Sign in
 
HomeWindows Server 2012Windows Server 2008 R2Windows Server 2003LibraryForums
Windows Server TechCenter >
NAP troubleshooting basics

Sticky NAP troubleshooting basics

  • Tuesday, December 15, 2009 1:30 AM
    Owner
     
     
    Sign In to Vote
    1

    The following is a short guideline for troubleshooting basic problems with your NAP deployment. This information is provided in more detail in the NAP troubleshooting guide.

    Troubleshooting: Server-side
    Use these commands to view and provide configuration information:
    * NPS configuration information (all enforcement methods): netsh nps show config
    * HRA configuration information (IPsec only): netsh nap hra show config

    Use the following view in Event Viewer: Custom Views\Server Roles\Network Policy and Access Services

    The most common problem that can be detected immediately when viewing server events and configuration is that the client computer didn't match the correct policy. Before you look at anything else, you should first verify that the client computer's network access request reached NPS and subsequently matched the correct connection request policy AND network policy. Each client computer can match one and only one of each type of policy.

    Troubleshooting: Client-side
    Use these commands to view and provide configuration information:
    * Client Group Policy configuration: netsh nap client show group
    * Client local policy configuration: netsh nap client show config
    * Client NAP state: netsh nap client show state

    Use the following view in Event Viewer (Vista and Windows 7): Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational
    Use the following view in Event Viewer (XP SP3): System (napagent) and Application (MSSHA).

    When troubleshooting the client, it is often helpful to restart the NAP agent service. You can do this from an elevated command prompt using the command: net stop napagent && net start napagent.

    After restarting NAP agent, use Event Viewer to see where an error occurs. If no error occurs but you are not acquiring network access, commonly the correct enforcement client is not enabled. The netsh nap client show state command will tell you which enforcement client is initialized and if the installed SHAs are reporting health status. It will also tell you if the client is currently granted full or restricted access.

    Using these basic commands with Event Viewer should provide enough information to either resolve the problem, or lead you in the correct direction for further troubleshooting.

    -Greg

     

All Replies

  • Saturday, June 09, 2012 3:22 PM
     
     
    Sign In to Vote
    0

    Hi,

    sometimes Security Center service not get started, try to start it manually if fail, start it thru gpedit.msc in client.