802.1x NAP for Wired and Wireless, using VLAN switching

  • Question

  • Hello. We're having a bit of a fight with our new setup of NAP enforcement on Wireless.
    (Phew, I hope this isn't too much info - sorry for the lengthy post).

    Configuration overview:
    • Server 2008 NPS, AD and PKI
    • Windows XP SP3 clients (only). No Vista.
      Computer certificates only (user domain is another trusted domain, with no PKI yet).
    • 3 VLANs: Guest + Remediation + Internal
    -------------------

    So far we have 2 scenarios working:
    • Wireless 802.1x only, no NAP - VLAN tag only
      802.1x authentication, Smartcard or other certificates - Computer certificates only (AuthMode 2, SupplicantMode 3). Authenticates as expected.
      GPOs from the 2008 DC are assigning all necessary settings for enabling all the services and config for the Windows XP clients.
    • Wired 802.1x with NAP/VLAN tags
      Using Protected EAP and NAP. Authentication and NAP works as expected.
      GPOs are pushing the Wired config to the Win XP clients.

    -------------------

    Not working: Wireless 802.1x with NAP/VLAN tags

    The problem seems to arise when we're trying to enable NAP on Wireless - switching from "Smartcard or other certificate" to "Protected EAP" in the CRP.
    I've made a separate Wireless CRP - which the client is using, according to the NPS/IAS logs.
    The reason for the separate CRP is that we already have a limited pilot production environment - but that's on "802.1x without NAP", as well as "Wired 802.1x with NAP".
    So for now, 3 CRPs:
    1. "WLAN 802.1x" (no NAP/PEAP - only Smartcard/Certificates)
    2. "Ethernet 802.1X Wired".
    3. "TEST WLAN 802.1x NAP"

    The CRPs are assigned as expected, according to the logs.

    However - we're not able to make any match with the Network Policy.
    The same policies that are able to trap WIRED clients are not trapping WIRELESS clients.
    Health policies:
    1. NAP 802.1X (Wired) Compliant
    2. NAP 802.1X (Wired) Noncompliant

    Using WIRED 802.1x NAP and VLAN switching according to SoH works - alongside Wireless with 802.1x Authentication.
    Both methods use the computer certificate.

    Also, keep in mind - the VLAN for the Wired and Wireless is the same VLAN.
    a) GUEST, VLAN ID 10, WIRED: Assigned for "Auth-Fail" and "Default VLAN" on the Cisco switch.
    b) GUEST, WIRELESS: Doesn't exist / nothing assigned. (Guest WLANs / public network - other SSID)
    c) Remediation, VLAN 20, Wired and Wireless network
    d) Internal, VLAN 30, Wired and Wireless network

    Network policies (simplified):
    1. "802.1X Wired - NAP Compliant - VLAN30"
     Condition: Health Policy = "NAP 802.1X (Wired) Compliant" AND Windows Group:"MYDOM\_computers_VLAN30"

    2. "802.1X Wired - NAP Compliant - VLAN31"
     Condition: Health Policy = "NAP 802.1X (Wired) Compliant" AND Windows Group:"MYDOM\_computers_VLAN31"

    3. "802.1X Wired - NAP Noncompliant - ANY - VLAN20"
     Condition: Health Policy = "NAP 802.1X (Wired) Noncompliant"

    4. "802.1x WLAN - VLAN30"
     Condition: NAS Port type: "Wireless IEEE 802.11 OR Wireless Other" AND Windows Group:"MYDOM\_computers_VLAN30"

    5. "802.1x WLAN NAP Test"
     Condition: Health Policy = "NAP 802.1X (Wired) Compliant"

    6. "Others - DENY"
     Condition: Day and time restriction: All Week.

    Last bit of information, I've added a "Other - DENY DENY DENY" with condition "24/7" at the bottom of the NPS rulelist.
    Wireless NAP clients are trapped by this rule if it is enabled. If the rule is disabled, they will try to reauthenticate over and over again, every minute.

    Failed WLAN connection, IAS entry (data has been changed for my protection):
    "MYRADIUS","IAS",09/24/2008,18:23:31,1,"host/MYTESTPC5005","MYDOMAIN.LOCAL/RES/Computers/Laptops/MYTESTPC5005","0013.c345.3300", "0018.debf.0f49",,,,"99.0.88.77",4700,0,"99.0.88.77","wlancontroller05",,,19,,,1,11,"Others - DENY",0,"311 1 2002:d9ad:fcea::d9ad:fcea 09/17/2008 13:21:42 31277",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"TEST WLAN 802.1x NAP",1,,,,
    "MYRADIUS","IAS",09/24/2008,18:23:31,11,,"MYDOMAIN.LOCAL/RES/Computers/Laptops/MYTESTPC5005",,,,,,,,0,"99.0.88.77", "wlancontroller05", ,,,,,,11,"Others - DENY",0,"311 1 2002:d9ad:fcea::d9ad:fcea 09/17/2008 13:21:42 31277",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"TEST WLAN 802.1x NAP",1,,,,


    Working WIRED entry, from the same client, IAS:
    "MYRADIUS","IAS",09/24/2008,18:24:13,1,"host/MYTESTPC5005","MYDOMAIN\MYTESTPC5005$","00-19-2F-4E-68-1D","00-16-D4-4C-3B-98", ,,,"99.0.99.199",50025,0,"99.0.99.199","lancontroller65",,,15,,,2,11,"802.1X Wired - NAP Compliant - VLAN30",0,"311 1 2002:d9ad:fcea::d9ad:fcea 09/17/2008 13:21:42 31298",,,,"Microsoft: Smart Card or other certificate",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Ethernet 802.1X Wired",1,,,,
    "MYRADIUS","IAS",09/24/2008,18:24:13,2,,"MYDOMAIN\MYTESTPC5005$",,,,,,,,0,"99.0.99.199","lancontroller65",,,,,1,2,11, "802.1X Wired - NAP Compliant - VLAN30",0,"311 1 2002:d9ad:fcea::d9ad:fcea 09/17/2008 13:21:42 31298",,,,"Microsoft: Smart Card or other certificate",,,,,,,,,,,,,,13,6,,,,"9",,,,,,,,,,,"Ethernet 802.1X Wired",1,,,,



    Working WLAN, 802.1x only:
    "MYRADIUS","IAS",09/24/2008,16:11:11,1,"host/TESTPC8811.MYDOMAIN.LOCAL","MYDOMAIN.LOCAL/RES/Computers/Laptops/TESTPC8811", "001e.4a32.0410","001c.bf29.4c76",,,,"99.0.88.77",66273,0,"99.0.88.77","wlancontroller05",,,19,,,1,5,"802.1x WLAN - VLAN30", "311 1 2002:d9ad:fcea::d9ad:fcea 09/17/2008 13:21:42 14014",,,,"Microsoft: Smart Card or other certificate",,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,"WLAN 802.1x",1,,,,
    "MYRADIUS","IAS",09/24/2008,16:11:11,2,,"MYDOMAIN.LOCAL/RES/Computers/Laptops/TESTPC8811",,,,,,,,0,"99.0.88.77", "wlancontroller05", ,,,,,,5,"802.1x WLAN - VLAN30",0,"311 1 2002:d9ad:fcea::d9ad:fcea 09/17/2008 13:21:42 14014",,,,"Microsoft: Smart Card or other certificate",,,,,,,,,,,,,,13,6,,,,"9",,,,,,,,,14,2,"WLAN 802.1x",1,,,,


    --------------------------------------------------------------------

    Summary:
    1. 802.1x Wireless without NAP, authenticates and assigns VLAN correctly through the NPS.
    2. 802.1x Wired with NAP, authenticates and assigns VLAN correctly through the NPS. Changes in Statement of Health is working correctly.
    3. 802.1x Wireless with NAP isn't trapped by the Network Policy rulesets, client never gets an assigned VLAN and fails to connect.

    How can this be? The client delivers its health correctly through the wired at the same moment as it tries to act on the wireless.
    The wired accepts the health status, traps it with RULE 1 or 2 according to its Windows group.
    The wireless just ignores the health status and is getting trapped by RULE 6. (Again, if RULE 6 is disabled - it's trying to authenticate over and over again).

    Sorry that I can't post any logs just yet - we're still in the process of gathering all the data we need - but I just wanted to run this by the forum to see if someone had an idea why 802.1x NAP Enforcement on Wireless isn't trapped by the network policy. :)



    Sincerely, Jon E. Carlsen
    Wednesday, September 24, 2008 5:17 PM
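Added example (not part of Jon's post, not a Microsoft tool): a small Python parser for IAS-format lines like the ones above. It assumes the standard IAS-format column order that Microsoft documents for IAS/NPS logging (Packet-Type in column 5, NAS-Port-Type in 20, Authentication-Type in 24, Policy-Name in 25, Reason-Code in 26, Class in 27, EAP-Friendly-Name in 31, the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Pvt-Group-ID VLAN attributes in 45/46/50 and Proxy-Policy-Name in 61), and it pairs each request with its response through the RADIUS Class attribute, which NPS stamps on every line of one authentication conversation. The embedded sample is the failing wireless pair and the working wired pair exactly as Jon posted them (already anonymised by him); the value mappings for packet type, NAS-Port-Type and authentication type are the standard RADIUS/IAS codes.

```python
import csv
from collections import OrderedDict

# 1-based column numbers in NPS/IAS "IAS format" log lines.
# Assumption: the standard IAS-format attribute order documented for IAS/NPS.
COLUMNS = {
    "packet_type": 5, "user_name": 6, "fqdn": 7, "client_friendly_name": 17,
    "nas_port_type": 20, "auth_type": 24, "policy_name": 25, "reason_code": 26,
    "class": 27, "eap_friendly_name": 31, "tunnel_type": 45,
    "tunnel_medium_type": 46, "tunnel_pvt_group_id": 50, "proxy_policy_name": 61,
}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "11": "Access-Challenge"}
NAS_PORT_TYPES = {"15": "Ethernet", "18": "Wireless-Other", "19": "Wireless-802.11"}
AUTH_TYPES = {"5": "EAP", "11": "PEAP"}

# Sample input: the four lines from the post above (failing wireless
# request + challenge, then the working wired request + accept).
SAMPLE_LOG = r'''
"MYRADIUS","IAS",09/24/2008,18:23:31,1,"host/MYTESTPC5005","MYDOMAIN.LOCAL/RES/Computers/Laptops/MYTESTPC5005","0013.c345.3300", "0018.debf.0f49",,,,"99.0.88.77",4700,0,"99.0.88.77","wlancontroller05",,,19,,,1,11,"Others - DENY",0,"311 1 2002:d9ad:fcea::d9ad:fcea 09/17/2008 13:21:42 31277",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"TEST WLAN 802.1x NAP",1,,,,
"MYRADIUS","IAS",09/24/2008,18:23:31,11,,"MYDOMAIN.LOCAL/RES/Computers/Laptops/MYTESTPC5005",,,,,,,,0,"99.0.88.77", "wlancontroller05", ,,,,,,11,"Others - DENY",0,"311 1 2002:d9ad:fcea::d9ad:fcea 09/17/2008 13:21:42 31277",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"TEST WLAN 802.1x NAP",1,,,,
"MYRADIUS","IAS",09/24/2008,18:24:13,1,"host/MYTESTPC5005","MYDOMAIN\MYTESTPC5005$","00-19-2F-4E-68-1D","00-16-D4-4C-3B-98", ,,,"99.0.99.199",50025,0,"99.0.99.199","lancontroller65",,,15,,,2,11,"802.1X Wired - NAP Compliant - VLAN30",0,"311 1 2002:d9ad:fcea::d9ad:fcea 09/17/2008 13:21:42 31298",,,,"Microsoft: Smart Card or other certificate",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Ethernet 802.1X Wired",1,,,,
"MYRADIUS","IAS",09/24/2008,18:24:13,2,,"MYDOMAIN\MYTESTPC5005$",,,,,,,,0,"99.0.99.199","lancontroller65",,,,,1,2,11, "802.1X Wired - NAP Compliant - VLAN30",0,"311 1 2002:d9ad:fcea::d9ad:fcea 09/17/2008 13:21:42 31298",,,,"Microsoft: Smart Card or other certificate",,,,,,,,,,,,,,13,6,,,,"9",,,,,,,,,,,"Ethernet 802.1X Wired",1,,,,
'''


def parse_ias(text):
    """Parse IAS-format lines into dicts keyed by the names in COLUMNS."""
    records = []
    # skipinitialspace absorbs the stray ", " spacing seen in pasted logs.
    for row in csv.reader(text.strip().splitlines(), skipinitialspace=True):
        if not row:
            continue
        rec = {name: (row[col - 1] if col <= len(row) else "")
               for name, col in COLUMNS.items()}
        rec["field_count"] = len(row)
        records.append(rec)
    return records


def sessions(records):
    """Group request/response lines by the Class attribute (one conversation)."""
    grouped = OrderedDict()
    for rec in records:
        grouped.setdefault(rec["class"], []).append(rec)
    return grouped


def assigned_vlan(recs):
    """VLAN id from Tunnel-Type=13 (VLAN), Tunnel-Medium-Type=6 (IEEE 802) and
    Tunnel-Pvt-Group-ID on the Access-Accept; None if NPS assigned nothing."""
    for rec in recs:
        if (rec["packet_type"] == "2" and rec["tunnel_type"] == "13"
                and rec["tunnel_medium_type"] == "6" and rec["tunnel_pvt_group_id"]):
            return rec["tunnel_pvt_group_id"]
    return None


def summarize(records):
    """One row per conversation: interface type, auth method, CRP and network
    policy that matched, final packet type and the VLAN (if any)."""
    rows = []
    for cls, recs in sessions(records).items():
        first, last = recs[0], recs[-1]
        rows.append({
            "session": cls.split()[-1],
            "client": first["user_name"] or first["fqdn"],
            "nas": first["client_friendly_name"],
            "port_type": NAS_PORT_TYPES.get(first["nas_port_type"], first["nas_port_type"]),
            "auth_type": AUTH_TYPES.get(last["auth_type"], last["auth_type"]),
            "eap_method": last["eap_friendly_name"],
            "crp": last["proxy_policy_name"],
            "policy": last["policy_name"],
            "outcome": PACKET_TYPES.get(last["packet_type"], last["packet_type"]),
            "reason_code": last["reason_code"],
            "vlan": assigned_vlan(recs),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(parse_ias(SAMPLE_LOG)):
        print("{session}: {client} via {nas} ({port_type}, {auth_type}) -> "
              "CRP '{crp}', policy '{policy}', {outcome}, VLAN {vlan}".format(**row))
```

On the four lines above this shows the wireless conversation (NAS-Port-Type 19, PEAP) ending in an Access-Challenge under "Others - DENY" with no VLAN and an empty EAP-Friendly-Name, while the wired one (NAS-Port-Type 15, PEAP with "Microsoft: Smart Card or other certificate") ends in an Access-Accept carrying a Tunnel-Pvt-Group-ID. Pointed at a whole IN*.log, the same summarize() output makes it easy to pull out every conversation whose NAS-Port-Type is 18 or 19 and whose last packet is not an Access-Accept.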

Answers

  •  I see.

    In Vista, both wired and wireless are enabled via the EAP Quarantine Enforcement Client.  But in XP SP3, because of some architectural differences, they have differing Enforcement Client components.

    Yes, you will need to enable the enforcement client you highlighted.  I'll point Greg Lindsay to this thread, as I believe he can get you the answer to 'where to enable in GP' for that particular Enforcement Client for XPSP3.  (I don't have it handy)


    -Chris
    Chris.Edson@online.microsoft.com * SDET II, Network Access Protection Platform Team * Remove the "online" to make the address valid. ** This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, September 29, 2008 5:12 PM
  • Hi Jon,

    The Group Policy setting to enable this enforcement client on XP SP3 is in a slightly different place than the other NAP client settings.

    You'll find this under Computer Configuration\Policies\Administrative Templates\Windows Components\Network Access Protection

    You want to enable "Allow Network Access Protection Client to support the 802.1X Enforcement Client component"

    You'll see that this says supported on at least XP SP2, but this should say XP SP3. You can click on the Explain tab for more information.

    -Greg
    • Marked as answer by Jon E. Carlsen Tuesday, September 30, 2008 6:51 AM
    Monday, September 29, 2008 6:00 PM
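Added example (mine, not from the thread and not a Microsoft tool): a Python check that reads the "Enforcement clients" section of netsh nap client show grouppolicy output in the Name/ID/Admin form Jon posted further down, and decides whether the enforcement client an 802.1X connection needs is admin-enabled. The mapping is the one Chris and Greg give above: on XP SP3 wireless uses the Wireless Eapol Quarantine Enforcement Client (79620) and wired the EAP Quarantine Enforcement Client (79623), on Vista 79623 covers both. The embedded listing is Jon's; the NAS-Port-Type codes (15 Ethernet, 18 Wireless-Other, 19 Wireless-802.11) are standard RADIUS values, and the OS label is a plain string of my choosing.

```python
import re

# Enforcement client IDs as reported by "netsh nap client show grouppolicy"
# (same IDs as in the listing Jon posted).
EAP_QEC = 79623             # EAP Quarantine Enforcement Client
WIRELESS_EAPOL_QEC = 79620  # Wireless Eapol Quarantine Enforcement Client

# RADIUS NAS-Port-Type values seen in the IAS log, column 20.
WIRELESS_PORT_TYPES = {"18", "19"}  # Wireless-Other, Wireless-802.11

# Sample input: the enforcement-client part of Jon's grouppolicy dump.
SAMPLE_GROUPPOLICY = """\
NAP client configuration (group policy):
----------------------------------------------------

Enforcement clients:
----------------------------------------------------
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Disabled

Name            = Remote Access Quarantine Enforcement Client
ID              = 79618
Admin           = Disabled

Name            = IPSec Relying Party
ID              = 79619
Admin           = Disabled

Name            = Wireless Eapol Quarantine Enforcement Client
ID              = 79620
Admin           = Disabled

Name            = TS Gateway Quarantine Enforcement Client
ID              = 79621
Admin           = Disabled

Name            = EAP Quarantine Enforcement Client
ID              = 79623
Admin           = Enabled

Client tracing:
----------------------------------------------------
State = Enabled
Level = Advanced
"""

_BLOCK = re.compile(r"Name\s*=\s*(.+?)\s*\n\s*ID\s*=\s*(\d+)\s*\n\s*Admin\s*=\s*(\w+)")


def required_enforcement_client(client_os, nas_port_type):
    """Which QEC must be admin-enabled for this OS/interface combination.
    XP SP3 splits wired and wireless into two components; Vista uses one."""
    if client_os.lower().startswith("xp") and nas_port_type in WIRELESS_PORT_TYPES:
        return WIRELESS_EAPOL_QEC
    return EAP_QEC


def parse_enforcement_clients(text):
    """Return {id: (name, admin_enabled)} from the 'Enforcement clients' section."""
    if "Enforcement clients:" not in text:
        raise ValueError("no 'Enforcement clients:' section in netsh output")
    section = text.split("Enforcement clients:", 1)[1].split("Client tracing:", 1)[0]
    return {int(qid): (name.strip(), admin.lower() == "enabled")
            for name, qid, admin in _BLOCK.findall(section)}


def check_nap_readiness(grouppolicy_text, client_os, nas_port_type):
    """Is the enforcement client this connection needs enabled by policy?"""
    clients = parse_enforcement_clients(grouppolicy_text)
    qid = required_enforcement_client(client_os, nas_port_type)
    name, enabled = clients.get(qid, ("<not listed>", False))
    return {"required_id": qid, "name": name, "enabled": enabled}


if __name__ == "__main__":
    for os_name, port in (("XP SP3", "19"), ("XP SP3", "15"), ("Vista", "19")):
        r = check_nap_readiness(SAMPLE_GROUPPOLICY, os_name, port)
        print("%s, NAS-Port-Type %s: needs %d (%s) -> %s"
              % (os_name, port, r["required_id"], r["name"],
                 "enabled" if r["enabled"] else "DISABLED"))
```

Feed it the NAS-Port-Type from the failing Access-Request and the client OS. With Jon's listing, XP SP3 on a wireless port comes back DISABLED for 79620 while the same box on Ethernet comes back enabled for 79623, which matches what he saw: the wired side is NAP-compliant and the wireless side is reported as not NAP-capable. The netsh output is only an approximation of what Group Policy delivers; after enabling the "Allow Network Access Protection Client to support the 802.1X Enforcement Client component" setting, rerun netsh nap client show grouppolicy on the client and check that 79620 now reads Admin = Enabled.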

All replies

  • Can you provide one or both of the following files?


    netsh.exe nps export myconfig.xml YES
    Captures the NPS configuration to myconfig.xml


    netsh.exe nps dump YES > myconfig.txt
    Captures the NPS configuration commands for netsh to myconfig.txt


    Please send them to me at Chris.Edson (at) online (dot) microsoft (dot) com
    (drop the 'online', and replace the other symbols)

    And I'll get them looked at.  :)

    -Chris

    ---------
    Chris Edson
    SDET II
    Network Access Protection Platform Team
    Friday, September 26, 2008 1:04 AM
  • Thank you for your attention, sir.

    We've tested some more, added a new rule with conditions:
    "NAS TYPE = IEEE 802.11 and Other Wireless" and "Computer is not NAP-capable" - then we were able to successfully trap the client.

    The client is capable and compliant with WIRED - but obviously on another adapter it's not capable. This is quite interesting, and brings up the question "why?".

    Another observation: The Wireless adapter seems to be a software adapter, a Bluetooth Wireless adapter. We'll test on other clients next week, which have true Wireless adapters.

    (Note to self: Read email instructions properly the next time, I kept trying sending the mail to the domain online microsoft com.)

    I'll try to get the config away as soon as possible. :)


    Sincerely, Jon E. Carlsen
    Saturday, September 27, 2008 1:50 AM
  • I must admit it was a bit hasty to assume it was the Bluetooth Wireless.
    With two "proper" wireless adapters, one HP NC6320 client and an HP NC6400 client, both using Intel Wireless 3945ABG - we still get the "NAP Non-capable" trap.

    Plugging the cable out and in, generates the System Events "napagent" 27, 28 and "Full Access" 29 - as well as Dot3Svc events.
    Disabling and enabling Wireless on the same client generates no "napagent" events, as well as no "Dot3Svc" events.

    Is there a better way to trace the agents and the state on the client side? Are there any bindings we could look at?

    Sincerely, Jon E. Carlsen
    Monday, September 29, 2008 7:46 AM
  • When I was preparing a few dumps for you, Chris - I discovered the disabled Enforcement client for WLAN.
    This is the client group policy config:


    NAP client configuration (group policy):
    ----------------------------------------------------

    NAP client configuration:
    ----------------------------------------------------

    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048

    Hash algorithm = sha1RSA (1.3.14.3.2.29)

    Enforcement clients:
    ----------------------------------------------------
    Name            = DHCP Quarantine Enforcement Client
    ID              = 79617
    Admin           = Disabled

    Name            = Remote Access Quarantine Enforcement Client
    ID              = 79618
    Admin           = Disabled

    Name            = IPSec Relying Party
    ID              = 79619
    Admin           = Disabled

    Name            = Wireless Eapol Quarantine Enforcement Client
    ID              = 79620
    Admin           = Disabled

    Name            = TS Gateway Quarantine Enforcement Client
    ID              = 79621
    Admin           = Disabled

    Name            = EAP Quarantine Enforcement Client
    ID              = 79623
    Admin           = Enabled

    Client tracing:
    ----------------------------------------------------
    State = Enabled
    Level = Advanced

    User interface settings:
    ----------------------------------------------------
    Title       = Per Eilefs spesial NAP
    Description = Test test Test test Test test Test test Test test Test test Test test Test test Test test Test test Test test Test test Test test Test test Test test Test test Test test Test test Test test Test test Test test 
    Image       = tc64x64.bmp

    Ok.


    However, I'm still looking for the GPO setting that enables the 79620 enforcement client; I can only find the 5 others in the GPO console on a Server 2008. I'll keep looking.


    Sincerely, Jon E. Carlsen
    Monday, September 29, 2008 8:56 AM
  • Ah, now that's a surprise - not having it within "Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection".

    Thank you very much - I'll test it tomorrow and report back. :)


    Sincerely, Jon E. Carlsen
    Monday, September 29, 2008 6:47 PM
  • NAP enforcement agent 79620 is now active for the Wireless.
    Both LAN and WLAN NAP state are trapped as expected by the NPS.

    Thank you very much for your assistance. :)


    Sincerely, Jon E. Carlsen
    Tuesday, September 30, 2008 6:53 AM
  • Hi Jon, we are trying the same setup with Cisco Aironet APs (1200). Can you please let me know what wireless hardware you have used in your setup?

    Regards,
    Jeroen

    Wednesday, March 4, 2009 3:47 PM
  • I've used several variations of 1200 series APs, and all worked pretty well, as long as you ensure that the firmware is up-to-date.
    The ones I've used were all the thin APs - ones that farm out the vLANning to the switches behind them, and just act as a RADIUS terminator and a trunk line.

    -Chris
    Chris.Edson@online.microsoft.com *
    SDET II, Network Access Protection Platform Team
    *Remove the "online" make the address valid.
    ** This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, March 4, 2009 5:05 PM
  • I know we've tested several different types, such as AP12040AG, AP1010 together with WLCs in the 4400 series. But I have to verify this with the COM team to be 100% certain, unless you're just looking for a general hint. :)
    Sincerely, Jon E. Carlsen
    Wednesday, March 4, 2009 11:11 PM
  • Thanks for the reply.
    As far as I can see you need a WLAN Controller for NAP to work? I searched for hours but cannot find a configuration for NAP with Cisco APs without the use of a WLC. We use the 1240AG with full IOS.
    Can someone confirm that you need a WLC?

    Thursday, March 5, 2009 8:05 AM
  • J. Miezenbeek said:
        Thanks for the reply.
        As far as I can see you need a WLAN Controller for NAP to work? I searched for hours but cannot find a configuration for NAP with Cisco APs without the use of a WLC. We use the 1240AG with full IOS.
        Can someone confirm that you need a WLC?



    The guys over at the COM team tell me that it is desirable to use a WLC in larger environments where you want a bit better manageability (plus some features) - but it's not a requirement.
    I got confirmation that we don't use WLCs at a couple of locations (I only see the radius clients in the NPS) :-)

    So you can do without a WLC, but it might be a bit more work to configure properly - and I don't know if that will also exclude multiple SSIDs etc. for your WLAN.
    Sorry that I can't be of more help with that question.
    Sincerely, Jon E. Carlsen
    Thursday, March 5, 2009 11:15 PM