NAP Connection Problem

Question
Hi all,
I have set up a TS Gateway server for remote access on Windows Server 2008. I have had no problems with anyone connecting.
Decided to add more protection by using NAP, so I followed the steps in the Step by Step Guide and now no one can connect. I have run the client configuration and verified that the service is running and the server has been added to the Trusted Server Gateway list.
The error message I get says the PC did not pass NAP authentication. I tried this on a Windows XP SP3 computer and a Vista SP1 computer with the same result. I have posted below the netsh outputs I am getting, but I am not sure I understand where the problem is.
Client state:
----------------------------------------------------
Name = Network Access Protection Client
Description = Microsoft Network Access Protection Client
Protocol version = 1.0
Status = Enabled
Restriction state = Not restricted
Troubleshooting URL =
Restriction start time =
Extended state =

Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Description = Provides DHCP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

Id = 79618
Name = Remote Access Quarantine Enforcement Client
Description = Provides the quarantine enforcement for RAS Client
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

Id = 79619
Name = IPSec Relying Party
Description = Provides IPSec based enforcement for Network Access Protection
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

Id = 79620
Name = Wireless Eapol Quarantine Enforcement Client
Description = Provides wireless Eapol based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

Id = 79621
Name = TS Gateway Quarantine Enforcement Client
Description = Provides TS Gateway enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes

Id = 79623
Name = EAP Quarantine Enforcement Client
Description = Provides EAP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Description = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (3237937214) - The Windows Security Health Agent has finished updating its security state.
Compliance results =
Remediation results =

Ok.

NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)

Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled

Name = Remote Access Quarantine Enforcement Client
ID = 79618
Admin = Disabled

Name = IPSec Relying Party
ID = 79619
Admin = Disabled

Name = Wireless Eapol Quarantine Enforcement Client
ID = 79620
Admin = Disabled

Name = TS Gateway Quarantine Enforcement Client
ID = 79621
Admin = Enabled

Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled

Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled

Any help would be appreciated. Thanks
Wednesday, March 11, 2009 6:40 PM
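The netsh output above shows what to compare on the client side: each enforcement client has an administrative setting (Admin = Enabled/Disabled from "netsh nap show config") and a runtime state (Initialized = Yes/No from "netsh nap show state"), and the TS Gateway Quarantine Enforcement Client must be both enabled and initialized for the gateway to receive a health statement. The following PowerShell is an added example, not code from the thread or from Microsoft; it parses both outputs and flags any client whose two states disagree. The function and parameter names are this example's own, and it assumes Windows PowerShell 2.0 or later on a NAP-capable client (Vista/Server 2008 or later). A constructed, abridged sample is embedded so it runs offline.

```powershell
# Added example (not from the original thread): cross-check "netsh nap show state"
# against "netsh nap show config" per enforcement client.
# Assumes Windows PowerShell 2.0+ on a NAP-capable client; names below are the example's own.

function Get-NetshNapSection {
    # Returns the lines that follow $Header up to the next section header
    # (a line ending in ':' that contains no '=').
    param([string[]]$Lines, [string]$Header)
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line.Trim() -eq $Header) { $inSection = $true; continue }
        if ($inSection -and $line -match '^\S.*:\s*$' -and $line -notmatch '=') { break }
        if ($inSection) { $line }
    }
}

function ConvertFrom-NetshNapRecords {
    # Turns "Key = Value" lines into hashtables. A new record starts whenever a key the
    # current record already holds appears again, which handles both the Id-first layout
    # of "show state" and the Name-first layout of "show config". Wrapped continuation
    # lines (no '=') are ignored.
    param([string[]]$Lines)
    $records = @()
    $current = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
            $key = $matches[1].Trim(); $value = $matches[2].Trim()
            if ($current.ContainsKey($key)) { $records += $current; $current = @{} }
            $current[$key] = $value
        }
    }
    if ($current.Count -gt 0) { $records += $current }
    return ,$records
}

function Get-NapEnforcementClientStatus {
    param([string[]]$StateOutput, [string[]]$ConfigOutput)
    $state  = ConvertFrom-NetshNapRecords (Get-NetshNapSection $StateOutput  'Enforcement client state:')
    $config = ConvertFrom-NetshNapRecords (Get-NetshNapSection $ConfigOutput 'Enforcement clients:')
    foreach ($s in $state) {
        # Hashtable keys are case-insensitive, so 'ID' (config) and 'Id' (state) both resolve.
        $c = $config | Where-Object { $_['ID'] -eq $s['Id'] }
        $admin = if ($c) { $c['Admin'] } else { 'Unknown' }
        $init  = $s['Initialized']
        $verdict = switch ("$admin/$init") {
            'Enabled/Yes'  { 'OK: enabled and initialized' }
            'Enabled/No'   { 'PROBLEM: enabled but not initialized; check the Network Access Protection Agent service' }
            'Disabled/Yes' { 'WARNING: initialized although administratively disabled' }
            default        { 'OK: disabled' }
        }
        New-Object PSObject -Property @{
            Id = $s['Id']; Name = $s['Name']; Admin = $admin; Initialized = $init; Verdict = $verdict
        }
    }
}

# Constructed sample input (abridged, same shape as real netsh output) so this runs offline.
$sampleState = @'
Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Initialized = No

Id = 79621
Name = TS Gateway Quarantine Enforcement Client
Initialized = Yes

System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Initialized = Yes
'@ -split "`r?`n"

$sampleConfig = @'
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled

Name = TS Gateway Quarantine Enforcement Client
ID = 79621
Admin = Enabled

Client tracing:
----------------------------------------------------
State = Disabled
'@ -split "`r?`n"

Get-NapEnforcementClientStatus $sampleState $sampleConfig |
    Format-Table Id, Name, Admin, Initialized, Verdict -AutoSize

# Live use on the client:
# Get-NapEnforcementClientStatus (netsh nap show state) (netsh nap show config) | Format-Table -AutoSize
```

For the output posted in the question, the TS Gateway client comes back as "OK: enabled and initialized" and every other client as "OK: disabled", which is what rules the client-side NAP agent out and points the investigation at the NPS policy evaluation on the server, where the replies below pick it up.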
Answers
Hi,
One of the limitations of SHV configuration in Server 2008 that is fixed in Server 2008 R2 is that you can only have one set of SHV requirements per health policy server (per NPS). So, if you have some computers that require Security Update Protection and others that do not, you would need to have them evaluated by different health policy servers. In Server 2008 R2, you can configure two profiles for the same SHV, thus allowing you to customize requirements.
However, you should be able to use either WSUS or Microsoft Update for all computers. The non-domain-joined computers would use Microsoft Update. There is a good explanation of how this works here.
I hope this helps,
-Greg-
Marked as answer by Greg Lindsay (Microsoft employee) Thursday, April 2, 2009 9:51 PM
Friday, March 27, 2009 7:32 PM
All replies
Hi,
Do you have a network policy for non-NAP capable computers?
Please provide the event displayed in Event Viewer on NPS under Custom Views\Server Roles\Network Policy and Access Services
You are looking for events in the range 6272-6278. I am guessing you will see event 6273 (access denied) which occurs if the access request fails to match a policy. Please let me know.
-Greg-
Edited by Greg Lindsay (Microsoft employee) Thursday, March 12, 2009 5:35 AM
Proposed as answer by Greg Lindsay (Microsoft employee) Tuesday, March 17, 2009 9:46 PM
Thursday, March 12, 2009 5:34 AM
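The events Greg asks for (6272-6278, logged by NPS in the Security log under the Network Policy Server audit category) carry the matched network policy and a Reason line, which is what distinguishes "no policy matched" from a health-policy failure. The PowerShell below is an added example, not from the thread or from Microsoft; it pulls those events on the NPS computer and summarises them by event ID, policy and reason. It assumes Windows PowerShell 2.0 or later, an elevated session on the NPS server, and NPS auditing left at its default (enabled); the function names and the short event descriptions are this example's own paraphrase of the event titles.

```powershell
# Added example (not from the original thread): summarise NPS audit events 6272-6278
# from the Security log. Assumes PowerShell 2.0+, run elevated on the NPS computer.
# Function names are the example's own; event descriptions are paraphrased.

$NpsEventMeaning = @{
    6272 = 'Access granted'
    6273 = 'Access denied'
    6274 = 'Request discarded'
    6275 = 'Accounting request discarded'
    6276 = 'Quarantined: host did not meet health policy'
    6277 = 'Granted on probation: host did not meet health policy'
    6278 = 'Full access: host met health policy'
}

function Get-NpsMessageField {
    # Extracts "Field: value" from the multi-line event message; returns '' if absent.
    # The pattern requires the colon right after the field name, so 'Reason' does not
    # match the separate 'Reason Code:' line.
    param([string]$Message, [string]$Field)
    $pattern = '(?m)^\s*' + [regex]::Escape($Field) + ':\s*(.*)$'
    if ($Message -match $pattern) { return $matches[1].Trim() }
    return ''
}

function Get-NpsDecision {
    # One object per NPS decision event, newest first.
    param([int]$MaxEvents = 200)
    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = 6272..6278
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Meaning = $NpsEventMeaning[$_.Id]
                Account = Get-NpsMessageField $_.Message 'Account Name'
                Policy  = Get-NpsMessageField $_.Message 'Network Policy Name'
                Reason  = Get-NpsMessageField $_.Message 'Reason'
            }
        }
}

function Get-NpsDecisionSummary {
    # Counts decisions by (event ID, matched policy, reason) so a recurring
    # "did not match any policy" denial stands out at the top of the list.
    param([int]$MaxEvents = 200)
    Get-NpsDecision -MaxEvents $MaxEvents |
        Group-Object EventId, Policy, Reason |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'EventId'; e = { $_.Group[0].EventId } },
            @{ n = 'Meaning'; e = { $_.Group[0].Meaning } },
            @{ n = 'Policy';  e = { $_.Group[0].Policy } },
            @{ n = 'Reason';  e = { $_.Group[0].Reason } }
}

Get-NpsDecisionSummary | Format-Table -AutoSize -Wrap
Get-NpsDecision -MaxEvents 20 | Format-List Time, EventId, Meaning, Account, Policy, Reason
```

Read the summary top-down: a pile of 6273 entries with an empty Policy column and a reason about no matching policy is the "non-NAP-capable computers have no policy" case Greg raises, whereas 6276 entries show the client did reach a health policy and failed an SHV requirement, which is the situation the later reply describes for the XP SP3 machines.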
I found part of the problem: the certificates were being installed under the user account, not the Computer account as it needs to be. Once the certificate was put in the right spot, the Vista PC logged in OK. I now have several Vista PCs logging in with no problem. I also have several XP SP3 that log in OK, but I still have a few that won't connect. Funny thing is the event entry on the server says the PC has not synchronized with WSUS and security patches need installing. These PCs are not domain PCs and I have gone to Windows Update and verified all important updates and above are installed. If I turn off the requirement for Important patches and above to be installed, they connect fine. So not sure if I missed another step somewhere.
Saturday, March 21, 2009 2:51 PM