Posts by Parm

NAP – How to connect workstations using Network Access Protection to a RADIUS server

Posted by on 31 May, 2015 in Cisco Meraki, Microsoft, Windows Server | 0 comments

Setup:

RADIUS server: Windows Server 2012 R2 Standard with NAP installed and configured.

Wireless: Cisco Meraki M32 wireless access points connected to an MX firewall.

Issue:

When clients connect to a wireless network using 802.11 or WPA2 Enterprise, they appear in the Event Viewer on the RADIUS server as Non-NAP Capable and are quarantined.

 

Event ID: 6276

Authentication Details:
  Connection Request Policy Name: NAP 802.1X (Wireless)
  Network Policy Name: NAP 802.1X (Wireless) Non NAP-Capable
  Authentication Provider: Windows
  Authentication Type: PEAP
  EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)

Quarantine Information:
  Result: Quarantined

 

Cause:

This occurs when the client is not set up correctly, causing it to be reported as Non-NAP Capable and matched to the quarantine policy.

Resolution:

A few settings need to be enabled on the client; most or all of the settings below can be pushed out by Group Policy.

1) Make sure the Network Access Protection service is running.

nap_01

 

2) Because there is a delay while the wireless network connects, the NAP service needs to start after the wireless service.

This can be done by opening the following key in the registry and making the change below:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WlanSvc

Update the DependOnService entry and add napagent.

The entry should look similar to the screenshot below. You will need to reboot the client for the registry change to take effect.

NOTE: The WCMSVC service shown below is only required for Windows 8 workstations.

nap_02

 

3) Enable the following setting under:

GPO Manager > Computer Configuration > Policies > Windows Settings > Security Settings > Network Access Protection > NAP Client Configuration > Enforcement Clients

 

nap_03

 

4) On the client machine, open Network and Sharing Center.

Select Change adapter settings > once connected to the wireless network, right-click the wireless connection > Status > Wireless Properties > Security tab > Settings > tick Enforce Network Access Protection > click OK on all open windows.

 

nap_04
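The following script is an added example and not part of the original post: it automates steps 1 and 2 on a client from an elevated PowerShell session, assuming the NAP Agent service name napagent and the WlanSvc registry key given above.

```powershell
# Added example, not from the original post. Run elevated on the client.
# Assumes the NAP Agent service is named 'napagent' and the WlanSvc key from the post.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WlanSvc'

# Step 1: make sure the NAP Agent service starts automatically and is running.
Set-Service -Name napagent -StartupType Automatic
if ((Get-Service -Name napagent).Status -ne 'Running') { Start-Service -Name napagent }

# Step 2: make WlanSvc depend on napagent so NAP is up before the wireless service.
# DependOnService is REG_MULTI_SZ: append to the existing list rather than overwrite it,
# otherwise WlanSvc loses its other dependencies (the post notes Windows 8 also lists WCMSVC).
$deps = @((Get-ItemProperty -Path $key -Name DependOnService).DependOnService)
if ($deps -notcontains 'napagent') {
    Set-ItemProperty -Path $key -Name DependOnService -Type MultiString -Value ($deps + 'napagent')
    Write-Output 'napagent added to WlanSvc DependOnService; reboot the client to apply.'
}

# Verify: show the dependency list and the NAP client state (enforcement clients enabled).
(Get-ItemProperty -Path $key -Name DependOnService).DependOnService
netsh nap client show state
```

After the reboot, a client that is still logged on the RADIUS server as Non NAP-Capable usually has the enforcement client (step 3) or the Enforce Network Access Protection tick box (step 4) missing rather than a service problem.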


VMware – Purple Screen (PSOD) Exception 14 in world

Posted by on 26 Apr, 2015 in Virtualisation, VMware | 0 comments

Problem:

ESXi hosts running version 5.1.0 (build 799733) purple screen with the error below:

2015-03-03T11:41:32.034Z cpu4:8196)@BlueScreen: #PF Exception 14 in world 8196:idle4 IP 0x41801699c3c6 addr 0x0
2015-03-03T11:41:32.034Z cpu4:8196)Code start: 0x418016800000 VMK uptime: 0:01:30:50.071
2015-03-03T11:41:32.035Z cpu4:8196)0x41220011b568:[0x41801699c3c6]E1000PollRxRing@vmkernel#nover+0xdb9 stack: 0x41220011b5c8
2015-03-03T11:41:32.035Z cpu4:8196)0x41220011b5d8:[0x41801699fdd3]E1000DevRx@vmkernel#nover+0x18a stack: 0x412200000000
2015-03-03T11:41:32.036Z cpu4:8196)0x41220011b678:[0x41801693cf40]IOChain_Resume@vmkernel#nover+0x247 stack: 0x310
2015-03-03T11:41:32.037Z cpu4:8196)0x41220011b6c8:[0x41801692c154]PortOutput@vmkernel#nover+0xe3 stack: 0x41000b215a00
2015-03-03T11:41:32.038Z cpu4:8196)0x41220011b728:[0x418016e3976f]EtherswitchForwardLeafPortsQuick@<None>#<None>+0xd6 stack: 0x360011b
2015-03-03T11:41:32.039Z cpu4:8196)0x41220011b928:[0x418016e3afd8]EtherswitchPortDispatch@<None>#<None>+0x13bb stack: 0x412200000018
2015-03-03T11:41:32.039Z cpu4:8196)0x41220011b998:[0x41801692b337]Port_InputResume@vmkernel#nover+0x146 stack: 0x41000b2d2b00
2015-03-03T11:41:32.040Z cpu4:8196)0x41220011b9e8:[0x41801692cab2]Port_Input_Committed@vmkernel#nover+0x29 stack: 0x10011ba68
2015-03-03T11:41:32.041Z cpu4:8196)0x41220011ba68:[0x41801696b541]Vmxnet3VMKDevTQDoTx@vmkernel#nover+0x2f8 stack: 0x41220011baf8
2015-03-03T11:41:32.042Z cpu4:8196)0x41220011bab8:[0x41801696c968]Vmxnet3VMKDev_AsyncTx@vmkernel#nover+0xd7 stack: 0x41220011baf8
2015-03-03T11:41:32.043Z cpu4:8196)0x41220011bb28:[0x4180169518a3]NetWorldletPerVMCB@vmkernel#nover+0xae stack: 0x418016a05d78
2015-03-03T11:41:32.044Z cpu4:8196)0x41220011bca8:[0x41801690af2b]WorldletProcessQueue@vmkernel#nover+0x486 stack: 0x41220011bd58
2015-03-03T11:41:32.045Z cpu4:8196)0x41220011bce8:[0x41801690b5a5]WorldletBHHandler@vmkernel#nover+0x60 stack: 0x10041220011bd68
2015-03-03T11:41:32.045Z cpu4:8196)0x41220011bd68:[0x4180168207fa]BH_Check@vmkernel#nover+0x185 stack: 0x41220011be68
2015-03-03T11:41:32.046Z cpu4:8196)0x41220011be68:[0x4180169bc9dc]CpuSchedIdleLoopInt@vmkernel#nover+0x13b stack: 0x41220011be98
2015-03-03T11:41:32.047Z cpu4:8196)0x41220011be78:[0x4180169c66ae]CpuSched_IdleLoop@vmkernel#nover+0x15 stack: 0x4
2015-03-03T11:41:32.048Z cpu4:8196)0x41220011be98:[0x41801684f6ce]Init_SlaveIdle@vmkernel#nover+0x49 stack: 0x0
2015-03-03T11:41:32.048Z cpu4:8196)0x41220011bfe8:[0x418016ae1f86]SMPSlaveIdle@vmkernel#nover+0x31d stack: 0x0
2015-03-03T11:41:32.051Z cpu4:8196)base fs=0x0 gs=0x418041000000 Kgs=0x0

 

 

Cause:

This is down to VMs having either the E1000 or the E1000E network adapter (note the E1000PollRxRing frame at the top of the backtrace). The error can occur when:

  • creating multiple VMs with E1000/E1000E network adapters
  • vMotioning these VMs from host to host
  • upgrading VMware Tools

 

Solution:

  • Upgrade to ESXi 5.1 Update 2 or later.
  • As a workaround, follow the steps below:
    1. Install vSphere PowerCLI.
    2. Connect to vCenter:

Connect-VIServer (Server IP address/Hostname)

e.g.

Connect-VIServer vCenter01.domain.com

    3. Run the command (the -like match works because the ExtensionData object's type name contains the adapter model, e.g. VirtualE1000):

ForEach( $VM in (Get-VM) ) { $VM|Where{ $VM|Get-NetworkAdapter|Where{ $_.ExtensionData -like "*e1000*" } } }

    4. This lists the VMs containing those network adapters. Remove the network adapters from these VMs and replace them with VMXNET3 network adapters.
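As an added example (not the post's own command), the PowerCLI script below covers steps 2 to 4 in one pass: it reports every E1000/E1000E adapter per VM and, if the commented block is enabled, swaps each one for VMXNET3. It assumes the vCenter name vCenter01.domain.com used above.

```powershell
# Added example, not from the original post. Assumes PowerCLI is installed and
# vCenter01.domain.com is the vCenter used in the post.
Connect-VIServer -Server vCenter01.domain.com

# Get-NetworkAdapter exposes the adapter model in .Type (e1000, e1000e, Vmxnet3, ...),
# which is a clearer test than matching on the ExtensionData object's type name.
$affected = foreach ($vm in Get-VM) {
    foreach ($nic in ($vm | Get-NetworkAdapter)) {
        if ($nic.Type -like 'e1000*') {
            [pscustomobject]@{
                VM         = $vm.Name
                PowerState = $vm.PowerState
                Adapter    = $nic.Name
                Type       = $nic.Type
                Network    = $nic.NetworkName
            }
        }
    }
}
$affected | Sort-Object VM | Format-Table -AutoSize

# Replacement (step 4). Set-NetworkAdapter -Type changes the adapter model in place
# and keeps the port group. Do this in a maintenance window: the guest needs the
# VMware Tools vmxnet3 driver, and a static IP set in the guest may need to be
# re-entered on the new adapter. Uncomment to apply:
# $affected | ForEach-Object {
#     Get-VM -Name $_.VM | Get-NetworkAdapter -Name $_.Adapter |
#         Set-NetworkAdapter -Type Vmxnet3 -Confirm:$false
# }
```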

 

 


Office 365 – Emails marked as private are not appearing in a shared mailbox

Posted by on 9 Mar, 2015 in Microsoft, Office 365 | 2 comments

Setup:

Exchange 2010 and Office 365 hybrid deployment with multiple shared mailboxes in Office 365.

Problem:

We have a shared mailbox used by a number of users. If anyone, internally or externally, sends an email marked as private to that shared mailbox, it does not appear in the inbox; you just see an unread count next to the inbox.

Solution:

If this were a normal mailbox, all you would need to do is log into the mailbox and delegate permissions for it to the users who need access to the private emails. For a shared mailbox the user account is disabled, so this is not possible.

The way round this problem is:

1) Convert the mailbox to a user mailbox in Office 365.

Log in as an admin on the Office 365 portal > Select Exchange > Mailboxes > Shared Mailboxes > Select the mailbox > Select Convert under Convert to regular mailbox.

This will bring up the message below. Click OK.

shared_mbx_private

2) Assign a licence and reset the user's password.

Log in as an admin on the Office 365 portal > Select Users > Active Users > Search for the mailbox > Select Reset Password and assign a licence on the right-hand side.

3) Log into the web portal with the temporary password created in step 2 and reset it to a password of your choice.

4) Create a new Outlook profile using this mailbox's details and log into Outlook.

5) Assign permissions to the groups/users that need access to the private emails.

Outlook > File > Account Settings > Delegate Access > Add > Select the users/distribution groups > Assign the permissions you require and make sure you select Delegate can see my private emails.

shared_mbx_private2

6) You can then remove the Office 365 licence and convert the mailbox back to a shared mailbox in the admin portal.

Users will now be able to see the private emails sent to the shared mailbox.


Websense Cloud Security – Users stopped appearing in reports

Posted by on 24 Feb, 2015 in Security, Websense | 1 comment

Setup:

  • Websense Cloud Security installed and configured
  • Websense endpoint installed on users' machines
  • Users and groups synced from Active Directory using DirSyncClient (DSC)

Problem:

Users stopped appearing in the Websense reports catalogue, and if you run any reports from the report builder they do not appear in the results.

Solution:

Log into the TRITON portal. Select Account > End Users > search for all users ending with nosuchdomain.autoregistration.proxy. Delete all users ending with nosuchdomain and run another DSC sync to make sure no more nosuchdomain users appear. Wait about 10-15 minutes and the users should start appearing in the reports.


Microsoft – Licencing

Posted by on 18 Feb, 2015 in Licencing, Microsoft | 0 comments

We were audited last year by Microsoft as we were on the Software Assurance (SA) program and our 3-year agreement was coming to an end. Speaking to a Microsoft licensing specialist during the audit, I found out some interesting information about licensing Microsoft software. Some of it I already knew; some I did not. This post may be useful if you are being audited or looking to purchase software. Only some of the information below was relevant to the company I work for, but I thought I would add everything I found out as it may help someone in the future.

 

Physical/Virtual Server Licences

If you purchase a server licence (e.g. a Server 2012 Standard Open/SA licence), most people know that you are licensed to install the operating system on a physical server with up to 2 CPUs. You can also use that licence on a virtual platform such as VMware to create two virtual servers (on the same host).

VDA Licences

If you are on the Software Assurance program and have purchased the Microsoft Professional Desktop Platform (which includes OS, Office and the Core CAL suite), this also licenses you to run a virtual instance of the Windows desktop OS at no additional charge, as being on the SA program includes a VDI licence. Once the SA finishes and you do not renew your SA subscription, you either have to remove the virtual desktop images or pay for a VDI licence for every physical desktop/user that wants to connect to the virtual instance. So if you have 20 users that may connect to a single virtual Windows 8 VM now and again, you need to buy 20 VDI licences, which are quite expensive (about £90 per user/device per year).

Virtual Servers with Multiple Hosts and Shared Storage

This is one of the most interesting bits of information I got from the Microsoft licensing specialist. Let's say you have 2 hosts with shared storage and 5 Server 2008/2012 VMs running on each host. With SA you are allowed to move the VMs (i.e. vMotion/HA failover) as many times as you like. You also need to licence the VM for each host. For example, if you have 2 hosts and you purchase a Server 2008/2012 licence, the licence allows you 2 VM instances. But you need to licence the VM for each host, as you can move the VM from host to host; so where you could have 2 VMs running on a single host, if you have 2 hosts with shared storage you can only have a single VM with the 2 VM licences (one licence per host).

If you terminate your SA subscription, or you don't have SA and you purchase Open licences, then you can only move a VM from one host to another every 90 days. So if a host fails and the HA failover kicks in, you will have 10 VMs running on a single host. When the failed host is repaired you are not allowed to move the VMs back until the 90 days have passed! You could move them back and Microsoft would not know unless they asked for your hypervisor log files. However, if you want to make sure you are covered, the way to go is to purchase Windows Server Datacenter edition for each host. This is because the Datacenter edition allows you to run as many VMs as you like on each host and, according to the specialist I spoke to, is not affected by the 90-day limit.

 

SharePoint – On premise

Before moving to Office 365 we were trialling SharePoint internally. What I found was that if you are going to host SharePoint yourselves internally, you need to be aware that you will need a SQL CAL for each user that will be using SharePoint, as well as a SharePoint CAL.

Terminal Server CALs

If you have a Terminal Server, Terminal Server CALs are required for every user that will use the terminal server. So if you have 50 employees and a single terminal server which they may log into now and again, but only about 5 users will ever be on the server at the same time, you still need to purchase 50 CALs.

Conclusion

This post only covers a tiny bit of the very large world of Microsoft licensing, so it does not cover everything about licensing and all the benefits of an SA subscription. However, if you are taking part in a SAM audit or looking at not renewing your SA subscription, it may help in your decision.

As Microsoft licences are constantly changing, make sure you check with a licensing specialist about what you require before purchasing/renewing any licences, as the above may be incorrect at the time of reading.

 

Useful Links:

Core CAL Suite
http://www.microsoft.com/licensing/about-licensing/briefs/cal-suites.aspx

VDA
http://searchvirtualdesktop.techtarget.com/feature/Demystifying-Microsoft-virtual-desktop-licensing-SA-vs-VDA-vs-CDL

Software Assurance
http://www.microsoft.com/en-gb/licensing/software-assurance/default.aspx
http://www.microsoft.com/licensing/software-assurance/by-benefits.aspx