NAP and VPN Question

  • Question

  • Hi,

    I have been trying to set up VPN access so that our users can access their files from home. I followed this tutorial:

    https://technet.microsoft.com/en-us/library/dd182017.aspx

    The VPN is working and I am able to connect, and access the files, however as these are non domain computers, I would like to be able to do a health check to make sure they are compliant. I followed all the steps in the above link, but my health checks are not being enforced. Is it possible to enforce client health checks on non domain computers? Am I missing something simple?

    Thanks,

    Chris

    Wednesday, October 14, 2015 5:40 PM

Answers

  • Hi,

    Do not enable enforcement clients on the server.  This is not needed.  The EAP quarantine enforcement client only needs to be enabled on the Windows 7 client.  The server only needs to have the correct policies configured.

    You might find this more useful: http://www.microsoft.com/en-us/download/details.aspx?id=5536

    Always be sure to check the Event Viewer on NPS and review Custom Views\Server Roles\Network Policy and Access Services; the events here will tell you what policy was matched when the client connected. I see from your screen capture that you have multiple policies. You might be matching the wrong policy.

    When a client tries to connect, it will attempt to match conditions in the policies you have configured, in the priority order you have them listed in the console. The exception to this is if you configure the "Type of network access server" in your policy; then clients connecting with that method will try to match that policy before policies that have "Unspecified" chosen.

    Just make sure Event Viewer is telling you that the client matched the correct connection request policy and network policy.

    Wednesday, November 4, 2015 4:27 AM
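    The policy-matching check described in the answer above can be done from the command line instead of clicking through Event Viewer. The following is an added example, not code from the thread or from Microsoft: it reads the standard NPS auditing events from the Security log (6272 = access granted, 6273 = access denied) and pulls out the connection request policy and network policy that NPS matched for each attempt. It assumes an elevated PowerShell session on the NPS server.

    ```powershell
    # Added example: show which NPS policies each recent VPN attempt matched.
    # Event IDs 6272 (granted) and 6273 (denied) are the standard NPS audit
    # events; the labelled lines parsed below appear in their message text.
    # If nothing comes back, NPS auditing may be off; it can be enabled with:
    #   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'
        Id      = 6272, 6273
    } -MaxEvents 20 -ErrorAction Stop

    function Get-Field([string]$Message, [string]$Label) {
        # Pull the value that follows "<Label>:" in the event message, or '?' if absent.
        if ($Message -match ("{0}:\s*(.+)" -f [regex]::Escape($Label))) { $Matches[1].Trim() } else { '?' }
    }

    foreach ($e in $events) {
        [pscustomobject]@{
            Time                    = $e.TimeCreated
            Result                  = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
            Account                 = Get-Field $e.Message 'Account Name'
            ConnectionRequestPolicy = Get-Field $e.Message 'Connection Request Policy Name'
            NetworkPolicy           = Get-Field $e.Message 'Network Policy Name'
            Reason                  = Get-Field $e.Message 'Reason'
        }
    } | Format-Table -AutoSize
    ```

    Read the output from the top: a denied attempt whose NetworkPolicy column names a policy you did not expect (or shows the client falling through to a lower-priority policy) is the "wrong policy matched" situation the answer describes, and the Reason column on 6273 events states why NPS rejected the request.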

All replies

  • Hi Wozer,

    Health policies allow us to define client computer configuration requirements for NAP-capable computers that attempt to connect to the network. Have you configured NAP-capable clients?

    If not, you may refer to the following link to enable NAP enforcement clients:

    https://technet.microsoft.com/en-us/library/cc754296(v=ws.10).aspx

    After enabling NAP capable clients, check if it could work.

    If it still doesn’t work, you may check the event log on the NPS server and provide more information about the connection policies and network policies configured in your lab for further troubleshooting.

    Best Regards,

    Anne He


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, October 19, 2015 4:20 AM
  • Hi Anne,

    I went through and enabled NAP Enforcement Clients on the NPS Server. I ended up enabling EAP Quarantine Enforcement Client as it seems that Windows 7+ uses this for VPN Connections. I also created a certificate for the EAP Connection.

    When adding a condition of Health Policy - Compliant I get the following error; if I remove the Health Policy condition the error does not show up.

    "Error 812: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error."

    The Connection Policy looks like this:

    Overview:
    Policy Enabled - Yes
    Type of network access server: Remote Access Server(VPN-Dial up)

    Conditions:
    None

    Settings
    Authentication Methods
    Override network policy authentication settings - No
    Authentication
    Authenticate requests on this server

    The Network Policy looks like this:

    Overview:
    Enabled - Yes
    Grant Access
    Type of network access server - Remote Access Server (VPN-Dial up)

    Conditions
    Windows Group - LOCAL\VPN Users
    Health Policy - Compliant

    Constraints
    Authentication Methods
    Microsoft Secured password (EAP - MSCHAP v2)
    Less Secure Methods:
    Microsoft Encrypted Authentication Version 2 (MS-CHAP-v2)

    Settings
    NAP Enforcement
    Allow Full network Access

    For the Health Policies
    Compliant
    Client passes all SHV checks

    Thanks for your help Anne,

    Chris

    Tuesday, October 20, 2015 9:14 PM
  • Hi Wozer,

    Since health policies require a NAP-capable client to be configured, as I mentioned above, we may check whether we have successfully configured the NAP-capable client.

    In order to test it, we may create a network policy that adds the condition "only computers that are NAP-capable" plus other basic conditions, without the health policy. If we couldn't connect to the VPN with the NAP-capable condition, we may change it to "only computers that are not NAP-capable".

    Test NAP-capable client and check the result.

    Best Regards,

    Anne He  




    Thursday, October 22, 2015 8:53 AM
  • Hi Anne,

    I did the configuration that you suggested. The non-NAP-capable policy will connect; the NAP-capable one will not, it gives the 812 error.

    I also enabled EAP Quarantine Enforcement Client in napclcfg and started the Network Access Protection Agent service and set it to automatic, but still no luck.

    This is a computer running Windows 7.

    Thanks

    Chris

    Thursday, October 22, 2015 4:28 PM
  • Hi Wozer,

    The result of the test indicates that we didn't successfully configure the win7 client as nap-capable client. Check the configurations about enabling nap client with the article provided above, check if we have missed some configurations.

    Best Regards,

    Anne He 




    Wednesday, October 28, 2015 8:26 AM
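    The "check the client configuration" step in the reply above can be scripted so the same checks run identically on every remote machine. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell prompt on the Windows 7 client. The service name napagent (Network Access Protection Agent) and the netsh enforcement-client ID 79623 (EAP Quarantine Enforcement Client) are taken from the netsh nap and service documentation, not from this thread.

    ```powershell
    # Added example: configure and verify the NAP client side on Windows 7.
    # Run elevated on the remote (non-domain) client that will dial the VPN.

    # 1. The NAP Agent service must be running and start automatically;
    #    without it the client never builds a Statement of Health (SoH).
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent
    Get-Service -Name napagent | Format-List Name, Status, StartType

    # 2. Enable the EAP Quarantine Enforcement Client. This is the enforcement
    #    client that carries the SoH inside the EAP exchange for VPN connections.
    #    (79623 is the netsh ID for the EAP QEC; the same as ticking it in napclcfg.msc.)
    netsh nap client set enforcement ID = 79623 ADMIN = "ENABLE"

    # 3. Verify: 'show state' reports whether the agent is initialized and which
    #    enforcement clients are enabled; 'show configuration' lists the settings
    #    that are in force on this machine.
    netsh nap client show state
    netsh nap client show configuration
    ```

    One point worth checking alongside this, from the way NAP over VPN works rather than from the thread: the health statement travels inside PEAP, so the client's VPN connection profile has to use PEAP (with "Enforce Network Access Protection" selected in its properties) and the network policy's EAP type has to allow PEAP. A client that authenticates with plain MS-CHAP v2 never sends a health statement and is treated as not NAP-capable, which is consistent with the test result in this thread where only the "not NAP-capable" policy connected.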
  • Hi Anne,

    I went ahead and double checked everything and it all looks correct. I have attached some screenshots

    On the VPN Server, I enabled EAP Quarantine Enforcement Client (From searching, this seemed to be the correct enforcement client for remote, non domain, computers.)

    http://i.imgur.com/KwyXNWX.png

    And on the Remote computer I have enabled Network Access Protection Agent:

    http://i.imgur.com/07OIK1C.png

    But still no luck. Is there something else I could be missing? The instructions you linked above were pretty straightforward.

    Chris

    Friday, October 30, 2015 2:36 PM
  • Thank you so much Greg, that walk through helped me get everything working!
    Monday, November 9, 2015 3:38 PM