Introducing Windows Server 2008, Chapter 10: Network Access Protection

(Continuation of the HRA event table from the preceding sidebar. Columns: Event Number, Event Type, Event Text, Resolution Steps.)

Event 29 (Error). Event text: "The Health Registration Authority denied the certificate request with the correlation-id %1 at %2 for (principal: %3). Either no Certification Authorities are configured or none are available. Verify the Health Registration Authority configuration or contact its administrator for more information." Resolution steps: Certification Authority configuration error. Verify that Certification Authorities are configured in HRA by running the following in a command window:

    netsh nap hra show configuration

If Certification Authorities are configured, all of them might be blacked out. Contact the CA administrator, and examine whether the current configuration meets the traffic requirements for the network.

Event 30 (Error). Event text: "The Health Registration Authority was unable to connect to the Certification Authority to remove expired records. The Certification Authority [ca-name] denied the request with the following error: [ca-error-number]. Contact the Certification Authority administrator to check the permissions and for more information." Resolution steps: The Health Registration Authority (HRA) does not have the proper permissions to delete expired certificates on the Certification Authority (CA). Contact the CA administrator, and configure the CA to grant the HRA permission to delete expired certificates.

–Wai-O Hui, Software Development Engineer in Test, Network Access Protection
–Harini Muralidharan, Software Development Engineer in Test, Network Access Protection

Now let's look at troubleshooting NAP 802.1X enforcement. Once again, we'll begin on the client side, as problems most often begin there—especially if only some clients and not all of them have difficulties.

From the Experts: Debugging NAP 802.1x Enforcement Using Client-Side Troubleshooting

These instructions are designed to be a support aid to diagnose Network Access Protection issues in 802.1x enforcement. They are meant to provide additional information to the administrator to identify the root cause of the problem and refer to Microsoft troubleshooting procedures and related information. Network Access Protection diagnostics involve the Windows Vista or Windows XP client (we will use the term NAP Client to refer to either), the 802.1x switch, and the Network Policy Server.

Is NAP the Problem?

The goal of this section is to collect the information that helps classify the problem. The first step in diagnosing the NAP system is collecting the following information:
1. Client operating system and the corresponding version (for example, is it Windows Vista or Windows XP?)
2. Network connection information (ipconfig /all output)
3. NAP Client configuration
4. Event logs for NAP and the corresponding enforcement components

802.1x Enforcement

802.1x provides client authentication to the network devices. When diagnosing 802.1x issues, information can be gathered from the NAP Client, the network device, and the Network Policy Server (NPS). NAP utilizes PEAP authentication to pass health data, enabling the use of 802.1x as a NAP enforcement method. 802.1x NAP health policy is enforced on the network access device through the use of VLANs, which are assigned through RADIUS attributes sent from NPS to the switch.

Information Gathering

Use the following steps to gather the necessary information:
1. Open services.msc, and verify that the following services are running (this can also be verified from the command line with sc query):
❑ NAP Agent
❑ EAP Host
❑ Wired AutoConfig (for wired scenarios)
❑ WLAN AutoConfig (for wireless scenarios)
2. Open a command prompt with administrator credentials, and issue the following commands:

    netsh nap client show config > C:\napconfig.txt
    netsh nap client show state > C:\state.txt
    sc.exe query > C:\services.txt

Troubleshooting Flowchart

The following is the troubleshooting flowchart that administrators can use to debug the 802.1x NAP system.
(Client-side flowchart, reconstructed as the sequence of checks it contains.)
1. Verify that the Network Access Protection Agent is started and running. No: start the Network Access Protection Agent.
2. Verify that EAPHost is started and running. No: start EAPHost.
3. Verify that dot3svc and/or wlansvc is started and running. No: start dot3svc and/or wlansvc.
4. Verify that the EAP/802.1x QEC is enabled. No: enable the EAP/802.1x QEC.
5. Verify that Enable Quarantine Checks in the authentication settings on the connection is enabled. No: enable the quarantine check on the corresponding connection.
6. Yes to all of the above: check the Event Viewer for events corresponding to the client failure, and continue the investigation on the server side.

Detailed Investigation

The administrator has to first verify the configuration of the client:
1. The following services are enabled:
❑ Network Access Protection Agent ("napagent")
❑ Extensible Authentication Protocol ("eaphost")
❑ Wired AutoConfig ("dot3svc"). This service is used if the administrator is setting up a wired 802.1x environment.
AND/OR
❑ WLAN AutoConfig ("wlansvc"). This service is used if the administrator is setting up a wireless 802.1x environment.
2. The EAP/802.1x QEC is enabled.
3. The Enable Quarantine Checks option in the Authentication settings for the corresponding connection is configured. (Enable Quarantine Checks is a setting in the connection profile; this setting is new and enables NAP.)
4. Verify the PEAP configuration on the wired connection profile. (Verify the EAP method configuration, and also verify that the certificate is chained back to the same root, for validation of the server certificate.)

Once the administrator verifies that the client is configured accurately, he can use the following steps to help identify failures and misconfigurations in the 802.1x/EAP scenario.
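The client checks above, the Information Gathering commands, and the AutoConfig event lookup the sidebar goes on to describe can be run as one script. The following PowerShell script is an added example written for this edit; it is not part of the NAP team's sidebar and not a Microsoft tool. It assumes an elevated PowerShell 2.0 or later prompt on the NAP client (Get-WinEvent is not in PowerShell 1.0), the service short names and AutoConfig event IDs given in the sidebar, and the enforcement client ID 79623 for the EAP Quarantine Enforcement Client. Two things are assumptions about text layout rather than documented interfaces: that the entry for the EAP QEC in netsh nap client show config is followed by an Admin = Enabled or Disabled line, and that an exported wired profile carries the per-connection setting as an EnableQuarantineChecks element. Those are the two regular expressions to adjust if they match nothing.

```powershell
# Added example (editor's, not from the book or the NAP team): client-side
# triage for NAP 802.1X enforcement. Assumes PowerShell 2.0+ elevated on the
# NAP client. Regular expressions over netsh output and the exported wired
# profile are assumptions about their text layout.

# 1. The four services the sidebar names, by the short names sc query shows.
$services = @{
    'napagent' = 'Network Access Protection Agent'
    'eaphost'  = 'Extensible Authentication Protocol'
    'dot3svc'  = 'Wired AutoConfig (wired 802.1X)'
    'wlansvc'  = 'WLAN AutoConfig (wireless 802.1X)'
}
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Output ("[WARN] {0} ({1}) is not installed" -f $name, $services[$name])
    } elseif ($svc.Status -ne 'Running') {
        Write-Output ("[FAIL] {0} is {1}; start it with: sc start {0}" -f $name, $svc.Status)
    } else {
        Write-Output ("[OK]   {0} is running" -f $name)
    }
}

# 2. Capture the NAP client configuration and state the sidebar asks for.
$config = netsh nap client show config | Out-String
$state  = netsh nap client show state  | Out-String
Set-Content -Path C:\napconfig.txt -Value $config
Set-Content -Path C:\state.txt     -Value $state

# 3. Is the EAP Quarantine Enforcement Client (enforcement client ID 79623)
#    administratively enabled? Assumed layout: the entry naming the EAP QEC
#    is followed by an 'Admin = Enabled|Disabled' line.
if ($config -match '(?s)EAP Quarantine Enforcement Client.*?Admin\s*=\s*(\w+)') {
    if ($matches[1] -eq 'Enabled') {
        Write-Output '[OK]   EAP QEC is enabled'
    } else {
        Write-Output '[FAIL] EAP QEC is disabled; enable it with: netsh nap client set enforcement ID = 79623 ADMIN = "ENABLE"'
    }
} else {
    Write-Output '[WARN] EAP QEC entry not found in netsh output; read C:\napconfig.txt by hand'
}

# 4. The per-connection 'Enable Quarantine Checks' setting lives in the wired
#    profile XML (assumed element name EnableQuarantineChecks in the PEAP settings).
$dir = Join-Path $env:TEMP 'lanprofiles'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
netsh lan export profile folder="$dir" | Out-Null
$profiles = @(Get-ChildItem -Path $dir -Filter *.xml)
if ($profiles.Count -eq 0) {
    Write-Output '[WARN] no wired profile exported; check the Authentication tab of the connection by hand'
}
foreach ($p in $profiles) {
    $xml = Get-Content -Path $p.FullName | Out-String
    if ($xml -match '<EnableQuarantineChecks>\s*(true|false)\s*</EnableQuarantineChecks>') {
        $tag = if ($matches[1] -eq 'true') { 'OK' } else { 'FAIL' }
        Write-Output ("[{0}] {1}: EnableQuarantineChecks = {2}" -f $tag, $p.Name, $matches[1])
    } else {
        Write-Output ("[WARN] {0}: no EnableQuarantineChecks element (profile may not use PEAP)" -f $p.Name)
    }
}

# 5. Latest 802.1X results from the AutoConfig operational logs.
#    Wired: 15505 success, 15514 failure. Wireless: 12011 success, 12013 failure.
$filters = @(
    @{ LogName = 'Microsoft-Windows-Wired-AutoConfig/Operational'; Id = 15505, 15514 },
    @{ LogName = 'Microsoft-Windows-WLAN-AutoConfig/Operational';  Id = 12011, 12013 }
)
foreach ($filter in $filters) {
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $verdict = if ($e.Id -eq 15505 -or $e.Id -eq 12011) { 'SUCCESS' } else { 'FAILURE' }
        Write-Output ("{0} {1} (event {2}, {3})" -f $e.TimeCreated, $verdict, $e.Id, $filter.LogName)
        if ($verdict -eq 'FAILURE') {
            # Failure events carry the reason code and text that the sidebar
            # says to take to the NPS side; surface them here.
            foreach ($m in [regex]::Matches($e.Message, 'Reason (Code|Text):\s*(.+)')) {
                Write-Output ("        Reason {0}: {1}" -f $m.Groups[1].Value, $m.Groups[2].Value.Trim())
            }
        }
    }
}
```

Run it once before and once after each change on the client: a FAIL line in steps 1 through 4 is a client misconfiguration and the server side is not yet worth looking at; a FAILURE event in step 5 with its reason text is the point at which the investigation moves to NPS.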
The administrator can start the investigation by looking at the various Wired AutoConfig (for wired 802.1x scenarios) and WLAN AutoConfig (for wireless 802.1x scenarios) events, particularly looking for events 15505 and/or 15514 (for wired 802.1x scenarios) and events 12013 and/or 12011 (for wireless 802.1x scenarios) in the event log. Events 15505 and 12011 indicate "Authentication success." Events 15514 and 12013 indicate "Authentication failure." For authentication failures, look for the reason code and reason text to help with further debugging. (The investigation needs to continue on the NPS server.)

–Tom Kelnar, Lead Software Design Engineer, Network Access Protection
–Chris Edson, Software Development Engineer in Test, Network Access Protection

Finally, here's the server side of NAP 802.1X troubleshooting. Once again, Event Viewer will be invaluable in determining the nature of the problem.

From the Experts: Troubleshooting the Network Policy Server for 802.1x PEAP-Based NAP

Use these instructions if you have already configured 802.1x PEAP-based NAP and have attempted authentication, but you do not see the expected behavior on the client. It is expected that the client-side troubleshooting procedure outlined in the previous sidebar has already been used.

Information Gathering

Use the following steps to gather the necessary information:
1. Dump all NPS events into an Event Viewer file for later analysis:

    wevtutil.exe epl System NPS.evtx /q:"*[System[Provider[@Name='NPS'] and TimeCreated[timediff(@SystemTime) <= 86400000]]]"

Or create a custom (filtered) view in the Event Viewer that displays only the NPS events.
2. Open the Network Policy Server snap-in for examining the policy configuration.

Troubleshooting Flowchart

Most 802.1x PEAP-based NAP troubleshooting is done by analyzing the events posted by NPS into the System event log. Take a look at the events, and proceed along the flowchart, referring back to the events as needed.

(Server-side flowchart, reconstructed as the sequence of decisions it contains.)
1. Is the Network Policy service (ias) running? No: start the service and try again.
2. Is NPS generating events? No: ensure that the switch/access point to NPS connection is configured properly (see the Switch/Access Point Connection section).
3. Do the events indicate that the Message-Authenticator attribute is not valid? Yes: ensure that the shared secret settings match (see the Switch/Access Point Connection section). This error could also indicate problems with the certificate selected for use with PEAP.
4. Do the events indicate that an error has occurred with a System Health Validator? Yes: see the System Health Validator Issues section.
5. Analyze the events. Is client authentication failing or succeeding? Failing: see the Failed Authentications section. Succeeding: see the Successful Authentications section.

Switch/Access Point Connection

Several issues can prevent the switch or access point from properly communicating with the Network Policy Server:
1. The Network Policy Server machine must have the correct ports open in the firewall to allow the RADIUS requests through to the NPS service:
❑ UDP 1812 for authentication
❑ UDP 1813 for accounting
2. The switch or access point must be configured to forward 802.1x authentication requests to the Network Policy Server; this includes setting the correct IP address for the NPS machine, as well as the proper ports (for some switches).
3. The Network Policy Server must also be configured to recognize the switch or access point; this is done by configuring a RADIUS client table entry within the NPS snap-in, and it requires the IP address of the switch or access point.
4. The Network Policy Server and the switch or access point must both be configured with a common "shared secret." If the secrets do not match, they will not be able to correctly communicate.
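The first steps of the server-side flowchart and the four switch/access point checks above can also be scripted. The following PowerShell script is an added example written for this edit; it is not part of the NAP team's sidebar and not a Microsoft tool. It assumes an elevated PowerShell 2.0 or later prompt on the NPS machine, the ias service name and UDP ports from the sidebar, and that netsh nps show client exists in the NPS netsh context. One caveat that this sidebar predates: in released builds of Windows Server 2008, NPS writes its authentication audit events to the Security log under the Network Policy Server audit subcategory (event 6272 access granted, 6273 access denied, 6274 request discarded) rather than to the System log, so the script falls back to that log when the System query returns nothing. The parsing of netstat and of the firewall rule listing is an assumption about their text layout; an empty result there only means check by hand.

```powershell
# Added example (editor's, not from the book or the NAP team): server-side
# triage for NPS 802.1X PEAP-based NAP. Assumes PowerShell 2.0+ elevated on
# the NPS server. Parsing of netstat/netsh text output is an assumption about
# its layout; the Security-log event IDs are the released NPS audit events.

# 1. Is the Network Policy service (ias) running?
$ias = Get-Service -Name ias -ErrorAction SilentlyContinue
if ($null -eq $ias) { Write-Output '[FAIL] Network Policy Server (ias) service is not installed' }
elseif ($ias.Status -ne 'Running') { Write-Output ("[FAIL] ias is {0}; start it with: sc start ias" -f $ias.Status) }
else { Write-Output '[OK]   ias is running' }

# 2. RADIUS ports: UDP 1812 (authentication) and 1813 (accounting) must be
#    bound by NPS and allowed through the firewall.
$udp = netstat -a -n -p UDP | Out-String
foreach ($port in 1812, 1813) {
    if ($udp -match ":$port\s") { Write-Output ("[OK]   a socket is bound to UDP {0}" -f $port) }
    else { Write-Output ("[FAIL] nothing bound to UDP {0}" -f $port) }
}
$rules = netsh advfirewall firewall show rule name=all dir=in | Out-String
if ($rules -match '(?m)^LocalPort:\s*(1812|1813|Any)') { Write-Output '[OK]   an inbound firewall rule covers the RADIUS ports' }
else { Write-Output '[WARN] no inbound firewall rule found for UDP 1812/1813' }

# 3. RADIUS clients NPS knows about. The switch/AP must appear here by its
#    source IP, with a shared secret matching the one configured on the device.
Write-Output '--- RADIUS clients (netsh nps show client) ---'
netsh nps show client

# 4. NPS events: the sidebar's location (System log, provider NPS) first, then
#    the Security log used by released builds (6272 granted, 6273 denied, 6274 discarded).
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NPS' } -MaxEvents 200 -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274 } -MaxEvents 200 -ErrorAction SilentlyContinue)
}
if ($events.Count -eq 0) {
    Write-Output '[FAIL] NPS is generating no events: requests are not reaching it (see Switch/Access Point Connection)'
}

# 5. Sort what did arrive into the flowchart's branches.
$granted   = @($events | Where-Object { $_.Id -eq 6272 -or $_.Message -match 'granted' })
$denied    = @($events | Where-Object { $_.Id -eq 6273 -or $_.Message -match 'denied' })
$discarded = @($events | Where-Object { $_.Id -eq 6274 -or $_.Message -match 'discarded' })
Write-Output ("granted={0} denied={1} discarded={2}" -f $granted.Count, $denied.Count, $discarded.Count)

# A bad shared secret shows up as a discarded request whose reason names the
# Message-Authenticator attribute; the other reasons map onto the sidebar's sections.
foreach ($e in ($discarded + $denied)) {
    $reason = if ($e.Message -match 'Reason:\s*(.+)') { $matches[1].Trim() } else { ($e.Message -split "`n")[0].Trim() }
    $hint = switch -Regex ($reason) {
        'Message-Authenticator' { 'shared secret mismatch (or the PEAP server certificate)'; break }
        'Health|SHV'            { 'System Health Validator issue'; break }
        'dial-in'               { 'AD dial-in property denies access (see Reason #2)'; break }
        'policy'                { 'no matching network policy; make sure a not-NAP-capable policy exists'; break }
        default                 { 'see Failed Authentications' }
    }
    Write-Output ("{0} event {1}: {2} -> {3}" -f $e.TimeCreated, $e.Id, $reason, $hint)
}
```

The count line is the quickest signal: zero events at all is a switch-to-NPS problem, a run of discarded requests naming Message-Authenticator is a shared secret problem, and denied requests carry the reason text that selects the section of the sidebar to read next.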
System Health Validator (SHV) Issues

Some common causes and paths of investigation for System Health Validator errors are as follows:
1. Perhaps the most common cause of System Health Validator failures is that the versions of the Validator (server side) and the System Health Agent (client side) do not match. Always ensure that the SHV/SHA pairs in use are matching versions.
2. Another common cause of System Health Validator–related errors is a failure to correctly register with the Network Policy Server. If this occurs, contact the SHV developer.
3. System Health Validator errors can also appear when the Network Policy Server is unable to load the SHV, or when the SHV terminates unexpectedly. If either of these situations occurs, contact the SHV developer.

Failed Authentications

Failed authentications can occur for a number of reasons, many of which are not specifically related to the NAP portion of the transaction.

Reason #1 – No matching policy
Some common causes and solutions for this reason are:
■ A client request arrived that did not exactly match any of the Network Policies configured on the NPS. Always ensure that you have policies in place that will match all possible client requests. Or you might consider making your existing policies slightly less specific by removing nonrequired conditions from the policies.
■ The NPS policy configuration does not include a policy that will match "not NAP capable" clients. When a client machine first boots, the authentication services start prior to the NAP Agent service, and an authentication is performed before health information is available. This client will therefore not match any policies with health-based conditions. Whether you grant full access with this policy or not, it still needs to be included in the configuration. Also, know that clients will re-authenticate once the NAP Agent service starts.

Reason #2 – User is denied access
A common cause of this reason is that, by default, the Network Policy Server performs an Active Directory account look-up to verify the authenticating user's dial-in privileges. If the user's account does not allow dial-in access, the user is denied access (regardless of the NPS policy settings). If you want to grant the user access, you can do either of the following:
■ Ensure that the user's account in Active Directory is set to allow dial-in access.
■ Select the Ignore User Account Dial-in Properties box for the policy in NPS, which allows NPS to ignore the dial-in access setting and check only whether the user account is active in Active Directory.

Successful Authentications

Because of the possible complexities of 802.1x and the authentications it allows, there are cases in which clients could be successfully authenticating, yet not gaining the expected level of access.

Problem #1 – Client is NAP enabled but matches the "not NAP capable" policy
Two common reasons and solutions for this problem are:
■ Network Policy Server policy evaluation occurs in two stages: Connection Request Policies first, and then Network Policies. Because health is a condition for Network Policy evaluation, the health data must be gathered prior to entering the Network Policy stage. Therefore, ensure that the Connection Request Policy being used is configured to Override Authentication and to do PEAP authentication. Also ensure that the PEAP configuration settings include selecting the Perform Quarantine Checks check box. Also ensure that the conditions on the Connection Request Policy are such that only requests from your switches or access points will be matched by that policy.
■ At client boot, the authentication services start prior to the NAP Agent. Thus, for the first authentication, there is no health data for evaluation. Therefore, the client will not match any policies in which health criteria are used as conditions. The client will match only policies with the "not NAP capable" condition. However, once the NAP Agent starts, a second authentication will be initiated, and the client will then be able to match the expected policy.

Problem #2 – Client is placed on the wrong VLAN
The solution to this problem will vary, depending upon the switch or access point hardware and sometimes the firmware that you are using. Consult the documentation or support contacts for your hardware, and determine what RADIUS standard or vendor-specific attributes need to be given to that hardware to achieve the functionality you desire. Once you have determined the values that need to be passed to the hardware, ensure that each policy on the Network Policy Server has these values configured in the Profile Settings section.

–Chandra Nukala, Program Manager, Network Access Protection
–Chris Edson, Software Development Engineer in Test, Network Access Protection

Pretty cool stuff, eh? My thanks to the NAP team for contributing these insights. Product teams tend to be especially proud of the features they develop, and NAP is obviously prouder than most because they took the time out of their busy schedule (Ship! Ship!!) to provide this content for my book—thanks, team!

Conclusion

I'm excited about NAP. The days of unrestricted access to Windows networks are coming to an end, and Microsoft has displayed its ongoing commitment to its Trustworthy Computing Initiative by developing the NAP platform that we've described in this chapter. And with industry support by over a hundred different third-party ISVs and IHVs, NAP is likely to be the dominant player in the network access platform marketplace. If you haven't started testing NAP, you should begin doing so using the latest build of Windows Server 2008 available to your enterprise, because this is one technology you really don't want to be without.
Additional Resources

The best place to start looking for resources about NAP is the Network Access Protection page on TechNet, which can be found at http://www.microsoft.com/technet/network/nap/default.mspx. There you'll find overviews, webcasts, Live Meeting presentations, links to Step by Step guides (which go into more detail about how to set up NAP than we could in this brief chapter), and more. The Microsoft Download Center also has great resources on NAP; just go to http://www.microsoft.com/downloads/ and search for NAP and you'll find many. There's also a TechNet Forum where you can ask questions and help others trying out NAP; see http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=576&SiteID=17 for this forum (Windows Live registration required). For ISVs and IHVs who want to NAP-enable their product, the NAP APIs can be found on MSDN at http://msdn2.microsoft.com/en-us/library/aa369712.aspx. And don't forget to check out the NAP blog at http://blogs.technet.com/nap/default.aspx, as this is a terrific and timely resource for all things NAP. Finally, be sure to turn to Chapter 14, "Additional Resources," for more sources of information concerning NAP, and also for links to webcasts, whitepapers, blogs, newsgroups, and other sources of information about all aspects of Windows Server 2008.

Well, I've been working hard on this chapter, and now it's done. So I'd better rest a bit and take a nap before I start writing my next chapter. Uh-oh, another bad pun. Better stick to my day job (IT pro) and avoid the nighttime comedy circuit.

[...]
(Excerpts from the IIS 7.0 chapter, as far as the preview shows them.)

[...] Web sites on our server:

    C:\Windows\System32\inetsrv>appcmd list site
    SITE "Default Web Site" (id:1,bindings:http/*:80:,state:Started)

There's the Default Web Site running on the machine. Now let's add another site and get it up and running:

    C:\Windows\System32\inetsrv>appcmd add site /name:"Second Site" /id:2 /bindings:http://www.woodgrovebank.com:80 /serverAutoStart:true ...

[...] TracingModule: Reports events to Microsoft Event Tracing for Windows (ETW). You can install these modules by adding role services and features to the Web Server (IIS) role using Server Manager. (Note that some of these modules cannot be selectively installed or uninstalled unless you uninstall the entire w3svc.) When you add the Web Server (IIS) role to your Windows Server 2008 server, a subset of available [...]

[...] default.aspx?tabid=2&subtabid=25&i=1040 on IIS.NET. If you have a large library of expressions you want to block and you don't want to add each of these expressions into the new configuration files, you might still want to use URLScan version 2.5 with IIS 7.0. You can do this, but the installer for URLScan version 2.5 does not work on Windows Vista or Windows Server 2008. To work around this issue, [...]

[...] that are coming in Windows Server 2008 (though we'll actually mention some of these during the earlier part of our tour). And finally, I'll talk briefly about the Application Server role in Windows Server 2008, summarizing what it's about and how it ties in with IIS. And for those of you who are still unsatisfied at the end of our journey and want to see more, I'll list additional resources you can use [...]

[...] Writer

Windows PowerShell

Another great tool for managing IIS 7.0 is Windows PowerShell. A great primer on the capabilities of using PowerShell to administer IIS 7.0 is "An Introduction to Windows PowerShell and IIS 7.0," which can be found on the IIS.NET site at http://www.iis.net/default.aspx?tabid=2&subtabid=25&i=1212&p=1. We can't get into it any deeper here because [...]

[...] Console. Look under the Security role service in the preceding list—no Basic authentication, right? Remember that for later.

Windows Process Activation Service

When you add the Web Server (IIS) role to your Windows Server 2008 server, you're also required to install a feature called Windows Process Activation Service (WPAS), together with its three subfeatures: Process Model, .NET Environment, and Configuration [...]

[...] Editing Server-Level Configuration Files

Sometimes user accounts that are part of the Administrators group cannot view or edit server-level IIS 7.0 configuration files because they are denied access. In Windows Vista and Windows Server 2008, User Account Control (UAC) requires that all users run in standard user mode unless a task or application requires administrator privileges. The IIS 7.0 server-level [...]

[...] Watching Microsoft Internet Information Services (IIS) evolve over the last decade or so has been exciting. While a high point for end-user experience was probably the worldwide release of Microsoft Windows 95, for an IT pro like me, one of the high points in Windows platform development was the Microsoft Windows NT 4.0 Option [...]

[...] is not installed in a default Web Server (IIS) role installation? Well, if you now select the icon for the Authentication feature (the first one in the IIS section of the Details pane in the preceding figure) and click Open Feature in the Actions pane, you get a list of authentication settings you can configure for your Web server. Note that there's no option available [...]

[...] features at this time or later). Note in the preceding figure that the Basic Authentication role service (that is, BasicAuthModule) is not included in a default install of the Web Server (IIS) role. Keep this in mind, as we'll come back to it later. To get an idea of how "minimal" IIS 7.0 is out of the box, when you add the Web Server (IIS) role using the defaults [...]