
Network Access Protection Support Case

16 December 2011 11:19

A huge amount of trouble sharing files. Emails with attachments are bouncing.

FTP does not provide progress feedback or seem to work.

Security Page 1

Eventually I opted for sharing via Skydrive but this created a concern that I may be exposing sensitive data on the internet.


Configure NAP with a wizard

The NAP configuration wizard helps you set up NPS as a NAP health policy server. The wizard provides commonly used settings for each NAP enforcement method, and automatically creates customized NAP policies for use with your network design. You can access the NAP configuration wizard from the NPS console.

To configure NPS using the NAP wizard

1. Click Start, click Run, type nps.msc, and then press ENTER.
2. In the Network Policy Server console tree, click NPS (Local).
3. In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start. See the following example.
4. On the Select Network Connection Method for Use with NAP page, under Network connection method, select IEEE 802.1X (Wired), and then click Next.
5. On the Specify 802.1X Authenticating Switches page, click Add.
6. In the New RADIUS Client dialog box, under Friendly name, type 802.1X Switch. Under Address (IP or DNS), type 192.168.0.3.
7. Under Shared secret, type secret.
8. Under Confirm shared secret, type secret, click OK, and then click Next.
9. On the Configure User Groups and Machine Groups page, click Next. You do not need to configure groups for this test lab.
10. On the Configure an Authentication Method page, confirm that a computer certificate obtained in the previous procedure is displayed under NPS Server Certificate, and that Secure Password (PEAP-MS-CHAP v2) is selected under EAP types. Click Next.
11. Use the following steps to configure VLAN properties for compliant computers. In this lab, VLAN ID 3 will be used for compliant computers.
    a. On the Configure Virtual LANs (VLANs) page, under Organization network VLAN, click Configure.
       Note: If you are running Windows Server 2008 R2, this page is titled Configure Traffic Controls. On the Configure Traffic Controls page, under Full access network, click Configure.
    b. In the Virtual LAN (VLAN) Configuration dialog box (if you are running Windows Server 2008 R2, this dialog box is titled Configure RADIUS Attributes), on the RADIUS standard attributes tab, click Tunnel-Type, and then click Edit.
    c. In the Attribute Information dialog box, click Add.
    d. Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that Virtual LANs (VLAN) is selected, and then click OK twice.
    e. In the Virtual LAN (VLAN) Configuration dialog box (or, if you are running Windows Server 2008 R2, in the Configure RADIUS Attributes dialog box), on the RADIUS standard attributes tab, click Tunnel-Medium-Type, and then click Edit.
    f. In the Attribute Information dialog box, click Add.
    g. Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that 802 (Includes all 802 media plus Ethernet canonical format) is selected, and then click OK twice.
    h. In the Virtual LAN (VLAN) Configuration dialog box (or, if you are running Windows Server 2008 R2, in the Configure RADIUS Attributes dialog box), on the RADIUS standard attributes tab, click Tunnel-Pvt-Group-ID, and then click Edit.
    i. In the Attribute Information dialog box, click Add.
    j. Another Attribute Information dialog box is displayed. Under Enter the attribute value in, choose String, type 3, and then click OK twice. This value represents the compliant VLAN ID used in this lab.
    k. In the Virtual LAN (VLAN) Configuration dialog box (or, if you are running Windows Server 2008 R2, in the Configure RADIUS Attributes dialog box), click the Vendor Specific attributes tab, and then click Add.
    l. In the Add Vendor Specific Attribute dialog box, under Vendor, select Microsoft.
       Note: If you are running Windows Server 2008 R2, in the Add Vendor Specific Attribute dialog box, under Vendor, select Custom.
    m. In the Add Vendor Specific Attribute dialog box, under Attributes, select Tunnel-Tag, and then click Add.
    n. In the Attribute Information dialog box, under Attribute value, type 1, and then click OK.
       Note: The Tunnel-Tag value is populated in all attributes used in this policy, and serves to group these attributes together, identifying them as belonging to a particular tunnel. Consult your vendor documentation to determine if a unique Tunnel-Tag value is required for your switch.
    o. Click Close, and then click OK.
12. Use the following steps to configure VLAN properties for noncompliant computers. These steps are identical to those used for compliant computers with the exception that VLAN ID 2 is configured for noncompliant computers.
    a. On the Configure Virtual LANs (VLANs) page, under Restricted network VLAN, click Configure.
       Note: If you are running Windows Server 2008 R2, this page is titled Configure Traffic Controls. On the Configure Traffic Controls page, under Restricted access network, click Configure.
    b. In the Virtual LAN (VLAN) Configuration dialog box (if you are running Windows Server 2008 R2, this dialog box is titled Configure RADIUS Attributes), on the RADIUS standard attributes tab, click Tunnel-Type, and then click Edit.
    c. In the Attribute Information dialog box, click Add.
    d. Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that Virtual LANs (VLAN) is selected, and then click OK twice.
    e. In the Virtual LAN (VLAN) Configuration dialog box (or Configure RADIUS Attributes dialog box, if you are running Windows Server 2008 R2), on the RADIUS standard attributes tab, click Tunnel-Medium-Type, and then click Edit.
    f. In the Attribute Information dialog box, click Add.
    g. Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that 802 (Includes all 802 media plus Ethernet canonical format) is selected, and then click OK twice.
    h. In the Virtual LAN (VLAN) Configuration dialog box (or Configure RADIUS Attributes dialog box, if you are running Windows Server 2008 R2), on the RADIUS standard attributes tab, click Tunnel-Pvt-Group-ID, and then click Edit.
    i. In the Attribute Information dialog box, click Add.
    j. Another Attribute Information dialog box is displayed. Under Enter the attribute value in, choose String, type 2, and then click OK twice. This value represents the noncompliant VLAN ID used in this lab.
    k. In the Virtual LAN (VLAN) Configuration dialog box (or Configure RADIUS Attributes dialog box, if you are running Windows Server 2008 R2), click the Vendor Specific attributes tab, and then click Add.
    l. In the Add Vendor Specific Attribute dialog box, under Vendor, select Microsoft.
       Note: If you are running Windows Server 2008 R2, in the Add Vendor Specific Attribute dialog box, under Vendor, select Custom.
    m. In the Add Vendor Specific Attribute dialog box, under Attributes, select Tunnel-Tag, and then click Add.
    n. In the Attribute Information dialog box, under Attribute value, type 1, and then click OK.
    o. Click Close, and then click OK.
13. This completes the configuration of VLAN properties for compliant and noncompliant computers. Click Next.
14. On the Define NAP Health Policy page, verify that the Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.
15. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.
16. Leave the NPS console open for the following procedure.
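Steps 11 and 12 above come down to three standard RADIUS attributes per network policy (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Pvt-Group-ID = the VLAN number), all carrying the Tunnel-Tag of 1 as the tag byte, which is what the note at step 11n describes. The Python below is an added example and is not code from the original notes or from Microsoft's documentation: it encodes those attributes the way they appear on the wire in the Access-Accept (RFC 2868 tagged attributes), using the lab's VLAN IDs 3 and 2, and decodes them the way a switch that follows the RFC would, grouping by tag. The function names and the decoder are this example's own.

```python
"""RFC 2868 tunnel attributes as configured by the NAP wizard for VLAN assignment.

Added example, not from the original notes or from NPS. VLAN 3 (compliant),
VLAN 2 (restricted) and Tunnel-Tag 1 are the lab values from the procedure;
everything else here is this example's own.
"""

# RADIUS attribute types (RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# The values the wizard's "Commonly used for 802.1x" choices map to
TUNNEL_TYPE_VLAN = 13          # "Virtual LANs (VLAN)"
TUNNEL_MEDIUM_IEEE_802 = 6     # "802 (Includes all 802 media plus Ethernet canonical format)"


def encode_tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer attribute: Type, Length, Tag, 24-bit big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    if not 0 <= value < (1 << 24):
        raise ValueError("tagged integers are 24-bit")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def encode_tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    """Tagged string attribute: Type, Length, Tag, string (no terminator)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    body = bytes([tag]) + value.encode("ascii")
    if len(body) > 253:
        raise ValueError("attribute too long for one RADIUS attribute")
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_assignment(vlan_id: int, tag: int = 1) -> bytes:
    """The three attributes the wizard puts in one policy, sharing one Tunnel-Tag."""
    return (
        encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
        + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id))
    )


def decode_vlan(attrs: bytes) -> dict:
    """Walk a RADIUS attribute list and return the VLAN a tag-aware decoder would apply.

    Attributes are grouped by tag; a group only yields a VLAN when Tunnel-Type,
    Tunnel-Medium-Type and Tunnel-Pvt-Group-ID all agree on the tag. One attribute
    with a different tag therefore silently drops the whole assignment, which is
    the failure mode the wizard's Tunnel-Tag note warns about.
    """
    groups = {}
    i = 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        body = attrs[i + 2 : i + alen]
        i += alen
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            groups.setdefault(body[0], {})[atype] = int.from_bytes(body[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte of 0x00..0x1F is a tag; anything else is untagged text.
            tag, text = (body[0], body[1:]) if body[0] <= 0x1F else (0, body)
            groups.setdefault(tag, {})[atype] = text.decode("ascii")
    for tag, group in groups.items():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return {"tag": tag, "vlan": int(group[TUNNEL_PRIVATE_GROUP_ID])}
    return {}


if __name__ == "__main__":
    for name, vlan in (("compliant", 3), ("restricted", 2)):
        wire = vlan_assignment(vlan)
        print(name, wire.hex(), decode_vlan(wire))
```

Two things worth keeping in mind when taking this beyond the lab: the Access-Accept carrying these attributes is integrity-protected only by an MD5 hash over the packet and the RADIUS shared secret, so the value secret entered at steps 7 and 8 must be replaced by a long random secret on the real switch; and the compliant/noncompliant split relies entirely on the switch honouring Tunnel-Pvt-Group-ID, so verify on the switch that the port actually lands in VLAN 2 when NPS matches the Noncompliant policy.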


Configuring Full Access / Compliant Network




Configuring Restricted Access Network

Verify Settings



Disable fast reconnect. Recommendation is to not enable fast reconnect.


Check the Wired AutoConfig service is running.

When this service is running, the Authentication tab appears in the LAN settings.


Disable Fast reconnect and select CAs (possible to select multiple).

Select Configure for Authentication Methods.


Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/21/2011 1:31:34 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      TFS.effectivecomputing.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:                    NULL SID
    Account Name:
    Account Domain:
    Fully Qualified Account Name:

Client Machine:
    Security ID:                    EC\SQL1$
    Account Name:                   SQL1.effectivecomputing.com
    Fully Qualified Account Name:   EC\SQL1$
    OS-Version:                     6.1.7601 1.0 x64 Server
    Called Station Identifier:
    Calling Station Identifier:

NAS:
    NAS IPv4 Address:               192.168.0.6
    NAS IPv6 Address:
    NAS Identifier:                 TFS.effectivecomputing.com
    NAS Port-Type:                  Ethernet
    NAS Port:

RADIUS Client:
    Client Friendly Name:
    Client IP Address:

Authentication Details:
    Connection Request Policy Name: NAP 802.1X (Wired)
    Network Policy Name:            NAP 802.1X (Wired) Noncompliant
    Authentication Provider:        Windows
    Authentication Server:          TFS.effectivecomputing.com
    Authentication Type:            Unauthenticated
    EAP Type:
    Account Session Identifier:     6CFBE9471357B4459B0C8CE8676621385B2F9C5337BFCC01
    Logging Results:                Accounting information was written to the local log file.
    Reason Code:                    66
    Reason:                         The user attempted to use an authentication method that is not enabled on the matching network policy.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2011-12-21T13:31:34.793040700Z" />
    <EventRecordID>95408518</EventRecordID>
    <Correlation />
    <Execution ProcessID="544" ThreadID="2180" />
    <Channel>Security</Channel>
    <Computer>TFS.effectivecomputing.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName"></Data>
    <Data Name="SubjectDomainName"></Data>
    <Data Name="FullyQualifiedSubjectUserName"></Data>
    <Data Name="SubjectMachineSID">S-1-5-21-2958826572330470367325148002563617</Data>
    <Data Name="SubjectMachineName">SQL1.effectivecomputing.com</Data>
    <Data Name="FullyQualifiedSubjectMachineName">EC\SQL1$</Data>
    <Data Name="MachineInventory">6.1.7601 1.0 x64 Server</Data>
    <Data Name="CalledStationID"></Data>
    <Data Name="CallingStationID"></Data>
    <Data Name="NASIPv4Address">192.168.0.6</Data>
    <Data Name="NASIPv6Address"></Data>
    <Data Name="NASIdentifier">TFS.effectivecomputing.com</Data>
    <Data Name="NASPortType">Ethernet</Data>
    <Data Name="NASPort"></Data>
    <Data Name="ClientName"></Data>
    <Data Name="ClientIPAddress"></Data>
    <Data Name="ProxyPolicyName">NAP 802.1X (Wired)</Data>
    <Data Name="NetworkPolicyName">NAP 802.1X (Wired) Noncompliant</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">TFS.effectivecomputing.com</Data>
    <Data Name="AuthenticationType">Unauthenticated</Data>
    <Data Name="EAPType"></Data>
    <Data Name="AccountSessionIdentifier">6CFBE9471357B4459B0C8CE8676621385B2F9C5337BFCC01</Data>
    <Data Name="ReasonCode">66</Data>
    <Data Name="Reason">The user attempted to use an authentication method that is not enabled on the matching network policy.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>


Checking the Cisco router settings also. I added VLAN 2 and 3 just now.


Case Ref 111121543042674

Troubleshooting 23.01.2012


Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/23/2012 3:29:11 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      TFS.effectivecomputing.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:                    NULL SID
    Account Name:
    Account Domain:
    Fully Qualified Account Name:

Client Machine:
    Security ID:                    EC\SQL1$
    Account Name:                   SQL1.effectivecomputing.com
    Fully Qualified Account Name:   EC\SQL1$
    OS-Version:                     6.1.7601 1.0 x64 Server
    Called Station Identifier:
    Calling Station Identifier:

NAS:
    NAS IPv4 Address:               192.168.0.6
    NAS IPv6 Address:
    NAS Identifier:                 TFS.effectivecomputing.com
    NAS Port-Type:                  Ethernet
    NAS Port:

RADIUS Client:
    Client Friendly Name:
    Client IP Address:

Authentication Details:
    Connection Request Policy Name: NAP 802.1X (Wired)
    Network Policy Name:            NAP 802.1X (Wired) Noncompliant
    Authentication Provider:        Windows
    Authentication Server:          TFS.effectivecomputing.com
    Authentication Type:            Unauthenticated
    EAP Type:
    Account Session Identifier:     4527F31BCE51CD49A79F3FD387E1AAFB5B7226ABAFD9CC01
    Logging Results:                Accounting information was written to the local log file.
    Reason Code:                    66
    Reason:                         The user attempted to use an authentication method that is not enabled on the matching network policy.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2012-01-23T15:29:11.926990400Z" />
    <EventRecordID>110956128</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="632" />
    <Channel>Security</Channel>
    <Computer>TFS.effectivecomputing.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName"></Data>
    <Data Name="SubjectDomainName"></Data>
    <Data Name="FullyQualifiedSubjectUserName"></Data>
    <Data Name="SubjectMachineSID">S-1-5-21-2958826572330470367325148002563617</Data>
    <Data Name="SubjectMachineName">SQL1.effectivecomputing.com</Data>
    <Data Name="FullyQualifiedSubjectMachineName">EC\SQL1$</Data>
    <Data Name="MachineInventory">6.1.7601 1.0 x64 Server</Data>
    <Data Name="CalledStationID"></Data>
    <Data Name="CallingStationID"></Data>
    <Data Name="NASIPv4Address">192.168.0.6</Data>
    <Data Name="NASIPv6Address"></Data>
    <Data Name="NASIdentifier">TFS.effectivecomputing.com</Data>
    <Data Name="NASPortType">Ethernet</Data>
    <Data Name="NASPort"></Data>
    <Data Name="ClientName"></Data>
    <Data Name="ClientIPAddress"></Data>
    <Data Name="ProxyPolicyName">NAP 802.1X (Wired)</Data>
    <Data Name="NetworkPolicyName">NAP 802.1X (Wired) Noncompliant</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">TFS.effectivecomputing.com</Data>
    <Data Name="AuthenticationType">Unauthenticated</Data>
    <Data Name="EAPType"></Data>
    <Data Name="AccountSessionIdentifier">4527F31BCE51CD49A79F3FD387E1AAFB5B7226ABAFD9CC01</Data>
    <Data Name="ReasonCode">66</Data>
    <Data Name="Reason">The user attempted to use an authentication method that is not enabled on the matching network policy.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>
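Both 6273 records above (21 December and 23 January) say the same thing: the SQL1$ machine account was matched to the NAP 802.1X (Wired) Noncompliant policy, no EAP type was negotiated (Authentication Type: Unauthenticated), and NPS refused with reason code 66. The Python below is an added example, not part of the original notes, that pulls those facts out of the event XML and applies the checks a first pass would make. The sample event is constructed from the fields of the second record; the hyphens the page's extraction dropped from the provider name and GUID are restored, and the machine SID is an invented placeholder. The reason-code table lists code 66 as given on this page plus a few other NPS codes that a triage pass should tell apart.

```python
"""Triage NPS event 6273 (Network Policy Server denied access to a user).

Added example, not part of the original notes. SAMPLE_EVENT is constructed from
the second record on the page; the SubjectMachineSID is a placeholder.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Reason codes NPS reports in event 6273. 66 is the one on this page; the others
# are the usual suspects worth separating on a first pass.
REASONS = {
    "16": "credential mismatch (user or machine account password)",
    "48": "no network policy matched the request",
    "49": "no connection request policy matched the request",
    "65": "account's dial-in Network Access Permission is set to Deny",
    "66": "authentication method not enabled on the matching network policy",
}

# Constructed sample, abridged to the fields the triage uses.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <TimeCreated SystemTime="2012-01-23T15:29:11.926990400Z" />
    <EventRecordID>110956128</EventRecordID>
    <Computer>TFS.effectivecomputing.com</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="FullyQualifiedSubjectUserName"></Data>
    <Data Name="SubjectMachineSID">S-1-5-21-1111111111-2222222222-3333333333-1234</Data>
    <Data Name="FullyQualifiedSubjectMachineName">EC\SQL1$</Data>
    <Data Name="NASIPv4Address">192.168.0.6</Data>
    <Data Name="NASIdentifier">TFS.effectivecomputing.com</Data>
    <Data Name="NASPortType">Ethernet</Data>
    <Data Name="ClientName"></Data>
    <Data Name="ClientIPAddress"></Data>
    <Data Name="ProxyPolicyName">NAP 802.1X (Wired)</Data>
    <Data Name="NetworkPolicyName">NAP 802.1X (Wired) Noncompliant</Data>
    <Data Name="AuthenticationType">Unauthenticated</Data>
    <Data Name="EAPType"></Data>
    <Data Name="ReasonCode">66</Data>
  </EventData>
</Event>"""


def parse_6273(xml_text: str) -> dict:
    """Flatten the EventData Name/value pairs plus the System fields triage needs."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    for tag in ("EventID", "EventRecordID", "Computer"):
        fields[tag] = root.findtext(f"e:System/e:{tag}", default="", namespaces=NS)
    return fields


def triage(fields: dict) -> dict:
    """Reduce one record to the facts an NPS admin checks first, with notes."""
    if fields.get("EventID") != "6273":
        raise ValueError("not an NPS event 6273")
    code = fields.get("ReasonCode", "")
    notes = [REASONS.get(code, "reason code not in the table above; look it up")]
    # Null user SID plus a machine name means computer authentication, not a user logon.
    subject = (fields.get("FullyQualifiedSubjectMachineName")
               or fields.get("FullyQualifiedSubjectUserName") or "unknown")
    if code == "66" and fields.get("AuthenticationType") == "Unauthenticated" and not fields.get("EAPType"):
        notes.append("no EAP type was negotiated: compare the supplicant's authentication "
                     "method with the EAP types and override settings on the matching "
                     "connection request and network policies")
    if fields.get("NASIdentifier") and fields.get("NASIdentifier") == fields.get("Computer"):
        notes.append("NAS-Identifier is the NPS host itself rather than the switch: "
                     "confirm which device sent this request")
    return {
        "record": fields.get("EventRecordID"),
        "subject": subject,
        "nas": fields.get("NASIPv4Address"),
        "connection_request_policy": fields.get("ProxyPolicyName"),
        "network_policy": fields.get("NetworkPolicyName"),
        "reason_code": code,
        "notes": notes,
    }


if __name__ == "__main__":
    for key, value in triage(parse_6273(SAMPLE_EVENT)).items():
        print(f"{key}: {value}")
```

The XML form is the one to parse rather than the rendered Description text, because the Data Name attributes are stable across languages and locales while the rendered labels are not. Feed it the output of Get-WinEvent -FilterHashtable @{LogName='Security';Id=6273} piped through ToXml() and the same two functions apply unchanged.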

PS C:\Users\Austin.EC> netsh nap client show grouppolicy

NAP client configuration (group policy):

NAP client configuration:
    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
    Hash algorithm = sha1RSA (1.3.14.3.2.29)

Enforcement clients:
    Name = DHCP Quarantine Enforcement Client
    ID = 79617
    Admin = Disabled

    Name = IPsec Relying Party
    ID = 79619
    Admin = Enabled

    Name = RD Gateway Quarantine Enforcement Client
    ID = 79621
    Admin = Disabled

    Name = EAP Quarantine Enforcement Client
    ID = 79623
    Admin = Enabled

Client tracing:
    State = Disabled
    Level = Disabled

Trusted server group configuration:
    Group = NAP Trusted Health Registration Authorities
    Require Https = Enabled
    URL = https://TFS.effectivecomputing.com/DomainHRA/hcsrvext.dll
    Processing order = 1

    Group = NAP Trusted Health Registration Authorities
    Require Https = Enabled
    URL = https://ConfigManager.effectivecomputing.com/DomainHRA/hcsrvext.dll
    Processing order = 2

Ok.

PS C:\Users\Austin.EC> netsh nap client show configuration

NAP client configuration:
    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
    Hash algorithm = sha1RSA (1.3.14.3.2.29)

Enforcement clients:
    Name = DHCP Quarantine Enforcement Client
    ID = 79617
    Admin = Disabled

    Name = IPsec Relying Party
    ID = 79619
    Admin = Disabled

    Name = RD Gateway Quarantine Enforcement Client
    ID = 79621
    Admin = Disabled

    Name = EAP Quarantine Enforcement Client
    ID = 79623
    Admin = Disabled

Client tracing:
    State = Disabled
    Level = Disabled

Ok.

PS C:\Users\Austin.EC> netsh nap client show state

Client state:
    Name = Network Access Protection Client
    Description = Microsoft Network Access Protection Client
    Protocol version = 1.0
    Status = Enabled
    Restriction state = Not restricted
    Troubleshooting URL =
    Restriction start time =
    Extended state =
    Group Policy = Configured

Enforcement client state:
    Id = 79617
    Name = DHCP Quarantine Enforcement Client
    Description = Provides DHCP based enforcement for NAP
    Version = 1.0
    Vendor name = Microsoft Corporation
    Registration date =
    Initialized = No

    Id = 79619
    Name = IPsec Relying Party
    Description = Provides IPsec based enforcement for Network Access Protection
    Version = 1.0
    Vendor name = Microsoft Corporation
    Registration date =
    Initialized = Yes

    Id = 79621
    Name = RD Gateway Quarantine Enforcement Client
    Description = Provides RD Gateway enforcement for NAP
    Version = 1.0
    Vendor name = Microsoft Corporation
    Registration date =
    Initialized = No

    Id = 79623
    Name = EAP Quarantine Enforcement Client
    Description = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
    Version = 1.0
    Vendor name = Microsoft Corporation
    Registration date =
    Initialized = Yes

Ok.

PS C:\Users\Austin.EC> netsh nap client dump

# ==========================================================
# Network Access Protection client configuration
# ==========================================================
pushd nap client

#
# Trusted server group configuration
#
reset trustedservergroup

#
# Cryptographic service provider (CSP) configuration
#
set csp name = "Microsoft RSA SChannel Cryptographic Provider" keylength = "2048"

#
# Hash algorithm configuration
#
set hash oid = "1.3.14.3.2.29"

#
# Enforcement configuration
#
set enforcement id = "79617" admin = "disable" id = "79619" admin = "disable" id = "79621" admin = "disable" id = "79623" admin = "disable"

#
# Tracing configuration
#
set tracing state = "disable" level = "basic"

#
# User interface configuration
#
reset userinterface

popd
# End of NAP client configuration

PS C:\Users\Austin.EC> netsh nap client show hashes

Available hash algorithms:
    Name                OID
    sha1RSA             1.2.840.113549.1.1.5
    md5RSA              1.2.840.113549.1.1.4
    sha1DSA             1.2.840.10040.4.3
    sha1RSA             1.3.14.3.2.29
    shaRSA              1.3.14.3.2.15
    md5RSA              1.3.14.3.2.3
    md2RSA              1.2.840.113549.1.1.2
    md4RSA              1.2.840.113549.1.1.3
    md4RSA              1.3.14.3.2.2
    md4RSA              1.3.14.3.2.4
    md2RSA              1.3.14.7.2.3.1
    sha1DSA             1.3.14.3.2.13
    dsaSHA1             1.3.14.3.2.27
    mosaicUpdatedSig    2.16.840.1.101.2.1.1.19
    sha1NoSign          1.3.14.3.2.26
    md5NoSign           1.2.840.113549.2.5
    sha256NoSign        2.16.840.1.101.3.4.2.1
    sha384NoSign        2.16.840.1.101.3.4.2.2
    sha512NoSign        2.16.840.1.101.3.4.2.3
    sha256RSA           1.2.840.113549.1.1.11
    sha384RSA           1.2.840.113549.1.1.12
    sha512RSA           1.2.840.113549.1.1.13
    RSASSA-PSS          1.2.840.113549.1.1.10
    sha1ECDSA           1.2.840.10045.4.1
    sha256ECDSA         1.2.840.10045.4.3.2
    sha384ECDSA         1.2.840.10045.4.3.3
    sha512ECDSA         1.2.840.10045.4.3.4
    specifiedECDSA      1.2.840.10045.4.3

Ok.

PS C:\Users\Austin.EC> netsh nap client show csps

Available cryptographic service providers (CSPs):
    Name
    Microsoft Base Cryptographic Provider v1.0
    Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
    Microsoft Base DSS Cryptographic Provider
    Microsoft Base Smart Card Crypto Provider
    Microsoft DH SChannel Cryptographic Provider
    Microsoft Enhanced Cryptographic Provider v1.0
    Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
    Microsoft Enhanced RSA and AES Cryptographic Provider
    Microsoft RSA SChannel Cryptographic Provider
    Microsoft Strong Cryptographic Provider

Ok.

PS C:\Users\Austin.EC>
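The three netsh views above disagree with each other on purpose: Group Policy enables the IPsec and EAP enforcement clients, the local configuration has all four disabled, and the state view shows exactly the two Group Policy enables as Initialized = Yes under Group Policy = Configured. The Python below is an added example, not part of the original notes or of netsh, that parses those views and lays the disagreement out per enforcement client so the effective source is obvious. The sample outputs are constructed from the page's own values, cut down to the enforcement client sections and the state header; the local view is derived from the group policy view by flipping every Admin = Enabled to Disabled, which matches what the page shows.

```python
"""Diff 'netsh nap client show grouppolicy', 'show configuration' and 'show state'.

Added example, not part of the original notes or of netsh. Samples are constructed
from the page's values; the parser and comparison are this example's own.
"""
import re

GROUP_POLICY = """NAP client configuration (group policy):
Enforcement clients:
    Name = DHCP Quarantine Enforcement Client
    ID = 79617
    Admin = Disabled
    Name = IPsec Relying Party
    ID = 79619
    Admin = Enabled
    Name = RD Gateway Quarantine Enforcement Client
    ID = 79621
    Admin = Disabled
    Name = EAP Quarantine Enforcement Client
    ID = 79623
    Admin = Enabled
Client tracing:
    State = Disabled
"""
# Local view on the page: same four clients, all disabled.
LOCAL_CONFIG = GROUP_POLICY.replace("Admin = Enabled", "Admin = Disabled")

STATE = """Client state:
    Name = Network Access Protection Client
    Status = Enabled
    Restriction state = Not restricted
    Group Policy = Configured
Enforcement client state:
    Id = 79617
    Name = DHCP Quarantine Enforcement Client
    Initialized = No
    Id = 79619
    Name = IPsec Relying Party
    Initialized = Yes
    Id = 79621
    Name = RD Gateway Quarantine Enforcement Client
    Initialized = No
    Id = 79623
    Name = EAP Quarantine Enforcement Client
    Initialized = Yes
"""

KV = re.compile(r"^\s*([A-Za-z ]+?)\s*=\s*(.*?)\s*$")   # "key = value" lines


def parse_clients(text: str) -> dict:
    """Records from the 'Enforcement client...' section, keyed by numeric ID.

    The config views list Name/ID/Admin per client, the state view Id/Name/Initialized,
    so a record boundary is simply "a field we already have appears again".
    """
    records, current, active = [], {}, False
    for line in text.splitlines():
        if line.strip().lower().startswith("enforcement client"):
            active = True
            continue
        if active and line and not line[0].isspace():   # next top-level header
            break
        m = KV.match(line)
        if not active or not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        if key in current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return {r["id"]: r for r in records if "id" in r}


def top_level(text: str, key: str) -> str:
    """Value of a header field such as 'Group Policy' in the state view."""
    for line in text.splitlines():
        m = KV.match(line)
        if m and m.group(1).strip().lower() == key.lower():
            return m.group(2)
    return ""


def compare(group_policy: str, local: str, state: str) -> list:
    """One row per enforcement client: GP setting, local setting, initialized, effective source."""
    gp, lc, st = parse_clients(group_policy), parse_clients(local), parse_clients(state)
    # The NAP client applies Group Policy over local settings when GP is configured.
    gp_wins = top_level(state, "Group Policy").lower() == "configured"
    rows = []
    for cid in sorted(set(gp) | set(lc) | set(st)):
        row = {
            "id": cid,
            "name": (st.get(cid) or gp.get(cid) or lc.get(cid)).get("name", ""),
            "group_policy": gp.get(cid, {}).get("admin", "n/a"),
            "local": lc.get(cid, {}).get("admin", "n/a"),
            "initialized": st.get(cid, {}).get("initialized", "n/a"),
        }
        row["effective"] = row["group_policy"] if gp_wins else row["local"]
        row["mismatch"] = row["group_policy"] != row["local"]
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in compare(GROUP_POLICY, LOCAL_CONFIG, STATE):
        print(row)
```

Run against real output (netsh nap client show grouppolicy > gp.txt and so on, read back as text) the same functions apply; the point of the comparison is that the dump and show configuration views describe the local store only, so when state says Group Policy = Configured it is the grouppolicy view, not the local one, that explains which enforcement clients actually initialized.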

The authentication mode was not set, we changed this.

Unchecked override network policy settings.


