the second policy. I figured that if a student logged in, it would see that they did not match the first policy (Staff) and do the second policy. Am I correct in my thinking that the connection policy has already taken place and passed because if it had not, it would not even look at the network policy? I guess I am just not sure what or how many policies I need. My connection policy is doing day/time because we could not get anything else to work. If we tried to set Port Type to ethernet, we always failed. This was while we were working with Microsoft. Our clients are running Windows XP SP3. We tried it without the second network policy. We tried changing the order of network policies. Nothing seems to work for the local admin and we need to figure out why we are not changing IPs based on the new VLAN unless we release and renew. Any direction would be greatly appreciated. I am not at work right now but I can post some logs. I am just learning NPS so if you need anything besides a copy/paste of event viewer, you might have to detail the steps.
    Joe M
    Thursday, June 11, 2009 2:33 AM
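The "attribute of VLAN 4" that the Staff policy sends is carried in the RADIUS Access-Accept as three tagged tunnel attributes. The Python below is an added example written for this thread, not code from the original post, from Microsoft NPS or from Alcatel; the attribute numbers and values are those of RFC 2868 (Tunnel-Type 64 with value 13 = VLAN, Tunnel-Medium-Type 65 with value 6 = IEEE-802, Tunnel-Private-Group-ID 81 carrying the VLAN id as a string), and the function names are my own. It builds the attribute set for a VLAN id and parses one back, refusing a set that is incomplete, carries a non-VLAN tunnel type, or whose tags disagree, which is the check one wants before trusting a VLAN assignment seen in a capture or in a RADIUS server's reply.

```python
"""Encode/decode the RFC 2868 tunnel attributes that carry an 802.1X VLAN assignment.

Added example for this thread; not NPS, Alcatel or HP code. Attribute numbers
and values are from RFC 2868; everything else (names, sample ids) is constructed.
"""
import struct

TUNNEL_TYPE = 64                 # RFC 2868, tagged integer
TUNNEL_MEDIUM_TYPE = 65          # RFC 2868, tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81     # RFC 2868, tagged string
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6       # Tunnel-Medium-Type value meaning IEEE-802


def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte) | Length (1 byte, includes header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a RADIUS AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vlan_assignment(vlan_id: int, tag: int = 1) -> bytes:
    """Return the three AVPs a RADIUS server sends to place the port in `vlan_id`."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tags are 0..31")

    def tagged_int(v: int) -> bytes:
        # Tagged integer: one tag byte followed by a 3-byte big-endian value.
        return bytes([tag]) + v.to_bytes(3, "big")

    group = bytes([tag]) + str(vlan_id).encode("ascii")   # tagged string: tag + digits
    return (_avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + _avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, group))


def parse_avps(data: bytes):
    """Yield (type, value) pairs from concatenated AVPs, rejecting malformed lengths."""
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[i + 2:i + length]
        i += length


def decode_vlan_assignment(data: bytes):
    """Return the VLAN id if `data` holds a complete, consistent VLAN assignment, else None."""
    found = {}
    for attr_type, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be exactly 4 bytes")
            found[attr_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte in 0x00..0x1F is a tag; anything else is untagged text.
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            found[attr_type] = (tag, text.decode("ascii", errors="replace"))
    if not all(k in found for k in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None                                       # incomplete set
    (ttag, ttype), (mtag, medium), (gtag, group) = (
        found[TUNNEL_TYPE], found[TUNNEL_MEDIUM_TYPE], found[TUNNEL_PRIVATE_GROUP_ID])
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return None                                       # not an 802 VLAN assignment
    if not (ttag == mtag == gtag):
        return None                                       # tags must group the three together
    if not group.isdigit():
        return None                                       # switches expect the id as digits
    return int(group)


if __name__ == "__main__":
    blob = encode_vlan_assignment(4)                      # the Staff VLAN from the question
    print(blob.hex(), "->", decode_vlan_assignment(blob))
```

Only the third attribute names the VLAN; the first two say what kind of tunnel it is, and the shared tag is what ties the three together when a reply carries more than one set.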

Answers

  • Hi,

    Some of the requirements you have such as logging onto the same computer with different user accounts will entail specifying settings for machine or user authentication. See this thread for more information about these settings.

    To summarize, there are two problems:


    1) After switching VLANs, the computer isn't getting an address from the new DHCP scope.

    - If I login as a staff, I get the staff VLAN. We see it on the switch and I get a IP in that VLAN. If I log off and log back in as a student, I see the switch telling me that I am in the Student VLAN but I still have a Staff IP until I do a release and renew. Then it gets a student IP. So that is problem one.

    2) When logging in as local admin the computer doesn't get an IP address.

    - ...if we have to log in as the local admin, we get no IP. NPS says that the host\computer name is granted full access when the computer boots up but as soon as you login as the local admin, I get an error saying that there is no domain controller available for "computer name"

    You also have a question -

    Q: Am I correct in my thinking that the connection policy has already taken place and passed because if it had not, it would not even look at the network policy?
    A: Yes. If the connection request policy fails then processing of network policy doesn't take place.

    First of all, the authentication method you have set up doesn't sound right to me. You should be using a secure authentication method for 802.1X such as PEAP. You can use the certificate authentication you described by configuring PEAP-TLS (smart card or other certificate). See the 802.1X deployment guide for details.

    To address the two problems -

    1) What is the client OS (XP SP2, XP SP3, or Vista)? This could be related to a couple of registry keys, namely DhcpGlobalForceBroadcastFlag or DhcpConnEnableBcastFlagToggle.

    2) I assume this is failing authentication and disabling the switch port. Can you confirm this? To prevent this, I think you only need to enable a guest setting on the port.

    -Greg

    Wednesday, June 24, 2009 9:53 PM

All replies

  • The Microsoft supplicant cannot detect a change at the switch as the change from one VLAN to another doesn't drop the connection. Don't change any of your configuration settings, just try a different supplicant.
    Try the Cisco SSC client, you can download a free version from the Cisco website. That is what I did to overcome the limitations of the native Windows supplicants.

    It seems that most of these "niggling" issues are addressed in Windows 7...but that's not really an answer :)
    Friday, June 12, 2009 9:16 PM
  • Greg,

    I'm not sure if you read your old posts but based on your answer to this question can I assume there is no way to have a machine go into a "guest" VLAN within NPS?  It sounds to me like you have to do this at the switch level.

    Gunnar
    Thursday, September 17, 2009 6:46 PM
  • Hi Gunnar,

    When you enable the "guest" VLAN option on a switch port (via the switch config) this changes the behavior of computers that do not respond to the 802.1X authentication request. Instead of shutting down the port, the computer is moved to a VLAN you specify. In this scenario, there are no credentials sent from the client and subsequently forwarded to NPS, so it isn't possible for NPS to change the VLAN.

    However, you can create another kind of guest VLAN by creating a guest user account in AD. In this case, you can send all users that authenticate with guest credentials to a special VLAN. The guest computers would need to have 802.1X authentication configured. This isn't the same thing as what is typically referred to as a "guest" VLAN on a switch.

    -Greg
     
    Thursday, September 17, 2009 7:20 PM
  • My goal (and I'm having a heck of a time pulling it off) is that if you don't authenticate, or authentication fails, you move to a specified VLAN.  I'm having the same issue that this thread has, if I log in as the local admin I don't get an IP.  If I log in as a domain user it works fine.  I just want a catch all, so if something doesn't work right at least the computer gets an IP but it'll get it from the "guest" VLAN.  I know how to put someone in a specific VLAN, but it seems like no matter what rules I set in the policy, when I look at the log it continues to look at that local admin account and state that no DC is available for <the computer name>.  It's occurring to me that unless you are an AD account NPS just doesn't work, but that can't be right because there are so many conditions outside of using an AD UserGroup/WorkstationGroup.

    Let's say, for simplicity's sake, I want one policy, no matter what you are you go to a certain VLAN.  I setup a policy called EVERYTHING and set the condition to Day and Time of ALL DAY, allowed.  When I look at the logs all I see is <COMPUTERNAME>\<LOCALADMIN> and the computer doesn't get an IP.  This doesn't make sense to me because my policy is wide open.
    Thursday, September 17, 2009 8:10 PM
  • Hi Gunnar,

    Are you saying that when you create the Day and Time policy that the local admin account login matches this policy, or doesn't match the policy?

    If it matches the policy, is VLAN getting applied on the port? You can usually check this using "show vlan" or a similar command on the switch.

    If the computer doesn't get an IP address, it is usually because: A) line protocol on the port is down (authentication was tried and failed) or B) the DHCP server is unreachable from the VLAN that is assigned or C)  a DHCP request/renew problem common with XP computers and VLAN switching.

    I am thinking that the first possibility is most likely in your case.

    -Greg
    Thursday, September 17, 2009 8:28 PM
  • Yes, the first one is my case, it shows authentication failure.  On the server it shows the denied message "Network Policy Server denied access to a user." Reason: "The specified domain does not exist."  This drives me nuts because my policy isn't even looking at the domain (well it's not supposed to).  I also noticed something very strange on the switch debug log:

    802.1x: 1 auth-failures for the last 60 sec.
    radius: Can't reach RADIUS server x.x.x.x

    Now this is weird because this error only occurs when I log in locally, when I log in using domain credentials it works without issue.  I'm thinking this error is just poor coding on HP's part (I'm using HP switches), because I can see the NAP server respond to the client with a denial, the moment the denial is sent to the switch is when I see the "can't reach RADIUS server..." error.  So my guess here is that if you are denied by the RADIUS that this error message is just what HP shows, which isn't helpful but I have no other explanation for it.  It's not like I'm changing my switch config between logins.

    Also, I notice that after this error the port that the offending workstation is plugged into goes to no VLAN.  Which makes sense because I'm using 802.1x for enforcement, and if you are denied I'd assume you wouldn't go to any VLAN.  However, this is why I want to create a catchall policy, I want a policy created that doesn't really care who or what you are, if you are plugging into my network you would "authenticate" and would be sent to a specific VLAN.  My EVERYTHING policy I describe is meant to do this but isn't working.

    The reason I started asking about Guest VLAN is because of other posts like this:

    http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/ba2ce768-4ade-4e20-a7cc-9610c519fe4b

    It seems to me that if you can't authenticate to the NPS server you have to have a guest VLAN.  I just don't understand what the NPS server uses for authentication if my policy isn't looking at the AD credentials, what is?

    My hunch is that this is something on the client side.
    Friday, September 18, 2009 12:49 PM
  • Hi,

    If you are logging into the local machine, you aren't logging into the domain - so it makes sense that the switch would deny you access to domain resources. If it didn't do this, then someone could get access to the local area network by simply plugging in a machine they configured with a local admin account. That wouldn't be very secure.

    The reason you are not going to a guest VLAN is because you are attempting 802.1X authentication. In other words, you are asking for access to the domain, but not providing the correct credentials.

    There is a way to configure it so that you can provide domain user credentials for 802.1X authentication when not logging directly into the domain. You need to configure the client so that it doesn't automatically send the username and password (which in the case of a local machine logon will be invalid for the domain). Click the authentication tab of your local area connection properties, click the settings button for Protected EAP, and then click Configure under Select Authentication Method. If you are using EAP-MSCHAP v2 here you'll see a check box for "Automatically use my Windows logon name and password." Remove the check that is in this check box and save the settings.

    Now, when you attempt 802.1X authentication you should see a popup that says "Additional information is required to connect to the network" which you can click to provide domain credentials. If you fail to provide these credentials, line protocol on the port should go down. If you attempt to do this same sort of thing from a machine that is not domain joined, you'll need to also configure the computer to trust the domain Root CA so that it trusts the NPS certificate for PEAP authentication. This can be done by importing the Root CA certificate.

    I hope this helps,
    -Greg
    Friday, September 18, 2009 9:34 PM
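The marked answer states the ordering (a failed connection request policy means network policies are never evaluated) and the reply above explains why a wide-open day-and-time policy still rejects a local-machine logon: the identity has to be authenticated as a domain account before any network policy can grant access. The Python below is an added example written for this thread, not NPS code or anything from Microsoft; it is a simplified model of that pipeline (no EAP exchange, no constraints stage). The domain COLLEGE, the accounts, their groups and the rejection strings are constructed sample data, and the rejection text is modelled on the event text quoted in the thread rather than on NPS reason codes. It shows a staff account landing in VLAN 4, a student or computer account falling through to the second policy's VLAN 5, COMPUTERNAME\Administrator being rejected before any policy is consulted, and the effect of swapping the policy order.

```python
"""Simplified model of NPS request processing: connection request policy ->
authenticate the identity as a domain account -> network policies in order,
first match wins and supplies the VLAN.  Added example for this thread; not NPS
or Microsoft code.  All domain, account and group names are constructed."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional

# Constructed sample directory: domain -> {account -> groups}.
DIRECTORY = {
    "COLLEGE": {
        "jsmith": frozenset({"Domain Users", "Staff"}),
        "astudent": frozenset({"Domain Users", "Students"}),
        "LAB01$": frozenset({"Domain Computers"}),   # computer account used at boot
    }
}


@dataclass
class Request:
    identity: str                  # as sent by the supplicant: "COLLEGE\\jsmith", "LAB01\\Administrator"
    port_type: str = "ethernet"    # NAS-Port-Type as the switch reports it


@dataclass
class Policy:
    name: str
    matches: Callable[[Request, FrozenSet[str]], bool]   # the policy's conditions
    vlan: Optional[int] = None     # VLAN returned on match; None = no VLAN attribute


@dataclass
class Decision:
    accepted: bool
    reason: str
    vlan: Optional[int] = None


def split_identity(identity: str):
    """'DOMAIN\\user' -> ('DOMAIN', 'user'); a bare name has no realm."""
    realm, sep, account = identity.partition("\\")
    return (realm, account) if sep else (None, identity)


def authenticate(identity: str):
    """Return (groups, '') for a known domain account, else (None, reason)."""
    realm, account = split_identity(identity)
    if realm is None or realm.upper() not in DIRECTORY:
        # A local-machine logon sends COMPUTERNAME\user; that realm is not a domain NPS can query.
        return None, "The specified domain does not exist."
    groups = DIRECTORY[realm.upper()].get(account)
    if groups is None:
        return None, "The specified user account does not exist."
    return groups, ""


def evaluate(req: Request, connection_request_policies: List[Policy],
             network_policies: List[Policy]) -> Decision:
    # 1. A connection request policy must match, or nothing further is evaluated.
    if not any(p.matches(req, frozenset()) for p in connection_request_policies):
        return Decision(False, "no connection request policy matched; network policies not evaluated")
    # 2. Conditions such as day-and-time never replace authentication of the identity.
    groups, err = authenticate(req.identity)
    if groups is None:
        return Decision(False, err)
    # 3. Network policies in order; the first whose conditions match decides and supplies the VLAN.
    for p in network_policies:
        if p.matches(req, groups):
            return Decision(True, f"matched network policy '{p.name}'", p.vlan)
    return Decision(False, "no network policy matched")


# The policy set the question describes: a day/time connection request policy, a
# group-based Staff policy returning VLAN 4, and a wide-open second policy returning VLAN 5.
ANY_DAY_ANY_TIME = Policy("Any day, any time", lambda req, groups: True)
STAFF = Policy("Staff", lambda req, groups: "Staff" in groups, vlan=4)
FALLBACK = Policy("Everything else", lambda req, groups: True, vlan=5)


def decide(identity: str, network_policies: Optional[List[Policy]] = None) -> Decision:
    """Run one identity through the modelled pipeline with the thread's policy set."""
    return evaluate(Request(identity), [ANY_DAY_ANY_TIME], network_policies or [STAFF, FALLBACK])


if __name__ == "__main__":
    for ident in ("COLLEGE\\jsmith", "COLLEGE\\astudent", "COLLEGE\\LAB01$", "LAB01\\Administrator"):
        d = decide(ident)
        print(f"{ident:22} accepted={d.accepted!s:5} vlan={d.vlan} ({d.reason})")
```

Reordering the network policies so the wide-open one comes first sends staff to VLAN 5 as well, which is why "first match wins" has to be kept in mind when a catch-all policy is added; and no ordering changes the outcome for the local account, because it never reaches the network policies.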
  • Thanks Greg,

    It does help but... then again it doesn't.  I'm going to have a lot of devices plugged in that will not be a member of the domain, for instance, printers.  Based on your post, it sounds to me like unless the printer was able to send a username/password it would never be able to access the network.  This can't possibly be the case.  There has to be a way to allow non-authenticated users to be moved into a specific VLAN.

    Gunnar
    Monday, September 21, 2009 2:22 PM
  • Hi Gunnar,

    Printers often use a certificate to provide domain credentials. Or, you can put them on a port that is unauthenticated. The only time there is a problem is if you attempt a domain login without a domain account.

    -Greg
    Monday, September 21, 2009 3:31 PM
  • I'll look into the certificate thing, I have not yet.  We were able to find a command on the HP ProCurve to move un-authorized people into a separate VLAN:

    aaa port-access authenticator 1-48 unauth-vid <ID>

    This will work for me for the most part, but I'd still like to take NAP and have it use other references for authentication.  I understand why it doesn't, but it doesn't change that I need it to.

    Maybe that certificate thing will work for my terminal devices?  Can you send me a link where I can learn more about that?  Thanks again for all your help.

    Monday, September 21, 2009 4:06 PM
  • Hi Gunnar,

    802.1X and terminal device access is outside my area of expertise, so I really can't provide good advice. I recommend you look at the support information for each device and see if it can do 802.1X. If not, you might want to try a MAC address based exemption. You might find this reference helpful: http://www.hp.com/rnd/pdf_html/guest_vlan_paper.htm since you are using an HP switch. I wish I could be of more help.

    -Greg

    Monday, September 21, 2009 4:27 PM