Re: User authentication IPsec





Hello, using simple password authentication worked immediately. Here are
the logs from the IPsec monitor tool installed on one of the 2 client
PCs.

SystemInfo:
--Passed: System information(software, hardware,active processes,
active network connections) collected. View Output Logs for details

Network Interface Diagnosis:
--Passed : Network Interface configured correctly

Ping (Remote Reachability) Diagnosis:
Passed: Remote machine,"celeronpc", is reachable from host

NAP Client Diagnosis:
--Information : NAP client service is installed but turned off. Run
"net start napagent" to start the service

IPsec Service Diagnosis:
--Passed : IPsec services are up and running
----BFE up and running
----IKEext/Policyagent up and running

Live Debugging: Start
--Information: Enabling RRAS Trace

WFPUtil Diagnosis:
(If you did not repro the issue while the tool was running, ignore
WFPUtil Diagnosis)

This Diagnosis report is for negotiation between host and 192.168.0.88
Failed: No IKE negotiaton found between Host machine and 192.168.0.88.
This could be because:
--1.Wrong value was entered for the Desitnation IP Address(Client2 IP)
--2.Wrong log was provided
--3.IPSec is not monitoring traffic between Host machine and
192.168.0.88

Live Debugging: End

RRAS Diagnosis:
--Passed : RRAS is switched off, implying no external policies
--Information: Disabling RRAS trace that was enabled during live
debugging.RRAS logs copied.

Registry and Events Diagnosis:
--Passed: System, Application and Security event logs collected

Windows Firewall Diagnosis:
--Information : Firewall is active

IPsec SA, Filter Diagnosis:
--Passed : Main mode SA exists between 192.168.0.98 and 192.168.0.88.
--Passed : Quick Mode SA exists between 192.168.0.98 and 192.168.0.88
--Information : No Legacy MM policies applied on this system

--Information : Found Rules on this system
--Passed : One or more rules are active on this system
--Information : No Policy assigned on the system
--Information : No Legacy QM policies assigned on the system
--Information : No legacy MM outbound filters between exist between
192.168.0.98 and 192.168.0.88
--Information : No Legacy MM inbound filters between exist between
192.168.0.98 and 192.168.0.88

-----------Local Mode Diagnosis:End -
2006/02/18(15hr:19min:08sec)-----------

Now I will try to solve the big problem of the IPsec with HRA and CA. I
checked (mmc) on the DC, which has NPS with NAP and HRA
running, that under Certificates (Local Computer) > Personal > Certificates
there are 2 certificates installed, and under Intended Purposes one says
Client/Server Authentication and the other says All.

To be honest, I thought it would be much easier to set up.

To give you a better picture, I will explain what I have done till
now.

First I installed the CA using default settings, then I installed
the HRA, all on the same PC. I have set up the HRA to use the certificate
authority.

I installed NAP using the wizard and selected IPsec with HRA.
This automatically created the policies under NPS, including the health
policies.

Then, for IPsec enforcement on client machines in the GPO, I am not sure
how I have to set up the Trusted Server Group so that the client can trust
the HRA. It says that I have to enter a URL; does it mean something like
this: https://192.168.0.50 (the IP address of the HRA)? I have also
ticked the "Enable this enforcement client" check box in the IPsec Relying
Party properties.

Then finally I created an IPsec security rule between 2 PCs connected
to the DC and configured it to use a computer certificate with "require
health certificate" enabled, and I selected the CA name.

The process involves many tasks, and failing one of them unfortunately
decides success or not, so hopefully you can tell me what I have done
wrong. The instructions on how to set all this up have been taken from
the book Configuring Windows Server 2008 Network Infrastructure, pp.
400-408.

Thank you


--
aconti
------------------------------------------------------------------------
aconti's Profile: http://forums.techarena.in/members/73272.htm
View this thread: http://forums.techarena.in/active-directory/1159636.htm
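The following is an added example, not code from the original post or from the poster's setup. It walks the client side of the procedure the post describes (NAP Agent running, a trusted server group pointing at the HRA, the IPsec Relying Party enforcement client enabled) and then checks the two things the diagnostic log above reports: whether the machine holds a health certificate, and whether main mode and quick mode SAs exist with the peer. The HRA host name hra.corp.example.com, the group name "HRA Servers" and the assumption that the client is domain-joined are illustrative; the HRA URL uses the DNS name of the HRA and the DomainHRA/hcerthttp virtual directory that the HRA role creates in IIS, rather than a bare IP address, because the client validates the HRA's server certificate against that name.

```powershell
# Added example: configure and verify the NAP IPsec enforcement client, then
# check the health certificate and IPsec SAs. Not from the original post.
# Assumptions (not in the post): HRA host name, trusted server group name,
# and a domain-joined client (hence the DomainHRA endpoint).
$HraUrl    = "https://hra.corp.example.com/DomainHRA/hcerthttp"  # assumed HRA FQDN; must match the HRA server certificate
$GroupName = "HRA Servers"                                        # assumed trusted server group name
$Peer      = "192.168.0.88"                                       # peer address from the diagnostic log above

# 1. The NAP Agent service must be running (the log shows it installed but stopped).
$nap = Get-Service napagent
if ($nap.Status -ne 'Running') { Start-Service napagent }
Set-Service napagent -StartupType Automatic

# 2. If NAP client settings are delivered by Group Policy, the local settings
#    below are ignored and the GPO's trusted server group is what the client uses.
netsh nap client show grouppolicy

# 3. Local configuration (effective only when no NAP client GPO applies):
#    a trusted server group holding the HRA URL, HTTPS required, and the
#    IPsec Relying Party enforcement client (ID 79619) enabled.
netsh nap client add trustedservergroup name="$GroupName" requirehttps="Enable"
netsh nap client add server group="$GroupName" url="$HraUrl" processingorder=1
netsh nap client set enforcement id=79619 admin="Enable"

# 4. Show the effective client state and the trusted server group.
netsh nap client show state
netsh nap client show trustedservergroup

# 5. A compliant client holds a health certificate obtained through the HRA:
#    a machine certificate with the System Health Authentication EKU
#    (OID 1.3.6.1.4.1.311.47.1.1). Returns the matching certificates, if any.
function Get-HealthCertificate {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.EnhancedKeyUsageList | Where-Object {
            $_.ObjectId -eq '1.3.6.1.4.1.311.47.1.1' -or
            $_.FriendlyName -eq 'System Health Authentication'
        }
    }
}
$health = @(Get-HealthCertificate)
if ($health.Count -eq 0) {
    Write-Warning "No health certificate in the machine store; an IPsec rule that requires a health certificate will not negotiate."
} else {
    $health | Format-List Subject, Issuer, NotAfter, Thumbprint
}

# 6. Confirm the IPsec SAs with the peer (the log shows MM and QM SAs
#    between 192.168.0.98 and 192.168.0.88).
netsh advfirewall monitor show mmsa | Select-String $Peer
netsh advfirewall monitor show qmsa | Select-String $Peer
```

Run it in an elevated PowerShell session on the client. If step 2 reports that Group Policy is configuring the NAP client, the trusted server group and enforcement client have to be set in the GPO instead (Computer Configuration > Policies > Windows Settings > Security Settings > Network Access Protection), using the same URL form; the `show state` output then confirms whether the IPsec Relying Party client is enabled and initialized.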



