NAP – How to connect workstations using Network Access Protection to a RADIUS server
Setup:
Radius Server – Windows server 2012 R2 Standard with NAP installed and configured
Wireless – Cisco Meraki M32 Wireless Access Points connected to a MX firewall.
Issue:
When Clients are connecting to a Wireless network using 802.11 or WPA2 Enterprise they are showing in the event viewer on the radius server as Non-NAP Capable and quarantined.
Event ID: 6276
Authentication Details:
Connection Request Policy Name: NAP 802.1X (Wireless)
Network Policy Name: NAP 802.1X (Wireless) Non NAP-Capable
Authentication Provider: Windows
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Quarantine Information:
Result: Quarantined
Cause:
This occurs if the client is not setup correctly causing them to show as Non-NAP Capable.
Resolution:
There are a few Settings that need to be enabled on the client and most/all of the settings below can be pushed out by a group policy.
1) Make Sure the Network Access Protection Service is running
2) As there is a delay when the wireless network connects you need to start the NAP service after the wireless.
This can be done by going to the following entry in the registry and making the change below:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WlanSvc
Update the DependOnService entry and add napagent.
The entry should look similar to the below. You will need to reboot the client for the registry change to take effect.
NOTE: The service WCMSVC below is only required for Windows 8 workstations.
3) Enable the Following Setting in:
GPO Manager > Computer Configuration > Policies > Windows Settings > Security Settings > Network Access Protection > NAP Client Configuration > Enforcement Clients
4) On the Client Machine go to Network and Sharing
Select adaptor settings > Right click the Wireless connection once connected to the wireless connection > Select Status > Wireless Properties > Security Tab > Settings > Select Enforce Network Access Protection > Select OK on all open windows.
Office 365 Updates
- Administrative Template files (ADMX/ADML) and Office Customization Tool for Office 365 ProPlus, Office 2019, and Office 2016This download includes the Group Policy Administrative Template files (ADMX/ADML) for Office 365 ProPlus, Office 2019, and Office 2016 and also includes the OPAX/OPAL files for the Office Customization Tool (OCT) for Office 2016.
- Microsoft uses threat intelligence to protect, detect, and respond to threatsTo combat cyberattacks, Microsoft amasses billions of signals from the security landscape. Threat intelligence is built into Office 365, Office 365 Threat Intelligence, Windows, and Azure, which helps Microsoft and customers with proactive defense.
- Microsoft Office 2019 Volume License PackThis download is needed for administrators to set up activation for volume license editions of Office 2019, Project 2019, or Visio 2019 by using either the Key Management Service (KMS) or Active Directory.
- Office Cheat Sheet: Outlook on the web Mail downloadOffice Cheat Sheet: Outlook on the web Mail download
- Office Cheat Sheet: Outlook Calendar for Mac downloadOffice Cheat Sheet: Outlook Calendar for Mac download
Microsoft Security Updates
- Security Update For Exchange Server 2016 CU10 (KB4459266)Security Update For Exchange Server 2016 CU10 (KB4459266)
- Security Update For Exchange Server 2013 CU21 (KB4459266)Security Update For Exchange Server 2013 CU21 (KB4459266)
- Security Update For Exchange Server 2016 CU9 (KB4459266)Security Update For Exchange Server 2016 CU9 (KB4459266)
Cisco Security Advisories
- libssh Authentication Bypass Vulnerability Affecting Cisco Products: October 2018A vulnerability in libssh could allow an unauthenticated, remote attacker to bypass authentication on a targeted system. The vulnerability is due to improper authentication operations by the server-side state machine of the affected software. An attacker could exploit this vulnerability by presenting a SSH2_MSG_USERAUTH_SUCCESS message to a targeted system. A successful exploit could allow the […]
- Cisco Wireless LAN Controller Software Control and Provisioning of Wireless Access Points Protocol Denial of Service VulnerabilityA vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol component of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to improper input validation on fields within CAPWAP Discovery Request packets by the affected device. […]
- Linux Kernel IP Fragment Reassembly Denial of Service Vulnerability Affecting Cisco Products: August 2018On August 14, 2018, the Vulnerability Coordination team of the National Cyber Security Centre of Finland (NCSC-FI) and the CERT Coordination Center (CERT/CC) disclosed a vulnerability in the IP stack that is used by the Linux Kernel. This vulnerability is publicly known as FragmentSmack. The vulnerability could allow an unauthenticated, remote attacker to cause a […]
- Cisco IOS Access Points Software 802.11r Fast Transition Denial of Service VulnerabilityA vulnerability in the 802.11r Fast Transition feature set of Cisco IOS Access Points (APs) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a corruption of certain timer mechanisms triggered by specific roaming events. This corruption will eventually cause […]
Recent Comments