INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR. Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information. The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or by visiting Intel's Web Site. 
Intel Active Management Technology requires the computer system to have an Intel AMT-enabled chipset, network hardware and software, as well as connection with a power source and a corporate network connection. Setup requires configuration by the purchaser and may require scripting with the management console or further integration into existing security frameworks to enable certain functionality. It may also require modifications of implementation of new business processes. With regard to notebooks, Intel AMT may not be available or certain capabilities may be limited over a host OS-based VPN or when connecting wirelessly, on battery power, sleeping, hibernating or powered off. For more information, see www.intel.com/technology/platform-technology/intel-amt/ Intel, the Intel logo, Intel Core, Intel Centrino, and Intel vPro are trademarks or registered trademarks of Intel Corporation in the United States and other countries. *Other names and brands may be claimed as the property of others. Copyright 2009, 2010 Intel Corporation. All rights reserved.
Contents

Introduction
    What is 802.1x authentication?
    Why is 802.1x important?
    Supplicants
    RADIUS Servers
    Authentication Protocols
    Public Key Infrastructure
    Posture Validation
Implementation
    Workflow overview
    How to use an 802.1x network connection
Debug
    Tracing
        Tracing from network access device
        Tracing from the RADIUS server
        How to use Ethereal\Wireshark
        Tracing from the client
Common Problems
    Logging
    Wrong protocol type
    User not found
    Quarantined
    CA not configured
    Settings being lost in ACS
    Intel AMT Active Directory object does not exist
    Active Directory object allows remote access
    RADIUS server certificate and certificate signing chain should not contain any certificates with key size >2048-bits
    RADIUS server is providing the full and correct certificate chain
    Intel AMT is using correct EAP-RADIUS protocol
    Intel AMT must be provisioned with root CA certificate of RADIUS server certificate signing chain
    Intel AMT checking RADIUS server certificate subject CN information correctly
    Intel AMT is providing correct client credentials to RADIUS server
    Verify the PKI
Introduction
The purpose of this paper is to share key learnings acquired while getting up to speed on 802.1x and RADIUS servers. This section of the paper describes 802.1x authentication and provides overview information on RADIUS servers, supplicants, authentication protocols, and public key infrastructure.
Supplicants
When a client connects to a network access device (a WAP or a wired switch requiring 802.1x authentication), the network access device notifies the client that 802.1x authentication is required. A supplicant on the client is then required to provide authentication data. There are several supplicants to keep in mind:

Cisco NAC* supplicant: A program created by Cisco to allow Windows XP clients to perform 802.1x authentication via Cisco's NAC solution.
Windows wired interface: Windows Vista* and Windows 7* have a built-in 802.1x supplicant.
Windows wireless: Windows Vista and Windows 7 have built-in wireless connectivity components that are equipped with 802.1x authentication functionality.
Third-party wireless connection software: Most widely available wireless connection software (Intel* PROSet, Lenovo* ThinkVantage, etc.) is equipped with 802.1x authentication functionality.
Wired Intel AMT: Intel Active Management Technology (Intel AMT) version 3 and later is configured with wired 802.1x authentication functionality so that Intel AMT can maintain wired network access while OS-based supplicants are unavailable.
Wireless Intel AMT: Intel AMT versions 2.5\6, 4.x and 6.x are configured with wireless 802.1x authentication functionality so that Intel AMT can maintain wireless network access while OS-based supplicants are unavailable.
RADIUS Servers
When a network access device that requires 802.1x receives 802.1x authentication data from a connecting supplicant, it forwards that data to a RADIUS server. RADIUS stands for Remote Authentication Dial-In User Service. The RADIUS server evaluates the client's 802.1x authentication data and notifies the network access device of the authentication outcome and the access level to be assigned to the client. Three RADIUS servers receive validation attention with respect to Intel AMT:

1. Microsoft* IAS: IAS (Internet Authentication Service) is a very basic RADIUS server that was included as part of Windows Server 2003.
2. Microsoft* NPS: NPS (Network Policy Server) is an advanced RADIUS server that is included as part of Windows Server 2008.
3. Cisco* ACS: ACS (Access Control Server) is an advanced RADIUS server created by Cisco.
Authentication Protocols
An 802.1x authentication scheme can be implemented using a number of authentication protocols. The authentication protocol determines the structure and content of the 802.1x authentication data the client must provide to the RADIUS server. Authentication protocols offer varying degrees of convenience and security strength. Three of them are discussed here:

1. EAP-TLS: Extensible Authentication Protocol - Transport Layer Security. This is the most secure protocol. It requires the use of a user or machine certificate issued by a Certificate Authority trusted by the RADIUS server. This certificate is used to establish the identity of the accessing user or machine. It is supported by the ACS, NPS and IAS RADIUS servers.
2. EAP-FAST: Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling. This protocol is only used when ACS is the RADIUS server. It can use either Active Directory or certificates for authentication.
3. PEAP: Protected Extensible Authentication Protocol. This method can use either certificates or Active Directory credentials to establish the identity of the accessing user. Given the option of using Active Directory credentials, PEAP is quite convenient in Windows environments.
Public Key Infrastructure

Certificates rely on a concept called signing. When a certificate is issued by a CA, it is also signed by that CA. By using cryptographic processes, CAs make it nearly impossible to spoof the signing of certificates. Signing serves the following purposes:

1. It makes it extremely difficult to spoof which CA issued a certificate. For example, if a targeted computer trusts a certain CA, it will be extremely difficult to create a certificate that the targeted computer will believe came from the trusted CA.
2. It ensures that the data in an issued certificate cannot be altered. For example, if a certificate is issued to a particular user or computer, it would be impossible to change the subject names listed in the issued certificate to provide false identification for another user or computer without the targeted computer being able to detect it easily.
Posture Validation
In addition to the authentication aspects of a wired or wireless 802.1x scheme, posture validation is also used by the RADIUS server to decide what level of network access to grant a system. Posture validation is essentially the evaluation of other attributes of the accessing system. It can be used to require that anti-virus, firewall, operating system, etc. are all up to date and properly configured. Integrating 802.1x authentication with posture validation is called an EAC (Endpoint Access Control) solution. There are two common EAC solutions: Microsoft NAP and Cisco NAC.
Implementation
Workflow overview
A high level workflow of a basic 802.1x authentication process is illustrated below.
   m. In the middle pane, right-click EAP Quarantine Enforcement Client, and then click Enable.
   n. In the left pane, double-click Local Computer Policy, double-click Computer Configuration, double-click Administrative Templates, double-click Windows Components, and then click Security Center.
   o. In the middle pane, double-click Turn on Security Center (Domain PCs only).
   p. Select Enabled, and then click OK.
   q. Close the Console1 window.
   r. Click No when prompted to save console settings.

4. Configure Wired Network Connection
   a. Click Start, right-click Network, and then click Properties.
   b. Click Manage network connections.
   c. Right-click the connection that needs to be configured for 802.1x, and then click Properties.
   d. Click the Authentication tab, and verify that Enable IEEE 802.1X authentication is selected.
   e. Click Settings. In the Protected EAP Properties dialog box, verify that the following check boxes are selected:
      i. Validate server certificate
      ii. Enable Fast Reconnect
      iii. Enable Quarantine checks
      iv. The root CA that issued the certificate the RADIUS server uses to identify itself to clients attempting to authenticate must be checked.
      v. Authentication method = EAP-MSCHAP v2
   f. Click Configure, verify that Automatically use my Windows logon name and password (and domain if any) is selected, and then click OK. (PEAP can use certificates or Active Directory; this setting makes it use Active Directory.)
   g. Click OK, and then click OK again.

5. Configure Wireless Network Connection
   a. Click Start, right-click Network, click Properties, then click Manage wireless networks.
   b. Click Add > Manually create.
   c. Add settings appropriate to the wireless network and choose Next. Click the Change Network Settings button and choose the Security tab.
   d. Click Settings. In the Protected EAP Properties dialog box, verify that the following check boxes are selected:
      i. Validate server certificate
      ii. Enable Fast Reconnect
      iii. Enable Quarantine checks
      iv. The root CA that issued the certificate the RADIUS server uses to identify itself to clients attempting to authenticate must be checked.
      v. Authentication method = EAP-MSCHAP v2
   e. Click Configure, verify that Automatically use my Windows logon name and password (and domain if any) is selected, and then click OK. (PEAP can use certificates or Active Directory; this setting makes it use Active Directory.)
   f. Click OK, and then click OK again.

6. Connect to the network
   a. Connect the wired NIC to an 802.1x-enabled port, or associate the wireless adapter with an 802.1x-configured wireless network.

7. Observe RADIUS logs
   a. Access the NPS server.
   b. Right-click Computer > Manage > Diagnostics > Event Viewer > Custom Views > Server Roles > Network Policy Server.
   c. Refresh the event list.
   d. Browse the list for events pertaining to the test client. (Hopefully a message with the title "Network Policy Server granted full access to ..." is listed.)

8. Verify client connection
   a. Open Manage Network Connections. Something like Local Area Connection will be listed for the local wired interface. When the connection is activated, the middle line of text beside the icon will say "attempting to authenticate".
   b. When successful it will say "enabled" and then "detecting". Once you see "enabled", the 802.1x authentication has taken place successfully.
   c. If posture validation is being used: if Windows* Firewall is enabled, you should have access to the entire network. Find out by pinging the domain controller. If Windows Firewall is not enabled, the NIC will still say "enabled"; however, the client will be unable to ping the domain controller, or anything else that is not in the quarantine VLAN.
   b. Provision the client.
   c. With the client in the OS, access Network and Sharing > Change Adapter Settings.
   d. Trigger Intel AMT authentication
      i. Right-click the desired connection and choose Disable. (For wireless it is not sufficient to simply disconnect.) Disabling the adapter stops the network driver, which signals Intel AMT to take over the connection. When Intel AMT detects an 802.1x-equipped network, it will attempt to authenticate using the configuration parameters set during provisioning.
   e. Observe RADIUS logs
      i. Access the NPS server.
      ii. Right-click Computer > Manage > Diagnostics > Event Viewer > Custom Views > Server Roles > Network Policy Server.
      iii. Refresh the event list.
      iv. Browse the list for events pertaining to the test client. (Hopefully a message with the title "Network Policy Server granted full access to ..." is listed.)
   f. Verify client connection
      i. Ping the interface on the client that is being tested. Intel AMT will likely have the IP address the OS acquired. (It is difficult to verify a successful address acquisition for Intel AMT without looking at the DHCP server, so address acquisition must be observed by accessing Intel AMT features such as a ping response or WebUI access.)
Debug
Tracing
When debugging 802.1x authentication failures, it is often necessary to perform network traces when available logs are not populated and communication between components needs to be verified.
In this example, a simple ICMP ping exchange is observed between the RADIUS server at 192.168.0.95 and a domain controller at 192.168.0.2.
Common Problems
Logging
RADIUS Server Logs

ACS and NPS both have an aspect of logging that can make debugging more difficult: when an authentication request is too malformed, it is not logged in detail in the standard log. Instead it is logged only as a line item in a separate log file. The log files are located here:

NPS: C:\windows\system32\logfiles
ACS: C:\windows\ACS\CSAuth\auth.log

With ACS, for example, if an EAP-TLS authentication request arrives using a certificate that does not chain back to a trusted root CA, that authentication request will not be placed in the main logs and will only be logged in auth.log.

Network Access Device Logs

If no logs appear on the RADIUS server for a particular access request and no meaningful data is present
Quarantined
A client can sometimes pass authentication, but the RADIUS server will quarantine it, resulting in limited or no connectivity. This is usually the result of a posture validation failure. A posture validation failure can have the following causes:
1. Posture data is transmitted, but the system has legitimately violated posture requirements.
2. Posture data is not transmitted at all because the supplicant has not been configured to send posture data. With NPS this causes the log to state that the system is non-NAP capable.
3. Use of EAP-TLS with NPS. Problems have been seen where this configuration causes the log to state that the system is non-NAP capable. It seems the Windows native supplicant might have a problem transmitting posture data when EAP-TLS is used.
4. Microsoft ConfigMgr currently has an error that causes the EAC type set in AMT to be set to that of NAC. If a NAP solution is used, the NPS server will quarantine the system and report that it is non-NAP capable due to the misconfiguration.
CA not configured
ACS has a known issue where every CA in a client certificate's chain must be added to ACS as a trusted root CA. Cisco has acknowledged that this should not be a requirement. If a client presents the RADIUS server with a certificate that is issued by, or chains through, a CA that is not in the trusted root list, authentication will fail and the authentication attempt will not be logged in the main logs.
RADIUS server certificate and certificate signing chain should not contain any certificates with key size >2048-bits
This should be checked on the RADIUS server by locating the RADIUS server certificate and inspecting it and each certificate in its signing chain. Newer AMT firmware may support 4096-bit keys, but keys larger than 2048 bits remain an area to focus on. If there are certificates with keys that are too large, this does not necessarily mean a PKI rebuild: cross-certification can be used to make things work and avoid a costly rebuild of an existing PKI.
Intel AMT must be provisioned with root CA certificate of RADIUS server certificate signing chain.
This is not normally a problem in environments with a single stable root CA, or where the provisioning software verifies that a root certificate is being used during provisioning. However, if the environment contains more than one root CA, or the environment is under development and the root CA certificate may have been re-issued, this should be checked.
General Information
1. When using Intel SCS or Microsoft ConfigMgr SP2 as the provisioning software, the Active Directory objects representing Intel AMT have the SAM account name format hostname$iME. When examining RADIUS log files, it can be helpful to look for this name to determine whether authentication succeeded or failed with credentials of this type.
2. Be careful when re-provisioning an Intel AMT client where the 802.1X network port is being held open by Intel AMT. This can lead to port closure before provisioning completes and loss of network connectivity.
3. The Intel AMT event log contains details of 802.1X authentication failures if Intel AMT does not trust the RADIUS server. This information can be used to identify whether authentication failures are caused by Intel AMT rejecting the RADIUS server or by RADIUS rejecting Intel AMT. Knowing this helps focus further debug efforts. The Intel AMT event log is available from the Intel AMT WebUI.
Appendix
Microsoft NAP Configuration
This section outlines the steps required to configure Microsoft NAP with 802.1X enforcement. Upon completion of these steps, a client running the NAP agent will be required to have Windows Firewall turned on. If it is, the client will gain full network access; if it is not, the client will be placed in an access-limited VLAN until the setting is corrected. This section was written and baselined on the Brand Promise Validation (BPV) network infrastructure. Although the steps should be generic enough for any infrastructure, your mileage may vary. Configuring NAP has some baseline requirements of the network infrastructure; from there it involves three steps.

Baseline requirements:
1. 802.1x-capable switch. Recommended: Cisco 2960, 3560, 3750, 4900 or 6500 series switches, or any other vendor's switch supporting 802.1x network access control.
2. Domain controller running Windows Server 2003 or higher with a domain functional level of Windows Server 2003. To set the domain level:
   a. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.
   b. In the left pane of the Active Directory Domains and Trusts dialog box, right-click your domain and then click Raise Domain Functional Level.
   c. From the drop-down list box, choose Windows Server 2003, and then click Raise.
   d. In the dialog box that warns that this change cannot be reversed, click OK.
   e. In the dialog box that confirms the functional level was raised successfully, click OK.
3. Enterprise CA running Windows Server 2003 or higher, joined to the domain.
4. System to run Longhorn Server.
5. Client PC with Windows Vista, joined to the domain.

Main steps:
1. Configure the 802.1x-capable switch
2. Add a DHCP scope
3. Install and configure the Longhorn Server
4. Configure the client

Configure the 802.1x-capable switch
Because different switches use different command sets depending on the model and the software running on the switch, it is not possible to provide an exact step-by-step guide to configuring 802.1x on every possible switch. Please refer to the documentation provided by your switch vendor for instructions on configuring 802.1x. The following list shows the required configuration details for any 802.1x-capable switch. Once the values below have been configured, it is recommended that they be written down, as the following sections will require many of these details to configure the NAP server.

Friendly name / hostname: Assign your switch a hostname. In the BPV network the admin assigns this setting.
IP address: Assign your switch a management IP address (usually on VLAN 1). BPV uses <bench subnet>.254.
RADIUS server address: Assign the IP address of the RADIUS server, in this case the address of the NAP server.
Shared RADIUS key: Assign a shared RADIUS key; this key must be the same on both the switch and the NAP server.
Compliant VLAN: Create a VLAN that has full access to the rest of the network. This is the VLAN a client is assigned to when it passes the NAP check. Write down the name of the VLAN. Also write down the network information (subnet and default route). BPV uses the following values:
   VLAN Name: <bench#>-NAP-COMPLIANT
   Subnet: <bench subnet>.2 /24
   Default Route: <bench subnet>.2.254
Non-compliant VLAN: Create a non-routed Layer 2 VLAN that has no access to the rest of the network. This is the VLAN a client is assigned to when it fails the NAP check. Write down the name of the VLAN. BPV uses the following values:
   VLAN Name: <bench#>-NAP-NONCOMPLIANT
DHCP Forwarder/Helper: Configure the NAP Compliant VLAN with a DHCP forwarder/helper if DHCP is desired. BPV uses DHCP.
Non-802.1x authentication VLAN(s)/port(s) for everything else: Configure the switch to permit all servers and non-NAP clients to access the entire network. This may be accomplished by connecting such PCs directly to non-802.1x-authenticated ports on this switch, or by an uplink port to the rest of the network. BPV uses the uplink method. Note: the uplink port must not have 802.1x enabled.
(Optional) Configure Longhorn so it is easier to manage (not required for NAP, but must be done in BPV)
1. Log in as a domain administrator.
2. Configure the desktop to your liking.
3. Turn off Shutdown Event Tracking
   a. Click Start -> Run.
   b. In the Run box type "gpedit.msc" and click OK, then Continue.
   c. Click the + sign before Administrative Templates (the one in Computer Configuration under Local Computer Policy).
   d. Click System.
   e. Double-click Display Shutdown Event Tracker, select the Disable radio button in the property page and press OK.
4. Turn off User Account Control (UAC)
   a. Click Start -> Settings -> Control Panel.
   b. Double-click User Accounts.
   c. Click Turn User Account Control on or off, then Continue.
   d. Uncheck Use User Account Control and click OK.
   e. Choose Restart Now. After the reboot, log in as a domain administrator (the same one as before).
5. Turn off IE Enhanced Security
   a. Click Start -> Programs -> Administrative Tools -> Server Manager.
   b. Click Configure IE ESC.
   c. A dialog titled Internet Explorer Enhanced Security Configuration appears. Set Administrators and Users to Off and click OK.
6. Turn off Windows Firewall
   a. Click Start -> Programs -> Administrative Tools -> Server Manager.
   b. In the left pane expand Configuration and click Windows Firewall with Advanced Security.
   c. In the right pane click Windows Firewall Properties.
   d. The Windows Firewall with Advanced Security Settings box will appear. Set the Firewall state to Off in the following tabs: Domain Profile, Private Profile, Public Profile.

Install the NPS Role
1. As a domain administrator, click Start -> Programs -> Administrative Tools -> Server Manager.
2. Click Roles.
3. Click Add Roles.
4. Click Server Roles.
5. Check Network Policy and Access Services.
6. Click Next twice.
7. Check Network Policy Server and click Next.
8. Click Install.

Obtain a computer certificate
1. As a domain administrator, click Start -> Run.
2. Type mmc and click OK.
3. Click File -> Add/Remove Snap-in.
4. Choose Certificates and click Add.
5. A Certificates Snap-in dialog appears. Choose Computer account, click Next and then Finish.
6. Click OK.
7. In the left pane expand Certificates.
8. Right-click Personal and choose All Tasks -> Request New.
9. Click Next.
10. Check Computer and click Enroll.
11. Click Finish.
12. Close Console1 and don't save changes.

Configure the Network Policy Server
1. As a domain administrator, click Start -> Programs -> Administrative Tools -> Network Policy Server.
2. Click Configure NAP.
3. A Configure NAP window will appear. Choose the following and click Next:
   a. Network connection method: IEEE 802.1X (Wired)
   b. Policy Name: NAP 802.1X (Wired)
4. Choose Add. On the New RADIUS Client window enter the following and click OK:
   a. Friendly Name: <the friendly name of your 802.1x switch> (iLAB-NAC1 for switches configured for iLAB in the DOPD lab.)
   b. Address: <the IP address of your 802.1x switch> (iLAB-NAC1.vprodemo.com; you MUST use the IP address, as using the name causes problems.)
   c. Shared Secret:
      i. Manual
      ii. <secret for your 802.1x switch> (!QAZxsw2 for now; will be updated to P@ssw0rd for DOPD switches soon.)
5. Click Next. Click Next again on the Configure User Groups and Machine Groups form.
6. On the Configure an Authentication Method form, choose Secure Password (PEAP...) and click Next.
7. On the Configure Virtual LANs (VLANs) form, click Configure for the Organization network VLAN, configure the following, then click OK:
   d. RADIUS Standard Attributes:
      i. Tunnel-Medium-Type: 802 (includes all 802 media)
      ii. Tunnel-Pvt-Group-ID: <name of the good VLAN> (in the lab: interop-nac; bad = NAC Quarantine)
      iii. Tunnel-Type: Virtual LANs (VLAN)
      iv. Leave the others as not configured.
   e. Vendor Specific Attributes:
      i. (Microsoft) Tunnel-Tag: 1
8. On the Configure Virtual LANs (VLANs) form, click Configure for the Restricted network VLAN, configure the following, then click OK:
   f. RADIUS Standard Attributes:
      i. Tunnel-Medium-Type: 802 (includes all 802 media)
      ii. Tunnel-Pvt-Group-ID: <name of the bad VLAN>
      iii. Tunnel-Type: Virtual LANs (VLAN)
      iv. Leave the others as not configured.
   g. Termination-Action: RADIUS-Request
   h. Vendor Specific Attributes:
      i. (Microsoft) Tunnel-Tag: 1
9. Click Next, and Next again on the Define NAP Health Policy form.
10. Click Finish.
11. In the left pane expand Policies and choose Connection Request Policies.
12. Disable all policies except NAP 802.1X (Wired).
13. Right-click NAP 802.1X (Wired) and go to Properties.
14. On the Conditions tab remove all conditions. Then add a Day and time restrictions condition that allows 24x7 access.
15. Click OK.
16. In the left pane choose Network Policies.
   a. Disable all policies except the following:
      i. NAP 802.1X (Wired) Compliant
      ii. NAP 802.1X (Wired) Noncompliant
      iii. NAP 802.1X (Wired) Non NAP-Capable
   b. Rename:
      i. NAP 802.1X (Wired) Compliant > NAP 802.1X (Wired) Intel AMT Compliant
      ii. NAP 802.1X (Wired) NonCompliant > NAP 802.1X (Wired) Intel AMT NonCompliant
   c. Clone:
      i. NAP 802.1X (Wired) Intel AMT Compliant > NAP 802.1X (Wired) OS Compliant
      ii. NAP 802.1X (Wired) Intel AMT NonCompliant > NAP 802.1X (Wired) OS Noncompliant
   d. Order the policies as follows:
      NAP 802.1X (Wired) Intel AMT Compliant
      NAP 802.1X (Wired) Intel AMT NonCompliant
      NAP 802.1X (Wired) OS Compliant
      NAP 802.1X (Wired) OS Noncompliant
17. Install the Intel SHV via its setup file.
   a. In the MMC window, go to Network Access Protection > System Health Validators. Verify that Intel AMT SHV is present.
   b. Right-click Windows Security Health Validator and choose Properties. Click Configure. Uncheck all boxes except Firewall in both tabs. Click OK twice.
18. In Policies > Health Policies, create the following policies:
      NAP 802.1X (Wired) Intel AMT Compliant
      NAP 802.1X (Wired) Intel AMT NonCompliant
      NAP 802.1X (Wired) OS Compliant
      NAP 802.1X (Wired) OS Noncompliant
19. For all of the above policies, right-click > Properties and:
   a. For compliant policies, set the Client SHV checks option to Client passes all...
   b. For non-compliant policies, set the Client SHV checks option to Client fails all...
   c. For Intel AMT policies, set SHVs used to Intel AMT SHV.
   d. For OS policies, set SHVs used to Windows security.
20. Under Policies > Network Policies, for each NAP 802.1x entry, right-click, choose Properties and select the Conditions tab.
   a. For OS policies, add the corresponding system health policy.
   b. For Intel AMT policies, add the corresponding system health policy. Also choose Add and add an Operating System condition. In the following menu, choose Add again, check the Operating system version box and set it to be equal to zero.
   c. Right-click all policies and choose Enable.

Logs for the NPS server can be viewed in the Longhorn Management console:
1. Right-click Computer and click Manage.
2. Expand Diagnostics > Event Viewer > Custom Views > Server Roles > Network Policy and Access Services.

For every 802.1X authentication request there will be two information entries. These give you information on the client, the RADIUS client (that is, the switch), success or failure of authentication, and the policy used to decide the result. Here is what to look for:

If the client has Windows Firewall enabled:
   o Network Policy name: NAP 802.1X (Wired) Compliant
   o Result: Full Access
If the client does not have Windows Firewall enabled:
   o Network Policy name: NAP 802.1X (Wired) Noncompliant
   o Result: Full Access

Note that in both cases Full Access is granted. This means that full access to the appropriate VLAN was granted. In the case with no Windows Firewall, full access is granted to the bad VLAN, and thus the client cannot access the rest of the network.

If the log shows other policies being used, double check the settings for all policies in NPS. It is likely that one is enabled or disabled that should not be, or that a condition is not properly set. If the log shows limited access, double check NAP enforcement in the Network Policies. They should be set to Allow full network access. If the log looks correct but the client is not connecting to the network, try a static IP address to eliminate DHCP issues. Also verify with the switch that the client is being placed in the proper VLAN. If it is not, double check the Network Policies' RADIUS attributes. Ensure the proper Tunnel-Pvt-Group-ID value (the name of the VLAN) is set. It is possible that some switches require the VLAN ID rather than the name. The recommended Cisco 2940 requires the name, not the ID. If the NPS logs are OK, the client is using a static IP, and it is being assigned to the proper VLAN, then there is likely an issue with the VLAN/routing configuration somewhere on the network. Good luck. 802.1X can always be turned off temporarily to verify all VLAN/routing.

Intel AMT provisioning requirements:
1. The 802.1X profile used for wired 802.1X authentication must be configured with EAP-PEAP (MS-CHAP v2).
2. The Intel AMT profile used to provision the ME must have NAP enabled.

NAP auth requests work as follows: A WAP or switch with an entry under RADIUS Clients and Servers receives an access request from a NAP client. This request is then forwarded to the NPS. The NPS compares the request to the configured Connection Request Policies. The list of policies is evaluated in order. Each policy has a set of conditions and a set of constraints. If a connection request matches the conditions of a given policy, it is trapped by that policy.
If the connection request does not meet the constraints of a policy that traps it, that connection request is dropped and processing ceases. If a connection request is trapped by a Connection Request Policy and meets the constraints of that policy, processing continues to evaluate the access request based on Network Policies. Network Policies are evaluated in order and use the same condition and constraint schema that Connection Request Policies do. System Health Validators are custom plug-ins that evaluate system health in arbitrary ways. Their output can be used by Health Policies. Health Policies are used as conditions in Connection Request Policies and Network Policies.

NPS NOTES:
   o NAP posture transmission apparently is only available over PEAP.
   o If the RADIUS server has two IP addresses and authentication data is received on one address and responses are sent out on another, it messes up the authentication process with the switch.
   o If there are machine certificates present, it can cause the client not to respond to the authentication response from the switch. This is due to a suppressed pop-up balloon that prompts the user to select the appropriate certificate and username.
   o Saw Win7 in-band access attempts not being put in the regular log. Restarted Wired AutoConfig and NAP services. Disabled/re-enabled the adapter. The adapter disappeared and had to be re-enabled via the hardware manager. After that auths worked fine.
   o Changed the iLAB-NAC1 RADIUS client to be NAP-capable.

Upon domain rejoin of the NPS server:
1. Re-execute the register in AD step: right click NPS (Local) > Register in Active Directory.
2. Re-add ias-nap to the RAS and IAS Servers groups of both parent and child domains.
3. Must go to AD and add dial-in for users that are doing NAP access and choose Allow access.

The NPS server cert must be requested via MMC. The web UI cert request will not work for some reason.
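The evaluation order described above (Connection Request Policies first, then Network Policies; the first policy whose conditions match traps the request; a trapped request that fails its constraints is dropped) is what goes wrong when a policy is enabled, disabled or ordered incorrectly, which is the first thing the log-checking section says to suspect. The Python model below is an added illustration written for this page; it is not Microsoft NPS code and not part of the Intel guide. The policy names, the Client passes all / Client fails all health-policy semantics and the Operating system version equals zero condition follow the steps in this guide; the Request and Policy structures, the "Full Access (corporate VLAN)" and "Full Access (restricted VLAN)" outcome labels and the sample requests are assumptions made for the example.

```python
"""Model of the NPS evaluation order described above (added example, not NPS
or Intel code). Policy names follow the guide; Request/Policy structures,
outcome labels and sample requests are assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    """One access request as NPS sees it (constructed sample data)."""
    shv_results: Dict[str, bool]      # SHV name -> True (passed) / False (failed)
    os_version: Optional[int] = None  # the guide matches Intel AMT requests on "equals zero"


Condition = Callable[[Request], bool]


@dataclass
class Policy:
    name: str
    conditions: List[Condition]                    # all must match for the policy to trap the request
    constraints: List[Condition] = field(default_factory=list)
    outcome: str = "Continue"                      # result for a trapped request that meets the constraints
    enabled: bool = True


def passes_all(shvs: List[str]) -> Condition:
    """Health policy set to 'Client passes all' for the listed SHVs."""
    return lambda r: all(r.shv_results.get(s) is True for s in shvs)


def fails_all(shvs: List[str]) -> Condition:
    """Health policy set to 'Client fails all' for the listed SHVs."""
    return lambda r: all(r.shv_results.get(s) is False for s in shvs)


def os_version_equals(version: int) -> Condition:
    return lambda r: r.os_version == version


def evaluate(policies: List[Policy], req: Request) -> Tuple[Optional[str], str]:
    """Walk enabled policies in order. The first policy whose conditions all
    match traps the request; later policies are never consulted. A trapped
    request that fails the policy's constraints is dropped."""
    for p in policies:
        if not p.enabled:
            continue
        if all(c(req) for c in p.conditions):
            if all(c(req) for c in p.constraints):
                return p.name, p.outcome
            return p.name, "Reject (constraint failed)"
    return None, "Reject (no policy matched)"


# Step 14: the single enabled Connection Request Policy with a 24x7 day/time condition.
CONNECTION_REQUEST_POLICIES = [
    Policy("NAP 802.1X (Wired)", conditions=[lambda r: True]),
]

# Step 16 d: the four Network Policies in the order the guide prescribes.
NETWORK_POLICIES = [
    Policy("NAP 802.1X (Wired) Intel AMT Compliant",
           [os_version_equals(0), passes_all(["Intel AMT SHV"])],
           outcome="Full Access (corporate VLAN)"),
    Policy("NAP 802.1X (Wired) Intel AMT NonCompliant",
           [os_version_equals(0), fails_all(["Intel AMT SHV"])],
           outcome="Full Access (restricted VLAN)"),
    Policy("NAP 802.1X (Wired) OS Compliant",
           [passes_all(["Windows Security"])],
           outcome="Full Access (corporate VLAN)"),
    Policy("NAP 802.1X (Wired) OS Noncompliant",
           [fails_all(["Windows Security"])],
           outcome="Full Access (restricted VLAN)"),
]


def authorize(req: Request,
              network_policies: List[Policy] = NETWORK_POLICIES) -> Tuple[Optional[str], str]:
    """Two-stage evaluation: Connection Request Policies first, then Network Policies."""
    name, result = evaluate(CONNECTION_REQUEST_POLICIES, req)
    if result != "Continue":
        return name, result
    return evaluate(network_policies, req)


def demo_constraint_drop() -> Tuple[Optional[str], str]:
    """Trap-then-drop: policy A matches and fails its constraint, so the
    request is rejected even though policy B would have accepted it."""
    always = lambda r: True
    policies = [
        Policy("A", [always], constraints=[lambda r: False], outcome="Full Access"),
        Policy("B", [always], outcome="Full Access"),
    ]
    return evaluate(policies, Request({}))


if __name__ == "__main__":
    # Constructed sample requests: an Intel AMT (ME) client and two Windows clients.
    for label, req in [
        ("AMT, healthy", Request({"Intel AMT SHV": True}, os_version=0)),
        ("Windows, firewall on", Request({"Windows Security": True}, os_version=6)),
        ("Windows, firewall off", Request({"Windows Security": False}, os_version=6)),
    ]:
        print(f"{label:24s} -> {authorize(req)}")
    print("constraint drop          ->", demo_constraint_drop())
```

Running the module prints which policy trapped each sample request. The Windows client with the firewall off lands in the OS Noncompliant policy and still gets Full Access, matching the log entries described earlier (the restriction comes from the VLAN, not from NAP enforcement). demo_constraint_drop() shows why a wrongly ordered policy is not harmless: once a policy traps a request, a failed constraint rejects it rather than letting a later policy decide.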
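To see what the switch actually receives for a VLAN assignment (the Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, Tunnel-Type and Microsoft Tunnel-Tag values configured in step 8, and the Tunnel-Pvt-Group-ID check from the troubleshooting notes above), here is an added Python example that encodes those attributes as RFC 2868 tagged RADIUS attributes and decodes them back the way a switch would. It is not code from this guide or from NPS; the attribute numbers and tag layout come from RFC 2868, and the VLAN names "Restricted" and "20" are constructed sample values.

```python
"""Encode and check the RADIUS VLAN-assignment attributes the guide configures
(added example, not from the guide or NPS; attribute numbers and tag layout
per RFC 2868; VLAN names are constructed sample values)."""
from typing import Dict, List, Tuple

TUNNEL_TYPE = 64              # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13         # "Virtual LANs (VLAN)" in the NPS form
MEDIUM_IEEE_802 = 6           # "802 (includes all 802 media)" in the NPS form


def encode_tagged_int(attr: int, tag: int, value: int) -> bytes:
    """Tagged integer: Type, Length=6, Tag, 3-octet big-endian value."""
    return bytes([attr, 6, tag]) + value.to_bytes(3, "big")


def encode_tagged_string(attr: int, tag: int, text: str) -> bytes:
    """Tagged string: Type, Length, Tag (omitted when tag == 0), then the text."""
    body = (bytes([tag]) if tag else b"") + text.encode("ascii")
    return bytes([attr, 2 + len(body)]) + body


def vlan_attributes(group_id: str, tag: int = 1) -> bytes:
    """The attribute set an Access-Accept carries for one VLAN assignment
    (tag 1 is the Microsoft Tunnel-Tag value from step 8)."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, group_id))


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs, validating lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {t}")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def decode_vlan(data: bytes) -> Dict[int, Tuple[int, object]]:
    """Return {attribute: (tag, value)} for the three tunnel attributes,
    interpreting them the way a switch does."""
    found: Dict[int, Tuple[int, object]] = {}
    for t, v in parse_attributes(data):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(v) != 4:
                raise ValueError(f"attribute {t} must be 4 octets")
            found[t] = (v[0], int.from_bytes(v[1:], "big"))
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading octet of 0x00-0x1F is a tag; otherwise the
            # whole value is the group string. The string is opaque to RADIUS,
            # so a VLAN name and a VLAN ID travel the same way; the switch decides.
            if v and v[0] <= 0x1F:
                found[t] = (v[0], v[1:].decode("ascii"))
            else:
                found[t] = (0, v.decode("ascii"))
    return found


def check_vlan(data: bytes) -> List[str]:
    """The troubleshooting check from the guide: all three attributes present,
    Tunnel-Type VLAN, Tunnel-Medium-Type 802, a non-empty group ID, one tag."""
    found = decode_vlan(data)
    problems = []
    for attr, label in ((TUNNEL_TYPE, "Tunnel-Type"),
                        (TUNNEL_MEDIUM_TYPE, "Tunnel-Medium-Type"),
                        (TUNNEL_PRIVATE_GROUP_ID, "Tunnel-Pvt-Group-ID")):
        if attr not in found:
            problems.append(f"{label} missing")
    if TUNNEL_TYPE in found and found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type is not VLAN (13)")
    if TUNNEL_MEDIUM_TYPE in found and found[TUNNEL_MEDIUM_TYPE][1] != MEDIUM_IEEE_802:
        problems.append("Tunnel-Medium-Type is not 802 (6)")
    if TUNNEL_PRIVATE_GROUP_ID in found and not found[TUNNEL_PRIVATE_GROUP_ID][1]:
        problems.append("Tunnel-Pvt-Group-ID is empty")
    tags = {tag for tag, _ in found.values()}
    if len(tags) > 1:
        problems.append(f"tags differ across attributes: {sorted(tags)}")
    return problems


if __name__ == "__main__":
    accept = vlan_attributes("Restricted")   # constructed sample: the "bad" VLAN by name
    print(accept.hex())
    print(decode_vlan(accept), check_vlan(accept))
    print(decode_vlan(vlan_attributes("20")))  # same encoding when a switch wants the ID
```

The hex dump is what to compare against a packet capture between NPS and the switch when the client is not landing in the expected VLAN: if the bytes are right and the switch still ignores them, the problem is the name-versus-ID expectation of that switch model (the guide notes the Cisco 2940 wants the name), not the NPS policy.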