GPO does not enable EAP enforcement client?

  • Question

  • I am configuring NAP with 802.1x and PEAP. It seems to be working, but on my clients, mostly XP Pro SP3, the enforcement client is configured as Admin = Disabled. However, the EAP enforcement client state shows Initialized. It seems to work ok too. I can log in to the system and join the compliant VLAN, but it seems odd that the Agent does not enable.

    My GPO is set up to enable this enforcement client, but it does not seem to be working. I also have "Allow the Network Access Protection client to support the 802.1x Enforcement Client component" Enabled.

    Name            = EAP Quarantine Enforcement Client
    ID              = 79623
    Admin = Disabled

    Id = 79623
    Name = EAP Quarantine Enforcement Client
    Description = Provides EAP based enforcement for NAP
    Version = 1.0
    Vendor name = Microsoft Corporation
    Registration date =
    Initialized = Yes
    • Edited by yaplej Friday, December 4, 2009 9:05 PM
    Friday, December 4, 2009 2:29 AM

Answers

  • Hi,

    What command are you using here? Netsh nap client show group will show the GPO settings that are active. Netsh nap client show config will show the local settings that are active. If GPO settings are configured they will override any local settings. In other words, the enforcement client can be enabled in Group Policy and still show as disabled in local policy. That is OK.

    Netsh nap client show state
    will tell you if the settings that are used have had the effect of initializing the enforcement client. You can also look at the NAP client events and this will record when the enforcement client initializes.

    If you are using Netsh nap client show group and the GPO isn't having an effect, you must be sure that the GPO is being applied. Use gpresult to check this. If you are using a security group to apply the GPO note that the computer must be rebooted before a new security group membership will take effect.

    -Greg
    • Marked as answer by yaplej Saturday, December 5, 2009 12:57 AM
    Friday, December 4, 2009 11:41 PM
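
The check described in the answer above, as an added example that is not part of the original posts: it reads saved output from the three netsh commands and reports the effective state of enforcement client 79623. It assumes `show group` prints the same "key = value" layout quoted in the question; the sample text and ID 11111 are constructed.

```python
import re

QEC_ID = "79623"  # EAP Quarantine Enforcement Client ID, as quoted in this thread

# Constructed samples, laid out like the "key = value" lines quoted in the question.
SHOW_GROUP = """Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Enabled
"""
SHOW_CONFIG = SHOW_GROUP.replace("Admin = Enabled", "Admin = Disabled")
SHOW_STATE = """Id = 79623
Name = EAP Quarantine Enforcement Client
Registration date =
Initialized = Yes
Id = 11111
Name = Second client (constructed placeholder)
Initialized = No
"""

def parse_records(text):
    """Group 'key = value' lines into records keyed by ID; a repeated key starts a new record."""
    records, current = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*([^=]+?)\s*=\s*(.*?)\s*$", line)
        if not m:
            continue  # banners, rules and blank lines
        key, value = m.group(1).lower(), m.group(2)
        if key in current:
            records.append(current)
            current = {}
        current[key] = value
    records.append(current)
    return {r["id"]: r for r in records if "id" in r}

def qec_status(group_text, config_text, state_text, qec_id=QEC_ID):
    """Combine the three netsh views the way the answer describes."""
    gpo = parse_records(group_text).get(qec_id, {}).get("admin")
    local = parse_records(config_text).get(qec_id, {}).get("admin")
    init = parse_records(state_text).get(qec_id, {}).get("initialized")
    effective = gpo if gpo is not None else local  # GPO overrides local when configured
    if init == "Yes":
        verdict = "working"
    elif gpo is None:
        verdict = "no GPO setting seen: confirm the GPO applies with gpresult"
    else:
        verdict = "not initialized: check the NAP client events"
    return {"gpo": gpo, "local": local, "effective": effective,
            "initialized": init, "verdict": verdict}

if __name__ == "__main__":
    print(qec_status(SHOW_GROUP, SHOW_CONFIG, SHOW_STATE))
```
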

All replies

  • I have the GPO set to enable EAP, and when I check my system registry "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\NetworkAccessProtection\ClientConfig\Qecs\79623"
    Enabled = 1

    However the enforcement client still shows as disabled.  I have tried to restart the NAP client, but nothing helps.
    Friday, December 4, 2009 7:25 PM
  • Thank you so much for clearing that up.

    I have been wondering why on earth it's been working, but not enabled. I was using Netsh nap client show config.

    Netsh NAP client show state was showing that the enforcement client was Initialized so it was working.
    Saturday, December 5, 2009 1:00 AM