NAP & VPN Errors

  • Question

  • All - I've been racking my brain for a day or two on this. I'm having an issue with W7 & VPN clients when NAP is enabled on a Win 2008 R2 Enterprise box.

    With EAP enabled my W7 client keeps getting an Error 741: The Local Computer does not support this encryption type. Here's how my W7 machine looks...

    C:\>netsh nap client show grouppolicy

    NAP client configuration (group policy):
    ----------------------------------------------------

    NAP client configuration:
    ----------------------------------------------------

    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048

    Hash algorithm = sha1RSA (1.3.14.3.2.29)

    Enforcement clients:
    ----------------------------------------------------
    Name            = DHCP Quarantine Enforcement Client
    ID              = 79617
    Admin           = Disabled

    Name            = IPsec Relying Party
    ID              = 79619
    Admin           = Disabled

    Name            = RD Gateway Quarantine Enforcement Client
    ID              = 79621
    Admin           = Disabled

    Name            = EAP Quarantine Enforcement Client
    ID              = 79623
    Admin           = Enabled

    Client tracing:
    ----------------------------------------------------
    State = Disabled
    Level = Disabled

    Ok.

    Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Not restricted
    Troubleshooting URL    =
    Restriction start time =
    Extended state         =
    GroupPolicy            = Configured

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79619
    Name                   = IPsec Relying Party
    Description            = Provides IPsec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79621
    Name                   = RD Gateway Quarantine Enforcement Client
    Description            = Provides RD Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and
    VPN technologies.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes

    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent

    Description            = The Windows Security Health Agent monitors security settings on your computer.

    Version                = 1.0

    Vendor name            = Microsoft Corporation

    Registration date      =
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 0
    Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating the security state of this computer.

    Compliance results     =
    Remediation results    =

    Ok.


    If I switch my clients back to MS CHAP v2, I can login fine but nothing happens as far as remediation goes. I really want to see this work...thanks!

    Tuesday, November 10, 2009 7:09 PM
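The `netsh nap client show ...` dump above is the first thing to read when an enforcement client misbehaves, and the useful check is a cross-check: which enforcement clients did Group Policy switch on (the `Enforcement clients` section, `Admin = Enabled`) versus which ones actually came up on the box (the `Enforcement client state` section, `Initialized = Yes`), plus whether the Windows Security Health Agent reports a failure. The following parser and audit is an added example written for this thread, not code from Microsoft or from anyone in the thread. The sample text is a constructed, abridged copy of the poster's output (it deliberately keeps the wrapped `Description` line, which the parser has to re-join); the second sample is a constructed variant in which the EAP enforcement client is enabled by policy but never initialized.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the `netsh nap client show state` output
# in the question (the description wrapped onto a second line is kept on purpose).
SAMPLE = """\
Enforcement clients:
----------------------------------------------------
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Disabled

Name            = EAP Quarantine Enforcement Client
ID              = 79623
Admin           = Enabled

Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Initialized            = No

Id                     = 79623
Name                   = EAP Quarantine Enforcement Client
Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and
VPN technologies.
Initialized            = Yes

System health agent (SHA) state:
----------------------------------------------------
Id                     = 79744
Name                   = Windows Security Health Agent
Initialized            = Yes
Failure category       = None

Ok.
"""

# Constructed variant: the EAP enforcement client is Enabled by Group Policy but
# never initialized on the client. The first "Yes" in SAMPLE is that record.
BROKEN_SAMPLE = SAMPLE.replace("Initialized            = Yes", "Initialized            = No", 1)

SECTION_RE = re.compile(r"^[^=]+:$")  # e.g. "Enforcement clients:" followed by a dashed rule


def parse_netsh_nap(text):
    """Return {section: [record, ...]}; a record is a dict built from 'key = value'
    lines. Blank lines (and the trailing 'Ok.') separate records; a line without
    ' = ' continues the previous value, because netsh wraps long descriptions."""
    sections, section, record, last_key = defaultdict(list), None, {}, None
    lines = [ln.strip() for ln in text.splitlines()]

    def flush():
        nonlocal record, last_key
        if record:
            sections[section].append(record)
        record, last_key = {}, None

    i = 0
    while i < len(lines):
        line = lines[i]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if SECTION_RE.match(line) and nxt.startswith("----"):
            flush()
            section = line[:-1].strip()
            i += 2  # skip the header and its dashed rule
            continue
        if line in ("", "Ok."):
            flush()
        elif " = " in line and section is not None:
            key, _, value = line.partition(" = ")  # first ' = ' only: values may contain '='
            last_key = key.strip()
            record[last_key] = value.strip()
        elif last_key is not None:  # wrapped continuation of the previous value
            record[last_key] += " " + line
        i += 1
    flush()
    return dict(sections)


def _id(rec):
    return rec.get("Id") or rec.get("ID")  # netsh spells the key both ways


def enabled_enforcement_clients(sections):
    """Names of the enforcement clients that policy has switched on."""
    return sorted(ec["Name"] for ec in sections.get("Enforcement clients", [])
                  if ec.get("Admin") == "Enabled")


def audit(sections):
    """Cross-check policy (Admin) against runtime (Initialized) and the SHA.
    Returns [(severity, message)]; an empty list means the client looks sane."""
    findings = []
    state = {_id(r): r for r in sections.get("Enforcement client state", [])}
    for ec in sections.get("Enforcement clients", []):
        init = state.get(_id(ec), {}).get("Initialized")
        if ec.get("Admin") == "Enabled" and init != "Yes":
            findings.append(("error", f"{ec['Name']} is enabled but not initialized"))
    if not enabled_enforcement_clients(sections):
        findings.append(("warn", "no enforcement client is enabled; NAP will not enforce anything"))
    for sha in sections.get("System health agent (SHA) state", []):
        if sha.get("Initialized") != "Yes" or sha.get("Failure category", "None") != "None":
            findings.append(("error", f"SHA {sha.get('Name')} is not healthy"))
    return findings
```

Run it against a saved `netsh nap client show state` capture from a client to get the same kind of report; an enforcement client that is enabled by the NAP client settings GPO but shows `Initialized = No` points at the client side (the agent or the EAP host service) rather than at NPS, which is the first fork in the troubleshooting below.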

All replies

  • What does your NPS configuration look like? Are there corresponding Events on the Server? What EAP method are you trying to use? Is the EapHost service running on the client?

    Have you had a look at the NAP step-by-step guides? There is one for VPN NAP. http://www.microsoft.com/windowsserver2008/en/us/nap-technical-resources.aspx
    Wednesday, November 11, 2009 5:32 PM
  • Thanks for your response Matt.

    Single server setup, can it be done? Yes, I've tried following the step by step guide for NAP 3 times now but still no luck.

    Server side Events are showing

    Event ID 20255
    "The following error occurred in the Point to Point Protocol module on port: VPN3-127, userName: domain\user. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile." etc.

    And a new one that I haven't been getting is now showing up:

    Event ID 6273
    The certificate chain was issued by an authority that is not trusted.

    I'm trying to use Protected EAP (PEAP) per the Step By Step Instructions guide.

    Yes, Extensible Auth Protocol is running on the client.


    Wednesday, November 11, 2009 6:23 PM
  • I reissued a computer cert on the client machine. This is bringing me the same VPN error message, however in the Event logs I'm now getting the following:

    Event ID 6273
    Reason Code 23
    Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log file for EAP errors.


    I restarted EAS service on server and client to no avail. Is the EAP log file the same as the NAP Log Files configured under "Accounting"?
    Wednesday, November 11, 2009 7:18 PM
  • If you are using PEAP-(any method) or EAP-TLS you will need to have a PKI infrastructure in place to provide the necessary certificates. The only EAP method that is not certificate based is EAP-MSCHAPv2 which is password based.

    What do you mean by a single server setup? Is your DC and CA also your NPS server and RAS/VPN server, etc? It is recommended to separate these server roles. Or, do you mean a workgroup server?

    I suspect an issue with your CA/PKI infrastructure due to the event 6273. Have a look here as well as the sub-topics: http://technet.microsoft.com/en-us/library/cc730811.aspx

    Are there any NPS events which could lend further information? Event Viewer -> Custom Views\Server Roles\Network Policy and Access Services

    How are your NPS policies configured? Have you enabled the "Override network policy authentication settings" option in your CRP policy and selected the correct P/EAP methods you wish to use?
    Wednesday, November 11, 2009 7:27 PM
  • I think you were responding while I updated the thread :).

    Yes, single server with DC/CA/RRAS/NPS running...obviously not something for production but waiting for equipment to free up for testing further.

    CA/PKI should be working fine now as I'm no longer getting the certificate chain error but talks about checking EAS issues because I re-enrolled the Computer certificate on the client successfully!

    Connection Request Policies include just a single entry:

    NAP VPN
    Overview
    -> Policy Enabled
    -> Remote Access Server (VPN-Dial up)
    Conditions
    -> NAS Port Type  Virtual VPN
    Settings
    -> Override network policy authentication settings
    -> EAP Types: Microsoft Protected EAP (PEAP)

    If I click edit on the EAP Type I can see the Root Certificate Authority cert and "Enforce Network Access Protection" is selected.
    EAP types is set to Secured Password (EAP-MSCHAP v2)


    Under Less secure Authentication methods:
    -> Microsoft Encrypted Authentication version 2 (MS-CHAP-V2) is selected
    -> User can change password after it has expired is also selected


    Nothing other than the access denied logs I was getting earlier the only difference is the Reason:

    An error occurred during the Network Policy Server use of the Extensible Authentication protocol (EAP). Check EAP log files for EAP errors.

    FYI - If I disable EAP I can VPN in fine...
    Wednesday, November 11, 2009 7:44 PM
  • I just tried this using VMs and was able to get VPN NAP to work using a single server setup, so it is possible. This is most likely a configuration issue somewhere.

    Have you configured everything mentioned in the VPN NAP step-by-step guide (Active Directory Certificate Services, RRAS, Group Policy management, NAP Client Computers security group, NAP Client Settings GPO, client VPN connection settings, etc.)?

    When configuring the RRAS service and the wizard comes to the "Managing Multiple Remote Access Servers" portion, select "No, use Routing and Remote Access to authenticate connection requests". RRAS communicates with the local NPS instance via an IPC mechanism. The other option will actually configure the local NPS instance to proxy to another RADIUS server (which is what you want when your RRAS and NPS servers are different).

    Disable the CRP in NPS that RRAS creates and use the NAP wizard to configure NPS for VPN NAP. You don't need to configure any RADIUS clients in the wizard when the requests come in from RRAS using the IPC mechanism. Make sure that the CRP policy is configured to use PEAP-EAP-MSCHAPv2 and that the PEAP certificate selected is a "Client Authentication, Server Authentication" certificate issued by your Root CA. Following the step-by-step guide, my PEAP configuration read "Certificate issued <machine name>.contoso.com".

    I did not need to enroll any certificates on the client but it was joined to the domain and in the NAP Client Computers security group.

    Thursday, November 12, 2009 1:57 AM
  • Matt -

    Thanks for going through all that work just to verify it works. That's pretty awesome and really appreciated.

    As for now, it's ALMOST working but with an interesting caveat when I first connect (subsequent connection attempts do not show this message):

    "Windows Security Alert"

    The connection attempt could not be completed

    The credentials provided by the server could not be validated. We recommend that you terminate the connection and contact your administrator with the information provided in the details. You may still connect but doing so exposes you to a security risk by a possible rogue server.

    Detail
    Radius Server:  myallinoneserver.contoso.net
    Root CA:        Root Certificate Authority

    The server "myallinoneserver.contoso.net" presented a valid certificate issued by "Root Certificate Authority", but "Root Certificate Authority" is not configured as a valid trust anchor for this profile.

    I have the option to Terminate or Connect. When I choose Connect everything works fine and it performs health checks as it's supposed to etc...and I don't get prompted again when reconnecting. But this happens on first connect every time.

    The step by step guide shows to install a CA, then issue a Root CA certificate during install. Then subsequently make sure the Radius server has a machine certificate issued. I went ahead and did that as well even though it's all in one machine. Finally, I issued a Computer certificate to the client machine (jonaldo9.contoso.net).

    Also, if I look at my CRPs, I have one for NAP VPN properties. When I look at what's going on with the auth type it shows multiple certificates to choose from in the Certificate issued. When I choose "Root Certificate Authority" and then attempt a connection is when I get the Error 741. When I choose the other Certificate Issued, which is myallinoneserver.contoso.net, my client gets the "Windows Security Alert" message at the top of this response.

    Not sure where I'm going wrong here...many thanks in advance.
    Thursday, November 12, 2009 6:14 PM
  • Glad to see you have things working. For the certificate validation prompt, check these settings:

    VPN connection properties -> Security tab -> make sure you have selected "Use Extensible Authentication Protocol (EAP)" and that "Microsoft: Protected EAP (PEAP) (encryption enabled)" is chosen in the drop-down menu, and then click on the "Properties" button.

    If "Validate server certificate" is selected, make sure "Root CA" is selected under "Trusted Root Certification Authorities".
    • Marked as answer by Miles Zhang Tuesday, November 17, 2009 9:24 AM
    Thursday, November 12, 2009 6:54 PM
  • I also verified the Certificate Issued on the CRP is indeed a Client Authentication, Server Authentication cert.

    Thursday, November 12, 2009 7:02 PM
  • Interesting, that seems to solve the issue!

    I guess my next question would be is that Windows Security Alert expected then? The guide states:

    You are presented with a Validate Server Certificate window the first time this VPN connection is used. Click View Server Certificate, and verify Certificate Information shows that the certificate was issued to nps1.contoso.com by Root CA. Click OK to close the Certificate window, and then click OK again.

    Seems to be a different dialog than what I'm seeing on first connect...
    Thursday, November 12, 2009 7:54 PM
  • I think the step-by-step guide is just a bit out of date and the Validate Server Certificate dialogs are because of the same thing.
    • Marked as answer by Miles Zhang Tuesday, November 17, 2009 9:24 AM
    Monday, November 16, 2009 7:13 PM
  • Great, thanks a lot, this is very helpful information.
    Thursday, December 3, 2009 11:36 PM