NAP with DHCP enforcement issues

  • Question

  • Hi,
    I have successfully deployed NAP with DHCP on a subnet in my network. I followed the step-by-step guide. The config seems to be okay, because I have gone over it again and again. But the problem is: NAP does not auto-remediate clients on the network, as quarantined systems remain restricted until a reboot or manual execution of "net start napagent". The most popular of such errors is "windows could not install the required updates, an administrator must install them manually". Meanwhile, the error message I usually see on the server is:

    The Network Access Protection Agent was unable to determine which HRAs to request a health certificate from.
    A network change or if GP is configured, a configuration change will prompt further attempts to acquire a health certificate. Otherwise no further attempts will be made.
    Contact the HRA administrator for more information.
    Monday, October 19, 2009 6:17 PM

Answers

  • Hi Pheezo,

    In reference to the error message you mentioned in your first post, this can be ignored. The message occurs once when you first start the computer but isn't significant in your situation because you are using DHCP enforcement. It is also possible to eliminate the error by configuring a trusted server group. See this procedure and refer to the section titled Disable HRA discovery close to the bottom of the page.

    Here is what I recommend you do.

    1. Execute a gpresult on the client machine and ensure that the GPO you are using is applied. If this is a vista client you need to type gpresult /r

    I am assuming here that you used a security group to apply the GPO settings. Gpresult will tell you which GPOs were applied and what security groups the computer and user is a member of. Verify that the computer is a member of the correct security group and the GPO you created is getting applied.

    2. Verify configuration of the Windows SHV. Note that there are separate tabs for Vista computers and XP computers.

    3. Remove all requirements from the Windows SHV except Windows Update.

    Some things that can be configured on the Windows SHV cannot be automatically remediated, such as antivirus software installed and up to date.

    4. In the noncompliant Network Policy, verify that automatic remediation is enabled.

    5.  Issue a "netsh nap client show state" on the client machine and note the results.

    6. Issue a "net stop napagent && net start napagent" from an elevated command prompt. This will stop and restart NAP agent. If NAP agent was already off, then just issue a net start napagent.

    7. Issue a "netsh nap client show state" again on the client machine and note the results. At this point the client should be compliant.

    8. Turn off automatic updates on the client machine and verify that it is turned back on again immediately.

    9. Review events on the NPS server to verify that the correct noncompliant and compliant policies are matched. View these events under Custom Views\Server Roles\Network Policy and Access Services.

    -Greg

    Friday, October 23, 2009 4:55 AM
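The script below is an added example, not something Greg or anyone else in the thread posted. It runs the client-side checks from steps 1, 5, 6 and 7 (GPO applied, NAP agent service state, `netsh nap client show state` before and after restarting the agent) and, when an NPS host is given, the event review from step 9, from PowerShell. Assumptions: the GPO display name in `$GpoName` is a placeholder to replace with your own; the regex on the `Restriction state` line assumes that is how `netsh nap client show state` labels the field on your client; the NPS event IDs are the standard NPS audit events written to the Security log (6272 granted, 6273 denied, 6276 quarantined, 6277 granted with probation, 6278 granted full access).

```powershell
# Added example: NAP/DHCP enforcement client checks (steps 1, 5, 6, 7) and NPS event review (step 9).
# Run in an elevated PowerShell prompt on a Vista/Windows 7 client.
param(
    [string]$GpoName = 'NAP Client Settings',   # ASSUMED placeholder; use your GPO's display name
    [switch]$RestartAgent,                      # step 6: stop/start the NAP agent service
    [string]$NpsServer                          # step 9: NPS host whose Security log to query
)

function Get-NapRestrictionState {
    # Steps 5/7: read the restriction state reported by the NAP client.
    # ASSUMPTION: the field is printed as "Restriction state = <value>".
    $out  = netsh nap client show state 2>&1
    $line = $out | Select-String -Pattern 'Restriction state\s*=\s*(.+)$' | Select-Object -First 1
    if ($line) { return $line.Matches[0].Groups[1].Value.Trim() }
    return 'unknown (napagent not running, or output format differs)'
}

# Step 1: confirm the NAP GPO is actually applied to the computer object.
$gp = gpresult /r /scope:computer 2>&1
if ($gp -match [regex]::Escape($GpoName)) {
    Write-Host "GPO '$GpoName' is applied to this computer."
} else {
    Write-Warning "GPO '$GpoName' not listed by gpresult; check the computer's security group membership and GPO filtering."
}

# What the NAP client itself thinks Group Policy configured (same check as the reply above).
netsh nap client show grouppolicy

# The agent must be running and set to Automatic; otherwise restricted clients
# stay restricted until someone runs "net start napagent" by hand.
$svc  = Get-Service -Name napagent
$mode = (Get-WmiObject Win32_Service -Filter "Name='napagent'").StartMode
Write-Host "napagent: status=$($svc.Status) startmode=$mode"

Write-Host "Before: restriction state = $(Get-NapRestrictionState)"

if ($RestartAgent) {
    # Step 6: same effect as "net stop napagent && net start napagent".
    # Restart-Service starts the service if it was already stopped.
    Restart-Service -Name napagent -Force
    Start-Sleep -Seconds 15   # give the DHCP enforcement client time to re-evaluate
    Write-Host "After restart: restriction state = $(Get-NapRestrictionState)"
}

if ($NpsServer) {
    # Step 9: NPS audit events (Security log). A client that never moves from
    # 6277 (probation, noncompliant) to 6278 (full access, compliant) is not being remediated.
    Get-WinEvent -ComputerName $NpsServer `
        -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6276, 6277, 6278 } `
        -MaxEvents 20 |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

Run it once without `-RestartAgent` to record the "before" state, then with `-RestartAgent` to reproduce step 7; if the client only becomes unrestricted after the restart, the agent's startup and the GPO delivery are the things to look at, not the SHV settings.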

All replies

  • As for the NAP Agent not being started - you will want to ensure that GP is configured to turn the NAP Agent service on on all clients where you want NAP to be applied.

    As for the update issue - the question that comes to mind is:  Do any of the updates being attempted require user interaction (acceptance of EULA, for example) to complete?

    -Chris
    Chris.Edson@online.microsoft.com * SDET II, Network Access Protection * Remove the "online" to make the address valid. ** This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, October 19, 2009 8:29 PM
  • "NAP does not auto remediate clients on the network as quarantined systems remain restricted until a reboot or manual execution of "net start napagent". "

    Can you please run a "netsh nap client show grouppolicy" on the client machine to see if the configuration is good?  Can you try a "gpupdate" instead of the rebooting or manually starting the napagent to see if it can work?

    Sorry. My posting is my personal suggestion, Microsoft won't take any responsibilities for my posting. But I am more than happy to try my best to help you.
    Tuesday, October 20, 2009 4:38 AM
  • I have the NAP service started as Automatic on client machines. I deployed it with an Active Directory GPO.

    Tuesday, October 20, 2009 10:13 AM
  • But despite having it configured in the Active Directory GPO, I still have to manually execute "net start napagent" on clients' machines before they can have network access. Meanwhile, the error message "windows could not install the required updates, an administrator must update them manually" still occurs.
    Tuesday, October 20, 2009 3:13 PM
  • Hi,

    Please, is there any way that I can send you my server configuration? Please tell me what file I need to send to enable you to view the configuration settings, to see if there is any misconfiguration. The pressure is really on me now and a decision is about to be taken.

    Tuesday, October 20, 2009 3:56 PM
  • Please send email to "quzhang at microsoft dot com".
    Sorry. My posting is my personal suggestion, Microsoft won't take any responsibilities for my posting. But I am more than happy to try my best to help you.
    Friday, October 23, 2009 2:52 AM