RADIUS for wireless Windows 7 clients: NPS says YES, client says NO

Question
I've set up 802.1x NAP for wireless connections and Windows XP clients work fine.
But I have a problem with Windows 7 Enterprise clients. NPS grants access but Windows 7 says it cannot connect to WiFi.
There aren't any error/warning messages in the client's Event Viewer.
Saturday, November 12, 2011 2:52 PM
Answers
Windows 7 works with these settings (no need for importing certificate of Root CA):
- Marked as answer by marianh Tuesday, November 22, 2011 9:27 AM
Tuesday, November 22, 2011 9:27 AM
All replies
Hi,
Thank you for your post.
Please follow the steps below to troubleshoot:
1. Install KB980295 on your Windows 7 client and restart, then check whether any event is logged for NAP
2. On the Windows 7 client connection properties, enable the Enforce Network Access Protection option (in your sixth screenshot)
3. Try the Fixing NAP Client Settings Problems article
4. Run the commands "netsh nap client show state" and "netsh nap client show config", and post the result to us for analysis
If there are more inquiries on this issue, please feel free to let us know.
Regards,
Rick Tan
Monday, November 14, 2011 8:12 AM -
1. installed
2. enabled
3. n/a
4.
Client state:
----------------------------------------------------
Name = Network Access Protection Client
Description = Microsoft Network Access Protection Client
Protocol version = 1.0
Status = Enabled
Restriction state = Not restricted
Troubleshooting URL =
Restriction start time =
Extended state =
GroupPolicy = Not Configured

Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Description = Provides DHCP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

Id = 79619
Name = IPsec Relying Party
Description = Provides IPsec based enforcement for Network Access Protection
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

Id = 79621
Name = RD Gateway Quarantine Enforcement Client
Description = Provides RD Gateway enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

Id = 79623
Name = EAP Quarantine Enforcement Client
Description = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Description = The Windows Security Health Agent monitors security settings on your computer.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (3237937214) - The Windows Security Health Agent has finished updating the security state of this computer.
Compliance results =
Remediation results =
Ok.

NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)

Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled

Name = IPsec Relying Party
ID = 79619
Admin = Disabled

Name = RD Gateway Quarantine Enforcement Client
ID = 79621
Admin = Disabled

Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled

Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled
Ok.
Monday, November 14, 2011 2:29 PM -
Hi,
Id = 79623
Name = EAP Quarantine Enforcement Client
Initialized = No
The log shows your client has not enabled 802.1x NAP.
Name = Network Access Protection Client
GroupPolicy = Not Configured
This means your client hasn't received the NAP group policy, or the NAP group policy hasn't been set in your domain.
To get the NAP group policy, connect Windows 7 with a wired cable and run the "gpupdate /force" command.
To set the NAP group policy in your domain, please read the Configure NAP Enforcement Clients in Group Policy article.
NPS grants access but Windows 7 says it cannot connect to WiFi.
First, please ensure you unplug the wired cable to connect to WiFi.
Run the RSOP.msc command to verify the 802.1x wireless group policy.
Here is a wired 802.1X NAP step-by-step guide; hope it helps you.
If there are more inquiries on this issue, please feel free to let us know.
Regards,
Rick Tan
- Edited by Rick Tan Wednesday, November 16, 2011 3:24 AM
Wednesday, November 16, 2011 3:24 AM -
This means your client hasn't received the NAP group policy, or the NAP group policy hasn't been set in your domain.
Wednesday, November 16, 2011 4:44 AM -
Hi,
Well, NAP 802.1x with PEAP-EAP-MSCHAPv2 for a NON-domain computer.
Configure your client with steps below:
1. Export Root CA from server and import to Windows 7
2. Enable 802.1x NAP with this command:
netsh nap client set enforcement ID = "79623" admin = "ENABLE"
3. Uncheck the Automatically use my Windows logon name and password option
4. When connecting to the AP, input the domain account.
Here is a similar thread about NAP 802.1x with a NON-domain user.
Regards,
Rick Tan
Wednesday, November 16, 2011 6:52 AM -
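Added example, not part of the original thread: a Python check that automates the reading of the pasted "netsh nap client show state" / "show config" output described in the two replies above (GroupPolicy value, whether enforcement client 79623 is initialized and admin-enabled). The function names and the abridged sample text are constructed for illustration.

```python
# Constructed sample: abridged from the output pasted in this thread, one pair per line.
SAMPLE = """\
Client state:
----------------------------------------------------
Name = Network Access Protection Client
GroupPolicy = Not Configured
Enforcement client state:
Id = 79617
Initialized = No
Id = 79623
Name = EAP Quarantine Enforcement Client
Initialized = No
Enforcement clients:
Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled
"""
EAP_QEC_ID = "79623"  # EAP Quarantine Enforcement Client ID, as shown in the thread

def parse_sections(text):
    """Map each 'Title:' section to a list of records ({key: value}, keys lowercased)."""
    sections, title, rec = {"": []}, "", None
    for line in map(str.strip, text.splitlines()):
        if "=" not in line:
            if line.endswith(":"):          # section header such as "Client state:"
                title, rec = line[:-1].lower(), None
                sections[title] = []
            continue                         # rulers, blanks, "Ok.", wrapped text
        key, _, value = line.partition("=")  # split on the first "=" only
        key, value = key.strip().lower(), value.strip()
        if rec is None or key in rec:        # a repeated key starts the next record
            rec = {}
            sections[title].append(rec)
        rec[key] = value
    return sections

def nap_8021x_findings(text):
    """Return reasons the client is not doing NAP over 802.1X (empty list = none found)."""
    s, out = parse_sections(text), []
    client = (s.get("client state") or [{}])[0]
    if client.get("grouppolicy", "").lower() == "not configured":
        out.append("no NAP client settings from Group Policy")
    for rec in s.get("enforcement client state", []):
        if rec.get("id") == EAP_QEC_ID and rec.get("initialized", "").lower() != "yes":
            out.append("EAP enforcement client not initialized")
    for rec in s.get("enforcement clients", []):
        if rec.get("id") == EAP_QEC_ID and rec.get("admin", "").lower() != "enabled":
            out.append("EAP enforcement client admin-disabled")
    return out
```

Feed it the concatenated text of both commands; padding around "=" in real netsh output is stripped by the parser.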