NAP EAP Quarantine Enforcement Client Will Not Initialize.

    Question

  • Client: Windows 7 Ultimate, joined to a domain.

    Tried enabling EAP in the NAP Client configuration MMC settings on the laptop (this does work from a non-domain system).

    Configured Network Access Protection service to automatically start

    I know it's with the EAP Quarantine Enforcement Client not initializing on my domain system - but just can't figure out why.

    Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Not restricted
    Troubleshooting URL    =
    Restriction start time =
    Extended state         =
    GroupPolicy            = Configured

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79619
    Name                   = IPsec Relying Party
    Description            = Provides IPsec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79621
    Name                   = RD Gateway Quarantine Enforcement Client
    Description            = Provides RD Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Anyone run into something like this before? I've been at this for hours and cannot figure out why my domain systems cannot connect to our NAP VPN server (server logs always quarantine), but from a home system it'll work just fine if I tell the non-domain system not to verify the certificate and turn on both the settings that I have for my domain system (EAP / NAP services).

    Thanks

    Monday, April 30, 2012 9:01 PM

Answers

  • FIGURED IT OUT!

    I had another group policy for our RADIUS network connection - this GPO was overriding the EAP settings for the domain systems - enabled the EAP enforcement client in the RADIUS GPO - voila! Worked, passed system health validators!! :)

    Now it's time to test out the remediation services and get it into the production network.

    Thanks for your help! :)

    • Marked as answer by JellyGloves Tuesday, May 08, 2012 5:53 PM
    Tuesday, May 08, 2012 5:53 PM
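As an added example (not from the thread or from Microsoft), a PowerShell helper that parses the output of `netsh nap client show state` quoted in the question, lists the enforcement clients that are still not initialized, and then points at the two checks that resolved this thread: the NAP Agent service state and the computer GPOs actually applied (gpresult), so a second policy overriding the NAP client settings becomes visible. Assumes PowerShell 5 or later; the function name and the sample text are my own.

```powershell
function Get-NapEnforcementClientState {
    param(
        # Lines printed by: netsh nap client show state
        [Parameter(Mandatory)] [string[]] $NetshOutput
    )
    $clients = @(); $current = $null; $inEnforcement = $false
    foreach ($line in $NetshOutput) {
        # Skip the "Client state" block; only enforcement clients matter here.
        if ($line -match '^\s*Enforcement client state:') { $inEnforcement = $true; continue }
        if (-not $inEnforcement) { continue }
        if ($line -match '^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.*)$') {
            $key = $Matches[1].Trim(); $value = $Matches[2].Trim()
            if ($key -eq 'Id') {
                # A new "Id" line starts the next enforcement client record.
                if ($current) { $clients += [pscustomobject]$current }
                $current = [ordered]@{ Id = $value }
            } elseif ($current) {
                $current[$key] = $value
            }
        }
    }
    if ($current) { $clients += [pscustomobject]$current }
    return $clients
}

# Constructed sample in the shape of the output quoted in the question.
$sample = @'
Enforcement client state:
----------------------------------------------------
Id                     = 79623
Name                   = EAP Quarantine Enforcement Client
Description            = Provides Network Access Protection enforcement for EAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No
'@ -split "`r?`n"

# Enforcement clients that policy enabled but the NAP agent never initialized.
Get-NapEnforcementClientState -NetshOutput $sample |
    Where-Object { $_.Initialized -ne 'Yes' } |
    Format-Table Id, Name, Initialized -AutoSize

# On a live client, feed real output in and check the two things this thread
# turned on: the NAP Agent service and the GPOs actually applied to the computer.
# Get-NapEnforcementClientState -NetshOutput (netsh nap client show state)
# Get-Service napagent | Select-Object Name, Status, StartType
# gpresult /scope computer /v | Select-String 'Applied Group Policy Objects' -Context 0,10
```

If a client listed as "Initialized = No" is one the NAP policy should enable, compare the GPO list from gpresult against the policy that carries the NAP client settings; a later-linked policy with its own NAP client section will replace those settings rather than merge with them.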

All replies

  • Hi claytonw1980,

    Thank you for your post.

    This is a quick note to let you know that we are performing research on this issue.

    Thanks.

    Tiger Li

    TechNet Community Support

    Wednesday, May 02, 2012 8:28 AM
  • Hi Customer,

    Thanks for contacting Microsoft.

    Per your description, your problem is that you are unable to access the VPN server with NAP via a domain-joined client. If I misunderstood you, please feel free to let me know.

    You mentioned that you can access it from the non domain system, so I would like to know if you have configured any other policies on your Domain Controller which may cause the trouble?

    And if you remove the NAP, is your domain client able to access the VPN server? If it can, then the issue may lie with your NAP on the client or the server side. We may need to use the RRAS Trace to capture the information in detail.

    I appreciate your time.

    Best Regards,

    Annie Gu

    Thursday, May 03, 2012 10:01 AM
  • AnnieGu,

    Thanks for your response.

    Yes, you are correct - I cannot connect to a VPN server with NAP if it's a domain client. The client will receive its GPO to enable the EAP Enforcement client as well as turn on the NAP network service.

    If I manually activate these two on a non-domain client (as well as not verify the certificate) the connection can be made and enforcement of NAP takes place.

    If I remove the NAP - my client cannot access the VPN server that does not have NAP installed. I look at the security logs and the VPN server shows the client logged in and logged off. If I look at the security logs on the client - it will say that I'm trying to connect using an unsupported protocol (trust me, I've tried them all).

    Looks like I will need to use RRAS Trace. Is this the correct article to start at? http://technet.microsoft.com/en-us/library/dd469757(v=ws.10).aspx

    Thanks!

    Monday, May 07, 2012 5:36 PM
  • Hi Customer,

    Thanks for taking time to respond.

    By checking the status of your issue in your description, I would like to clarify the issue with the following further questions:

    1. You said that the domain client will receive its GPO to enable EAP as well as turn on the NAP network service. Could you please show the status by "netsh nap client show state" on the domain client to verify that it has accepted the GPO.

    2. I'm not sure what you did for "i remove the NAP". Could you please capture some screenshot for showing which part you remove from? And where you remove? Client side or Server side?

    3. About the event logs you mentioned, could you please export the error out for us to gather the further information in detail, we could do some research in our internal database about the error code and error number.

    For how to use the RRAS trace, I'm afraid you need to capture it together with the network trace. Here are some steps for your reference:

    Please collect RRAS traces and network traces on the client and the IAS server. To do this,

    a. Download Microsoft Network Monitor Tool from the following link and install it on the client and the server.

    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=983b941d-06cb-4658-b7f6-3088333d062f

    b. Start Network Monitor at "Start" -> "Program" -> "Microsoft Network Monitor 3.3" -> "Microsoft Network Monitor 3.3" on the client and the server.

    c. On the left panel, select the LAN connection on the server and select the corresponding connection on the client.

    d. Click "Tools", click "Options", switch to the "Capture" tab, and set the "Temporary capture file size (MB)" to 200 on the client and the server.

    e. On the IAS server and the client, run the following command at the command prompt to enable RRAS tracing.

    netsh ras set tracing * enabled

    f. Click "New Capture", then click "Start" on the Capture menu in the two Network Monitor windows.

    g. Now from the client, try to establish the connection to reproduce the problem.

    h. Once the problem occurs, click "Stop" on the Capture menu on the client and the server, and click "File" -> "Save as" to save the captured files.

    i. Run the following command at the command prompt on both the IAS server and the client to disable RRAS tracing.

    netsh ras set tracing * disabled

    j. The tracing files are saved in the %systemroot%\tracing folder. On both the IAS server and the client, please compress the "tracing" folder to a zip file.

    If you meet any problem when capturing the trace, please feel free to contact me.

    I appreciate your efforts.

    Best Regards,

    Annie Gu

    Tuesday, May 08, 2012 9:24 AM