NAP client does not check against System Health Validators RRS feed

  • Question

  • I have an environment with 2 servers: a RAS server and a NAP server. Both are in the domain. I have set up a rule on the NAP server for the remote client to access only specific resources using IPv4 filters. That is working fine. Now the challenge is to validate those computers that are not part of the domain, to check for antivirus and security updates. As soon as I add the SHV to the NAP policy for those users, they can no longer log on to the resources and are moved to the non-NAP-capable policy, even though the workstations have up-to-date antivirus and security patches. The NAP agent is running, and so is the security service on the remote client. Any ideas why this is happening?
    Wednesday, October 14, 2009 2:06 PM

Answers

  • Hi,

    For a non-domain joined client, you must enable the NAP enforcement client using local policy. Issue a "netsh nap client show state" on the client and verify that the correct enforcement client is initialized. It sounds like you are using VPN enforcement. You might also need to ensure the client computer trusts the NPS certificate for PEAP authentication. However, if you are successfully connecting and being evaluated as non NAP-capable, this shouldn't be a problem.

    For VPN enforcement, NAP clients can be evaluated as non NAP-capable if one of the following is not true:

    1. NAP agent on.
    2. NAP enforcement client enabled and initialized.
    3. "Quarantine checks" enabled on both client and server in PEAP settings.
    4. "Override network policy authentication settings" enabled in connection request policy.
    5. RADIUS client is marked as NAP-capable in NPS settings.

    -Greg
    Thursday, October 15, 2009 5:24 AM
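The client-side part of the checklist above (NAP Agent running, enforcement client enabled in local policy, then confirming it initialized with "netsh nap client show state") can be scripted. The following is an added PowerShell example written for this page; it is not code from the thread or from Microsoft. It assumes an elevated prompt on the non-domain-joined client, that the Remote Access Quarantine enforcement client has ID 79618 (confirm with "netsh nap client show config" before relying on it), and that the Security Center service the Windows Security Health Agent reads from is named wscsvc on the client's Windows version. The server-side items in the list (quarantine checks in PEAP, the connection request policy override, the NAP-capable RADIUS client flag) are NPS settings and are not covered here.

```powershell
# Added example, not from the original thread. Prepares a non-domain-joined
# client for NAP VPN enforcement and verifies the enforcement client state.
# Assumptions: elevated PowerShell on the client; ID 79618 is the
# "Remote Access Quarantine Enforcement Client" (check with
# "netsh nap client show config"); Security Center service is "wscsvc".

$EnforcementId = 79618   # assumed ID, see lead-in

function Get-NapEnforcementState {
    param([int]$Id)
    # "netsh nap client show state" prints "Key = Value" blocks; each
    # enforcement client block starts with an "Id" line. Collect the block
    # whose Id matches and return it as an object (Name, Initialized, ...).
    $lines = netsh nap client show state
    $block = @{}
    $inTarget = $false
    foreach ($line in $lines) {
        if ($line -match '^\s*(\S[^=]*?)\s*=\s*(.*)$') {
            $key = $matches[1]
            $value = $matches[2].Trim()
            if ($key -eq 'Id') {
                if ($inTarget) { break }          # reached the next block
                $inTarget = ($value -as [int]) -eq $Id
                if ($inTarget) { $block = @{ Id = $value } }
            } elseif ($inTarget) {
                $block[$key] = $value
            }
        }
    }
    if ($block.Count -eq 0) { return $null }
    [pscustomobject]$block
}

# 1. NAP Agent service must be running (and should survive a reboot).
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. The Windows Security Health Agent reports AV/update status through
#    Security Center; without it the SHV has nothing to evaluate.
Start-Service -Name wscsvc -ErrorAction SilentlyContinue

# 3. Enable the VPN enforcement client in local policy (no domain GPO
#    reaches a workgroup machine).
netsh nap client set enforcement ID = $EnforcementId ADMIN = "ENABLE"

# 4. Verify: the client must be listed AND show "Initialized = Yes".
$ec = Get-NapEnforcementState -Id $EnforcementId
if ($null -eq $ec) {
    Write-Warning "No enforcement client with ID $EnforcementId; run 'netsh nap client show config' and adjust the ID."
} elseif ($ec.Initialized -ne 'Yes') {
    Write-Warning "$($ec.Name) is present but Initialized = $($ec.Initialized); confirm napagent is running and the client is enabled."
} else {
    "$($ec.Name): enabled and initialized."
}
```

If the enforcement client shows as enabled but never initializes, the usual cause is the NAP Agent service not running at the time the client was enabled; restart napagent and re-run the verification step. A client that passes this check but is still evaluated as non-NAP-capable points to the server-side items in the list above rather than the workstation.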