IPSec Enforcement with Port Authentication

Question

  • I configured IPSec enforcement as presented in the Step-by-Step Guide and everything works fine. Then I tried to add 802.1X enforcement (I added a Wired Network Policy that requires machine authentication with PEAP). When I apply the policy to a client, the client doesn't respond to pings anymore (from the firewall log on the client I can see that ICMP traffic is dropped by the firewall). Does anyone have an explanation for this behavior? Does a Wireless Network Policy change anything in the firewall rules?
    Friday, March 9, 2007 11:16 AM

Answers

  • Adding to Chris's reply.....

    If you followed the step-by-step doc online you must have configured the IPSec policies through the "Windows Firewall w/ Adv Security" UI. Did you configure and enable the global firewall settings? (since they are configured through the same UI). If I recall, in beta2 the default global firewall settings pushed down through GP block ICMP traffic. You may need to add an exemption for ICMP traffic.

    Wai-O 

    Friday, March 16, 2007 1:07 AM
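    The check and exemption suggested in this answer, as an added example on a Windows Firewall with Advanced Security client (this is not code from the thread; the rule name is a constructed placeholder and the default firewall log path and an active domain profile are assumed):

    ```powershell
    # Added example: confirm that the GP-pushed firewall profile is what drops ICMP,
    # then add an inbound ICMPv4 echo-request exemption so the NAP client answers pings.
    # Assumes the domain profile is active and the default pfirewall.log location.

    # 1. Show each profile's state and the inbound default action pushed down through GP.
    netsh advfirewall show allprofiles

    # 2. Log dropped packets, ping the client from another machine, then look for ICMP drops.
    #    pfirewall.log columns: date time action protocol src-ip dst-ip ... icmptype icmpcode
    netsh advfirewall set allprofiles logging droppedconnections enable
    $log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
    Get-Content $log | Select-String -Pattern "DROP ICMP"

    # 3. Allow inbound ICMPv4 echo request (type 8, any code) in the domain profile.
    #    The rule name is a placeholder; use your own naming convention.
    netsh advfirewall firewall add rule name="NAP lab - allow ICMPv4 echo request" `
        dir=in action=allow protocol=icmpv4:8,any profile=domain enable=yes

    # 4. Verify the exemption exists and is enabled.
    netsh advfirewall firewall show rule name="NAP lab - allow ICMPv4 echo request"
    ```

    If the GPO's firewall settings turn off "Apply local firewall rules", a rule added locally is ignored and the ICMP exemption has to be added to the GPO's own inbound rules instead.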

All replies

  • Seppen

    When combining 2 enforcements, it introduces additional complexity into the scenario and timing could possibly become an issue.

    Let's verify your setup first. With only IPSec enforcement on, can you check the following:

    - Client in "Not restricted" state has a valid health certificate in its personal local computer store

    - Does the client have a valid IPSec policy pushed down via GP? If so, attempt to ping another IPSec-enabled client to verify.

    - Verify that a Security Association has been established between the two clients

    When you refer to "I added a Wired Network Policy that requires machine authentication with PEAP" are you referring to GP settings pushed down to your client's interface?

    After applying the policy, does the client still have an IP Address? still have a valid health certificate?

    Did you configure corresponding network policies on the NPS Server to handle the 802.1x enabled client?

    Can you give a quick description of the policies you crafted on the NPS server?


    Saturday, March 10, 2007 12:53 AM
  • I push the authentication settings to the client's interface, the client still has a valid health certificate in its certificate store and the client still has a valid IP address. When I try to ping the client, the ICMP traffic gets dropped by the firewall on the client (so it's clearly not an IP problem). The network policies on the NPS server are not the problem (policies for IPSec enforcement and port authentication both work if used separately).

    To me it seems to be a problem with the firewall (as I can see that ICMP packets are dropped on the client) - the behavior of the firewall changes after I push the new GP (including the Wired Network Policy) to the client and restart it.
    When I'm at the lab again next week, I will test if I still can ping another IPSec-enabled client as you suggested. 
    
    Sunday, March 11, 2007 5:10 PM
  • Was this the first time that GP settings were pushed out to the client?

    Perhaps there is some other configuration that is pushed out by default on GP that is causing the firewall to lock down the ICMP ports?

    -Chris

    Chris.Edson@online.microsoft.com *
    SDET, Network Access Protection
    * Remove the "online" to make the address valid.
    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, March 15, 2007 10:28 PM