Channel: Network Infrastructure Servers forum

Authentication via RADIUS : MSCHAPv2 Error 691


Hello All,

I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request messages are in fact getting to the RADIUS server at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):

Event ID: 6273
******************************************************************************
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: NULL SID
Account Name: real_username
Account Domain: real_domain
Fully Qualified Account Name: real_domain\real_username

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -

NAS:
NAS IPv4 Address: 10.0.0.10
NAS IPv6 Address: -
NAS Identifier: radius1.real_domain
NAS Port-Type: -
NAS Port: 101451540

RADIUS Client:
Client Friendly Name: sbc1mgmt
Client IP Address: 10.0.0.10

Authentication Details:
Connection Request Policy Name: SBC Authentication
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: RADIUS1.real_domain
Authentication Type: MS-CHAPv2
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the SQL data store and the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
******************************************************************************

Event ID: 4625
******************************************************************************
An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: RADIUS1$
Account Domain: REAL_DOMAIN
Logon ID: 0x3E7

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: real_username
Account Domain: REAL_DOMAIN

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x2cc
Caller Process Name: C:\Windows\System32\svchost.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: IAS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
******************************************************************************

So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture, where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or password, or both, are not valid on the domain). The thing is, I know I am using a valid username, and I have tried many usernames, including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure it is not a mismatched password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there were no terminal encoding issues (we connect to the SBC via SSH clients). I have also done the same thing with the shared secret used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to log in. I have tried several RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still, it always seems to fail with the MSCHAPv2 authentication with an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?

Here are the specs for our RADIUS configuration:

  • Windows Server 2012 R2
  • SQL Server 2012 Back End Database for accounting.
  • The server has been authorized in the domain and is a member of the "RAS and IAS Servers" group. That group does have access to the accounts we are testing with.
  • The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
  • RADIUS clients are configured to simply match on the IP address; you can see from the events above that the client friendly name is being applied.
  • Connection Request Policy: The "SBC Authentication" policy is being applied, as seen above. The only condition is a regular expression that does successfully match the friendly name.
  • Network Policy: As seen in the events above, none is getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and whose only condition is a Day and Time Restriction currently set to any time, any day.
  • The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override the authentication method of the Network Policy.
  • We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
  • All other configurations are set to the defaults.

The only other things of note are the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common, especially among failed logons, but given that this issue is stating an invalid username or bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing the server in the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think this should matter, but thought I would point it out in case there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.

All in all it is a fairly basic setup, and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this to; I figured there would be a higher number of RADIUS experts here than in any of the other categories. Apologies if my understanding of this seems a bit basic; after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.
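A script for working through a reject like the one above, added here as an example; it is not part of the original post and not an NPS tool. Two details in the posted events carry more signal than the summary text: NPS reason code 16 is NPS's generic credential-mismatch result, but the 4625 raised by NPS's own logon attempt shows Sub Status 0xC000006A, which the domain returns when the account name resolved and only the password (here the MS-CHAPv2 NT-Response) failed to verify; an unknown account would come back as 0xC0000064. The script pulls both event IDs from the NPS host's Security log, keeps only the 4625s whose logon process is IAS, and lines them up in time so the DC's sub-status can be read next to the RADIUS reason, then counts distinct rejected accounts per NAS, since a burst of reason-16 rejects from one RADIUS client is also what a password spray against NPS looks like. Assumed and not taken from the post: that it runs elevated on the NPS server, that NPS audit events are enabled, the EventData field names (SubjectUserName, NASIPv4Address, ReasonCode, SubStatus, LogonProcessName and so on, as Windows Server 2012 R2 renders them), the 24-hour window and the spray threshold. One caveat to keep in view while testing: plain MS-CHAPv2 over RADIUS, without PEAP, carries the challenge and NT-Response in the clear (the shared secret only obfuscates the User-Password attribute), so any capture taken on the path between the SBC and NPS, including the one described in the post, contains material that can be cracked offline.

```powershell
# Added example, not from the post above. Correlates NPS 6273 rejects with the 4625 that
# NPS's own logon attempt against the domain produced, so the DC's sub-status can be read
# next to the RADIUS reason code. Assumptions (not from the post): run elevated on the NPS
# host, NPS audit policy enabled, Windows Server 2012 R2 EventData field names, and the
# window/threshold values below.
param(
    [int]$LookbackHours  = 24,
    [int]$SprayThreshold = 10    # distinct accounts rejected from one NAS before warning
)

# Sub-status values 4625 reports under status 0xC000006D (credential failure).
$SubStatusMeaning = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'user name is correct but the password is wrong'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
    '0xc000006f' = 'logon outside permitted hours'
    '0xc0000070' = 'workstation restriction'
    '0xc0000071' = 'password expired'
    '0xc0000193' = 'account expired'
}

function Get-EventField {
    # Returns the text of one named <Data Name="..."> element from an event's XML.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273, 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    if ($e.Id -eq 6273) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Source = 'NPS 6273'
            User   = Get-EventField $x 'FullyQualifiedSubjectUserName'
            NasIp  = Get-EventField $x 'NASIPv4Address'
            Auth   = Get-EventField $x 'AuthenticationType'
            Code   = Get-EventField $x 'ReasonCode'
            Detail = Get-EventField $x 'Reason'
        }
    }
    elseif (([string](Get-EventField $x 'LogonProcessName')).Trim() -eq 'IAS') {
        # Only the 4625s raised by NPS (logon process "IAS"), not RDP/SMB failures on this host.
        $sub = ([string](Get-EventField $x 'SubStatus')).ToLower()
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Source = 'DC 4625'
            User   = '{0}\{1}' -f (Get-EventField $x 'TargetDomainName'), (Get-EventField $x 'TargetUserName')
            NasIp  = ''
            Auth   = Get-EventField $x 'AuthenticationPackageName'
            Code   = $sub
            Detail = if ($SubStatusMeaning.ContainsKey($sub)) { $SubStatusMeaning[$sub] } else { 'sub status not in table' }
        }
    }
}

# Time-ordered view: a 6273 reason 16 sitting next to a 4625 with 0xc000006a means the
# account resolved and only the NT-Response failed to verify; 0xc0000064 would mean the
# name itself was not found.
$rows | Sort-Object Time | Format-Table Time, Source, User, NasIp, Auth, Code, Detail -AutoSize

# Many distinct accounts rejected from one NAS in the window is the shape of a password spray.
$rows | Where-Object Source -eq 'NPS 6273' | Group-Object NasIp | ForEach-Object {
    $distinct = @($_.Group.User | Sort-Object -Unique).Count
    if ($distinct -ge $SprayThreshold) {
        Write-Warning ('NAS {0}: {1} distinct accounts rejected since {2}' -f $_.Name, $distinct, $since)
    }
}
```

Run it as `.\Get-NpsRejects.ps1 -LookbackHours 2` right after a test logon so the pair of events for that attempt sits at the bottom of the table. If the 4625 for a test account shows 0xc000006a while the same password works for an interactive logon, the mismatch is in what reaches the DC through NPS (the NT-Response computed by the client against the challenge), not in the account.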



Direct Access Getting started wizard errors


I am trying to get DirectAccess set up but I am getting an error: "There was no match for the specified key in the index."

We are using the Behind an edge device (with two network adapters) configuration.

Everything looks to be setup correctly but I can't seem to find the answer to this error.

Any help here would be great.


SharePoint Guy

Windows Server 2003


Hello everyone,

Can anyone help me regarding the address pool and reservations? If you happen to reserve a range of addresses, does it affect the address pool distribution range? I need to know the difference between when to have an address in the reservation list and when to add it to the address pool distribution range. Need some suggestions here. Thanks

DirectAccess - Clients can PING DC, see SYSVOL, but nothing else


Hi there,

I have implemented Windows 2012 R2 DirectAccess with IP-HTTPS only. The clients can connect and I can ping the DCs with an IPv6 response. I can also browse the SYSVOL and NETLOGON shares, no problem.

The problem I am having is that this is where access stops: I cannot browse to any internal web servers (e.g. OWA) or other DFS shares at all.

Anyone seen this before? I have checked all the firewall logs and I cannot see why I can't browse the LAN resources...

Any help/pointers would be appreciated!

unable to open an application on remote computer via WinRS


Hi friends,

I have configured WinRM on 2 systems & it works fine.

But one problem is, when I execute the following command to open an application on the remote system (in my LAN & in my subnet),

nothing happens & the cursor continues blinking in the cmd window:

C:\winRS -r:http://10.1.1.3:5985 -u:administrator -p:P@ssw0rd mspaint  

Is it possible to open an application on another system?

Thanks in advance

Best way to configure IPSEC between selected servers and clients


Hi, I've done a fair bit of reading and watched CBT videos, and have experimented for quite a bit in test environments, and I haven't come up with a best path for what I want to do.  If someone could put me on the path to accomplish my goal, I would appreciate it greatly.

I'm operating in an Active Directory environment at the 2008 R2 functional level.  I have a member server processing sensitive data which it receives from clients.  My goal is to have all traffic between the member server and its clients encrypted with IPsec, but I can't quite find what I'm looking for after spending a fairly embarrassing bit of time looking.  Do I want:

  1. IPsec via group policy, whereby I apply a GPO with the IP Security policy "Server (request security)" to the server and apply a GPO to the clients with "Client (respond only)" set?   If so, I haven't gotten this working; is there more configuration needed?
  2. Configure IPsec Advanced Firewall connection security rules?
  3. Both 1. and 2. above?
  4. Server and domain isolation? (This appears to be a lot of reading on whether or not it's a subset of the above methods, or a combination of them, or more.)

If someone could point me to some documentation on the simplest way to do this, I would appreciate it greatly!!

Thanks,


Kevin
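The following is an added example, not the poster's configuration; it shows the connection security rule form (option 2 in the list above) as the way to make the encryption mandatory rather than optional. Two properties of the legacy IP Security policies named in option 1 work against the stated goal: "Request security" lets the server fall back to cleartext whenever the peer does not negotiate, and "Respond only" clients never initiate, so an unmanaged host or a GPO that has not applied yet quietly produces unencrypted sessions. Connection security rules with Require in both directions have no such fallback. Two further points the example handles: the built-in quick-mode proposal set offers integrity-only ESP, which satisfies "Require" without encrypting anything, so it defines a crypto set that offers only AES; and the client rule is scoped to the one server's address so that Kerberos, DNS and other traffic to the domain controllers is unaffected (the server itself must not be a DC for this scoping to hold). Assumed names and addresses, none from the post: server 10.10.5.20, client subnet 10.10.20.0/24, and two GPOs that already exist and are linked to the server's and the clients' OUs. The NetSecurity cmdlets need a Windows Server 2012 or Windows 8 or later admin host; on 2008 R2 the same rules are created with `netsh advfirewall consec`, and rules written to a GPO still apply to Windows 7 and 2008 R2 members.

```powershell
# Added example, not the poster's configuration. Implements the "connection security rule"
# approach so that traffic between one sensitive member server and its clients must be
# IPsec-protected with ESP encryption, authenticated with Kerberos machine credentials.
# Assumed values (not from the post): server 10.10.5.20, client subnet 10.10.20.0/24,
# two existing linked GPOs. Run from a domain-joined Windows 2012+ admin host.
$serverIp  = '10.10.5.20'
$clientNet = '10.10.20.0/24'
$policies  = @(
    # Server side: protect its own address against the client subnet.
    @{ Store = 'contoso.com\IPsec - sensitive server';  Local = $serverIp; Remote = $clientNet }
    # Client side: protect traffic to the server only, nothing else (keeps DCs/DNS reachable).
    @{ Store = 'contoso.com\IPsec - sensitive clients'; Local = 'Any';     Remote = $serverIp }
)

foreach ($p in $policies) {
    # Main mode: Kerberos computer-account auth, no pre-shared key to distribute or leak.
    $auth = New-NetIPsecPhase1AuthSet -DisplayName 'Kerberos machine' -PolicyStore $p.Store `
                -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)

    # Quick mode: the built-in default set lists integrity-only ESP first, which would satisfy
    # "Require" without encrypting anything, so define a set that only offers AES-256/SHA-256.
    $qm = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP AES256 SHA256' -PolicyStore $p.Store `
                -Proposal (New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256)

    # "Require" both ways: unlike "Request security" there is no cleartext fallback when the
    # peer never negotiates, so an unmanaged host simply cannot talk to the server.
    New-NetIPsecRule -DisplayName 'Require IPsec for sensitive server' -PolicyStore $p.Store `
        -LocalAddress $p.Local -RemoteAddress $p.Remote `
        -InboundSecurity Require -OutboundSecurity Require -Mode Transport `
        -Phase1AuthSet $auth.Name -QuickModeCryptoSet $qm.Name
}

# After 'gpupdate /force' on both sides and one connection attempt, confirm that a main-mode
# SA exists and that the quick-mode SA shows an ESP encryption algorithm other than None.
Get-NetIPsecMainModeSA  | Format-List
Get-NetIPsecQuickModeSA | Format-List
```

A packet capture on the client while it talks to the server is the final check: with the rules applied you should see only ISAKMP (UDP 500/4500) and ESP between the two addresses, and a host outside the client GPO should get no reply at all from the server rather than a cleartext session.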

Direct Access Transition Technologies and Their Associated Caveats.


Hi All,

I've been doing some reading on Direct Access in server 2012 R2 and I'd just like a few things clarified:

  1. The DA server MUST be domain joined, yes? Not keen on this if so.
  2. Teredo and 6to4 are faster and more efficient than IP-HTTPS but require incoming and outgoing ports opened on whatever firewall device the traffic traverses?
  3. Teredo and 6to4 do NOT require the internal network to be IPv6?
  4. IP-HTTPS can ONLY work if the internal network is IPv6? If so what is required to make the network IPv6?
  5. When a client is behind a proxy server it will ONLY attempt to use IP-HTTPS?

Cheers
C



Change order of IPv6 and IPv4 in Windows Server 2012 R2


Hi,

I would like to know if it is still supported to change the preference to IPv4 (first) and IPv6 (second) in Windows Server 2012 R2. It seems like this was supported in Server 2008 R2, but not anymore in Server 2012 R2. I would like to have confirmation about this.

Also, if it still is supported, is it the same registry key as in Server 2008 R2 or something different ?

Thanks,

Rochen


Bad dns setup or bug in dns server with dnssec turned on?


I'll start off by saying I am just learning DNSSEC, so maybe I'm way off course.

I have turned on DNSSEC on my Server 2012 R2 server and found that I cannot get to ipower-inc.com. There is NOT a DS record for ipower-inc.com (or ipower.com), so I would expect the DNS request to complete without a DNSSEC failure (like microsoft.com...).

In looking at the debug logs with DNSSEC ON, I see the request to the DNS forwarder (ISP DNS server) returns a CNAME for ipower-inc.com that points to ipower.com, which has an A record. If I look at the response back to my client, my DNS server tells the client there is NO A record found for ipower-inc.com. Well, that IS correct, there isn't an A record; there is a CNAME that points to ipower.com.

If I look at the debug logs with DNSSEC OFF, I see my DNS server responds back to the client with the same info my ISP responded to me with. I did clear the cache between tests.

SO my question: is this just bad DNS setup on ipower's side, where they are breaking some rule that I don't know of because I didn't read all the RFCs, OR is this unexpected behavior (a bug) in the Windows DNS Server? OR is it door number 3?

thanks

tim
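An added diagnostic for the situation described above (example script, not from the post): it asks the Windows DNS server the same question twice, once normally and once with the DNSSEC CD (checking disabled) bit set, asks the forwarder directly, and then checks whether the zone has a DS record at its parent. A validating resolver that returns SERVFAIL or an empty answer only on the normal query, but returns the CNAME and A records with CD set, is rejecting the data at validation time; if the forwarder and the CD query also lack the A record, the data was never there. With no DS at the parent the delegation is insecure and a validator is required to pass the answer through unvalidated, which is the behaviour the post expected. Assumptions: the addresses for the Windows DNS server and the ISP forwarder are placeholders, the name is the one from the post, and the zone is taken to be the last two labels of the name.

```powershell
# Added example, not from the post. Asks the Windows DNS server and its forwarder the same
# question three ways so that "the answer exists but validation rejects it" can be told apart
# from "the answer was never there". Assumed (not from the post): $Resolver is the 2012 R2
# DNS server, $Forwarder the ISP resolver, and the zone cut is at the last two labels.
param(
    [string]$Name      = 'ipower-inc.com',
    [string]$Resolver  = '192.0.2.53',
    [string]$Forwarder = '198.51.100.53'
)

function Show-Answer {
    param([string]$Label, [string]$Query, [string]$Server, [switch]$CheckingDisabled)
    try {
        # -DnsOnly skips the local cache and hosts file; -DnssecCd sets the CD bit so the
        # server returns whatever it has even if its own validation would fail.
        $rr = Resolve-DnsName -Name $Query -Type A -Server $Server -DnsOnly `
                              -DnssecCd:$CheckingDisabled -ErrorAction Stop
        foreach ($r in $rr) {
            $data = if ($r.Type -eq 'CNAME') { $r.NameHost } else { $r.IPAddress }
            '{0,-30} {1,-25} {2,-6} {3}' -f $Label, $r.Name, $r.Type, $data
        }
    } catch {
        '{0,-30} FAILED: {1}' -f $Label, $_.Exception.Message
    }
}

Show-Answer 'resolver, validating'   $Name $Resolver
Show-Answer 'resolver, CD bit set'   $Name $Resolver -CheckingDisabled
Show-Answer 'forwarder direct'       $Name $Forwarder

# Is the zone signed from the parent's point of view? No DS at the parent means the
# delegation is insecure and a validating resolver must pass the answer through unchanged.
$zone = ($Name -split '\.')[-2..-1] -join '.'
$ds   = Resolve-DnsName -Name $zone -Type DS -Server $Forwarder -DnsOnly -ErrorAction SilentlyContinue
if ($ds | Where-Object Type -eq 'DS') {
    '{0}: DS record present at the parent (signed delegation, chain will be validated)' -f $zone
} else {
    '{0}: no DS record at the parent (insecure delegation, answer should pass unvalidated)' -f $zone
}

# Reading the result: CD query and forwarder both show CNAME -> A but the validating query
# fails: the resolver is rejecting the chain, not the data. All three miss the A record:
# look at the forwarder or at the zone itself.
```

Run it from a client that can reach both servers; comparing the three answers side by side is quicker than reading the DNS debug log, and the DS check settles whether validation should have been involved at all.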

Configure Services Across Multiple Subnets


I currently have a security network consisting of five physically separated locations that are connected together. Each location has 50 to 100 devices requiring IP addresses. These devices are network cameras, alarm control components and access control devices.

Each location has either dual SonicWall TZ 215s or dual 2400s in failover configurations. For additional redundancy three of the locations also have two ISPs.

Each location is a subnet. The subnets are connected using VPN tunnels configured between each Sonicwall. The Sonicwall on each subnet also provides DHCP and other services needed for its subnet.

Subnet Configuration:

???.???.100.1 Primary Location

???.???.101.1

???.???.102.1 Secondary Location

???.???.103.1

???.???.104.1 

There is now a need to configure Windows 2012 network services (DC, DHCP, DNS, File Services), keeping in mind that this system will remain a closed network with minimal requirements for internet access (upgrades, utility services, etc.).

Would like to have high availability (load balancing and failover) spread between Primary and Secondary locations. Will only have 15 to 20 Users Logging on and accessing video servers and other security assets.


DirectAccess + OTP


Hello,

I have a question related to DirectAccess and OTP. As far as I understand, when OTP is set up, the One Time Password has to be entered after the user has opened his session with his Windows credentials.

My question is about the behaviour of the computer before the user opens his session: is the computer already connected to the corporate network when a user tries to open his session? I mean, the biggest advantage of DirectAccess is to connect seamlessly to the corporate network before the user logs on: that makes it easy to deal with password expiration, account lockout, etc. for roaming users.

Thanks for your answers.

Kind regards

David


Simple one-to-one Windows Server 2012R2 router


I'm pretty sure that when I get an answer, it's going to be one of those "duh moments"...

So I've got seven VMs running on an isolated virtual network segment.  This is a test AD/Exchange/Lync thing, so I want it as isolated as I can from my production network.  However our developers want to be hitting it with their development tools directly from their production workstations.  One of these VMs has a second virtual NIC on it that ties to our production LAN, and I've installed the Routing role on this machine.  NICs are identified with meaningful labels ("corpnet" and "Internet"); the "inside" one is in the domain profile and the "Internet" one is in a public profile, and all firewalls are turned off on all of the VMs.  I have seven IP addresses that I've allocated on the production network and all I'm after here is a simple one-to-one mapping.

Here's what I've done so far:

  • Configure for LAN Routing and NAT
  • Under IPV4 -> NAT, create Public interface with Internet NIC
  • Under IPV4 -> NAT, create Private interface with Corpnet NIC
  • Under IPV4 -> NAT -> Internet -> Address Pool, add small production network address range.
  • Under IPV4 -> NAT -> Internet -> Address Pool -> Reservations, create one-to-one mappings of public to private addresses with "Allow Incoming Sessions" enabled
  • All VMs are set with the edge server as the gateway.  The edge server is set with my production LAN's gateway on the "Internet" network interface.

From the edge VM, I can get to the production LAN and to the private VMs.  From the production LAN I can get to the edge VM just fine.  However I can't get from the production network to any of the VMs and none of the VMs can get past the edge VM.

What incredibly obvious and simple thing am I missing?  I typically don't use Windows' router, so...  TIA

IPSec in Tunnel mode - Is it possible to define FQDN as a tunnel endpoint.


Hi All,

We are trying to implement an IPsec in Tunnel mode (site-to-site) between Windows 2008 R2 and Checkpoint Firewall. The only option we are finding in the IPsec rules (mmc -> IPsec policy mgmt -> New rule) is to mention one IP Address (IPv4 or v6) as tunnel endpoint. We have multiple Checkpoint Firewalls as tunnel endpoints to manage the load balancing. Is it possible to define multiple IP addresses as tunnel endpoint or is there a way to define the FQDN name so that the IP addresses are resolved using DNS and a tunnel is established between the resolved IP returned.

One more thought - If we define a VIP (Virtual IP) for the checkpoint firewalls, and define that VIP as a tunnel endpoint will it work?

Appreciate any help in this regard.

Windows Server 2012 R2


Respected Members,

I'm a student pursuing a level-7 IT diploma in Networking. I want to foster my career in server technology; I'm a beginner. Please refer me to some good books and online resources. I'm looking for an internship or voluntary work which helps me to develop my subject understanding by providing real-time exposure. I'm a serious technology student willing to learn and excel. I'm ambitious; my project on open-source virtualization has been accepted by IEEE for publication. Thank you.

Internet Ups and Downs


I have a MikroTik router, model RB751U, receiving directly from the ISP. It feeds 3 Cisco switches of 24 ports each, then patch panels, and then users. I am having internet ups and downs in this way: when I bypass my LAN and log into the router to ping 8.8.8.8, I get clean pings showing there is internet at my router, yet I, connected directly to the router, and any user on the LAN can't browse. Usually the drops happen at different times, but on average 5 every day, each taking less than 2 minutes, and then the internet comes up again.

What are the possible causes of this problem?


DNS nslookup error timeout was 2 second



Dear Sir,

After installation of 2008 server and DNS, when I type the nslookup command at the DOS prompt I am facing an error.

IP address:     192.168.0.1
Subnet mask:    255.255.255.0
Preferred DNS:  192.168.0.1

DNS request timed out.
timeout was 2 seconds
Default Server: Unknown
Address: fe80::b9bc:6516:36ec:84f3

Why is it not showing me the IP address?

But at the client side it shows me:

Default Server: abc
Address: 192.168.0.1



thanks in advance



Windows Server and Exchange Server ISA Server problem

Computer Browser Service disabled on DCs


I have 2 DCs...

1) Physical Server 2012 - GC, DNS Integrated, DHCP
2) Virtual Server 2012  - GC, DNS Integrated, DHCP, FSMO, RID Master, PDC Master, Infrastructure Master

While troubleshooting network browsing on a 2003 server, I noticed that the Computer Browser service is disabled on both these DCs.  Is this right?  We do have some computers that are workgroup only.

Routing and Remote Access


Hello Everyone,

A client of mine is using RRAS for VPN access to the network.

Everything works as it should; I can change the LAN setting to work as dynamic or static with a range of IPs.

Problem

When the server gets rebooted with the weekly Windows updates, this is where I cannot access the LAN.

I can remote into the VPN network and get an IP address, but I cannot get to the LAN.

The only way I can get access to the LAN is to switch the IPv4 from dynamic to static. I keep it set to static, as RRAS gives the server an internal address inside the scope. So normally, I can connect to this internal address which points to the RRAS server and I can make this change, then the other VPN users can connect to the network, but there are cases where this does not work if it gets left on dynamic and RRAS doesn't assign itself an internal address in the IPv4 section.

So, does anyone know why a simple reboot is affecting this? It works fine for weeks until it gets rebooted, then no one can access the network externally.

Thanks

802.1x random failures


I am in the process of implementing machine-based 802.1x at my company. I have 2 RADIUS servers and 1 CA. The machines get their certificates via group policy. The group policy is working fine and everyone who is supposed to have a certificate has been issued one. I wait until they get their certificates, then enter the commands for 802.1x on their port. I have about 50 machines that are working as they should, but I have three random machines that will not communicate whenever I flip the port on the switch. The three machines have valid certificates and have full connectivity to the two RADIUS servers and the CA. I do not believe it is a switch problem, because I have other machines connected to this switch that are authenticating properly. Also, I have tried the 802.1x hotfix on these machines with no luck. I am wondering if there is anything on the clients that could keep them from authenticating. All of my clients are Windows 7 SP1 64-bit. Any suggestions would be appreciated!

Recent update causes stacked taskbar buttons to highlight on initial RDP connection


I just did a Windows update (too many to list). After the update I executed a command procedure that connects me to a group of servers using RDP. After the procedure completed I noticed that all of the taskbar buttons are highlighted. Does anyone know if this is a new "feature" of RDP?

This was not happening before the recent updates.

I am using 2008 R2 SP1.

Anyone have any ideas?


JPH

Forgot to mention, the command procedure starts all of the RDP sessions minimized.