Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Presentation transcript:

Module 10: Troubleshooting Network Access

Overview
- Troubleshooting Network Access Resources
- Troubleshooting LAN Authentication
- Troubleshooting Remote Access

Lesson: Troubleshooting Network Access Resources
- Network Access Logs
- Network Access Events
- Network Access Tools
- Process for Troubleshooting Resources for LAN Connections
- Process for Troubleshooting Resources for Remote Connections

Network Access Logs
Log: Use
- Windows Authentication and Windows Accounting logs: Used to track network access usage and authentication attempts; especially useful for troubleshooting remote access policy issues
- PPP logs: Used to troubleshoot the failure of a PPP connection
- IAS logs: Used to track network access usage and authentication attempts
- Audit and Oakley logging: Used to monitor IPSec-related events and troubleshoot unsuccessful L2TP/IPSec connections
- IKE tracing log: Used to troubleshoot IKE interoperability under controlled circumstances

Network Access Events
Event Log: Use
- System log: Contains information from various services that run on the system and log information regarding their status. Records errors and warnings related to network access problems.
- Security log: Used to troubleshoot Kerberos or IPSec authentication failures. Shows logging failures when a user tries to authenticate.

Network Access Tools
Tool: Use
- Remote access diagnostics: Used to collect detailed logs and information about a remote access connection
- Network Monitor: Used to find answers to network access problems and possible solutions
- Netdom: Used to verify servers and trusts and to reset trusts
- Kerbtray: Used to see if Kerberos tickets were granted out of the local cache
- IP Security Monitor: Used to view details about an active IPSec policy that is applied to a domain or locally, and to view statistics associated with the key-exchange process
- Standard network troubleshooting tools: Used to view client IP configuration and packet transfers

Process for Troubleshooting Resources for LAN Connections
- User cannot log on
- Determine if widespread problem or only one user (branches: Widespread, One user)
- View system logs to isolate problem
- Tools to use: Kerbtray; Standard networking troubleshooting tools; Event logs
- Set logs and events on local computer
- Verify that standard networking troubleshooting has been completed
- Trust issues tools: Netdom
- Authenticated switch issue tools: IAS logs
- Domain controller issues tools: Standard networking troubleshooting tools; Netdom
- DNS issues tools: DNS troubleshooting tools
- Kerberos and certificate issues tools: Kerbtray

Process for Troubleshooting Resources for Remote Connections
- User cannot log on
- Determine if widespread problem or only one user (branches: Widespread, One user)
- View Routing and Remote Access system log to isolate problem
- Tools to use: Windows accounting and authentication logs; IAS logs
- Set logs and events on remote access server
- Authentication issues tools: Sys log; IAS log; Windows accounting and authentication logs; PPP logs
- Resource access issue tools: Standard networking troubleshooting tools
- Certificates issues tools: Event logs; IAS logs; Windows accounting and authentication logs
- Remote access policy issues tools: Event logs; IAS logs; Windows accounting and authentication logs
- Verify that standard networking troubleshooting has been completed

Practice: Identifying Network Access Troubleshooting Resources
In this practice, you will identify network access troubleshooting resources.

Lesson: Troubleshooting LAN Authentication
- Causes of LAN Authentication Errors
- Security Event Logging
- Audit Account Logon Events
- Audit Logon Events
- Guidelines for Troubleshooting LAN Access

Causes of LAN Authentication Errors
- No connectivity to network resources
- Inability to reach domain controller
- Physical device problems
- Trust paths for NTLM and Kerberos

Security Event Logging
Audit Category: Description
- Audit Account Logon Events: Determine whether to audit each instance of a user logging on to or logging off from another computer in which the domain controller is used to validate the account. Generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller's security log.
- Audit Logon Events: Determine whether to audit each instance of a user logging on to or logging off from a local computer. Generated when a local user is authenticated on a local computer. The event is logged in the local security log.

Audit Account Logon Events
If enabled, an entry is logged for each user who is validated against the domain controller.
Most common events:
Event: Description
- 672: Authentication service ticket successful
- 673: A ticket granting service ticket was granted
- 675: Pre-authentication failed; user typed in wrong password
- 678: An account was successfully mapped to a domain account

Audit Logon Events
If enabled, an entry is logged when a local user is authenticated on a local computer.
Most common events:
Event: Description
- 528: A user successfully logged on to a computer
- 529: Logon failure; a logon attempt was made with an unknown user name or a known user name with an invalid password
- 540: A user successfully logged on to a network
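The event IDs on the two slides above can drive the "widespread or only one user" decision from the LAN troubleshooting process. The following is an added example, not part of the original course material: the record layout `(event_id, user, computer)`, the sample data and the `widespread_threshold` parameter are assumptions made for illustration.

```python
from collections import defaultdict

# Event IDs and meanings as listed on the slides; the log location follows the
# "Security Event Logging" slide (account logon -> DC log, logon -> local log).
EVENTS = {
    672: ("domain controller", "authentication service ticket successful", True),
    673: ("domain controller", "ticket granting service ticket granted", True),
    675: ("domain controller", "pre-authentication failed", False),
    678: ("domain controller", "account mapped to a domain account", True),
    528: ("local computer", "user logged on to a computer", True),
    529: ("local computer", "logon failure", False),
    540: ("local computer", "user logged on to a network", True),
}

# Constructed sample records: (event_id, user, computer). Not real log data.
SAMPLE = [
    (672, "alice", "DC1"), (673, "alice", "DC1"), (540, "alice", "FS1"),
    (675, "bob", "DC1"), (675, "bob", "DC1"), (529, "bob", "WS7"),
    (529, "dave", "WS2"), (528, "dave", "WS2"),  # mistyped once, then got in
    (672, "carol", "DC1"), (528, "carol", "WS3"),
]

def triage(records, widespread_threshold=3):
    """Group failures per user and classify the scope of the problem.

    A user counts as blocked only if they have failures and no success.
    widespread_threshold is an assumed cut-off, not a value from the slides.
    """
    failed = defaultdict(list)
    succeeded = set()
    for event_id, user, computer in records:
        if event_id not in EVENTS:
            continue  # not one of the events covered by the slides
        log, meaning, ok = EVENTS[event_id]
        if ok:
            succeeded.add(user)
        else:
            failed[user].append(
                f"{event_id} on {computer} ({log} security log): {meaning}")
    blocked = {u: msgs for u, msgs in failed.items() if u not in succeeded}
    if not blocked:
        scope = "none"
    elif len(blocked) >= widespread_threshold:
        scope = "widespread"
    else:
        scope = "isolated"
    return {"scope": scope, "blocked": blocked}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
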

Guidelines for Troubleshooting LAN Access
- Identify the symptoms of the problem
- Select resources to use
- Isolate the problem

Practice: Troubleshooting LAN Network Access
In this practice, you will troubleshoot LAN authentication based on a given scenario.

Lesson: Troubleshooting Remote Access
- Certificate Validation
- Authentication Using IAS Logs
- Demonstration: Monitoring Remote Access by Using IAS
- Demonstration: Examining IAS Authentication and Accounting Log Files
- PPP Logging
- Remote Access Connections
- Wireless Access Authentication
- Common VPN Problems
- Demonstration: Creating and Testing Outbound VPN Connections
- Process for Troubleshooting Dial-Up Access Problems
- Guidelines for Troubleshooting Remote Access

Certificate Validation
With client certificates you need to:
- Check the date range
- Ensure that the certificate has not been revoked
- Ensure that the certificate has a valid signature
With computer certificates you need to:
- Verify that the ROOT CA certificate has been installed

Authentication Using IAS Logs
Using IAS logs you can verify that the:
- Wireless access point can reach the IAS server
- IAS server/wireless access point pair is configured with a common shared secret
- IAS server can reach a global catalog server and an Active Directory domain controller
- Computer accounts of the IAS servers are members of the Routing and Remote Access and IAS servers group for the appropriate domains
- User or computer account is not locked out, expired, or disabled
- Connection is authorized by a remote access policy
- Changes to Active Directory are not impacting the functionality of the IAS servers

Demonstration: Monitoring Remote Access by Using IAS
The objective of this demonstration is to explain how an Internet Authentication Service server can log remote access.
You will learn how to:
- Enable logging in IAS
- Open log files to view account logs
- Explain how to use IAS to monitor remote access usage

Demonstration: Examining IAS Authentication and Accounting Log Files
The objective of this demonstration is to examine the raw log file and to show how to use iasparse.exe to parse the log file.
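To show what examining the raw log file involves, the following added example (not part of the original course material and not a replacement for iasparse.exe) parses IAS-format records and lists rejected attempts. It assumes the IAS-format layout documented by Microsoft: six header fields (NAS IP address, user name, date, time, service name, computer name) followed by attribute ID/value pairs, with 4136 as Packet-Type and 4142 as Reason-Code; the sample lines are constructed.

```python
import csv
from collections import Counter

HEADER = ("nas_ip", "user", "date", "time", "service", "computer")
PACKET_TYPE, REASON_CODE = "4136", "4142"  # IAS-specific attribute IDs
PACKET_NAMES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}

# Constructed sample records (addresses, names and times are invented).
# Attribute 4 is NAS-IP-Address; reason code 16 is a credentials mismatch.
SAMPLE_LOG = [
    "192.0.2.10,alice,03/01/2004,09:15:02,IAS,IAS01,4,192.0.2.10,4136,1,4142,0",
    "192.0.2.10,alice,03/01/2004,09:15:02,IAS,IAS01,4,192.0.2.10,4136,2,4142,0",
    "192.0.2.10,bob,03/01/2004,09:16:40,IAS,IAS01,4,192.0.2.10,4136,1,4142,0",
    "192.0.2.10,bob,03/01/2004,09:16:40,IAS,IAS01,4,192.0.2.10,4136,3,4142,16",
]

def parse_record(line):
    """Split one IAS-format line into header fields and an attribute dict."""
    fields = next(csv.reader([line]))
    if len(fields) < len(HEADER) or (len(fields) - len(HEADER)) % 2:
        raise ValueError(f"malformed IAS record: {line!r}")
    record = dict(zip(HEADER, fields))
    pairs = fields[len(HEADER):]
    # Repeated attribute IDs are collapsed to the last value seen.
    record["attrs"] = dict(zip(pairs[0::2], pairs[1::2]))
    return record

def packet_summary(lines):
    """Count records per RADIUS packet type."""
    return Counter(
        PACKET_NAMES.get(parse_record(l)["attrs"].get(PACKET_TYPE), "other")
        for l in lines)

def rejected(lines):
    """Return (user, date, time, reason_code) for every Access-Reject."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec["attrs"].get(PACKET_TYPE) == "3":
            reason = int(rec["attrs"].get(REASON_CODE, -1))
            out.append((rec["user"], rec["date"], rec["time"], reason))
    return out

if __name__ == "__main__":
    print(dict(packet_summary(SAMPLE_LOG)))
    print(rejected(SAMPLE_LOG))
```
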

PPP Logging
PPP connection process:
- Negotiate the use of the link
- Authenticate the remote access client
- Use callback
- Negotiate the use of network protocols
PPP logging:
- Lack of entries indicates that the connection failed
- Authentication failure clues

Remote Access Connections
If you have a failed connection attempt, you should check the:
- Remote access policy settings
- User account connection settings
If you have a connection attempt that is accepted when it should be rejected, you should check the:
- Parameters of connection in remote access policy
If you are unable to reach locations beyond the remote access server, you should check that:
- The protocol is enabled
- The remote access server's IP address pool is accurate

Wireless Access Authentication
MS-CHAP v2 credentials on a wireless client can:
- Send a user name and password combination to be validated against a user account in Active Directory
Wireless client network can:
- Use Windows XP to view the properties of the wireless network connection
Wireless access point troubleshooting tools can:
- Troubleshoot low signal strength and coverage area issues
- Use standard or proprietary wireless protocols
- Support SNMP

Common VPN Problems
Issue: Troubleshooting strategy
- TCP connection timeout: Check port 1723
- Packet filtering: Verify that packets are not being blocked
- Winsock Proxy client: Ensure that there is not a proxy client enabled
- Tunneling protocol: Ensure that the server supports the protocol
- Certificates: Verify that machine certificates are installed on the VPN server
- PPTP connections: Verify user password length
- NAT-T: Verify that the client supports IPSec NAT Traversal (NAT-T)

Demonstration: Creating and Testing Outbound VPN Connections
The objective of this demonstration is to show how and where VPN tunnels are specified.
You will learn how to:
- Create an outbound VPN connection
- Specify the address of the VPN server (host name or IP address)
- Specify user account permissions to the VPN server
- Verify and test the IP address assigned within the VPN tunnel

Process for Troubleshooting Dial-Up Access Problems
Issue: Troubleshooting strategy
- Client computer: Check error messages; Verify setup of physical hardware; Verify network connection configuration
- Remote access server: Check error messages; Check Event Viewer logs; Trace remote access connections

Guidelines for Troubleshooting Remote Access
- Identify the symptoms of the problem
- Select resources to use
- Isolate the problem

Practice: Troubleshooting Remote Access Authentication
In this practice, you will troubleshoot remote access based on a given scenario.

Lab A: Troubleshooting Network Access
- Exercise 1: Troubleshooting LAN Access
- Exercise 2: Troubleshooting Remote Access Authentication