NAP – How to connect workstations using Network Access Protection to a RADIUS server
Setup:
Radius Server – Windows server 2012 R2 Standard with NAP installed and configured
Wireless – Cisco Meraki M32 Wireless Access Points connected to a MX firewall.
Issue:
When Clients are connecting to a Wireless network using 802.11 or WPA2 Enterprise they are showing in the event viewer on the radius server as Non-NAP Capable and quarantined.
Event ID: 6276
Authentication Details:
Connection Request Policy Name: NAP 802.1X (Wireless)
Network Policy Name: NAP 802.1X (Wireless) Non NAP-Capable
Authentication Provider: Windows
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Quarantine Information:
Result: Quarantined
Cause:
This occurs if the client is not setup correctly causing them to show as Non-NAP Capable.
Resolution:
There are a few Settings that need to be enabled on the client and most/all of the settings below can be pushed out by a group policy.
1) Make Sure the Network Access Protection Service is running
2) As there is a delay when the wireless network connects you need to start the NAP service after the wireless.
This can be done by going to the following entry in the registry and making the change below:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WlanSvc
Update the DependOnService entry and add napagent.
The entry should look similar to the below. You will need to reboot the client for the registry change to take effect.
NOTE: The service WCMSVC below is only required for Windows 8 workstations.
3) Enable the Following Setting in:
GPO Manager > Computer Configuration > Policies > Windows Settings > Security Settings > Network Access Protection > NAP Client Configuration > Enforcement Clients
4) On the Client Machine go to Network and Sharing
Select adaptor settings > Right click the Wireless connection once connected to the wireless connection > Select Status > Wireless Properties > Security Tab > Settings > Select Enforce Network Access Protection > Select OK on all open windows.
Office 365 Updates
- Office 2016 Administrative Template files (ADMX/ADML) and Office Customization ToolThis download includes Group Policy Administrative Template (ADMX/ADML) and Office Customization Tool (OPAX/OPAL) files for Microsoft Office 2016 applications.
- Optimizing network performance for Microsoft Office 365When Microsoft IT began deploying Microsoft Office 365 in 2011, we made strategic plans for network-related technologies and adopted cloud infrastructure services to optimize our network capacity and performance.
- Readiness Toolkit for Office add-ins and VBAThe Readiness Toolkit for Office add-ins and VBA helps you identify compatibility issues with your Microsoft Visual Basic for Applications (VBA) macros and your installed add-ins. Use this tool to inspect VBA macro code and get readiness information for installed Office add-ins.
- Microsoft Research Project Participation Consent FormConsent form to participate in Office 365 Software Adoption Research project.
- Office 365 Centralized Deployment Compatibility CheckerCentralized Deployment Compatibility Checker
Microsoft Security Updates
- Update Rollup 24 For Exchange 2010 SP3 (KB4458321)Update Rollup 24 For Exchange 2010 SP3 (KB4458321)
Cisco Security Advisories
- Cisco Video Surveillance Manager Appliance Default Password VulnerabilityA vulnerability in Cisco Video Surveillance Manager (VSM) Software running on certain Cisco Connected Safety and Security Unified Computing System (UCS) platforms could allow an unauthenticated, remote attacker to log in to an affected system by using the root account, which has default, static user credentials. The vulnerability is due to the presence of undocumented, default, static […]
- Cisco IOS XE Software Static Credential VulnerabilityA vulnerability in Cisco IOS XE Software could allow an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IOS XE Software with the default username and password that are used at initial boot. The vulnerability is due to an undocumented user account with privilege level 15 that has a default […]
- Cisco Webex Network Recording Player Remote Code Execution VulnerabilitiesMultiple vulnerabilities in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The vulnerabilities are due to improper validation of Webex recording files. An attacker could exploit these vulnerabilities by sending a user a link or email attachment containing a […]
- Linux and FreeBSD Kernels TCP Reassembly Denial of Service Vulnerabilities Affecting Cisco Products: August 2018On August 6, 2018, the Vulnerability Coordination team of the National Cyber Security Centre of Finland (NCSC-FI) and the CERT Coordination Center (CERT/CC) disclosed vulnerabilities in the TCP stacks that are used by the Linux and FreeBSD kernels. These vulnerabilities are publicly known as SegmentSmack. The vulnerabilities could allow an unauthenticated, remote attacker to cause […]
Recent Comments