Answered: Auto-remediation problem with NAP 802.1x Wired and Windows Firewall

  • November 18, 2009 23:42 helena238
     
    I have a NAP lab consisting of the following elements:
    1 Windows Server 2003 DC (VM)
    1 Windows Server 2008 SP1 NPS Server (VM)
    1 Cisco 802.1x-capable switch
    1 Windows XP SP3 client
    GPOs containing the appropriate settings to get NAP 802.1x PEAP working with XP SP3
    1 user account that is an administrator on the client machine

    The lab works fine.  When the client is compliant, it is placed in a Compliant VLAN, and when it is not compliant, it is placed in a Non-Compliant VLAN.

    The issue: If you turn off Windows Firewall on the client, but it is required by NPS, and auto-remediation is enabled in NPS, the Firewall turns on and off about every 5 seconds.  As a result, the client is put first in one VLAN and then the other until you start to see DHCP deny messages in the event log.  It appears that auto-remediation is fighting with the local setting.  The only way to make it stop bouncing is to open Windows Firewall from the Control Panel at one of the moments when the Windows Firewall is disabled, and enable it.

    The question: Why is this happening, and is it a bug, or is there a workaround?

All replies

  • November 19, 2009 1:25 RamaSubbu SK (MSFT)
     
    Can you try the following command to turn off the firewall and tell us whether you are facing this issue or not?

    Netsh firewall set opmode mode = DISABLE profile = ALL

    Thanks
    -RamaSubbu SK
    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
  • November 19, 2009 5:39 helena238
     
    Running the command above succeeds in disabling the firewall, and the client is then put into the non-compliant VLAN.  The auto-remediation never kicks in, and the client can't rejoin the compliant VLAN until I run the above command replacing ENABLE for DISABLE.  Does this give you a clue to how I might be able to get auto-remediation to work without it bouncing repeatedly?

    Thanks!
  • November 24, 2009 6:11 Mervyn Zhang (MSFT, Moderator)
     Answered
    Hi,

    In order to narrow down the cause of this problem, please try the steps below:

    1.    Disable all third party software and services by Clean Boot.
    2.    If no progress, try to create a new user account and test.
    3.    If the problem still occurs, move this Windows XP client to a standalone OU and disable all GPOs.

    And help to collect the MPS report:

    1)    Download proper MPS Report tool from the website below.

    Microsoft Product Support Reports
    http://www.microsoft.com/downloads/details.aspx?FamilyID=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en

    2)    Double-click to run it. If a requirement is not met, please follow the wizard to download and install it. After that, click Next; when the "Select the diagnostics you want to run" page appears, select "General" and "Server Components", then click Next.

    3)    After collecting all log files, choose "Save the results" and choose a folder in which to save the <Computername>MPSReports.cab file. Please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give us the download address.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
  • November 25, 2009 0:53 helena238
     
    Thank you, I will see if I can get this done tomorrow.