Video Screencast Help

SEPM to work with Windows Server 2008 NPS Radius

Created: 19 Apr 2012 | 6 comments
Rinoa21's picture

 

 

Hi ,, Can somebody help me with this..because we are having some issues to get our Symantec Endpoint Protection Manager to work with the new Windows Server 2008 NPS (Radius) Sever for the dynamic VLAN (do1x) authentication. The clients’ PC couldn’t grab a proper address according to their network policies defined in the NPS server.Error shows that the client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Thanks much..

Discussion Filed Under:

Comments 6 CommentsJump to latest comment

Rinoa21's picture

done already but same issue. the radius server before was windows 2003, but now we already use windows server 2008 r2 but having problem. it is working fine using windows 2003 radius. 

What we have tried is to ensure that the policy is set to allow user to select the authentication protocol, it is not running in transparent mode.

Is there any settings missed in the sepm or could it be a compatibility issue between 2008 R2 and the SNAC/SEPM (v11 Ru7 MP1/v11 RU7)?

pete_4u2002's picture

With Windows Server 2008, IAS has been replaced with Network Policy Server (NPS). If you are using Server 2008, you must specify that you are using NPS.
check this link and let know if it is helpful

http://www.symantec.com/business/support/index?page=content&id=HOWTO55738

 

Hang5jebat's picture

Rinoa, is there a possiblity for you to place the RADIUS error here? The only changes you migrated is the server. Confirm the following

1) The shared secret key of the switch

2) The shared secret key configured on the NPS

 

I think the problem is more to the communication between the 802.1x switch and the RADIUS (NPS)

Hang5jebat's picture

Rinoa,

Additionally, since you mentioned that this happened on the new built Win2k8 server, can you confirm that you have installed the necessary certificates?

 

cemilebaşak's picture

Hi;

What is your SEPM and Lanenforcer version.

Both of them must be at least Symantec Endpoint Protection version 11.0 RU6 MP2 or higher (including 12.1).

I advice to upgrade 12.1 on both SEPM and lanEnforcer.

And also there is a KB related for IAS but the rules and the others same with NPS. This may be usefull.

Article URL http://www.symantec.com/docs/HOWTO74612

How to configure Microsoft IAS for use with the Symantec LAN Enforcer

This article covers the steps required for configuring the Microsoft Internet Authentication Service (IAS) for use with the Symantec LAN Enforcer.

The Symantec LAN Enforcer in Symantec Network Access Control can forward RADIUS requests from an 802.1x enabled switch for optional user authentication. This configuration is called Basic Mode - for details please see the following article:

The RADIUS user authentication in LAN Enforcer Basic mode can be provided by IAS. The steps below will help enable this configuration in PEAP (Protected EAP) mode.

 
In the Symantec Endpoint Protection Manager (SEPM) console:

  • Configure the Client Group supplicant settings:
    • Navigate to Policies - General Settings - Security Settings.
    • Check the "Enable 802.1x authentication" option, but do not check "Use Symantec Transparent Mode".
  • Configure the LAN Enforcer to use the IAS as RADIUS server:
    • Navigate to Admin - Servers.
    • Select Edit Group Properties for the LAN Enforcer group.
    • On the RADIUS Server Group tab create a new group with the IP address of the IAS server and a shared secret.
    • On the Switch tab edit the Switch Policy and select the new RADIUS Server Group in the dropdown list.

 
In the Active Directory Users and Computers MMC snapin:

  • Allow Remote Access for the user account that is to be authenticated via the LAN Enforcer and IAS server.
    • In the user account properties dialog, select the Dial-in tab and pick the option to allow access under Remote Access Permissions.

 
Create a certificate to use for PEAP:

  • Make sure Certificate Services are installed on the server (in Control Panel - add/remove Windows components).
  • Create a new certificate on http://localhost/certsrv/ following the steps in Microsoft article KB871222.
    • Visit http://localhost/certsrv/ and click Request a certificate.
    • Select Advanced certificate request.
    • Select Create and submit a request to this CA.
    • Select Microsoft RSA SChannel Cryptographic Provider in the CSP dropdown.
    • Check the Store Certificate in the local computer certificate store check box.
    • Leave the default options of 1024 for Key Size, and "Create a new key set" and "Automatic container name" selected.
    • Enter Identifying Information as appropriate.

 
In the Microsoft Internet Authentication Service (IAS) MMC snapin:

  • Configure a new RADIUS Client using the LAN Enforcer IP address:
    • Under RADIUS Clients, select New RADIUS Client and enter the LAN Enforcer IP address.
    • Press Next, and fill in the same shared secret entered in the LAN Enforcer group policy RADIUS Server Group created earlier.
  • Create a new Remote Access Policy:
    • Under Remote Access Policies, select New Remote Access Policy.
    • Using either the wizard option or the custom policy option, create policy conditions and a profile to control network access.
    • Use conditions matching the client requests (for example "Ethernet" or "Domain Users" for an initial test granting access).
    • For the Profile, select Protected EAP (PEAP) as the EAP type.
    • Further edit the Protected EAP (PEAP) method, and select the certificate created earlier from the dropdown list.
    • To access the certificate selection after saving the policy (or if not using the wizard):
      • Click Edit Profile.
      • Select the Authentication tab.
      • Click EAP Methods.
      • Click Add and select PEAP if it is not in the EAP types list already.
      • Select PEAP and click Edit.
      • Pick the correct certificate from the dropdown.

 

Troubleshooting:

  • If any part of the configuration is missing the IAS server will write an entry to the standard Windows System Event Log. The event log entries contain a text description with useful hints to which step has not been configured correctly (such as "invalid RADIUS client IP address" if the LAN Enforcer has not been entered as a trusted client of the IAS).
  • Capturing the traffic and filtering on the RADIUS traffic will also indicate if the requests were received on the server and if any reply was sent. When capturing on the client side a useful filter would be EAP to view the communication between the switch and the local supplicant.
  • The IAS server listens on the RADIUS 1812 UDP port, which is also used by the SEPM. If both are installed on the same machine the IAS needs to be configured to use a separate port.
  • It is recommended that the less complex Transparent mode is configured first with the LAN Enforcer, before the environment is changed to Basic mode with user authentication.

Regards;

Cemile Denerel BAŞAK

Note: Please mark as solution if its help you.