NAP – How to connect workstations using Network Access Protection to a RADIUS server
Setup:
Radius Server – Windows server 2012 R2 Standard with NAP installed and configured
Wireless – Cisco Meraki M32 Wireless Access Points connected to a MX firewall.
Issue:
When Clients are connecting to a Wireless network using 802.11 or WPA2 Enterprise they are showing in the event viewer on the radius server as Non-NAP Capable and quarantined.
Event ID: 6276
Authentication Details:
Connection Request Policy Name: NAP 802.1X (Wireless)
Network Policy Name: NAP 802.1X (Wireless) Non NAP-Capable
Authentication Provider: Windows
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Quarantine Information:
Result: Quarantined
Cause:
This occurs if the client is not setup correctly causing them to show as Non-NAP Capable.
Resolution:
There are a few Settings that need to be enabled on the client and most/all of the settings below can be pushed out by a group policy.
1) Make Sure the Network Access Protection Service is running
2) As there is a delay when the wireless network connects you need to start the NAP service after the wireless.
This can be done by going to the following entry in the registry and making the change below:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WlanSvc
Update the DependOnService entry and add napagent.
The entry should look similar to the below. You will need to reboot the client for the registry change to take effect.
NOTE: The service WCMSVC below is only required for Windows 8 workstations.
3) Enable the Following Setting in:
GPO Manager > Computer Configuration > Policies > Windows Settings > Security Settings > Network Access Protection > NAP Client Configuration > Enforcement Clients
4) On the Client Machine go to Network and Sharing
Select adaptor settings > Right click the Wireless connection once connected to the wireless connection > Select Status > Wireless Properties > Security Tab > Settings > Select Enforce Network Access Protection > Select OK on all open windows.
Office 365 Updates
- Office Deployment ToolThe Office Deployment Tool (ODT) is a command-line tool that you can use to download and deploy Click-to-Run versions of Office, such as Office 365 ProPlus, to your client computers.
- Identity and Device Protection for Office 365Get an overview of recommended capabilities for protecting identities and devices that access Office 365, other SaaS services, and on-premises applications published with Azure AD Application Proxy.
- Legal Landing Page for Microsoft Dynamics 365 Business CentralMicrosoft Dynamics 365 Business Central service terms: https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx
Microsoft Security Updates
- Security Update For Exchange Server 2013 CU20 (KB4340731)Security Update For Exchange Server 2013 CU20 (KB4340731)
- Security Update For Exchange Server 2016 CU9 (KB4340731)Security Update For Exchange Server 2016 CU9 (KB4340731)
- Security Update For Exchange Server 2013 CU21 (KB4340731)Security Update For Exchange Server 2013 CU21 (KB4340731)
- Security Update For Exchange Server 2016 CU10 (KB4340731)Security Update For Exchange Server 2016 CU10 (KB4340731)
- Update Rollup 23 For Exchange 2010 SP3 (KB4340733)Update Rollup 23 For Exchange 2010 SP3 (KB4340733)
Cisco Security Advisories
- CPU Side-Channel Information Disclosure Vulnerabilities: August 2018On August 14th, 2018, three vulnerabilities were disclosed by Intel and security researchers that leverage a speculative execution side-channel method referred to as L1 Terminal Fault (L1TF) that affects modern Intel microprocessors. These vulnerabilities could allow an unprivileged, local attacker, in specific circumstances, to read privileged memory belonging to other processes. The first vulnerability, CVE-2018-3615, […]
- Cisco IP Phone 7800 Series and 8800 Series and Cisco Wireless IP Phone 8821 Denial of Service VulnerabilityA vulnerability in the Session Initiation Protocol (SIP) call-handling functionality of Cisco IP Phone 7800 Series, IP Phone 8800 Series, and Wireless IP Phone 8821 could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected phone. The vulnerability is due to incomplete input validation of SIP Session Description Protocol (SDP) parameters […]
- Vulnerability in Linux Kernel Affecting Cisco Products: October 2016On October 19, 2016, a new vulnerability related to a race condition in the memory manager of the Linux Kernel was disclosed. This vulnerability could allow unprivileged, local users to gain write access to otherwise read-only memory mappings to increase their privileges on the system. Cisco has released software updates that address this vulnerability. For […]
- Cisco Adaptive Security Appliance Web Services Denial of Service VulnerabilityA vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive […]
Recent Comments