Network Access Protection not working with new devices

  • Question

  • We have a Network Access Protection server on a Windows Server 2012 box configured against 20 devices, and it works perfectly for all but 2 devices that won't work with it no matter what we do. These use a configuration template that is the same as 13 of the working devices (Cisco Meraki devices).

    The testing we have done is as follows.

    From a working device:

    • Tested a valid account, followed the traffic across our network to the server; at each stage we can see the valid traffic, in the NAP logs we can see the request being approved, in Event Viewer we can follow the request policies, and we can follow the traffic back.
    • Tested an invalid account; again we can see all stages, the deny in the NPS log, and the Deny event in Event Viewer.

    From the non-working device:

    • Testing a valid account: we can see the request traffic across the network and we can see it reach the server, but neither the NAP log nor Event Viewer shows the request completed or failed, and no traffic is returned to the device.
    • Testing an invalid account: we can see the request traffic across the network and we can see it reach the server, and we can see the invalid request in the logs and Event Viewer.

    As you can see this is an oddity that we currently can't explain. We know the server can respond to invalid requests, so communication is there. The device uses a default configuration that works elsewhere, and all the same firewall rules are applied to the working sites and the broken sites. I've had Microsoft investigate the server and they say the configuration is correct and there is nothing wrong, and Cisco have confirmed the device configuration is valid and correct.

    So basically we are at wits' end. Has anyone come across anything similar, and if so, how did you resolve it?

    Thanks in advance.


    Wednesday, September 28, 2016 10:43 AM

All replies

  • Hi,

    >>Testing a valid account: we can see the request traffic across the network and we can see it reach the server, but neither the NAP log nor Event Viewer shows the request completed or failed, and no traffic is returned to the device.

    If the NAP service receives and drops the request, then it should log the reason why this request is discarded.

    You may try enabling NAP trace logging to check the detailed NAP process.

    Here is a good guide about the NAP trace logging:

    https://msdn.microsoft.com/en-us/library/dd348461(v=ws.10).aspx#logfiles

    Also, you may try to perform a network capture on the NAP server and check the detailed information of the request packets. Then you can compare the working request and the not working request.

    If none of these help, I would suggest you open a case with Microsoft, so that a dedicated professional can help you with your request.

    Best Regards,


    Steven Lee
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, October 4, 2016 7:57 AM
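The reply above suggests capturing the RADIUS traffic on the NAP/NPS server and comparing a working request with a non-working one. The following is an added example, not code from either poster or from Microsoft or Cisco: a small RADIUS Access-Request parser that tabulates the attributes of two captured datagrams, reports which attributes differ, and verifies the Message-Authenticator HMAC-MD5 against the shared secret configured for that RADIUS client. The Message-Authenticator check is included because RFC 2869 requires a server to silently discard an Access-Request whose Message-Authenticator does not verify, which is one of the conditions under which nothing useful appears in the logs. The two packets, the user name, the NAS identifiers and addresses, and the shared secrets are all constructed for the example; in practice you would load the UDP payloads exported from the capture and use the real shared secret.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

# RADIUS attribute type codes (RFC 2865 / RFC 2869) that are decoded by name below.
ATTR_NAMES = {
    1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
    26: "Vendor-Specific", 30: "Called-Station-Id", 31: "Calling-Station-Id",
    32: "NAS-Identifier", 61: "NAS-Port-Type", 79: "EAP-Message",
    80: "Message-Authenticator",
}
ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80


def parse_radius(packet: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes, int]]]:
    """Split a raw RADIUS datagram into (code, identifier, authenticator, attributes).

    Each attribute is returned as (type, value, offset_of_type_byte) so callers can
    locate it again in the raw bytes.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with datagram size")
    authenticator = packet[4:20]
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen], pos))
        pos += alen
    return code, ident, authenticator, attrs


def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """RFC 2869 s5.14: HMAC-MD5 keyed with the shared secret over the whole packet,
    with the 16-byte Message-Authenticator value set to zero. Returns False if the
    attribute is absent or does not verify (the server would silently discard it)."""
    _, _, _, attrs = parse_radius(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    for atype, value, offset in attrs:
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False


def decode(atype: int, value: bytes):
    """Render common attribute types readably; anything else is shown as hex."""
    if atype == 4 and len(value) == 4:
        return ".".join(str(b) for b in value)
    if atype in (5, 6, 61) and len(value) == 4:
        return struct.unpack("!I", value)[0]
    if atype in (1, 30, 31, 32):
        return value.decode("utf-8", "replace")
    return value.hex()


def attribute_table(packet: bytes) -> Dict[str, list]:
    """Map attribute name -> list of decoded values (attributes may repeat, e.g. EAP-Message)."""
    _, _, _, attrs = parse_radius(packet)
    table: Dict[str, list] = {}
    for atype, value, _ in attrs:
        if atype == MESSAGE_AUTHENTICATOR:
            continue  # always differs between packets; checked by HMAC instead
        table.setdefault(ATTR_NAMES.get(atype, f"Attr-{atype}"), []).append(decode(atype, value))
    return table


def diff_requests(working: bytes, broken: bytes) -> Dict[str, tuple]:
    """Attributes whose values differ between the two captures, as name -> (working, broken)."""
    a, b = attribute_table(working), attribute_table(broken)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def build_access_request(ident: int, attrs: List[Tuple[int, bytes]], secret: bytes,
                         request_auth: bytes) -> bytes:
    """Assemble a constructed Access-Request with a valid Message-Authenticator (for the demo)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16  # placeholder
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


# Constructed sample data: the secret NPS has configured for the client, a fixed
# request authenticator, and two requests that differ only in NAS identity and in the
# secret used to sign them (the "broken" one was signed with a mismatched secret).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
COMMON = [(1, b"jdoe@corp.example"), (61, struct.pack("!I", 19)),      # Wireless-802.11
          (79, b"\x02\x01\x00\x09\x01jdoe")]                             # EAP-Response/Identity
WORKING = build_access_request(7, COMMON + [(4, bytes([10, 0, 1, 5])), (32, b"meraki-site-a")],
                               SECRET, REQUEST_AUTH)
BROKEN = build_access_request(9, COMMON + [(4, bytes([10, 0, 2, 5])), (32, b"meraki-site-b")],
                              b"wrong-secret", REQUEST_AUTH)

if __name__ == "__main__":
    for name, pkt in (("working", WORKING), ("broken", BROKEN)):
        print(name, "Message-Authenticator verifies:", message_authenticator_ok(pkt, SECRET))
    for attr, (w, b) in diff_requests(WORKING, BROKEN).items():
        print(f"{attr}: working={w} broken={b}")
```

Run it on the exported UDP payloads of one accepted and one silently dropped request: attributes that differ (NAS-IP-Address, NAS-Identifier, Vendor-Specific, NAS-Port-Type) point at what the NPS connection request or network policy is matching on, and a Message-Authenticator that does not verify with the secret configured for that client's address explains a request that arrives but produces no log entry.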