16 December 2011 11:19
A huge amount of trouble sharing files. Emails with attachments are bouncing.
FTP does not provide progress feedback or seem to work.
Security Page 1
policies for use with your network design. You can access the NAP configuration wizard from the NPS console.
To configure NPS using the NAP wizard

1. Click Start, click Run, type nps.msc, and then press ENTER.
2. In the Network Policy Server console tree, click NPS (Local).
3. In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start. See the following example.
4. On the Select Network Connection Method for Use with NAP page, under Network connection method, select IEEE 802.1X (Wired), and then click Next.
5. On the Specify 802.1X Authenticating Switches page, click Add.
6. In the New RADIUS Client dialog box, under Friendly name, type 802.1X Switch. Under Address (IP or DNS), type 192.168.0.3.
7. Under Shared secret, type secret. Under Confirm shared secret, type secret, and then click OK.
8. Click Next.

Note The address 192.168.0.3 and the shared secret "secret" are test-lab values. On a real network the address must be the address the switch actually sends requests from (the NAS-IPv4-Address that shows up in NPS events), and the shared secret should be long and random: it is the only thing that authenticates the switch to NPS and it keys the wrapping of the session keys NPS returns to the switch, so a guessable secret undoes the 802.1X enforcement.

9. On the Configure User Groups and Machine Groups page, click Next. You do not need to configure groups for this test lab.
10. On the Configure an Authentication Method page, confirm that a computer certificate obtained in the previous procedure is displayed under NPS Server Certificate, and that Secure Password (PEAP-MS-CHAP v2) is selected under EAP types. Click Next.
11. Use the following steps to configure VLAN properties for compliant computers. In this lab, VLAN ID 3 will be used for compliant computers.
   a. On the Configure Virtual LANs (VLANs) page, under Organization network VLAN, click Configure.
      Note If you are running Windows Server 2008 R2, this page is titled Configure Traffic Controls. On the Configure Traffic Controls page, under Full access network, click Configure.
   b. In the Virtual LAN (VLAN) Configuration dialog box (if you are running Windows Server 2008 R2, this dialog box is titled Configure RADIUS Attributes), on the RADIUS standard attributes tab, click Tunnel-Type, and then click Edit.
   c. In the Attribute Information dialog box, click Add.
   d. Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that Virtual LANs (VLAN) is selected, and then click OK twice.
   e. In the Virtual LAN (VLAN) Configuration dialog box (or, if you are running Windows Server 2008 R2, in the Configure RADIUS Attributes dialog box), on the RADIUS standard attributes tab, click Tunnel-Medium-Type, and then click Edit.
   f. In the Attribute Information dialog box, click Add.
   g. Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that 802 (Includes all 802 media plus Ethernet canonical format) is selected, and then click OK twice.
   h. In the Virtual LAN (VLAN) Configuration dialog box (or, if you are running Windows Server 2008 R2, in the Configure RADIUS Attributes dialog box), on the RADIUS standard attributes tab, click Tunnel-Pvt-Group-ID, and then click Edit.
   i. In the Attribute Information dialog box, click Add.
   j. Another Attribute Information dialog box is displayed. Under Enter the attribute value in, choose String, type 3, and then click OK twice. This value represents the compliant VLAN ID used in this lab.
   k. In the Virtual LAN (VLAN) Configuration dialog box (or, if you are running Windows Server 2008 R2, in the Configure RADIUS Attributes dialog box), click the Vendor Specific attributes tab, and then click Add.
   l. In the Add Vendor Specific Attribute dialog box, under Vendor, select Microsoft.
      Note If you are running Windows Server 2008 R2, in the Add Vendor Specific Attribute dialog box, under Vendor, select Custom.
   m. In the Add Vendor Specific Attribute dialog box, under Attributes, select Tunnel-Tag, and then click Add.
   n. In the Attribute Information dialog box, under Attribute value, type 1, and then click OK.
      Note The Tunnel-Tag value is populated in all attributes used in this policy, and serves to group these attributes together, identifying them as belonging to a particular tunnel. Consult your vendor documentation to determine if a unique Tunnel-Tag value is required for your switch.
   o. Click Close, and then click OK.
12. Use the following steps to configure VLAN properties for noncompliant computers. These steps are identical to those used for compliant computers with the exception that VLAN ID 2 is configured for noncompliant computers.
   a. On the Configure Virtual LANs (VLANs) page, under Restricted network VLAN, click Configure.
      Note If you are running Windows Server 2008 R2, this page is titled Configure Traffic Controls. On the Configure Traffic Controls page, under Restricted access network, click Configure.
   b. In the Virtual LAN (VLAN) Configuration dialog box (if you are running Windows Server 2008 R2, this dialog box is titled Configure RADIUS Attributes), on the RADIUS standard attributes tab, click Tunnel-Type, and then click Edit.
   c. In the Attribute Information dialog box, click Add.
   d. Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that Virtual LANs (VLAN) is selected, and then click OK twice.
   e. In the Virtual LAN (VLAN) Configuration dialog box (or Configure RADIUS Attributes dialog box, if you are running Windows Server 2008 R2), on the RADIUS standard attributes tab, click Tunnel-Medium-Type, and then click Edit.
   f. In the Attribute Information dialog box, click Add.
   g. Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that 802 (Includes all 802 media plus Ethernet canonical format) is selected, and then click OK twice.
   h. In the Virtual LAN (VLAN) Configuration dialog box (or Configure RADIUS Attributes dialog box, if you are running Windows Server 2008 R2), on the RADIUS standard attributes tab, click Tunnel-Pvt-Group-ID, and then click Edit.
   i. In the Attribute Information dialog box, click Add.
   j. Another Attribute Information dialog box is displayed. Under Enter the attribute value in, choose String, type 2, and then click OK twice. This value represents the noncompliant (restricted) VLAN ID used in this lab.
   k. In the Virtual LAN (VLAN) Configuration dialog box (or Configure RADIUS Attributes dialog box, if you are running Windows Server 2008 R2), click the Vendor Specific attributes tab, and then click Add.
   l. In the Add Vendor Specific Attribute dialog box, under Vendor, select Microsoft.
      Note If you are running Windows Server 2008 R2, in the Add Vendor Specific Attribute dialog box, under Vendor, select Custom.
   m. In the Add Vendor Specific Attribute dialog box, under Attributes, select Tunnel-Tag, and then click Add.
   n. In the Attribute Information dialog box, under Attribute value, type 1, and then click OK.
   o. Click Close, and then click OK.
13. This completes the configuration of VLAN properties for compliant and noncompliant computers. Click Next.
14. On the Define NAP Health Policy page, verify that the Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.
15. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.
16. Leave the NPS console open for the following procedure.
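The wizard above registers the switch with a lab address and the shared secret "secret", and asks for the same three tunnel attributes twice with only the VLAN ID changing. The PowerShell below is an added example, not part of these notes or of Microsoft's lab guide: it checks that the two attribute sets from steps 11 and 12 are a valid RFC 3580 VLAN assignment (Tunnel-Type 13, Tunnel-Medium-Type 6, a VLAN ID, matching tag) and that they actually isolate noncompliant hosts, then registers the switch with netsh nps using a random shared secret in place of "secret". The function names are mine; it assumes an elevated prompt on the NPS server (the netsh nps context) and uses 192.168.0.6, the NAS-IPv4-Address that appears in the 6273 events later in these notes, instead of the lab's 192.168.0.3.

```powershell
# Added example: validate the NAP VLAN attribute sets and register the 802.1X switch as an
# NPS RADIUS client with a CSPRNG-generated shared secret. Assumed: elevated shell on the NPS
# server; switch address 192.168.0.6 (from the 6273 events in these notes).

function New-RadiusSharedSecret {
    # 32 bytes from the OS CSPRNG, hex encoded: 64 characters, inside the 128 NPS accepts,
    # and no characters that need quoting in netsh or on the switch CLI.
    param([int]$ByteCount = 32)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $_.ToString('x2') })
}

function Test-VlanAttributeSet {
    # One policy's Access-Accept attributes as a hashtable:
    #   TunnelType (attr 64), TunnelMediumType (65), TunnelPvtGroupId (81), TunnelTag.
    # Returns the list of problems; empty means the switch gets a usable VLAN order.
    param([Parameter(Mandatory = $true)][hashtable]$Attrs)
    $problems = @()
    if ($Attrs.TunnelType -ne 13) {
        $problems += "Tunnel-Type must be 13 (VLAN), found '$($Attrs.TunnelType)'"
    }
    if ($Attrs.TunnelMediumType -ne 6) {
        $problems += "Tunnel-Medium-Type must be 6 (802), found '$($Attrs.TunnelMediumType)'"
    }
    # The wizard sends the VLAN as a string; a numeric ID 1-4094 is what this lab's switch
    # expects (some switches also accept a VLAN name).
    if ("$($Attrs.TunnelPvtGroupId)" -notmatch '^\d+$' -or
        [int]$Attrs.TunnelPvtGroupId -lt 1 -or [int]$Attrs.TunnelPvtGroupId -gt 4094) {
        $problems += "Tunnel-Pvt-Group-ID must be a VLAN ID 1-4094, found '$($Attrs.TunnelPvtGroupId)'"
    }
    # RFC 2868: the tag byte groups the three attributes; 0x01-0x1F are valid tag values.
    if ($Attrs.TunnelTag -lt 1 -or $Attrs.TunnelTag -gt 31) {
        $problems += "Tunnel-Tag must be 1-31 and the same on all three attributes, found '$($Attrs.TunnelTag)'"
    }
    return ,$problems
}

function Test-NapVlanPolicies {
    # Both policies together: each must be valid, and they must not land hosts in the same VLAN.
    param([hashtable]$Compliant, [hashtable]$Restricted)
    $problems = @()
    foreach ($p in (Test-VlanAttributeSet -Attrs $Compliant))  { $problems += "compliant: $p" }
    foreach ($p in (Test-VlanAttributeSet -Attrs $Restricted)) { $problems += "restricted: $p" }
    if ("$($Compliant.TunnelPvtGroupId)" -eq "$($Restricted.TunnelPvtGroupId)") {
        $problems += "compliant and restricted policies assign the same VLAN; noncompliant hosts would not be isolated"
    }
    return ,$problems
}

function Register-NpsSwitch {
    # Command-line equivalent of the New RADIUS Client dialog in steps 6 and 7.
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Address,
        [Parameter(Mandatory = $true)][string]$SharedSecret
    )
    $output = netsh nps add client name="$Name" address="$Address" state="enable" sharedsecret="$SharedSecret"
    if ($LASTEXITCODE -ne 0) { throw "netsh nps add client failed: $output" }
    return $output
}

# Step 11 (compliant, VLAN 3) and step 12 (restricted, VLAN 2) as data.
$compliant  = @{ TunnelType = 13; TunnelMediumType = 6; TunnelPvtGroupId = '3'; TunnelTag = 1 }
$restricted = @{ TunnelType = 13; TunnelMediumType = 6; TunnelPvtGroupId = '2'; TunnelTag = 1 }

$problems = Test-NapVlanPolicies -Compliant $compliant -Restricted $restricted
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    $secret = New-RadiusSharedSecret
    Register-NpsSwitch -Name '802.1X Switch' -Address '192.168.0.6' -SharedSecret $secret
    # The switch needs the same key; show it once here and do not log it anywhere else.
    Write-Host "RADIUS key for the switch (copy it to the switch now): $secret"
}
```

Run it before, not instead of, the wizard's VLAN pages: it only tells you whether the values you are about to type are self-consistent. The registration step is real, so on a box where the switch is already a RADIUS client, call Test-NapVlanPolicies alone.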
Configuring Full Access / Compliant Network
Configuring Restricted Access Network
Verify Settings
Disable fast reconnect. Recommendation is to not enable fast reconnect.
Check the Wired AutoConfig service is running.
When this service is running, the Authentication tab appears in the LAN settings.
Disable Fast reconnect and select the CAs; it is possible to select multiple.
Select Configure for Authentication Methods.
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/21/2011 1:31:34 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      TFS.effectivecomputing.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
  Security ID:                  NULL SID
  Account Name:
  Account Domain:
  Fully Qualified Account Name:

Client Machine:
  Security ID:                  EC\SQL1$
  Account Name:                 SQL1.effectivecomputing.com
  Fully Qualified Account Name: EC\SQL1$
  OS-Version:                   6.1.7601 1.0 x64 Server
  Called Station Identifier:
  Calling Station Identifier:

NAS:
  NAS IPv4 Address:
  NAS IPv6 Address:
  NAS Identifier:
  NAS Port-Type:
  NAS Port:

RADIUS Client:
  Client Friendly Name:
  Client IP Address:

Authentication Details:
  Connection Request Policy Name: NAP 802.1X (Wired)
  Network Policy Name:            NAP 802.1X (Wired) Noncompliant
  Authentication Provider:        Windows
  Authentication Server:          TFS.effectivecomputing.com
  Authentication Type:            Unauthenticated
  EAP Type:
  Account Session Identifier:     6CFBE9471357B4459B0C8CE8676621385B2F9C5337BFCC01
  Logging Results:                Accounting information was written to the local log file.
  Reason Code:                    66
  Reason:                         The user attempted to use an authentication method that is not enabled on the matching network policy.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2011-12-21T13:31:34.793040700Z" />
    <EventRecordID>95408518</EventRecordID>
    <Correlation />
    <Execution ProcessID="544" ThreadID="2180" />
    <Channel>Security</Channel>
    <Computer>TFS.effectivecomputing.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName"></Data>
    <Data Name="SubjectDomainName"></Data>
    <Data Name="FullyQualifiedSubjectUserName"></Data>
    <Data Name="SubjectMachineSID">S15212958826572330470367325148002563617</Data>
    <Data Name="SubjectMachineName">SQL1.effectivecomputing.com</Data>
    <Data Name="FullyQualifiedSubjectMachineName">EC\SQL1$</Data>
    <Data Name="MachineInventory">6.1.7601 1.0 x64 Server</Data>
    <Data Name="CalledStationID"></Data>
    <Data Name="CallingStationID"></Data>
    <Data Name="NASIPv4Address">192.168.0.6</Data>
    <Data Name="NASIPv6Address"></Data>
    <Data Name="NASIdentifier">TFS.effectivecomputing.com</Data>
    <Data Name="NASPortType">Ethernet</Data>
    <Data Name="NASPort"></Data>
    <Data Name="ClientName"></Data>
    <Data Name="ClientIPAddress"></Data>
    <Data Name="ProxyPolicyName">NAP 802.1X (Wired)</Data>
    <Data Name="NetworkPolicyName">NAP 802.1X (Wired) Noncompliant</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">TFS.effectivecomputing.com</Data>
    <Data Name="AuthenticationType">Unauthenticated</Data>
    <Data Name="EAPType"></Data>
    <Data Name="AccountSessionIdentifier">6CFBE9471357B4459B0C8CE8676621385B2F9C5337BFCC01</Data>
    <Data Name="ReasonCode">66</Data>
    <Data Name="Reason">The user attempted to use an authentication method that is not enabled on the matching network policy.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>
Checking the Cisco Router Settings also. I added VLAN 2 and 3 just now.
Case Ref 111121543042674
Troubleshooting 23.01.2012
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/23/2012 3:29:11 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      TFS.effectivecomputing.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
  Security ID:                  NULL SID
  Account Name:
  Account Domain:
  Fully Qualified Account Name:

Client Machine:
  Security ID:                  EC\SQL1$
  Account Name:                 SQL1.effectivecomputing.com
  Fully Qualified Account Name: EC\SQL1$
  OS-Version:                   6.1.7601 1.0 x64 Server
  Called Station Identifier:
  Calling Station Identifier:

NAS:
  NAS IPv4 Address:
  NAS IPv6 Address:
  NAS Identifier:
  NAS Port-Type:
  NAS Port:

RADIUS Client:
  Client Friendly Name:
  Client IP Address:

Authentication Details:
  Connection Request Policy Name: NAP 802.1X (Wired)
  Network Policy Name:            NAP 802.1X (Wired) Noncompliant
  Authentication Provider:        Windows
  Authentication Server:          TFS.effectivecomputing.com
  Authentication Type:            Unauthenticated
  EAP Type:
  Account Session Identifier:     4527F31BCE51CD49A79F3FD387E1AAFB5B7226ABAFD9CC01
  Logging Results:                Accounting information was written to the local log file.
  Reason Code:                    66
  Reason:                         The user attempted to use an authentication method that is not enabled on the matching network policy.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2012-01-23T15:29:11.926990400Z" />
    <EventRecordID>110956128</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="632" />
    <Channel>Security</Channel>
    <Computer>TFS.effectivecomputing.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName"></Data>
    <Data Name="SubjectDomainName"></Data>
    <Data Name="FullyQualifiedSubjectUserName"></Data>
    <Data Name="SubjectMachineSID">S15212958826572330470367325148002563617</Data>
    <Data Name="SubjectMachineName">SQL1.effectivecomputing.com</Data>
    <Data Name="FullyQualifiedSubjectMachineName">EC\SQL1$</Data>
    <Data Name="MachineInventory">6.1.7601 1.0 x64 Server</Data>
    <Data Name="CalledStationID"></Data>
    <Data Name="CallingStationID"></Data>
    <Data Name="NASIPv4Address">192.168.0.6</Data>
    <Data Name="NASIPv6Address"></Data>
    <Data Name="NASIdentifier">TFS.effectivecomputing.com</Data>
    <Data Name="NASPortType">Ethernet</Data>
    <Data Name="NASPort"></Data>
    <Data Name="ClientName"></Data>
    <Data Name="ClientIPAddress"></Data>
    <Data Name="ProxyPolicyName">NAP 802.1X (Wired)</Data>
    <Data Name="NetworkPolicyName">NAP 802.1X (Wired) Noncompliant</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">TFS.effectivecomputing.com</Data>
    <Data Name="AuthenticationType">Unauthenticated</Data>
    <Data Name="EAPType"></Data>
    <Data Name="AccountSessionIdentifier">4527F31BCE51CD49A79F3FD387E1AAFB5B7226ABAFD9CC01</Data>
    <Data Name="ReasonCode">66</Data>
    <Data Name="Reason">The user attempted to use an authentication method that is not enabled on the matching network policy.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>
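Both 6273 events above carry the same signature: the request matched the connection request policy NAP 802.1X (Wired) and the network policy NAP 802.1X (Wired) Noncompliant, the Authentication Type is Unauthenticated with an empty EAP Type, and the reason code is 66. That combination means NPS rejected at policy evaluation, before any EAP round trip, so the problem is the policy's authentication method list rather than the client's credentials. The PowerShell below is an added example, not part of these notes: it turns a 6273 record into an object and maps the reason code to the setting to check. $SampleDenyXml is a constructed sample modelled on the event above (hyphens restored, most fields dropped); Get-NpsDenyEvent reads the live Security log on the NPS server instead. The function names and the hint table are mine.

```powershell
# Added example: triage NPS "denied access" events (Event ID 6273). Constructed sample
# below; Get-NpsDenyEvent queries the live Security log on the NPS server.

$SampleDenyXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <TimeCreated SystemTime="2012-01-23T15:29:11.926990400Z" />
    <Computer>TFS.effectivecomputing.com</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="FullyQualifiedSubjectMachineName">EC\SQL1$</Data>
    <Data Name="NASIPv4Address">192.168.0.6</Data>
    <Data Name="NASPortType">Ethernet</Data>
    <Data Name="ProxyPolicyName">NAP 802.1X (Wired)</Data>
    <Data Name="NetworkPolicyName">NAP 802.1X (Wired) Noncompliant</Data>
    <Data Name="AuthenticationType">Unauthenticated</Data>
    <Data Name="EAPType"></Data>
    <Data Name="ReasonCode">66</Data>
    <Data Name="Reason">The user attempted to use an authentication method that is not enabled on the matching network policy.</Data>
  </EventData>
</Event>
'@

# NPS reason codes that show up in 6273 events for 802.1X, and the setting each one points at.
$ReasonHints = @{
    8  = 'Account does not exist: check which domain the machine or user account is looked up in.'
    16 = 'Credential mismatch: wrong password, or a machine account password out of sync with AD.'
    22 = 'NPS cannot process the EAP type the client offered: that method is not installed or usable on the server.'
    48 = 'No network policy matched: compare NAS-Port-Type, group and health conditions with the request.'
    49 = 'No connection request policy matched the request.'
    65 = 'Network Access Permission on the AD account is set to Deny access.'
    66 = 'EAP method not enabled on the matching network policy. Check its Authentication Methods tab, and whether the connection request policy has "Override network policy authentication settings" checked (that list wins when it is).'
}

function ConvertFrom-NpsDenyEvent {
    param([Parameter(Mandatory = $true)][string]$EventXml)
    [xml]$doc = $EventXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $data = @{}
    foreach ($d in $doc.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $code = [int]$data['ReasonCode']
    $hint = if ($ReasonHints.ContainsKey($code)) { $ReasonHints[$code] } else { $data['Reason'] }
    # Unauthenticated plus an empty EAPType: the reject happened at policy evaluation, before
    # any EAP exchange, so the cause is configuration rather than credentials.
    $preEap = ($data['AuthenticationType'] -eq 'Unauthenticated' -and [string]::IsNullOrEmpty($data['EAPType']))
    $ts = $doc.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
    New-Object PSObject -Property @{
        Time              = [System.Xml.XmlConvert]::ToDateTime($ts, [System.Xml.XmlDateTimeSerializationMode]::Utc)
        Machine           = $data['FullyQualifiedSubjectMachineName']
        NasIp             = $data['NASIPv4Address']
        CrpName           = $data['ProxyPolicyName']
        PolicyName        = $data['NetworkPolicyName']
        AuthType          = $data['AuthenticationType']
        EapType           = $data['EAPType']
        ReasonCode        = $code
        RejectedBeforeEap = $preEap
        Hint              = $hint
    }
}

function Get-NpsDenyEvent {
    # Live query on the NPS server (needs Event Log Readers membership or an elevated shell).
    param([int]$MaxEvents = 100)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-NpsDenyEvent -EventXml $_.ToXml() }
}

# Offline run against the constructed sample.
ConvertFrom-NpsDenyEvent -EventXml $SampleDenyXml |
    Format-List ReasonCode, RejectedBeforeEap, PolicyName, CrpName, NasIp, Hint
# On the server, grouped the way a ticket wants it:
# Get-NpsDenyEvent | Group-Object ReasonCode, PolicyName | Sort-Object Count -Descending | Format-Table Count, Name
```

The NasIp field is worth keeping in the output: the address NPS records there is the one the RADIUS client entry must carry, and here it is 192.168.0.6, not the 192.168.0.3 of the lab guide pasted earlier in these notes.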
PS C:\Users\Austin.EC> Netsh nap client show grouppolicy

NAP client configuration (group policy):

NAP client configuration:
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, key length = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)

Enforcement clients:
Name  = DHCP Quarantine Enforcement Client
ID    = 79617
Admin = Disabled

Name  = IPsec Relying Party
ID    = 79619
Admin = Enabled

Name  = RD Gateway Quarantine Enforcement Client
ID    = 79621
Admin = Disabled

Name  = EAP Quarantine Enforcement Client
ID    = 79623
Admin = Enabled

Client tracing:
State = Disabled
Level = Disabled

Trusted server group configuration:
Group            = NAP Trusted Health Registration Authorities
Require Https    = Enabled
URL              = https://TFS.effectivecomputing.com/DomainHRA/hcsrvext.dll
Processing order = 1

Group            = NAP Trusted Health Registration Authorities
Require Https    = Enabled
URL              = https://ConfigManager.effectivecomputing.com/DomainHRA/hcsrvext.dll
Processing order = 2

Ok.

PS C:\Users\Austin.EC> Netsh nap client show configuration

NAP client configuration:
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, key length = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)

Enforcement clients:
Name  = DHCP Quarantine Enforcement Client
ID    = 79617
Admin = Disabled

Name  = IPsec Relying Party
ID    = 79619
Admin = Disabled

Name  = RD Gateway Quarantine Enforcement Client
ID    = 79621
Admin = Disabled

Name  = EAP Quarantine Enforcement Client
ID    = 79623
Admin = Disabled

Client tracing:
State = Disabled
Level = Disabled

Ok.

PS C:\Users\Austin.EC> Netsh nap client show state

Client state:
Name                   = Network Access Protection Client
Description            = Microsoft Network Access Protection Client
Protocol version       = 1.0
Status                 = Enabled
Restriction state      = Not restricted
Troubleshooting URL    =
Restriction start time =
Extended state         =
GroupPolicy            = Configured

Enforcement client state:
Id                = 79617
Name              = DHCP Quarantine Enforcement Client
Description       = Provides DHCP based enforcement for NAP
Version           = 1.0
Vendor name       = Microsoft Corporation
Registration date =
Initialized       = No

Id                = 79619
Name              = IPsec Relying Party
Description       = Provides IPsec based enforcement for Network Access Protection
Version           = 1.0
Vendor name       = Microsoft Corporation
Registration date =
Initialized       = Yes

Id                = 79621
Name              = RD Gateway Quarantine Enforcement Client
Description       = Provides RD Gateway enforcement for NAP
Version           = 1.0
Vendor name       = Microsoft Corporation
Registration date =
Initialized       = No

Id                = 79623
Name              = EAP Quarantine Enforcement Client
Description       = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
Version           = 1.0
Vendor name       = Microsoft Corporation
Registration date =
Initialized       = Yes

Ok.

PS C:\Users\Austin.EC> Netsh nap client dump

# ==========================================================
# Network Access Protection client configuration
# ==========================================================
pushd nap client

#
# Trusted server group configuration
#
reset trustedservergroup

#
# Cryptographic service provider (CSP) configuration
#
set csp name = "Microsoft RSA SChannel Cryptographic Provider" keylength = "2048"

#
# Hash algorithm configuration
#
set hash oid = "1.3.14.3.2.29"

#
# Enforcement configuration
#
set enforcement id = "79617" admin = "disable" id = "79619" admin = "disable" id = "79621" admin = "disable" id = "79623" admin = "disable"

#
# Tracing configuration
#
set tracing state = "disable" level = "basic"

#
# User interface configuration
#
reset userinterface

popd

# End of NAP client configuration

PS C:\Users\Austin.EC> Netsh nap client show hashes

Available hash algorithms:
Name              OID
sha1RSA           1.2.840.113549.1.1.5
md5RSA            1.2.840.113549.1.1.4
sha1DSA           1.2.840.10040.4.3
sha1RSA           1.3.14.3.2.29
shaRSA            1.3.14.3.2.15
md5RSA            1.3.14.3.2.3
md2RSA            1.2.840.113549.1.1.2
md4RSA            1.2.840.113549.1.1.3
md4RSA            1.3.14.3.2.2
md4RSA            1.3.14.3.2.4
md2RSA            1.3.14.7.2.3.1
sha1DSA           1.3.14.3.2.13
dsaSHA1           1.3.14.3.2.27
mosaicUpdatedSig  2.16.840.1.101.2.1.1.19
sha1NoSign        1.3.14.3.2.26
md5NoSign         1.2.840.113549.2.5
sha256NoSign      2.16.840.1.101.3.4.2.1
sha384NoSign      2.16.840.1.101.3.4.2.2
sha512NoSign      2.16.840.1.101.3.4.2.3
sha256RSA         1.2.840.113549.1.1.11
sha384RSA         1.2.840.113549.1.1.12
sha512RSA         1.2.840.113549.1.1.13
RSASSA-PSS        1.2.840.113549.1.1.10
sha1ECDSA         1.2.840.10045.4.1
sha256ECDSA       1.2.840.10045.4.3.2
sha384ECDSA       1.2.840.10045.4.3.3
sha512ECDSA       1.2.840.10045.4.3.4
specifiedECDSA    1.2.840.10045.4.3

Ok.

PS C:\Users\Austin.EC> Netsh nap client show csps

Available cryptographic service providers (CSPs):
Name
Microsoft Base Cryptographic Provider v1.0
Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
Microsoft Base DSS Cryptographic Provider
Microsoft Base Smart Card Crypto Provider
Microsoft DH SChannel Cryptographic Provider
Microsoft Enhanced Cryptographic Provider v1.0
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
Microsoft Enhanced RSA and AES Cryptographic Provider
Microsoft RSA SChannel Cryptographic Provider
Microsoft Strong Cryptographic Provider

Ok.

PS C:\Users\Austin.EC>
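The three listings above disagree on purpose: show grouppolicy has the IPsec Relying Party and EAP Quarantine Enforcement Client enabled, show configuration has all four disabled, and show state reports GroupPolicy = Configured with exactly those two clients Initialized = Yes. When NAP client settings arrive through Group Policy the local configuration is ignored, so the group policy view is the one in force, and the hash in force for health certificate requests to the HRA is sha1RSA. The PowerShell below is an added example, not part of these notes: it parses the show grouppolicy / show configuration output, says which configuration is effective and which enforcement clients it enables, and flags a non-SHA-2 hash OID. $SampleGroupPolicy and $SampleLocal are constructed samples with the shape and values of the output above (the local sample is shortened to two clients); the function names are mine, and the netsh lines at the bottom replace the samples with live output on a NAP client.

```powershell
# Added example: audit the effective NAP client configuration from netsh output.
# Samples are constructed to match the listings in these notes; see the end for live use.

$SampleGroupPolicy = @'
NAP client configuration (group policy):

NAP client configuration:
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, key length = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)

Enforcement clients:
Name  = DHCP Quarantine Enforcement Client
ID    = 79617
Admin = Disabled

Name  = IPsec Relying Party
ID    = 79619
Admin = Enabled

Name  = RD Gateway Quarantine Enforcement Client
ID    = 79621
Admin = Disabled

Name  = EAP Quarantine Enforcement Client
ID    = 79623
Admin = Enabled
'@

$SampleLocal = @'
NAP client configuration:
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, key length = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)

Enforcement clients:
Name  = DHCP Quarantine Enforcement Client
ID    = 79617
Admin = Disabled

Name  = EAP Quarantine Enforcement Client
ID    = 79623
Admin = Disabled
'@

# sha256RSA, sha384RSA, sha512RSA from 'netsh nap client show hashes'.
$Sha2Oids = @('1.2.840.113549.1.1.11', '1.2.840.113549.1.1.12', '1.2.840.113549.1.1.13')

function ConvertFrom-NapClientConfig {
    # Parses the CSP/hash lines and the "Enforcement clients" block of
    # 'netsh nap client show grouppolicy' or 'show configuration'.
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $cfg = @{ Csp = $null; KeyLength = 0; HashOid = $null; Clients = @() }
    $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Cryptographic service provider \(CSP\)\s*=\s*(.+?),\s*key length\s*=\s*(\d+)') {
            $cfg.Csp = $matches[1]; $cfg.KeyLength = [int]$matches[2]; continue
        }
        if ($line -match '^\s*Hash algorithm\s*=\s*\S+\s*\(([\d.]+)\)') { $cfg.HashOid = $matches[1]; continue }
        if ($line -match '^\s*Name\s*=\s*(.+?)\s*$') {
            if ($null -ne $cur) { $cfg.Clients += $cur }
            $cur = @{ Name = $matches[1]; Id = 0; Enabled = $false }; continue
        }
        if ($null -ne $cur -and $line -match '^\s*ID\s*=\s*(\d+)')    { $cur.Id = [int]$matches[1]; continue }
        if ($null -ne $cur -and $line -match '^\s*Admin\s*=\s*(\w+)') { $cur.Enabled = ($matches[1] -eq 'Enabled'); continue }
    }
    if ($null -ne $cur) { $cfg.Clients += $cur }
    return $cfg
}

function Test-NapClientConfig {
    param([hashtable]$GroupPolicy, [hashtable]$Local)
    # Group Policy settings, when present, replace the local ones entirely ('show state'
    # reports GroupPolicy = Configured), which is why 'show configuration' can list every
    # client as Disabled while 'show state' shows IPsec and EAP as Initialized = Yes.
    $source = if ($GroupPolicy -and $GroupPolicy.Clients.Count -gt 0) { 'group policy' } else { 'local' }
    $cfg = if ($source -eq 'group policy') { $GroupPolicy } else { $Local }
    $findings = @()
    $enabled = @($cfg.Clients | Where-Object { $_.Enabled } | ForEach-Object { $_.Name })
    $findings += "effective configuration: $source; enabled enforcement clients: $(if ($enabled) { $enabled -join ', ' } else { 'none' })"
    if ($enabled -notcontains 'EAP Quarantine Enforcement Client') {
        $findings += '802.1X enforcement needs the EAP Quarantine Enforcement Client; it is not enabled in the effective configuration.'
    }
    if ($Sha2Oids -notcontains $cfg.HashOid) {
        # The CSP/hash pair is used for the health certificate request sent to the HRA; confirm the
        # HRA and its CA accept SHA-2 before changing it, and change it where the effective
        # configuration lives: locally with netsh, or in the GPO under Computer Configuration\
        # Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration.
        $findings += "health certificate request hash OID $($cfg.HashOid) is not SHA-2; local fix: netsh nap client set hash oid=`"1.2.840.113549.1.1.11`""
    }
    if ($cfg.KeyLength -lt 2048) { $findings += "CSP key length $($cfg.KeyLength) is below 2048." }
    return ,$findings
}

$gp    = ConvertFrom-NapClientConfig -Lines ($SampleGroupPolicy -split "`r?`n")
$local = ConvertFrom-NapClientConfig -Lines ($SampleLocal -split "`r?`n")
Test-NapClientConfig -GroupPolicy $gp -Local $local
# On a NAP client, against the live settings:
# $gp    = ConvertFrom-NapClientConfig -Lines @(netsh nap client show grouppolicy)
# $local = ConvertFrom-NapClientConfig -Lines @(netsh nap client show configuration)
```

On the samples this reports group policy as the effective source with IPsec Relying Party and EAP Quarantine Enforcement Client enabled, and flags the sha1RSA OID; the local listing's four Disabled entries play no part, which matches what show state says.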
The authentication mode was not set; we changed this.
Unchecked "Override network policy settings".