Issues with NAP setup/configuration

  • Question

  • Hello,
     
    I'm trying to set up network access protection in a test domain environment.  I have Configuration Manager 2007 installed on one Windows 2003 server, with NAP enabled.  I have a Windows 2008 server with Network Policy Server enabled and configured, which also acts as a domain controller.  Finally, I have one Windows XP SP3 client PC, which has been configured with the Configuration Manager client agent, with the NAP agent service running.  We are testing with the DHCP enforcement method.

    I set up a new NAP policy in config mgr, knowing that the client PC did not have that particular Windows critical update patch installed.  Currently, I'm not getting any feedback from the client to the NPS.  When I log into the client as a normal user, I don't see any message saying the machine is non-compliant.  I double-checked the system health validator points that were set up in NPS on the 2008 server; they looked okay to me.

    A couple of questions I had that hopefully someone may have ideas on:

    1) In NPS, under Network Access Protection, System Health Validators, it shows both the Windows Security Health Validator as configured, as well as the Configuration Manager System Health Validator.  However, when I highlight the Configuration Manager one, right-click on it and choose Properties, the box titled Configure is disabled; I cannot click on it.  Yet, if I do the same for the Windows Security Health Validator one, the Configure option is enabled and I can click on it.  Any idea why it's disabled for the CM one?

    2) Also, in the NPS, under Policies, Health Policies, I have two policies set up.  One is the NAP DHCP Compliant policy, which lists both the Windows Security Health Validator and Configuration Manager System Health Validator that were mentioned above.  The other one is the NAP DHCP Noncompliant policy, again using both the WSHV and CMSHV.  Is that setup correct?  Should it be looking at both SHVs?

    3) Finally, how do I know if the client PC is truly producing a Statement of Health, and if a System Health Agent exists on the client?

    Thanks in advance for any feedback.  Much appreciated.

    Charles Thomas
    Monday, November 3, 2008 8:51 PM

Answers

  • To initialize DHCP enforcement, you have to set up the policy on the NPS.

    To initialize the configuration manager system health agent on the client side, you just have to start up that SHA.  During the startup of that SHA, it contacts NAP Agent to have itself initialized.
    Howard Lee - Microsoft
    Wednesday, November 5, 2008 11:40 PM
  • Did you check the NAP step-by-step guide?  If not, take a look at it and see if you configured everything right.

    http://www.microsoft.com/downloads/details.aspx?FamilyID=ac38e5bb-18ce-40cb-8e59-188f7a198897&displaylang=en

    It seems like you haven't enabled the NAP enforcement on the scope of the client computer that you are testing.

    Cheers
    Wednesday, November 12, 2008 6:29 PM
  • Hi Charles,

    Please check the event log on NPS. These events will tell you what network policy the client is matching. When the client has automatic updates OFF, it should match the noncompliant network policy. If this isn't happening then there is a configuration problem.

    -Greg

    Thursday, November 13, 2008 6:13 AM

All replies

  • To follow up on this, below are some errors I pulled from a command line execution of netsh nap client show state:

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    How can I initialize DHCP enforcement on the client side?

    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79745
    Name                   = Configuration Manager System Health Agent
    Description            = Configuration Manager System Health Agent facilitates enforcement of software update compliance using Network Access Protection.
    Version                = 2007
    Vendor name            = Microsoft Corporation
    Registration date      = 10/27/2008 12:31:01 PM
    Initialized            = No
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 0
    Fixup Message          = (0) -

    How do I initialize the configuration manager system health agent on the client side?


    Monday, November 3, 2008 9:02 PM
  • Hi Charles,

    In answer to your questions,

    1) This is expected. If an SHV uses the NAP infrastructure component "health requirement server" then the requirements of that SHV might not be set on NPS. It's still possible that some requirements might be configurable here, but the configuration manager SHV does not work this way.

    2) You can configure policies this way, or other ways. See the health policies topic in the NAP design guide for details. Bottom line is that it all depends on how you want to process things. If you want a policy to match a client no matter which of the SHVs it does not pass, then you must use both SHVs in a single health policy. If you want to call out which particular SHV it didn't pass, then you need to configure a separate policy for each.

    3) There are several ways of telling if a client is sending an SoH. The most assured way is examining NAP events in event viewer on the client. You should see events 27 and 28 occur. I think these are in the system log on XP.
     
    4) Have you enabled the enforcement client through Group Policy, or did you use the command line (netsh)? It looks like you need to enable the enforcement client.

    Issue a "netsh nap client show group" to see the Group Policy settings, or "netsh nap client show config" to see the local settings. Group Policy settings will override the local settings if you have anything configured in Group Policy.

    -Greg
    Tuesday, November 4, 2008 1:57 AM
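    The "netsh nap client show state" dumps in this thread are long, and the only fields that matter for the question of whether the DHCP enforcement client and the SHAs are up are the "Id", "Name" and "Initialized" lines of each record. The script below is an added example (not code from the thread or from Microsoft) that parses that output into one record per component and lists everything still reporting "Initialized = No"; the continuation-line handling exists because the console folds long "Description" values onto a second line, sometimes mid-word, exactly as in the pasted output above. SAMPLE_OUTPUT is a constructed excerpt in that layout; on a NAP client you would pipe the real command into the script instead.

```python
"""Summarise the output of `netsh nap client show state`.

Added example, not code from the thread or from Microsoft. SAMPLE_OUTPUT is a
constructed excerpt in the layout the NAP client prints; on a real client run
`netsh nap client show state | python nap_state.py` instead.
"""
import re
import sys

SAMPLE_OUTPUT = """\
Client state:
----------------------------------------------------
Name                   = Network Access Protection Client
Status                 = Enabled
Restriction state      = Not restricted

Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Initialized            = No

Id                     = 79619
Name                   = IPSec Relying Party
Description            = Provides IPSec based enforcement for Network Access Pro
tection
Initialized            = No

System health agent (SHA) state:
----------------------------------------------------
Id                     = 79745
Name                   = Configuration Manager System Health Agent
Description            = Configuration Manager System Health Agent facilitates e
nforcement of software update compliance using Network Access Protection.
Initialized            = No
Failure category       = None
"""

SECTION_RE = re.compile(r"^(.+?) state:$")
FIELD_RE = re.compile(r"^([A-Za-z ]+?)\s*=\s?(.*)$")


def parse_nap_state(text):
    """Return {section: [record, ...]}, each record a dict of field -> value.

    A new record starts at every "Id" line (the single-record "Client" section
    starts at its first field). The console folds values longer than the window
    width onto a continuation line, sometimes mid-word, so a line without "="
    is appended verbatim to the previous field.
    """
    sections = {}
    section = record = last_field = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or set(line) == {"-"}:
            continue  # blank line or the dashed separator
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            sections[section] = []
            record = last_field = None
            continue
        m = FIELD_RE.match(line)
        if m and section is not None:
            field, value = m.group(1).strip(), m.group(2).strip()
            if field == "Id" or record is None:
                record = {}
                sections[section].append(record)
            record[field] = value
            last_field = field
        elif record is not None and last_field is not None:
            record[last_field] += line  # folded continuation, keep its spacing
    return sections


def not_initialised(sections):
    """(section, id, name) for every component whose Initialized field is not Yes."""
    found = []
    for section, records in sections.items():
        for rec in records:
            if "Initialized" in rec and rec["Initialized"] != "Yes":
                found.append((section, rec.get("Id"), rec.get("Name")))
    return found


if __name__ == "__main__":
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for section, id_, name in not_initialised(parse_nap_state(text)):
        print(f"{section}: {name} (id {id_}) is not initialized")
```

    Run against the first dump in this thread it would report the DHCP Quarantine Enforcement Client (79617) and the Configuration Manager SHA (79745) as not initialized; against the second dump both show "Yes" and the script prints nothing for them. It is a reading aid only: whether the enforcement client is allowed to initialize is decided by the Group Policy or local settings that "netsh nap client show group" and "netsh nap client show config" display.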
  • You can also try the command on your NAP client PC:
    netsh nap client set enforcement 79617
    to use DHCP enforcement, then double-check the settings again using netsh nap client show state.

    If that didn't work, try:
    netsh nap client set enforcement id=79617 admin="enable"
    (including the "")  Good luck
    Saturday, November 8, 2008 1:00 AM
  • Thanks for the feedback.  It appears that I do have the DHCP client enforcement method enabled/initialized.  When I run "netsh nap client show state" on the client PC I get the following:

    Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Not restricted
    Troubleshooting URL    =
    Restriction start time =
    Extended state         =

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes

    Id                     = 79618
    Name                   = Remote Access Quarantine Enforcement Client
    Description            = Provides the quarantine enforcement for RAS Client
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79619
    Name                   = IPSec Relying Party
    Description            = Provides IPSec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79620
    Name                   = Wireless Eapol Quarantine Enforcement Client
    Description            = Provides wireless Eapol based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79621
    Name                   = TS Gateway Quarantine Enforcement Client
    Description            = Provides TS Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides EAP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent
    Description            = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 0
    Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating its security state.
    Compliance results     =
    Remediation results    =

    Id                     = 79745
    Name                   = Configuration Manager System Health Agent
    Description            = Configuration Manager System Health Agent facilitates enforcement of software update compliance using Network Access Protection.
    Version                = 2007
    Vendor name            = Microsoft Corporation
    Registration date      = 10/27/2008 11:31:01 AM
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 100
    Fixup Message          = (90701) - The Configuration Manager System Health Agent is compliant with the required software updates.
    Compliance results     =
    Remediation results    = (0x00000000) - (null)


    Ok.


    As a test, on the NPS, I've changed the Health Policies to only check the Windows System Health Validator, as opposed to both the WSHV and the Configuration Manager Health Validator.  On the WSHV, I configured it to only check that "Automatic Updating" is enabled.  On the client PC, I deliberately turned Automatic Updates OFF in the control panel.  In the system Event Viewer on the client, I made sure that event IDs 27, 28 were present and successful (receiving statements of health with 79744 and 79745; sending statements of health to enforcement client 79617 [DHCP]).

    After having checked all of these settings/configurations, whenever I log into the client PC and run "napstat", I get the following popup message:

    "Your computer is compliant with the requirements of this network: You have full network access."  Again, this occurs even though Automatic Updates is turned OFF and the only restriction I set on the WSHV was that Automatic Updating should be ON.

    I've made sure that the Network Policies and Health Policies on NPS were configured correctly.

    Any further help would be greatly appreciated.

    Thanks,

    Charles Thomas

    Wednesday, November 12, 2008 5:39 PM
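    Greg's point 2 above (both SHVs in one health policy versus one health policy per SHV) and the test just described (WSHV configured to require Automatic Updates, Automatic Updates switched off, client still reported compliant) both come down to how a health policy's condition aggregates the per-SHV pass/fail results. The following is an added example, not code from the thread or from NPS itself: a small model of that aggregation. The condition names are the ones NPS offers when you create a health policy; the policy names, the SoH outcomes and the rule that an SHV listed in the policy but missing from the SoH counts as failed are constructed assumptions for the illustration.

```python
"""Model of how NPS health policies combine SHV results (added example).

Not NPS code. Condition names are the NPS health-policy conditions; policy
names, SoH results and the missing-SHV rule are constructed for illustration.
"""

# Health-policy conditions and how each aggregates the per-SHV results.
CONDITIONS = {
    "Client passes all SHV checks": lambda results: all(results),
    "Client fails one or more SHV checks": lambda results: not all(results),
    "Client passes one or more SHV checks": lambda results: any(results),
    "Client fails all SHV checks": lambda results: not any(results),
}

WSHV = "Windows Security Health Validator"
CMSHV = "Configuration Manager System Health Validator"


def health_policy(name, condition, shvs):
    return {"name": name, "condition": condition, "shvs": tuple(shvs)}


def evaluate(policy, soh_results):
    """True when the policy's condition holds over the SHVs the policy lists.

    soh_results maps SHV name -> True (passed) / False (failed). Assumption of
    this model: an SHV the policy lists but the SoH does not report is failed.
    """
    results = [soh_results.get(shv, False) for shv in policy["shvs"]]
    return CONDITIONS[policy["condition"]](results)


def match_policy(policies, soh_results):
    """Policies are processed in order; the first whose health condition
    matches decides the client's access. Returns that policy's name."""
    for policy in policies:
        if evaluate(policy, soh_results):
            return policy["name"]
    return None


# Variant 1: both SHVs listed in each health policy (the setup in the question).
COMBINED = [
    health_policy("NAP DHCP Compliant", "Client passes all SHV checks", [WSHV, CMSHV]),
    health_policy("NAP DHCP Noncompliant", "Client fails one or more SHV checks", [WSHV, CMSHV]),
]

# Variant 2: one noncompliant policy per SHV, so the match names the failing SHV.
PER_SHV = [
    health_policy("NAP DHCP Compliant", "Client passes all SHV checks", [WSHV, CMSHV]),
    health_policy("WSHV Noncompliant", "Client fails one or more SHV checks", [WSHV]),
    health_policy("CM SHV Noncompliant", "Client fails one or more SHV checks", [CMSHV]),
]

# Constructed SoH outcome for the test described above: WSHV fails because
# Automatic Updates is off, the Configuration Manager SHV passes.
AUTO_UPDATES_OFF = {WSHV: False, CMSHV: True}


if __name__ == "__main__":
    for label, policies in (("combined", COMBINED), ("per-SHV", PER_SHV)):
        print(f"{label}: {match_policy(policies, AUTO_UPDATES_OFF)}")
```

    With either layout the model lands on a noncompliant policy for the Automatic-Updates-off case (the combined layout only says "noncompliant", the per-SHV layout says which SHV failed). A client that nevertheless gets "You have full network access" therefore matched something else on the server side, which is why the NPS event log, which records the network policy each request matched, is the place to look rather than the client.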
  • Ultimately, I would like to run NAP on the test domain I have setup (w/DHCP enforcement) where the main health checks/restrictions on the client PCs will be compliance with Microsoft security updates.  However, right now I'm just trying to get a simple health check working to show a client as non-compliant.

    Charles
    Wednesday, November 12, 2008 5:45 PM