
NetworkAccessProtection Support Case

16 December 2011 11:19

A huge amount of trouble sharing files. Emails with attachments are bouncing.

FTP does not provide progress feedback or seem to work.

Security Page 1

Eventually I opted for sharing via Skydrive but this created a concern that I may be exposing sensitive data on the internet.

Configure NAP with a wizard

The NAP configuration wizard helps you set up NPS as a NAP health policy server. The wizard provides commonly used settings for each NAP enforcement method, and automatically creates customized NAP policies for use with your network design. You can access the NAP configuration wizard from the NPS console.

To configure NPS using the NAP wizard

1. Click Start, click Run, type nps.msc, and then press ENTER.
2. In the Network Policy Server console tree, click NPS (Local).
3. In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start. See the following example.
4. On the Select Network Connection Method for Use with NAP page, under Network connection method, select IEEE 802.1X (Wired), and then click Next.
5. On the Specify 802.1X Authenticating Switches page, click Add.
6. In the New RADIUS Client dialog box, under Friendly name, type 802.1X Switch. Under Address (IP or DNS), type 192.168.0.3.
7. Under Shared secret, type secret.
8. Under Confirm shared secret, type secret, click OK, and then click Next.
9. On the Configure User Groups and Machine Groups page, click Next. You do not need to configure groups for this test lab.
10. On the Configure an Authentication Method page, confirm that a computer certificate obtained in the previous procedure is displayed under NPS Server Certificate, and that Secure Password (PEAP-MSCHAP v2) is selected under EAP types. Click Next.
11. Use the following steps to configure VLAN properties for compliant computers. In this lab, VLAN ID 3 will be used for compliant computers.
    a. On the Configure Virtual LANs (VLANs) page, under Organization network VLAN, click Configure.
       Note: If you are running Windows Server 2008 R2, this page is titled Configure Traffic Controls. On the Configure Traffic Controls page, under Full access network, click Configure.
    b. In the Virtual LAN (VLAN) Configuration dialog box (if you are running Windows Server 2008 R2, this dialog box is titled Configure RADIUS Attributes), on the RADIUS standard attributes tab, click Tunnel-Type, and then click Edit.
    c. In the Attribute Information dialog box, click Add.
    d. Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that Virtual LANs (VLAN) is selected, and then click OK twice.
    e. In the Virtual LAN (VLAN) Configuration dialog box (or, if you are running Windows Server 2008 R2, in the Configure RADIUS Attributes dialog box), on the RADIUS standard attributes tab, click Tunnel-Medium-Type, and then click Edit.
    f. In the Attribute Information dialog box, click Add.
    g. Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that 802 (Includes all 802 media plus Ethernet canonical format) is selected, and then click OK twice.
    h. In the Virtual LAN (VLAN) Configuration dialog box (or, if you are running Windows Server 2008 R2, in the Configure RADIUS Attributes dialog box), on the RADIUS standard attributes tab, click Tunnel-Pvt-Group-ID, and then click Edit.
    i. In the Attribute Information dialog box, click Add.
    j. Another Attribute Information dialog box is displayed. Under Enter the attribute value in, choose String, type 3, and then click OK twice. This value represents the compliant VLAN ID used in this lab.
    k. In the Virtual LAN (VLAN) Configuration dialog box (or, if you are running Windows Server 2008 R2, in the Configure RADIUS Attributes dialog box), click the Vendor Specific attributes tab, and then click Add.
    l. In the Add Vendor Specific Attribute dialog box, under Vendor, select Microsoft.
       Note: If you are running Windows Server 2008 R2, in the Add Vendor Specific Attribute dialog box, under Vendor, select Custom.
    m. In the Add Vendor Specific Attribute dialog box, under Attributes, select Tunnel-Tag, and then click Add.
    n. In the Attribute Information dialog box, under Attribute value, type 1, and then click OK.
       Note: The Tunnel-Tag value is populated in all attributes used in this policy, and serves to group these attributes together, identifying them as belonging to a particular tunnel. Consult your vendor documentation to determine if a unique Tunnel-Tag value is required for your switch.
    o. Click Close, and then click OK.
12. Use the following steps to configure VLAN properties for noncompliant computers. These steps are identical to those used for compliant computers with the exception that VLAN ID 2 is configured for noncompliant computers.
    a. On the Configure Virtual LANs (VLANs) page, under Restricted network VLAN, click Configure.
       Note: If you are running Windows Server 2008 R2, this page is titled Configure Traffic Controls. On the Configure Traffic Controls page, under Restricted access network, click Configure.
    b. In the Virtual LAN (VLAN) Configuration dialog box (if you are running Windows Server 2008 R2, this dialog box is titled Configure RADIUS Attributes), on the RADIUS standard attributes tab, click Tunnel-Type, and then click Edit.
    c. In the Attribute Information dialog box, click Add.
    d. Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that Virtual LANs (VLAN) is selected, and then click OK twice.
    e. In the Virtual LAN (VLAN) Configuration dialog box (or Configure RADIUS Attributes dialog box, if you are running Windows Server 2008 R2), on the RADIUS standard attributes tab, click Tunnel-Medium-Type, and then click Edit.
    f. In the Attribute Information dialog box, click Add.
    g. Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that 802 (Includes all 802 media plus Ethernet canonical format) is selected, and then click OK twice.
    h. In the Virtual LAN (VLAN) Configuration dialog box (or Configure RADIUS Attributes dialog box, if you are running Windows Server 2008 R2), on the RADIUS standard attributes tab, click Tunnel-Pvt-Group-ID, and then click Edit.
    i. In the Attribute Information dialog box, click Add.
    j. Another Attribute Information dialog box is displayed. Under Enter the attribute value in, choose String, type 2, and then click OK twice. This value represents the noncompliant VLAN ID used in this lab.
    k. In the Virtual LAN (VLAN) Configuration dialog box (or Configure RADIUS Attributes dialog box, if you are running Windows Server 2008 R2), click the Vendor Specific attributes tab, and then click Add.
    l. In the Add Vendor Specific Attribute dialog box, under Vendor, select Microsoft.
       Note: If you are running Windows Server 2008 R2, in the Add Vendor Specific Attribute dialog box, under Vendor, select Custom.
    m. In the Add Vendor Specific Attribute dialog box, under Attributes, select Tunnel-Tag, and then click Add.
    n. In the Attribute Information dialog box, under Attribute value, type 1, and then click OK.
    o. Click Close, and then click OK.
13. This completes the configuration of VLAN properties for compliant and noncompliant computers. Click Next.
14. On the Define NAP Health Policy page, verify that the Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.
15. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.
16. Leave the NPS console open for the following procedure.
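The three RADIUS attributes the steps above configure (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Pvt-Group-ID) are RFC 2868 tagged attributes, and the Tunnel-Tag value is what groups them. As an added example that is not part of the Microsoft procedure or this case, the Python below encodes the compliant (VLAN 3) and restricted (VLAN 2) attribute sets on the wire and decodes them back, grouping by tag as the Tunnel-Tag note describes; attribute type codes and enumeration values are taken from RFC 2868 and RFC 3580.

```python
"""Encode and decode the RFC 2868 tunnel attributes that the NAP wizard
configures for VLAN assignment (Tunnel-Type, Tunnel-Medium-Type,
Tunnel-Pvt-Group-ID), grouped by the Tunnel-Tag value."""
import struct

# RADIUS attribute type codes (RFC 2868) and the enumerations the wizard selects.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PVT_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # "Virtual LANs (VLAN)" in the NPS dialog
TUNNEL_MEDIUM_IEEE_802 = 6     # "802 (Includes all 802 media ...)"

def encode_tagged_int(attr_type, tag, value):
    """Tagged integer: Type, Length=6, Tag (1 byte), Value (3 bytes)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("value must fit in 3 bytes")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def encode_tagged_string(attr_type, tag, text):
    """Tagged string: Type, Length, Tag, String (tag 0 means untagged)."""
    payload = text.encode("ascii")
    if len(payload) + 3 > 255:
        raise ValueError("string too long for one attribute")
    return struct.pack("!BBB", attr_type, len(payload) + 3, tag) + payload

def vlan_assignment(vlan_id, tag=1):
    """Attribute bytes for one VLAN placement; tag=1 matches the Tunnel-Tag step."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PVT_GROUP_ID, tag, str(vlan_id)))

def parse_attributes(data):
    """Split a RADIUS attribute blob into (type, tag, value) triples."""
    out = []
    pos = 0
    while pos < len(data):
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError("malformed attribute length")
        body = data[pos + 2:pos + a_len]
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif a_type == TUNNEL_PVT_GROUP_ID:
            # RFC 2868: a leading byte above 0x1F is string data, not a tag.
            if body[0] <= 0x1F:
                tag, value = body[0], body[1:].decode("ascii")
            else:
                tag, value = 0, body.decode("ascii")
        else:
            tag, value = None, bytes(body)
        out.append((a_type, tag, value))
        pos += a_len
    return out

def vlan_from_attributes(data):
    """Return the VLAN ID only when a single tag carries all three attributes
    and they describe an 802 VLAN tunnel; otherwise None."""
    by_tag = {}
    for a_type, tag, value in parse_attributes(data):
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID):
            by_tag.setdefault(tag, {})[a_type] = value
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PVT_GROUP_ID in attrs):
            return int(attrs[TUNNEL_PVT_GROUP_ID])
    return None
```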


Configuring Full Access/Compliant Network


Configuring Restricted Access Network

Verify Settings


Disable fast reconnect. Recommendation is to not enable fast reconnect.

Check that the WiredAutoConfig service is running.

When this service is running, the Authentication tab appears in the LAN Settings.

Disable Fast Reconnect and select CAs (it is possible to select multiple).

Select Configure for Authentication Methods.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/21/2011 1:31:34 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      TFS.effective-computing.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:                    NULL SID
    Account Name:                   -
    Account Domain:                 -
    Fully Qualified Account Name:   -

Client Machine:
    Security ID:                    EC\SQL1$
    Account Name:                   SQL1.effective-computing.com
    Fully Qualified Account Name:   EC\SQL1$
    OS-Version:                     6.1.7601 1.0 x64 Server
    Called Station Identifier:      -
    Calling Station Identifier:     -

NAS:
    NAS IPv4 Address:               192.168.0.6
    NAS IPv6 Address:               -
    NAS Identifier:                 TFS.effective-computing.com
    NAS Port-Type:                  Ethernet
    NAS Port:                       -

RADIUS Client:
    Client Friendly Name:           -
    Client IP Address:              -

Authentication Details:
    Connection Request Policy Name: NAP 802.1X (Wired)
    Network Policy Name:            NAP 802.1X (Wired) Noncompliant
    Authentication Provider:        Windows
    Authentication Server:          TFS.effective-computing.com
    Authentication Type:            Unauthenticated
    EAP Type:                       -
    Account Session Identifier:     6CFBE9471357B4459B0C8CE8676621385B2F9C5337BFCC01
    Logging Results:                Accounting information was written to the local log file.
    Reason Code:                    66
    Reason:                         The user attempted to use an authentication method that is not enabled on the matching network policy.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2011-12-21T13:31:34.793040700Z" />
    <EventRecordID>95408518</EventRecordID>
    <Correlation />
    <Execution ProcessID="544" ThreadID="2180" />
    <Channel>Security</Channel>
    <Computer>TFS.effective-computing.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="FullyQualifiedSubjectUserName">-</Data>
    <Data Name="SubjectMachineSID">S-1-5-21-2958826572-3304703673-2514800256-3617</Data>
    <Data Name="SubjectMachineName">SQL1.effective-computing.com</Data>
    <Data Name="FullyQualifiedSubjectMachineName">EC\SQL1$</Data>
    <Data Name="MachineInventory">6.1.7601 1.0 x64 Server</Data>
    <Data Name="CalledStationID">-</Data>
    <Data Name="CallingStationID">-</Data>
    <Data Name="NASIPv4Address">192.168.0.6</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">TFS.effective-computing.com</Data>
    <Data Name="NASPortType">Ethernet</Data>
    <Data Name="NASPort">-</Data>
    <Data Name="ClientName">-</Data>
    <Data Name="ClientIPAddress">-</Data>
    <Data Name="ProxyPolicyName">NAP 802.1X (Wired)</Data>
    <Data Name="NetworkPolicyName">NAP 802.1X (Wired) Noncompliant</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">TFS.effective-computing.com</Data>
    <Data Name="AuthenticationType">Unauthenticated</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">6CFBE9471357B4459B0C8CE8676621385B2F9C5337BFCC01</Data>
    <Data Name="ReasonCode">66</Data>
    <Data Name="Reason">The user attempted to use an authentication method that is not enabled on the matching network policy.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>

Checking the Cisco Router Settings also. I added VLAN 2 and 3 just now.

Case Ref 111 121 543 042 674

Troubleshooting 23.01.2012


Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/23/2012 3:29:11 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      TFS.effective-computing.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:                    NULL SID
    Account Name:                   -
    Account Domain:                 -
    Fully Qualified Account Name:   -

Client Machine:
    Security ID:                    EC\SQL1$
    Account Name:                   SQL1.effective-computing.com
    Fully Qualified Account Name:   EC\SQL1$
    OS-Version:                     6.1.7601 1.0 x64 Server
    Called Station Identifier:      -
    Calling Station Identifier:     -

NAS:
    NAS IPv4 Address:               192.168.0.6
    NAS IPv6 Address:               -
    NAS Identifier:                 TFS.effective-computing.com
    NAS Port-Type:                  Ethernet
    NAS Port:                       -

RADIUS Client:
    Client Friendly Name:           -
    Client IP Address:              -

Authentication Details:
    Connection Request Policy Name: NAP 802.1X (Wired)
    Network Policy Name:            NAP 802.1X (Wired) Noncompliant
    Authentication Provider:        Windows
    Authentication Server:          TFS.effective-computing.com
    Authentication Type:            Unauthenticated
    EAP Type:                       -
    Account Session Identifier:     4527F31BCE51CD49A79F3FD387E1AAFB5B7226ABAFD9CC01
    Logging Results:                Accounting information was written to the local log file.
    Reason Code:                    66
    Reason:                         The user attempted to use an authentication method that is not enabled on the matching network policy.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2012-01-23T15:29:11.926990400Z" />
    <EventRecordID>110956128</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="632" />
    <Channel>Security</Channel>
    <Computer>TFS.effective-computing.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="FullyQualifiedSubjectUserName">-</Data>
    <Data Name="SubjectMachineSID">S-1-5-21-2958826572-3304703673-2514800256-3617</Data>
    <Data Name="SubjectMachineName">SQL1.effective-computing.com</Data>
    <Data Name="FullyQualifiedSubjectMachineName">EC\SQL1$</Data>
    <Data Name="MachineInventory">6.1.7601 1.0 x64 Server</Data>
    <Data Name="CalledStationID">-</Data>
    <Data Name="CallingStationID">-</Data>
    <Data Name="NASIPv4Address">192.168.0.6</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">TFS.effective-computing.com</Data>
    <Data Name="NASPortType">Ethernet</Data>
    <Data Name="NASPort">-</Data>
    <Data Name="ClientName">-</Data>
    <Data Name="ClientIPAddress">-</Data>
    <Data Name="ProxyPolicyName">NAP 802.1X (Wired)</Data>
    <Data Name="NetworkPolicyName">NAP 802.1X (Wired) Noncompliant</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">TFS.effective-computing.com</Data>
    <Data Name="AuthenticationType">Unauthenticated</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">4527F31BCE51CD49A79F3FD387E1AAFB5B7226ABAFD9CC01</Data>
    <Data Name="ReasonCode">66</Data>
    <Data Name="Reason">The user attempted to use an authentication method that is not enabled on the matching network policy.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>
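Both 6273 denials in this case (21 December and 23 January) carry the same machine, NAS, network policy and reason code 66, which is the pattern worth spotting before changing the policy. As an added triage helper that is not part of the case notes, the Python below parses the Event Xml of such events and groups repeated denials by that key; the sample events are constructed copies of the ones above with placeholder record ids and the session identifier omitted, and the reason text for code 66 is the one NPS reports here.

```python
"""Triage NPS event 6273 (access denied) records from their Event Xml:
extract the EventData fields and group repeated denials by client machine,
NAS address, network policy and reason code."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample modelled on the 6273 events in this case. Record ids
# are placeholders and the session identifier is omitted.
FIRST = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>6273</EventID>
    <TimeCreated SystemTime="2011-12-21T13:31:34Z" />
    <EventRecordID>1</EventRecordID>
    <Computer>TFS.effective-computing.com</Computer>
  </System>
  <EventData>
    <Data Name="FullyQualifiedSubjectMachineName">EC\SQL1$</Data>
    <Data Name="NASIPv4Address">192.168.0.6</Data>
    <Data Name="NASPortType">Ethernet</Data>
    <Data Name="ProxyPolicyName">NAP 802.1X (Wired)</Data>
    <Data Name="NetworkPolicyName">NAP 802.1X (Wired) Noncompliant</Data>
    <Data Name="AuthenticationType">Unauthenticated</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="ReasonCode">66</Data>
  </EventData>
</Event>"""
# The January denial and one constructed access-granted (6272) event, derived from FIRST.
SECOND = (FIRST.replace("2011-12-21T13:31:34", "2012-01-23T15:29:11")
          .replace("<EventRecordID>1<", "<EventRecordID>2<"))
GRANTED = (FIRST.replace("<EventID>6273<", "<EventID>6272<")
           .replace('"ReasonCode">66<', '"ReasonCode">0<')
           .replace("<EventRecordID>1<", "<EventRecordID>3<"))
SAMPLE_EVENTS = [FIRST, SECOND, GRANTED]

REASON_TEXT = {
    # Reason text exactly as NPS reported it in the case events.
    66: "The user attempted to use an authentication method that is not "
        "enabled on the matching network policy.",
}

def parse_event(xml_text):
    """Flatten one event into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields

def summarise_denials(xml_events):
    """Count 6273 denials keyed by (machine, NAS IPv4, network policy, reason)."""
    counts = Counter()
    for text in xml_events:
        f = parse_event(text)
        if f["EventID"] != 6273:
            continue
        counts[(f.get("FullyQualifiedSubjectMachineName"),
                f.get("NASIPv4Address"),
                f.get("NetworkPolicyName"),
                int(f.get("ReasonCode", -1)))] += 1
    return counts

def diagnose(fields):
    """Turn one denial's fields into triage notes."""
    code = int(fields.get("ReasonCode", -1))
    notes = [REASON_TEXT.get(code, "reason code %d (not in table)" % code)]
    if code == 66 and fields.get("EAPType") in ("", "-"):
        notes.append("No EAP type recorded: check that the client's 802.1X "
                     "authentication method is enabled on policy %r."
                     % fields.get("NetworkPolicyName"))
    if fields.get("AuthenticationType") == "Unauthenticated":
        notes.append("Request was evaluated without credentials.")
    return notes
```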

PS C:\Users\Austin.EC> Netsh nap client show grouppolicy

NAP client configuration (group policy):
----------------------------------------------------

NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)

Enforcement clients:
----------------------------------------------------
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Disabled

Name            = IPsec Relying Party
ID              = 79619
Admin           = Enabled

Name            = RD Gateway Quarantine Enforcement Client
ID              = 79621
Admin           = Disabled

Name            = EAP Quarantine Enforcement Client
ID              = 79623
Admin           = Enabled

Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled

Trusted server group configuration:
----------------------------------------------------
Group            = NAP Trusted Health Registration Authorities
Require Https    = Enabled
URL              = https://TFS.effective-computing.com/DomainHRA/hcsrvext.dll
Processing order = 1

Group            = NAP Trusted Health Registration Authorities
Require Https    = Enabled
URL              = https://ConfigManager.effective-computing.com/DomainHRA/hcsrvext.dll
Processing order = 2

Ok.

PS C:\Users\Austin.EC> Netsh nap client show configuration

NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)

Enforcement clients:
----------------------------------------------------
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Disabled

Name            = IPsec Relying Party
ID              = 79619
Admin           = Disabled

Name            = RD Gateway Quarantine Enforcement Client
ID              = 79621
Admin           = Disabled

Name            = EAP Quarantine Enforcement Client
ID              = 79623
Admin           = Disabled

Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled

Ok.

PS C:\Users\Austin.EC> Netsh nap client show state

Client state:
----------------------------------------------------
Name                   = Network Access Protection Client
Description            = Microsoft Network Access Protection Client
Protocol version       = 1.0
Status                 = Enabled
Restriction state      = Not restricted
Troubleshooting URL    =
Restriction start time =
Extended state         =
GroupPolicy            = Configured

Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Description            = Provides DHCP based enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79619
Name                   = IPsec Relying Party
Description            = Provides IPsec based enforcement for Network Access Protection
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = Yes

Id                     = 79621
Name                   = RD Gateway Quarantine Enforcement Client
Description            = Provides RD Gateway enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79623
Name                   = EAP Quarantine Enforcement Client
Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = Yes

Ok.

PS C:\Users\Austin.EC> Netsh nap client dump

# ==========================================================
# Network Access Protection client configuration
# ==========================================================
pushd nap client

# ----------------------------------------------------------
# Trusted server group configuration
# ----------------------------------------------------------
reset trustedservergroup

# ----------------------------------------------------------
# Cryptographic service provider (CSP) configuration
# ----------------------------------------------------------
set csp name = "Microsoft RSA SChannel Cryptographic Provider" keylength = "2048"

# ----------------------------------------------------------
# Hash algorithm configuration
# ----------------------------------------------------------
set hash oid = "1.3.14.3.2.29"

# ----------------------------------------------------------
# Enforcement configuration
# ----------------------------------------------------------
set enforcement id = "79617" admin = "disable" id = "79619" admin = "disable" id = "79621" admin = "disable" id =  "79623 " admin = "disable"

# ----------------------------------------------------------
# Tracing configuration
# ----------------------------------------------------------
set tracing state = "disable" level = "basic"

# ----------------------------------------------------------
# User interface configuration
# ----------------------------------------------------------
reset userinterface

popd
# End of NAP client configuration

PS C:\Users\Austin.EC> Netsh nap client show hashes

Available hash algorithms:
Name                          OID
----------------------------------------------------
sha1RSA                       1.2.840.113549.1.1.5
md5RSA                        1.2.840.113549.1.1.4
sha1DSA                       1.2.840.10040.4.3
sha1RSA                       1.3.14.3.2.29
shaRSA                        1.3.14.3.2.15
md5RSA                        1.3.14.3.2.3
md2RSA                        1.2.840.113549.1.1.2
md4RSA                        1.2.840.113549.1.1.3
md4RSA                        1.3.14.3.2.2
md4RSA                        1.3.14.3.2.4
md2RSA                        1.3.14.7.2.3.1
sha1DSA                       1.3.14.3.2.13
dsaSHA1                       1.3.14.3.2.27
mosaicUpdatedSig              2.16.840.1.101.2.1.1.19
sha1NoSign                    1.3.14.3.2.26
md5NoSign                     1.2.840.113549.2.5
sha256NoSign                  2.16.840.1.101.3.4.2.1
sha384NoSign                  2.16.840.1.101.3.4.2.2
sha512NoSign                  2.16.840.1.101.3.4.2.3
sha256RSA                     1.2.840.113549.1.1.11
sha384RSA                     1.2.840.113549.1.1.12
sha512RSA                     1.2.840.113549.1.1.13
RSASSA-PSS                    1.2.840.113549.1.1.10
sha1ECDSA                     1.2.840.10045.4.1
sha256ECDSA                   1.2.840.10045.4.3.2
sha384ECDSA                   1.2.840.10045.4.3.3
sha512ECDSA                   1.2.840.10045.4.3.4
specifiedECDSA                1.2.840.10045.4.3

Ok.

PS C:\Users\Austin.EC> Netsh nap client show csps

Available cryptographic service providers (CSPs):
Name
----------------------------------------------------
Microsoft Base Cryptographic Provider v1.0
Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
Microsoft Base DSS Cryptographic Provider
Microsoft Base Smart Card Crypto Provider
Microsoft DH SChannel Cryptographic Provider
Microsoft Enhanced Cryptographic Provider v1.0
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
Microsoft Enhanced RSA and AES Cryptographic Provider
Microsoft RSA SChannel Cryptographic Provider
Microsoft Strong Cryptographic Provider

Ok.

PS C:\Users\Austin.EC>

The authentication mode was not set; we changed this.

Unchecked override network policy settings.