NAP Connection Problem

  • Question

  • Hi all,

    I have set up a TS Gateway server for remote access on Windows Server 2008. Have no problems with anyone connecting.

    Decided to add more protection by using NAP, so I followed the steps in the Step by Step Guide and now no one can connect. I have run the client configuration and verified that the service is running and the server has been added to the Trusted Server Gateway list.

    Error message I get says the PC did not pass NAP authentication. I tried this on a Windows XP SP3 computer and a Vista SP1 computer with same result. I have posted below the netsh outputs I am getting but not sure I understand where the problem is.

    Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Not restricted
    Troubleshooting URL    =
    Restriction start time =
    Extended state         =

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79618
    Name                   = Remote Access Quarantine Enforcement Client
    Description            = Provides the quarantine enforcement for RAS Client
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79619
    Name                   = IPSec Relying Party
    Description            = Provides IPSec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79620
    Name                   = Wireless Eapol Quarantine Enforcement Client
    Description            = Provides wireless Eapol based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79621
    Name                   = TS Gateway Quarantine Enforcement Client
    Description            = Provides TS Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides EAP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent
    Description            = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 0
    Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating its security state.
    Compliance results     =
    Remediation results    =

    Ok.


    NAP client configuration:
    ----------------------------------------------------

    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048

    Hash algorithm = sha1RSA (1.3.14.3.2.29)

    Enforcement clients:
    ----------------------------------------------------
    Name            = DHCP Quarantine Enforcement Client
    ID              = 79617
    Admin           = Disabled

    Name            = Remote Access Quarantine Enforcement Client
    ID              = 79618
    Admin           = Disabled

    Name            = IPSec Relying Party
    ID              = 79619
    Admin           = Disabled

    Name            = Wireless Eapol Quarantine Enforcement Client
    ID              = 79620
    Admin           = Disabled

    Name            = TS Gateway Quarantine Enforcement Client
    ID              = 79621
    Admin           = Enabled

    Name            = EAP Quarantine Enforcement Client
    ID              = 79623
    Admin           = Disabled

    Client tracing:
    ----------------------------------------------------
    State = Disabled
    Level = Disabled

    Any help would be appreciated. Thanks

    Wednesday, March 11, 2009 6:40 PM

Answers

  • Hi,

    One of the limitations of SHV configuration in Server 2008 that is fixed in Server 2008 R2 is that you can only have one set of SHV requirements per health policy server (per NPS). So, if you have some computers that require Security Update Protection and others that do not, you would need to have them evaluated by different health policy servers. In Server 2008 R2, you can configure two profiles for the same SHV, thus allowing you to customize requirements.

    However, you should be able to use either WSUS or Microsoft Update for all computers. The non-domain-joined computers would use Microsoft Update. There is a good explanation of how this works here.

    I hope this helps,
    -Greg

    Friday, March 27, 2009 7:32 PM

All replies

  • Hi,

    Do you have a network policy for non-NAP capable computers?

    Please provide the event displayed in Event Viewer on NPS under Custom Views\Server Roles\Network Policy and Access Services.

    You are looking for events in the range 6272-6278. I am guessing you will see event 6273 (access denied) which occurs if the access request fails to match a policy. Please let me know.

    -Greg

    Thursday, March 12, 2009 5:34 AM
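    The check Greg describes above, done from a PowerShell prompt on the NPS server instead of by clicking through Event Viewer. This is an added example, not code from the thread or from Microsoft: it pulls the NPS audit events 6272-6278 from the Security log for the last 24 hours and groups the 6273 (access denied) entries by the Reason the event carries, so a rejected NAP client can be matched to the policy or health check that rejected it. Assumptions: the script runs locally on the NPS server with rights to read the Security log, NPS auditing is enabled (the default), and the field labels used in the regex (Account Name, Calling Station Identifier, Network Policy Name, Reason Code, Reason) match the event description text; adjust them if your events differ.

    ```powershell
    # Added example, not from the thread: summarize NPS audit events 6272-6278.
    # Assumption: run on the NPS server, reading the local Security log.
    $ids   = 6272..6278
    $since = (Get-Date).AddHours(-24)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = $ids
        StartTime = $since
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Host "No NPS audit events (6272-6278) in the last 24 hours."
        Write-Host "Check that auditing is on: auditpol /get /subcategory:""Network Policy Server"""
        return
    }

    # Pull one labelled line ("Label:   value") out of an event's description text.
    # Assumption: the labels below are the ones shown in the event description.
    function Get-Field {
        param([string]$Message, [string]$Name)
        $pattern = "(?m)^\s*$([regex]::Escape($Name)):\s*(.*)$"
        if ($Message -match $pattern) { return $Matches[1].Trim() }
        return ''
    }

    $rows = foreach ($e in $events) {
        [pscustomobject]@{
            Time          = $e.TimeCreated
            Id            = $e.Id
            Account       = Get-Field $e.Message 'Account Name'
            Client        = Get-Field $e.Message 'Calling Station Identifier'
            NetworkPolicy = Get-Field $e.Message 'Network Policy Name'
            ReasonCode    = Get-Field $e.Message 'Reason Code'
            Reason        = Get-Field $e.Message 'Reason'
        }
    }

    # Which reasons are causing the denials, most frequent first.
    "Access denied (6273) by reason:"
    $rows | Where-Object { $_.Id -eq 6273 } |
        Group-Object ReasonCode, Reason |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize

    # Full timeline, so one client's attempts can be followed end to end.
    "All NPS audit events in the window:"
    $rows | Sort-Object Time |
        Format-Table Time, Id, Account, Client, NetworkPolicy, Reason -AutoSize
    ```

    In the situation from this thread, a 6273 whose Reason names the Windows Security Health Validator (rather than "no matching policy") points at the SHV requirements on the NPS, which is what the later replies go on to discuss.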
  • I found part of the problem: the certificates were being installed under the user account, not the computer account as it needs to be. Once the certificate was put in the right spot, the Vista PC logged in OK. I now have several Vista PCs logging in with no problem. I also have several XP SP3 PCs that log in OK, but I still have a few that won't connect. Funny thing is the event entry on the server says the PC has not synchronized with WSUS and security patches need installing. These PCs are not domain PCs and I have gone to Windows Update and verified all important updates and above are installed. If I turn off the requirement for Important patches and above to be installed, they connect fine. So not sure if I missed another step somewhere.
    Saturday, March 21, 2009 2:51 PM
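    A quick way to catch the wrong-store mistake described in the reply above, as an added PowerShell example that is not part of the thread: it searches the Root and Personal stores of both the computer (LocalMachine) and the current user for a certificate issued to the gateway's name and warns when it is only present under the user account. The `$gatewayName` default is a placeholder for the TS Gateway server's FQDN (the CN on its certificate) and is an assumption to replace; the script reads stores only and changes nothing.

    ```powershell
    # Added example, not from the thread: report which stores hold the gateway
    # certificate. Assumption: $gatewayName is a placeholder for the real FQDN.
    param([string]$gatewayName = 'tsgateway.example.local')

    $stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My',
              'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\My'

    $hits = foreach ($store in $stores) {
        Get-ChildItem $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like "*CN=$gatewayName*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
    }

    if (-not $hits) {
        Write-Warning "No certificate with CN=$gatewayName found in the checked stores."
    } else {
        $hits | Format-Table Store, Subject, NotAfter, Thumbprint -AutoSize

        # The thread's fix: the certificate has to live in the computer account's
        # store, so a hit only under CurrentUser is the misconfiguration to flag.
        $inMachine = $hits | Where-Object { $_.Store -like 'Cert:\LocalMachine\*' }
        if (-not $inMachine) {
            Write-Warning "Found only in the current user's store; import it under the computer account (LocalMachine) instead."
        }

        # Expired or not-yet-valid copies fail validation regardless of store.
        $now = Get-Date
        $hits | Where-Object { $_.NotAfter -lt $now } | ForEach-Object {
            Write-Warning "Certificate $($_.Thumbprint) in $($_.Store) expired on $($_.NotAfter)."
        }
    }
    ```

    Run it as the user who does the Remote Desktop connection, since the CurrentUser hive is per user; the LocalMachine part is the same for every account on the PC.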