NPS and NAP help???
Robbo777
I'm having trouble getting my NPS, which is on the same computer as my DC for the domain, to validate a system health check on a client PC that I'm intentionally switching off the firewall for. It's my first time doing this type of setup, but as you can see I'm using a wired 802.1X trigger, which I'm assuming is correct because the virtual machine is technically using a "wired" connection, along with PEAP and MS-CHAPv2 encapsulated in PEAP and my trusted certificate from my DC. Along with the network policy using only "system health check" with no other options and the health policy connecting to the health validator that says the firewall must be enabled. All the services are enabled on server and client and the user is set to log in using the NPS on their account. I honestly don't know what the problem is here. Any help would be appreciated, cheers.
Also, this is confusing again now haha! Because I was under the impression that when a user logs onto a domain it's Kerberos that handles the process (not including winlogon and the LSA etc...) and authenticates the client. But now with implementing an NPS server, does this mean that when a user logs into the domain it's the NPS along with PEAP and MS-CHAPv2 instead of Kerberos? It's just a bit confusing (on top of this not working too haha)
Comments
BornToBeMild
You might find this helpful:
https://technet.microsoft.com/en-us/library/cc732256(v=ws.10).aspx
You will find that your lab has a bit missing - an 802.1x authenticating switch. Labs I've seen for NPS/NAP don't use the 802.1x functionality because you need a physical device - an authenticating switch or wireless access point - or a way of emulating them.
NPS acts as a RADIUS server, so the user devices don't connect directly to it. In a lab environment it is easier to use the DHCP or VPN functionality for test purposes, but you will still need additional roles (RRAS or DHCP) set up and configured.
Robbo777
Thanks for the info, I've just discarded the 802.1X connection and configured a VPN one. When I go to connect to the VPN on the same computer as the NPS is on etc... it gives me a message saying "an existing connection was forcibly closed by the remote host". Any idea why I'm getting this message? Are there services that need to be enabled? I haven't configured RRAS yet but does that matter or is it essential for it to work?
If you want pictures just let me know what you'd like to view.
I'm getting this message in the remote access error log:
"CoId={74759ACB-6693-452A-9C9A-3EC9022F8C96}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again.
An existing connection was forcibly closed by the remote host."
Disabled the firewall on the DC and still won't have it. Do I have to set up encryption policies or something like that on the DC too in IP security policies? (just a guess) I didn't think I needed to?
Thanks again
Robbo777
Update:
I have successfully managed to configure an SSTP VPN connection using a VPN connection request policy with the condition being SSTP, along with the network policy "Connections to Microsoft Routing and Remote Access server" that comes with the RRAS installation (which seemed to fix that issue). BUT! I want to make a VPN connection and configure network policies to perform system health checks on the connecting client machines. So I have created 3 network policies also: Compliant VPN connections, Non Compliant and Non NAP Capable; the only condition is that they are either granted or not granted access based off the health policy results, which correspond to the Windows Security Health Validator. Everything seems to be set up right, and when I remove the "Health Policy" condition and replace it with another arbitrary one such as a user group, it works again, so it seems to be something with the health policy it doesn't like. The error message is "Error 649 the account does not have permission to dial in". I'm not quite sure why I'm getting this error now since it was working before with the same users logging in.
Robbo777
Okay, so I have finally managed to fix it through problems with the health authority etc... thankfully it's done now, but wouldn't you know, one last problem arises.
After the VPN connects, I get a message saying that the SHA is not installed and therefore network connectivity automatically becomes limited. Why does Windows give me this message and is there anything I can do to stop it?
It's my DC that I'm using the VPN on.
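The last two posts both come down to what the NAP client on the dialling machine has actually initialized: the health-policy conditions in the update post only evaluate against a statement of health the client sends, and the "SHA is not installed" message in the final post is the client reporting that no system health agent produced one. The following PowerShell script is an added example, not code from the thread or from Microsoft's NAP documentation. It checks that the Network Access Protection Agent service (`napagent`) is running and parses `netsh nap client show state` into objects so you can see the client's restriction state and which enforcement clients and SHAs report `Initialized = Yes`. The service name and the `netsh nap` context are real; the `Key = Value` block layout the parser expects reflects netsh output as seen on Windows 7 / Server 2008 R2 and is an assumption for other builds. The sample text at the bottom is constructed so the parser can be exercised on a machine without NAP.

```powershell
# Added example: client-side NAP diagnostic for the machine that dials the SSTP VPN.
# Parses "netsh nap client show state" (real command; block layout is an assumption)
# and reports restriction state, initialized enforcement clients and initialized SHAs.

function ConvertFrom-NapStateText {
    # Turns the netsh text into one object per section or per "Id = ..." block,
    # tagged with the section heading it appeared under.
    param([string[]]$Lines)

    $records = @()
    $section = ''
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -match '^-+$') { continue }
        if ($line -match '^(?<name>[^=]+):$') {            # section heading
            if ($current) { $records += $current }
            $section = $Matches.name.Trim()
            $current = [ordered]@{ Section = $section }
            continue
        }
        if ($line -match '^(?<key>[^=]+?)\s*=\s*(?<value>.*)$') {
            $key = $Matches.key.Trim(); $value = $Matches.value.Trim()
            if ($key -eq 'Id' -and $current.Contains('Id')) { # next block in same section
                $records += $current
                $current = [ordered]@{ Section = $section }
            }
            if ($current) { $current[$key] = $value }
        }
    }
    if ($current) { $records += $current }
    return $records | ForEach-Object { [pscustomobject]$_ }
}

function Get-NapClientStatus {
    # Pass -StateText to parse captured output offline; omit it to query netsh live.
    param([string[]]$StateText)

    $agent   = Get-Service -Name napagent -ErrorAction SilentlyContinue
    $running = ($null -ne $agent -and $agent.Status -eq 'Running')
    if (-not $running) {
        Write-Warning 'Network Access Protection Agent (napagent) is not running; no health state will be sent to NPS.'
    }

    if (-not $StateText) { $StateText = netsh nap client show state 2>$null }
    $records = ConvertFrom-NapStateText -Lines $StateText

    $client = $records | Where-Object Section -like 'Client state*'
    $ecs    = $records | Where-Object Section -like 'Enforcement client*'
    $shas   = $records | Where-Object Section -like 'System health agent*'

    [pscustomobject]@{
        AgentRunning         = $running
        RestrictionState     = $client.'Restriction state'
        EnforcementClientsOn = @($ecs  | Where-Object Initialized -eq 'Yes').Name
        HealthAgentsOn       = @($shas | Where-Object Initialized -eq 'Yes').Name
        HealthAgentsOff      = @($shas | Where-Object Initialized -ne 'Yes').Name
    }
}

# Constructed sample of the netsh output (not captured from the thread's lab);
# the numeric Ids are illustrative only.
$sample = @'
Client state:
----------------------------------------------------
Name                   = Network Access Protection Client
Status                 = Enabled
Restriction state      = Restricted access

Enforcement client state:
----------------------------------------------------
Id                     = 79618
Name                   = Remote Access Quarantine Enforcement Client
Initialized            = Yes

System health agent (SHA) state:
----------------------------------------------------
Id                     = 79744
Name                   = Windows Security Health Agent
Initialized            = No
'@ -split "`r?`n"

Get-NapClientStatus -StateText $sample | Format-List
```

On the constructed sample the report shows the VPN enforcement client initialized but the Windows Security Health Agent not, with the client in a restricted state: exactly the combination a client is in when it connects and is then told the SHA is not installed. Run `Get-NapClientStatus` without `-StateText` on the VPN client itself to see the live values; an empty `HealthAgentsOn` list means NPS has no health data to match against a Compliant or Non Compliant policy, whatever the server-side policies say.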