Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Controller Login via Windows NPS

  • 1.  Controller Login via Windows NPS

    Posted Feb 11, 2015 07:53 PM

    Hello All..

     

    Sorry...  So this is a windows problem, but there are some wicked smart guys on here and there is a 7210 involved so here goes.

     

    I have encountered a very aggravating problem with deploying an NPS server to handle hardware login. The controller is acting exactly as it should (communicating with the NPS). NPS is also behaving like it should (detailed logging). Nevertheless, auth keeps failing. The reason code I keep getting is 65. This indicates the user account in AD is set to deny access. Seems like an easy fix, right? When I finally get to view the account in question it is not set to "deny access"; it is in fact set to "allow RADIUS to grant access". Upon some further digging (Google) I discover the "ignore user dial-in properties" tick box, so NPS won't even check the access settings. This didn't resolve the problem.

     

    Next I discover the user is hitting one of the generic Windows policies. I have the configured policy at the top and the value is set to 1. The other policies aren't configured, so I'm not sure why it is triggering those policies. If I disable all policies except the one I configured I get a new error of no policy to handle the request.

    *The policy has all of the required groups added for authentication.

     

    Has anyone encountered anything similar? Since the error code is 100% incorrect I'm not sure where to look next.


    #7210


  • 2.  RE: Controller Login via Windows NPS

    Posted Feb 11, 2015 08:15 PM

    What is the authentication method and conditions you are using in your NPS policy  ?



  • 3.  RE: Controller Login via Windows NPS

    Posted Feb 11, 2015 09:21 PM

    Victor, conditions are very simple. If you are in the group you get access. We are using unencrypted PAP, SPAP.



  • 4.  RE: Controller Login via Windows NPS

    EMPLOYEE
    Posted Feb 11, 2015 09:44 PM

    Jamie E, you need to add a check for Nas-Port-Type of "Virtual" to your Admin login rule conditions, so that your admin login rule is not triggered by a regular wireless authentication.  Regular wireless authentication has a Nas Port Type of "Wireless".

    [image: virtual.png]



  • 5.  RE: Controller Login via Windows NPS

    Posted Feb 11, 2015 10:05 PM

     

     

    Any ideas on how to troubleshoot this without AD access? I can get access but it's not constant.

     

    Thanks.



  • 6.  RE: Controller Login via Windows NPS

    EMPLOYEE
    Posted Feb 11, 2015 10:08 PM

    Jamie E,

     

    I do not know, but strip the policy down to the bare essentials, like pap, your windows group and nas-port-type of virtual.  Put it all the way on top so it is hit first.



  • 7.  RE: Controller Login via Windows NPS

    Posted Feb 11, 2015 10:10 PM

    Thank you sir!!! 

     

    I'll give your suggestions a whirl and check back in.



  • 8.  RE: Controller Login via Windows NPS

    Posted Feb 11, 2015 10:54 PM

    First, don't try to decipher the Windows Event Viewer, as the events are confusing. Windows NPS authenticating hardware logon requires two policies:

    1. Connection request policy: the default is the generic "Use Windows authentication for all users". It is OK if you hit this policy.
    2. Network policies: you must hit this policy correctly. This is my working policy; as Colin mentioned, you need NAS port type Virtual (VPN) (more confusing!)

    [image: 1.png]

    The successful authentication log:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2/11/2015 2:16:11 AM
    Event ID:      6278
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      DC.lab.net
    Description:
    Network Policy Server granted full access to a user because the host met the defined health policy.
    
    User:
        Security ID:                    LAB\ngutri
        Account Name:                   ngutri
        Account Domain:                 LAB
        Fully Qualified Account Name:   lab.net/Users/Trinh Nguyen
    
    Client Machine:
        Security ID:                    NULL SID
        Account Name:                   -
        Fully Qualified Account Name:   -
        OS-Version:                     -
        Called Station Identifier:      000B866148D4
        Calling Station Identifier:     172.18.254.250
    
    NAS:
        NAS IPv4 Address:               172.18.31.246
        NAS IPv6 Address:               -
        NAS Identifier:                 -
        NAS Port-Type:                  Virtual
        NAS Port:                       0
    
    RADIUS Client:
        Client Friendly Name:           ARUBA-MASTER
        Client IP Address:              172.18.31.246
    
    Authentication Details:
        Connection Request Policy Name: Use Windows authentication for all users
        Network Policy Name:            SSH POLICY
        Authentication Provider:        Windows
        Authentication Server:          DC.lab.net
        Authentication Type:            MS-CHAPv2
        EAP Type:                       -
        Account Session Identifier:     -
    
    Quarantine Information:
        Result:                         Full Access
        Extended-Result:                -
        Session Identifier:             -
        Help URL:                       -
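The event above is the thing to read when an admin login fails, and the earlier question of how to troubleshoot this without AD access is answered by the Security log on the NPS box: events 6272/6278 (granted) and 6273 (denied) name the network policy that was hit, the NAS Port-Type the controller sent, and the reason code. The following is an added example, not code from the thread or from HPE Aruba: a small Python parser for the rendered text of those events plus a triage step that flags a non-Virtual request landing on the admin-login policy and a reject with no matching policy. The two sample events, the user `admin1`, the addresses and the policy name `SSH POLICY` are constructed for the example.

```python
from typing import Dict

# NPS reason codes referred to in this thread (values from the NPS
# reason-code reference; 48 is what "no policy to handle the request" is).
REASON_TEXT = {
    48: "the connection attempt did not match any network policy",
    65: "the user account's dial-in properties are set to deny access",
}

# Constructed sample events in the layout NPS writes to the Security log
# (message text of 6278 and 6273).  Not the thread's events: names, SIDs,
# addresses and the reason text are made up for this example.
GRANTED_SSH = """\
Network Policy Server granted full access to a user because the host met the defined health policy.

User:
\tSecurity ID:\t\t\tLAB\\admin1
\tAccount Name:\t\t\tadmin1
\tAccount Domain:\t\t\tLAB
Client Machine:
\tSecurity ID:\t\t\tNULL SID
\tCalling Station Identifier:\t\t172.18.254.250
NAS:
\tNAS IPv4 Address:\t\t172.18.31.246
\tNAS Port-Type:\t\t\tVirtual
\tNAS Port:\t\t\t0
RADIUS Client:
\tClient Friendly Name:\t\tARUBA-MASTER
Authentication Details:
\tConnection Request Policy Name:\tUse Windows authentication for all users
\tNetwork Policy Name:\t\tSSH POLICY
\tAuthentication Type:\t\tPAP
Quarantine Information:
\tResult:\t\t\t\tFull Access
"""

DENIED_WIRELESS = """\
Network Policy Server denied access to a user.

User:
\tSecurity ID:\t\t\tLAB\\admin1
\tAccount Name:\t\t\tadmin1
NAS:
\tNAS IPv4 Address:\t\t172.18.31.246
\tNAS Port-Type:\t\t\tWireless - IEEE 802.11
Authentication Details:
\tConnection Request Policy Name:\tUse Windows authentication for all users
\tNetwork Policy Name:\t\tSSH POLICY
\tAuthentication Type:\t\tPEAP
\tReason Code:\t\t\t65
\tReason:\t\t\t\tDial-in properties of the account deny access (constructed text).
"""


def parse_nps_message(message: str) -> Dict[str, Dict[str, str]]:
    """Parse the rendered message of an NPS audit event (IDs 6272/6273/6278)
    into {section: {field: value}}.  Section headers sit at column 0 and end
    with ':'; fields are tab-indented with tabs padding the value.  Keeping
    the section avoids the User / Client Machine 'Security ID' collision."""
    fields: Dict[str, Dict[str, str]] = {"_summary": {}}
    section = "_summary"
    for raw in message.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            line = raw.strip()
            if line.endswith(":"):          # "User:", "NAS:", ...
                section = line[:-1]
                fields.setdefault(section, {})
            else:                           # free-text summary line
                fields["_summary"]["text"] = line
            continue
        key, _, value = raw.strip().partition(":")
        fields.setdefault(section, {})[key.strip()] = value.strip()
    return fields


def triage(event_id: int, message: str, admin_policy: str) -> Dict[str, str]:
    """Summarise one event and flag the two misconfigurations from the thread:
    a non-Virtual (e.g. wireless) request being evaluated by the admin-login
    policy, and a reject that matched no network policy at all."""
    f = parse_nps_message(message)
    auth = f.get("Authentication Details", {})
    nas_type = f.get("NAS", {}).get("NAS Port-Type", "-")
    policy = auth.get("Network Policy Name", "-")
    code = auth.get("Reason Code", "")
    granted = event_id in (6272, 6278)

    if policy == admin_policy and nas_type != "Virtual":
        finding = (f"request with NAS Port-Type '{nas_type}' was evaluated by "
                   f"'{admin_policy}': add a NAS-Port-Type = Virtual condition "
                   "so only controller admin logins reach it")
    elif not granted and code == "48":
        finding = ("no network policy matched: re-check the admin policy's "
                   "NAS-Port-Type and Windows Groups conditions")
    elif not granted:
        finding = REASON_TEXT.get(int(code) if code.isdigit() else -1,
                                  f"reason code {code or '?'}: see NPS reason-code reference")
    else:
        finding = "ok"
    return {
        "result": "granted" if granted else "denied",
        "user": f.get("User", {}).get("Account Name", "-"),
        "policy": policy,
        "nas_port_type": nas_type,
        "reason_code": code or "-",
        "finding": finding,
    }


if __name__ == "__main__":
    for eid, msg in ((6278, GRANTED_SSH), (6273, DENIED_WIRELESS)):
        print(eid, triage(eid, msg, admin_policy="SSH POLICY"))
```

On a real NPS server the message text comes from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6272,6273,6278}` (the `.Message` property of each event); feed that text to `triage` with the event's `.Id` and your admin policy name.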

     



  • 9.  RE: Controller Login via Windows NPS

    Posted Feb 11, 2015 11:59 PM

    Just do exactly like cjoseph said 

    In the policy define the AD group you want to allow and the NAS identifier, which should match on the controller side as well

    [image: 2015-02-11 23_51_12-Chrome Remote Desktop.png]

    [image: 2015-02-11 23_54_33-Switch General Configuration.png]

     

    Ignore the tacacs ID i used :)

     



  • 10.  RE: Controller Login via Windows NPS

    Posted Feb 12, 2015 10:12 AM

    Thanks for all the help guys.

     

    It turned out to be a matter of "and" and "or". Each of the groups was added as an individual condition instead of as a single condition. I'm still not sure why the error code was so far off base.

     

    Again thanks for all of the help.
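The two points that resolved this thread, the NAS-Port-Type = Virtual condition from reply 4 and the "and"/"or" behaviour of Windows Groups conditions from reply 10, both come down to how NPS evaluates a network policy: conditions are ANDed, the groups listed inside one Windows Groups condition are ORed, and policies are tried in processing order with the first full match winning. The following is an added example, not code from the thread or from HPE Aruba or Microsoft: a Python model of that evaluation that reproduces both failure modes. The users, groups and the policy names `SSH POLICY` and `WLAN` are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Request:
    """What the controller sends NPS: who is authenticating and over what.
    A controller management login carries NAS-Port-Type = Virtual (5);
    a client on an SSID carries Wireless - IEEE 802.11 (19)."""
    user: str
    groups: Set[str]
    nas_port_type: str


@dataclass
class NetworkPolicy:
    """Simplified NPS network policy.  `group_conditions` holds one entry per
    'Windows Groups' condition.  Inside ONE condition the listed groups are
    ORed (member of any).  Separate conditions, like all NPS conditions, are
    ANDed, so two Windows Groups conditions require membership in both."""
    name: str
    group_conditions: List[Set[str]] = field(default_factory=list)
    nas_port_type: Optional[str] = None   # None = no NAS-Port-Type condition
    grant: bool = True

    def matches(self, req: Request) -> bool:
        if self.nas_port_type is not None and req.nas_port_type != self.nas_port_type:
            return False
        return all(req.groups & cond for cond in self.group_conditions)


def evaluate(policies: List[NetworkPolicy], req: Request) -> str:
    """NPS walks network policies in processing order and stops at the first
    whose conditions all match; no match at all is a reject (reason code 48)."""
    for p in policies:
        if p.matches(req):
            return f"{'GRANT' if p.grant else 'DENY'} via {p.name}"
    return "DENY: no network policy matched"


def scenarios() -> Dict[str, str]:
    """Constructed users, groups and policy names (not the thread's)."""
    admin_on_wifi = Request("admin1", {"Net-Admins", "Wi-Fi Users"}, "Wireless - IEEE 802.11")
    helpdesk_ssh = Request("hd1", {"Helpdesk"}, "Virtual")
    wifi_policy = NetworkPolicy("WLAN", [{"Wi-Fi Users"}], "Wireless - IEEE 802.11")

    # 1. Admin rule at the top with no NAS-Port-Type condition: an admin's
    #    ordinary Wi-Fi logon is caught by the admin rule before WLAN is tried.
    admin_no_nas = NetworkPolicy("SSH POLICY", [{"Net-Admins", "Helpdesk"}])
    # 2. Same rule with NAS-Port-Type = Virtual: the Wi-Fi logon falls through.
    admin_virtual = NetworkPolicy("SSH POLICY", [{"Net-Admins", "Helpdesk"}], "Virtual")
    # 3. The thread's root cause: each group as its own condition (ANDed), so a
    #    Helpdesk-only user matches nothing and NPS reports no matching policy.
    admin_anded = NetworkPolicy("SSH POLICY", [{"Net-Admins"}, {"Helpdesk"}], "Virtual")

    return {
        "admin wifi, no NAS-Port-Type": evaluate([admin_no_nas, wifi_policy], admin_on_wifi),
        "admin wifi, NAS-Port-Type=Virtual": evaluate([admin_virtual, wifi_policy], admin_on_wifi),
        "helpdesk ssh, groups ANDed": evaluate([admin_anded, wifi_policy], helpdesk_ssh),
        "helpdesk ssh, groups ORed": evaluate([admin_virtual, wifi_policy], helpdesk_ssh),
    }


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case:36} -> {outcome}")
```

The first two cases are reply 4's warning (an admin's wireless logon hits the admin rule unless it is pinned to NAS-Port-Type Virtual); the last two are reply 10's fix (one Windows Groups condition listing all admin groups, rather than one condition per group).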