Re: User authentication IPsec
- From: "Ace Fekay [Microsoft Certified Trainer]" <aceman@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 14 Apr 2009 21:42:24 -0400
"aconti" <aconti.3qnrbc@xxxxxxxxxxxxx> wrote in message news:aconti.3qnrbc@xxxxxxxxxxxxxxxx
Hello, using simple password authentication worked immediately. Here are
the logs from the IPsec monitor tool installed on one of the 2 client
PCs:
SystemInfo:
--Passed: System information(software, hardware,active processes,
active network connections) collected. View Output Logs for details
Network Interface Diagnosis:
--Passed : Network Interface configured correctly
Ping (Remote Reachability) Diagnosis:
Passed: Remote machine,"celeronpc", is reachable from host
NAP Client Diagnosis:
--Information : NAP client service is installed but turned off. Run
"net start napagent" to start the service
IPsec Service Diagnosis:
--Passed : IPsec services are up and running
----BFE up and running
----IKEext/Policyagent up and running
Live Debugging: Start
--Information: Enabling RRAS Trace
WFPUtil Diagnosis:
(If you did not repro the issue while the tool was running, ignore
WFPUtil Diagnosis)
This Diagnosis report is for negotiation between host and 192.168.0.88
Failed: No IKE negotiaton found between Host machine and 192.168.0.88.
This could be because:
--1.Wrong value was entered for the Desitnation IP Address(Client2 IP)
--2.Wrong log was provided
--3.IPSec is not monitoring traffic between Host machine and
192.168.0.88
Live Debugging: End
RRAS Diagnosis:
--Passed : RRAS is switched off, implying no external policies
--Information: Disabling RRAS trace that was enabled during live
debugging.RRAS logs copied.
Registry and Events Diagnosis:
--Passed: System, Application and Security event logs collected
Windows Firewall Diagnosis:
--Information : Firewall is active
IPsec SA, Filter Diagnosis:
--Passed : Main mode SA exists between 192.168.0.98 and 192.168.0.88.
--Passed : Quick Mode SA exists between 192.168.0.98 and 192.168.0.88
--Information : No Legacy MM policies applied on this system
--Information : Found Rules on this system
--Passed : One or more rules are active on this system
--Information : No Policy assigned on the system
--Information : No Legacy QM policies assigned on the system
--Information : No legacy MM outbound filters between exist between
192.168.0.98 and 192.168.0.88
--Information : No Legacy MM inbound filters between exist between
192.168.0.98 and 192.168.0.88
-----------Local Mode Diagnosis:End - 2006/02/18(15hr:19min:08sec)-----------
Now I will try to solve the big problem of the IPsec with HRA and CA. I
checked (mmc) on the DC controller, which has NPS with NAP and HRA
running, that under Certificates (Local Computer) > Personal > Certificates
there are 2 certificates installed, and under Intended Purposes one says
Client/Server Authentication and the other says All.
To be honest I thought it would be much easier to set up.
To give you a better picture I will explain to you what I have done till
now.
First I installed the CA using default settings, then I installed
the HRA, all on the same PC. I have set up the HRA to use the certificate
authority.
I installed the NAP using the wizard and selecting IPsec with HRA.
This automatically created the policies under NPS, including the health
policies.
Then, for IPsec enforcement to client machines in the GPO, I am not sure
how I have to set up the Trusted Server Group so that the client can trust
the HRA. It says that I have to enter a URL; does it mean something like
this: https://192.168.0.50 (the IP address of the HRA)? I have also
ticked the Enable This Enforcement Client check box in the IPsec Relying
Party properties.
Then finally I created an IPsec security rule between 2 PCs connected
to the DC and configured it to use computer certificate with Require
Health Certificate enabled, and I selected the CA name.
The process involves many tasks, and failing one of them unfortunately
means success or not, so hopefully you can tell me what I have done
wrong. The instructions on how to set all this up have been taken from
the book Configuring Windows Server 2008 Network Infrastructure, pp.
400-408.
Thank you
Hello Aconti,
Unfortunately, I do not have a copy of the book. Following the lab procedure in the MOC training course does work, but this is for the lab computers. I'm not sure if I can legally post the instructions directly from the MOC courseware to a public forum. I know there are many factors to set up, as you've found, and if not set up properly, it can fail based on any misconfigured step.
Based on the logs, this one entry stands out:
NAP Client Diagnosis:
--Information : NAP client service is installed but turned off. Run
"net start napagent" to start the service
As for the cert on the machine, you said there were two, one was for client/server authentication. When you duplicated the cert from the templates, did you choose to duplicate the one that says Workstation Authentication?
As for the URL, it is looking for an FQDN in the URL for the health authority, such as https://server.contoso.com/domainhra/hcsrvext.dll.
Also, if using a password instead of a cert works, that tells me there is a problem with the cert being missing, misconfigured, or the wrong type of cert. Maybe that is the whole issue. I believe that was the error in one of your previous posts.
Question: how are you handing out the certificates to the client machines? Through a GPO and autoenrollment?
I do have one question regarding the certificate server. Is it an Enterprise Edition OS?
Ace
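Two things in this exchange lend themselves to a small script: the diagnostic report aconti pasted (a sequence of "Diagnosis:" sections with Passed/Failed/Information lines, some wrapped across two lines) and Ace's point that the trusted-server URL should carry the HRA's FQDN rather than a bare IP address. The following Python is an added example, not part of the original thread and not Microsoft's tooling: it re-joins the wrapped lines, flags the entries Ace would look at first (any "Failed" line, and "Information" lines saying a service is turned off or traffic is not monitored), and checks a candidate HRA URL for the shape Ace describes. The sample report embedded below is a constructed excerpt in the same format as the quoted log; the `INFO_FLAG_WORDS` phrases and the URL checks are the example's own assumptions.

```python
"""Triage helper for the IPsec/NAP diagnostic report format quoted in the thread.

Added example; the report excerpt is constructed from the quoted log's wording.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample in the same layout as the quoted tool output (wrapped lines included).
SAMPLE_REPORT = """\
NAP Client Diagnosis:
--Information : NAP client service is installed but turned off. Run
"net start napagent" to start the service
IPsec Service Diagnosis:
--Passed : IPsec services are up and running
----BFE up and running
WFPUtil Diagnosis:
Failed: No IKE negotiaton found between Host machine and 192.168.0.88.
This could be because:
--1.Wrong value was entered for the Desitnation IP Address(Client2 IP)
IPsec SA, Filter Diagnosis:
--Passed : Main mode SA exists between 192.168.0.98 and 192.168.0.88.
--Information : No Policy assigned on the system
"""

# A status line: optional leading dashes, a status word, a colon, the message.
ENTRY_RE = re.compile(r"^-*\s*(?P<status>Passed|Failed|Information)\s*:\s*(?P<msg>.*)$")

# "Information" lines are only flagged when they contain one of these phrases
# (assumption: chosen from the wording of the quoted report).
INFO_FLAG_WORDS = ("turned off", "not monitoring")


def parse_report(text):
    """Return (section, status, message) tuples; continuation lines are re-joined."""
    entries = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Diagnosis:"):          # section header, e.g. "NAP Client Diagnosis:"
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append([section, m.group("status"), m.group("msg").strip()])
        elif entries:                             # wrapped text or sub-bullet of the last entry
            entries[-1][2] += " " + line.lstrip("-").strip()
    return [tuple(e) for e in entries]


def triage_report(text):
    """Entries a troubleshooter should look at first: failures and flagged Information lines."""
    flagged = []
    for section, status, msg in parse_report(text):
        if status == "Failed" or (status == "Information"
                                  and any(w in msg for w in INFO_FLAG_WORDS)):
            flagged.append((section, status, msg))
    return flagged


def check_hra_url(url):
    """Problems with a trusted-server-group URL, following Ace's FQDN example."""
    problems = []
    parts = urlparse(url)
    if parts.scheme.lower() != "https":
        problems.append("scheme must be https")
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        problems.append("host is an IP literal; use the HRA's FQDN so the client "
                        "can match it against the name in the server certificate")
    except ValueError:
        if "." not in host:
            problems.append("host is not fully qualified")
    if not parts.path or parts.path == "/":
        problems.append("path is empty; Ace's example ends in /domainhra/hcsrvext.dll")
    return problems


if __name__ == "__main__":
    for section, status, msg in triage_report(SAMPLE_REPORT):
        print(f"[{status}] {section}: {msg}")
    for candidate in ("https://192.168.0.50",
                      "https://server.contoso.com/domainhra/hcsrvext.dll"):
        print(candidate, "->", check_hra_url(candidate) or "looks fine")
```

Running the script on the constructed excerpt reports the NAP agent being off and the missing IKE negotiation, and flags `https://192.168.0.50` for both the IP-literal host and the empty path, which are the two points Ace raises in his reply.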