NAP – How to connect workstations using Network Access Protection to a RADIUS server
Setup:
RADIUS Server – Windows Server 2012 R2 Standard with NAP (Network Policy Server) installed and configured
Wireless – Cisco Meraki M32 wireless access points connected to an MX firewall.
Issue:
When clients connect to a wireless network using 802.1X (WPA2-Enterprise) they show in the Event Viewer on the RADIUS server as Non NAP-Capable and are quarantined.
Event ID: 6276 (Network Policy Server quarantined a user)
Authentication Details:
Connection Request Policy Name: NAP 802.1X (Wireless)
Network Policy Name: NAP 802.1X (Wireless) Non NAP-Capable
Authentication Provider: Windows
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Quarantine Information:
Result: Quarantined
Cause:
This occurs when the client is not set up correctly: if the NAP agent is not running, the EAP enforcement client is not enabled, or the wireless profile does not enforce NAP, the client never sends a statement of health during PEAP authentication, so NPS treats it as Non NAP-Capable and applies the quarantine policy.
Resolution:
There are a few settings that need to be enabled on the client; most, if not all, of the settings below can be pushed out by Group Policy.
1) Make sure the Network Access Protection Agent service (napagent) is running and set to start automatically.
2) The wireless connection can come up before the NAP agent has started, in which case the client authenticates without a statement of health. Make the wireless service depend on the NAP agent so the agent is already running when the wireless connection is established.
This is done by editing the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WlanSvc
Add napagent to the DependOnService (multi-string) value, keeping the existing entries.
The entry should look similar to the below. You will need to reboot the client for the registry change to take effect.
NOTE: The service WCMSVC below is only required for Windows 8 workstations.
3) Enable the EAP Quarantine Enforcement Client in:
GPO Manager > Computer Configuration > Policies > Windows Settings > Security Settings > Network Access Protection > NAP Client Configuration > Enforcement Clients
4) On the client machine go to Network and Sharing Center
Select Change adapter settings > right-click the wireless connection (once connected to the wireless network) > Status > Wireless Properties > Security tab > Settings > tick Enforce Network Access Protection > click OK on all open windows.
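The four steps above, audited and applied from an elevated PowerShell session on the workstation. This is an added example, not a script from the original post; it assumes the service name napagent, the EAP Quarantine Enforcement Client ID 79623 for the netsh command, the EnableQuarantineChecks element in the exported PEAP profile XML as the marker for the "Enforce Network Access Protection" checkbox, and a placeholder wireless profile name.

```powershell
# Added example (not from the original post): audit and fix the NAP client prerequisites
# from steps 1 to 4. Run elevated on the workstation.
# Assumptions: service name 'napagent', enforcement client ID 79623 (EAP Quarantine
# Enforcement Client), the 'EnableQuarantineChecks' element in the exported PEAP profile,
# and the profile name below (placeholder, change it to your SSID/profile).
$ProfileName = 'CorpWiFi'

# Step 1: NAP agent must start automatically and be running
$nap = Get-Service -Name napagent
if ($nap.StartType -ne 'Automatic') { Set-Service -Name napagent -StartupType Automatic }
if ($nap.Status -ne 'Running')      { Start-Service -Name napagent }

# Step 2: make WlanSvc depend on napagent so the agent is up before the wireless link.
# DependOnService is a multi-string value; keep whatever is already listed.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\WlanSvc'
$deps = @((Get-ItemProperty -Path $key -Name DependOnService).DependOnService)
$changed = $false
if ($deps -notcontains 'napagent') { $deps += 'napagent'; $changed = $true }
# Windows 8 (version 6.2) also needs WcmSvc in the list, per the post
$osVersion = (Get-CimInstance Win32_OperatingSystem).Version
if ($osVersion -like '6.2*' -and $deps -notcontains 'WcmSvc') { $deps += 'WcmSvc'; $changed = $true }
if ($changed) {
    Set-ItemProperty -Path $key -Name DependOnService -Value $deps -Type MultiString
}

# Step 3: enable the EAP Quarantine Enforcement Client locally (the GPO in step 3 does the same centrally)
netsh nap client set enforcement ID="79623" ADMIN="ENABLE" | Out-Null
netsh nap client show state

# Step 4: confirm the wireless profile enforces NAP by exporting it and checking the PEAP settings
$exportDir = Join-Path $env:TEMP 'wlanprofile'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
netsh wlan export profile name="$ProfileName" folder="$exportDir" | Out-Null
$profileXml = Get-ChildItem -Path $exportDir -Filter '*.xml' |
    Select-Object -First 1 | Get-Content -Raw
if ($profileXml -match '<EnableQuarantineChecks>true</EnableQuarantineChecks>') {
    "Profile $ProfileName enforces NAP"
} else {
    "Profile $ProfileName does NOT enforce NAP: tick 'Enforce Network Access Protection' in the PEAP settings (step 4)"
}
if ($changed) { 'DependOnService changed: reboot the client for it to take effect' }
```

After a reboot, a client that passes all four checks should be matched by the NAP-capable network policy on the NPS server instead of the "Non NAP-Capable" policy shown in event 6276; if it still lands in the Non NAP-Capable policy, look at the EAP type in the event (it must be PEAP, since NAP enforcement for 802.1X is carried inside PEAP).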
Office 365 – Emails marked as private are not appearing in a shared mailbox
Setup:
Exchange 2010 and Office 365 hybrid deployment with multiple shared mailboxes in Office 365
Problem:
We have a shared mailbox used by a number of users. If anyone, internally or externally, sends an email marked as private to that shared mailbox it does not appear in the Inbox; you just see the unread count next to the Inbox go up.
Solution:
If this were a normal mailbox, all you would need to do is log into the mailbox and delegate permissions for it to the users who need access to the private emails, ticking the option that lets the delegate see private items. A shared mailbox's user account is disabled, so you cannot log into it to do this.
The way round this problem is:
1) Convert the shared mailbox to a user mailbox in Office 365
Log in as an admin on the Office 365 portal > Select Exchange > Mailboxes > Shared Mailboxes > Select the mailbox > Select Convert under "Convert to regular mailbox"
This will bring up the message below. Click OK.
2) Assign a licence and reset the user's password
Log in as an admin on the Office 365 portal > Select Users > Active Users > Search for the mailbox > Select Reset Password and assign a licence on the right-hand side
3) Log into the web portal with the temporary password created in step 2 above and reset with a password of your choice
4) Create a new Outlook profile using this mailbox's details and log into Outlook.
5) Assign permissions to the groups/users that need to have access to the private emails
Outlook > File > Account Settings > Delegate Access > Add > Select the users/distribution groups > Assign the permissions you require and make sure you tick "Delegate can see my private items".
6) You can then remove the Office 365 licence and convert the mailbox back to a shared mailbox in the admin portal.
Users will now be able to see the private emails sent to the shared mailbox.
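Steps 1, 2 and 6 of the procedure above can be scripted from an Exchange Online PowerShell session instead of clicking through the portal; step 5 (the delegate setting) still has to be done in Outlook while logged in as the mailbox. This is an added example, not part of the original post. It uses the legacy MSOnline module for the licence and password steps (current tenants would use Microsoft Graph instead), and the mailbox address, usage location and licence SKU are placeholders.

```powershell
# Added example (not from the original post): steps 1, 2 and 6 scripted. Requires an
# Exchange Online session and the MSOnline module (Connect-MsolService already run).
# Assumptions: placeholder mailbox address, usage location and licence SKU below.
$Mailbox       = 'shared-helpdesk@example.com'   # assumed shared mailbox
$UsageLocation = 'GB'                            # assumed; must be set before a licence is assigned
$Sku           = 'contoso:ENTERPRISEPACK'        # assumed; list real SKUs with Get-MsolAccountSku

# Step 1: convert the shared mailbox to a regular (user) mailbox
Set-Mailbox -Identity $Mailbox -Type Regular

# Step 2: assign a licence and set a temporary password so you can log in as the mailbox.
# Set-MsolUserPassword returns the generated password when -NewPassword is not supplied.
Set-MsolUser -UserPrincipalName $Mailbox -UsageLocation $UsageLocation
Set-MsolUserLicense -UserPrincipalName $Mailbox -AddLicenses $Sku
$tempPassword = Set-MsolUserPassword -UserPrincipalName $Mailbox -ForceChangePassword $true
"Temporary password for $Mailbox : $tempPassword"

# Steps 3 to 5 are done in the web portal and Outlook as described in the post:
# log in with the temporary password, set up an Outlook profile, then File > Account Settings >
# Delegate Access and tick 'Delegate can see my private items' for the users who need it.
Read-Host -Prompt 'Press Enter once the delegate permissions have been set in Outlook'

# Step 6: remove the licence and convert back to a shared mailbox
Set-MsolUserLicense -UserPrincipalName $Mailbox -RemoveLicenses $Sku
Set-Mailbox -Identity $Mailbox -Type Shared

# Verify the end state: the mailbox should be a SharedMailbox again with no licence
(Get-Mailbox -Identity $Mailbox).RecipientTypeDetails
(Get-MsolUser -UserPrincipalName $Mailbox).IsLicensed
```

The temporary password is printed to the console here purely so the admin can log in for steps 3 to 5; clear the console afterwards, and reset the password again before converting back if anyone else saw it, since the shared mailbox's account is disabled but the password still exists.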
Microsoft – Licencing
We were audited last year by Microsoft as we were on the Software Assurance (SA) program and our 3-year agreement was coming to an end. Speaking to a Microsoft licensing specialist during the audit, I found out some interesting information about licensing Microsoft software; some of it I already knew, some I did not. This post may be useful if you are being audited or looking to purchase software. Only some of the information below was relevant to the company I work for, but I thought I would add everything I found out as it may help someone in the future.
Physical/Virtual Server Licences
If you purchase a server licence (e.g. a Server 2012 Standard Open/SA licence), most people know that you are licensed to install the operating system on a physical server with up to 2 CPUs. You can also use that licence on a virtual platform such as VMware to create two virtual servers (on the same host).
VDA Licences
If you are on the Software Assurance program and have purchased the Microsoft Professional Desktop Platform (which includes the OS, Office and the Core CAL suite), this also licenses you to run a virtual instance of the Windows desktop OS at no additional charge, as being on the SA program includes a VDI licence. Once the SA finishes and you do not renew your SA subscription, you either have to remove the virtual desktop images or pay for a VDI licence for every physical desktop/user that wants to connect to the virtual instance. So if you have 20 users who may connect to a single virtual Windows 8 VM now and again, you need to buy 20 VDI licences, which are quite expensive (about £90 per user/device per year).
Virtual Servers with Multiple Hosts and Shared Storage
This is one of the most interesting bits of information I got from the Microsoft licensing specialist. Let's say you have 2 hosts with shared storage and 5 Server 2008/2012 VMs running on each host. With SA you are allowed to move the VMs (i.e. vMotion/HA failover) as many times as you like. But you also need to license the VMs for each host they can run on. For example, if you have 2 hosts and purchase one Server 2008/2012 licence, that licence allows you 2 VM instances; because a VM can move from host to host, you need to license it on each host. So where a single host could run 2 VMs on that licence, with 2 hosts and shared storage you can only run a single VM on the 2 VM licences (one licence per host).
If you terminate your SA subscription, or you don't have SA and you purchase Open licences, then you can only move a VM from one host to another every 90 days. So if a host fails and the HA failover kicks in, you will have 10 VMs running on a single host, and when the failed host is repaired you are not allowed to move the VMs back until the 90 days have passed! You could move them back and Microsoft would not know unless they asked for your hypervisor log files. However, if you want to make sure you are covered, the way to go is to purchase Windows Server Datacenter edition for each host. This is because the Datacenter edition allows you to run as many VMs as you like on each host and, according to the specialist I spoke to, is not affected by the 90-day limit.
SharePoint – On premise
Before moving to Office 365 we were trialling SharePoint internally. What I found was that if you are going to host SharePoint yourselves internally, you need to be aware that you will need a SQL CAL for each user who will be using SharePoint as well as a SharePoint CAL.
Terminal Server CAL’s
If you have a Terminal Server then Terminal Server CALs are required for every user who will use it. So if you have 50 employees and a single terminal server which they may log into now and again, but only about 5 users will ever be on the server at the same time, you still need to purchase 50 CALs.
Conclusion
This post only covers a tiny bit of the very large world of Microsoft licensing, so it does not cover everything about licensing or all the benefits of an SA subscription. However, if you are taking part in a SAM audit or looking at not renewing your SA subscription, it may help in your decision.
As Microsoft licensing is constantly changing, make sure you check with a licensing specialist about what you require before purchasing or renewing any licences, as the above may be incorrect by the time you read it.
Useful Links:
Core Cal Suite
http://www.microsoft.com/licensing/about-licensing/briefs/cal-suites.aspx
VDA
Software Assurance
http://www.microsoft.com/en-gb/licensing/software-assurance/default.aspx
http://www.microsoft.com/licensing/software-assurance/by-benefits.aspx
Office 365 – Fast Track Network Analysis (EMEA) Connectivity/Bandwidth tester
If you are having issues connecting to Office 365 services from your office, I recommend running the following tool to test your connectivity. It is quite a thorough test:
http://em1-fasttrack.cloudapp.net/o365nwtest
- The first check is a port test to see whether the following ports are open:
  - SMTP (TCP 25)
  - HTTP (TCP 80)
  - HTTPS (TCP 443)
  - IMAP (TCP 993)
  - POP (TCP 995)
  - STUN (UDP 3478)
  - Lync push (TCP 5223)
  - RTP audio (UDP 50000-50019)
  - RTP video (UDP 50020-50039)
  - Lync file transfer (TCP 50040-50059)
- The second test is a route (hop) test.
- The third test is a speed test.
- VoIP test: jitter and packet loss.
- Capacity test: the number of packets the upload/download can handle without packet loss.
- Round trip time.
- Packet loss.
- The next three tabs show the data in graphical, summary and advanced form. If you click the Summary tab and select "Test audit report", this brings up a URL you can copy and use later to retrieve the results of this report.
- A high consistency of service (80%+) is needed to make sure you do not get Outlook connection dropouts.
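For a quick local check of the TCP part of that port list before running the full tool (for example from a remote site where the browser-based test is blocked), the loop below uses Test-NetConnection, which is built into Windows 8 / Server 2012 and later. This is an added example and not part of the original post or the Fast Track tool; the target host is a placeholder and should be the Office 365 endpoint you are actually troubleshooting.

```powershell
# Added example (not from the original post): probe the TCP ports from the Fast Track list
# against one endpoint and report whether each connects, plus the ICMP round trip where allowed.
# Assumption: $Target is a placeholder; substitute the endpoint you are troubleshooting.
$Target = 'outlook.office365.com'

$tcpPorts = @(
    @{ Service = 'SMTP';      Port = 25   },
    @{ Service = 'HTTP';      Port = 80   },
    @{ Service = 'HTTPS';     Port = 443  },
    @{ Service = 'IMAP';      Port = 993  },
    @{ Service = 'POP';       Port = 995  },
    @{ Service = 'Lync push'; Port = 5223 }
)

$results = foreach ($p in $tcpPorts) {
    # -WarningAction hides the "TCP connect failed" warning; the result object still records it
    $t = Test-NetConnection -ComputerName $Target -Port $p.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service  = $p.Service
        Port     = $p.Port
        Open     = $t.TcpTestSucceeded
        RemoteIP = $t.RemoteAddress
        RttMs    = if ($t.PingSucceeded) { $t.PingReplyDetails.RoundtripTime } else { $null }
    }
}
$results | Format-Table -AutoSize

# Summarise: anything closed here will fail the first check in the Fast Track tool too
$closed = $results | Where-Object { -not $_.Open }
if ($closed) { "Blocked: " + (($closed | ForEach-Object { "$($_.Service)/$($_.Port)" }) -join ', ') }
else         { "All listed TCP ports reach $Target" }
```

The UDP entries (STUN 3478 and the RTP ranges) and the high TCP file-transfer range are not covered by this loop: a closed UDP port produces no reply, so a simple connect test cannot tell "open" from "dropped", and the Fast Track tool's own agent is the right way to exercise those.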
Office 365 – Azure Active Directory Sync Tool (password changes)
If you are using Office 365 you may be using the Azure Active Directory Sync Tool (DirSync) to sync your Active Directory to Office 365.
You are probably aware that by default DirSync runs every three hours. I have seen various websites showing how to change the default setting in the config file (Microsoft.Online.DirSync.Scheduler) to make the sync happen faster, the main reason being to get changes across sooner. I have found that this is not necessary for password changes, as the DirSync tool syncs passwords in the background within about 3 minutes. It won't sync other AD changes such as a change of name on that schedule, but it will sync the password in the background.
The details of the sync can be found in the Event Viewer by searching for event ID 656, which is the password sync request. You will see a timestamp a couple of minutes after the password is reset.
There are various event IDs that you can search for regarding the sync; the list is on the Microsoft site (http://support.microsoft.com/kb/2855271).
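To see that background password sync happening without clicking through the Event Viewer, the query below pulls the relevant events from the Application log on the DirSync server and pairs each request with the result that follows it. This is an added example, not part of the original post. The provider name "Directory Synchronization" and the result event ID 657 are assumptions taken from the linked KB article rather than from the post itself; adjust them if your DirSync version logs under a different source.

```powershell
# Added example (not from the original post): list DirSync password-sync events from the
# last 24 hours and show the delay between each request (656) and the next result (657).
# Assumptions: provider name 'Directory Synchronization' and result ID 657 are from the
# linked KB, not the post; change them if your version logs differently.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = 656, 657
    StartTime    = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

if (-not $events) { 'No password sync events in the last 24 hours'; return }

# Walk the events in time order: each 656 opens a request, the next 657 closes it
$pending = $null
$report = foreach ($e in $events) {
    if ($e.Id -eq 656) {
        $pending = $e
        continue
    }
    if ($e.Id -eq 657 -and $pending) {
        [pscustomobject]@{
            Requested = $pending.TimeCreated
            Completed = $e.TimeCreated
            LagSec    = [int]($e.TimeCreated - $pending.TimeCreated).TotalSeconds
            Result    = ($e.Message -split "`n")[0]   # first line of the result message
        }
        $pending = $null
    }
}
$report | Format-Table -AutoSize

# A request with no result yet is worth flagging: the agent may be stopped or unable to reach Azure AD
if ($pending) { "Password change request at $($pending.TimeCreated) has no result event yet" }
```

If the lag column is consistently a few minutes, the background password sync is working as the post describes and there is no need to shorten the three-hour scheduler interval for password changes alone.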
Office 365 – Azure Active Directory Sync Tool (Synchronisation Service Manager)
You can monitor the status of previous syncs, and see what information the Azure Active Directory Sync tool has synced, using the Synchronization Service Manager. By default you can find this application in the following folder:
C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
When running the application you will see the screen looking like this:
You can see the previous syncs and the details of what information was synced by double-clicking the relevant run and selecting the relevant export statistics in the bottom left-hand corner.