RADIUS for wireless Windows 7 clients: NPS says YES, client says NO

  • Question

  • I've set up 802.1x NAP for wireless connections and Windows XP clients work fine.

    But I have a problem with Windows 7 Enterprise clients. NPS grants access but Windows 7 says it cannot connect to WiFi.

    There aren't any error/warning messages in the client's Event Viewer.

    Saturday, November 12, 2011 2:52 PM

Answers

  • Windows 7 works with these settings (no need to import the Root CA certificate):

    • Marked as answer by marianh Tuesday, November 22, 2011 9:27 AM
    Tuesday, November 22, 2011 9:27 AM

All replies

  • Hi,

    Thank you for your post.

    Please follow the steps below to troubleshoot:
    1. Install KB980295 on your Windows 7 client and restart, then check whether any event is logged for NAP
    2. In the Windows 7 client connection properties, enable the Enforce Network Access Protection option (in your sixth screenshot)
    3. Try the "Fixing NAP Client Settings Problems" article
    4. Run the commands "netsh nap client show state" and "netsh nap client show config", and post the results to us for analysis

    If there are more inquiries on this issue, please feel free to let us know.

    Regards,
    Rick Tan

    Monday, November 14, 2011 8:12 AM
  • 1. installed

    2. enabled

    3. n/a

    4.

     

    Client state: 
    ---------------------------------------------------- 
    Name                   = Network Access Protection Client 
    Description            = Microsoft Network Access Protection Client 
    Protocol version       = 1.0 
    Status                 = Enabled 
    Restriction state      = Not restricted 
    Troubleshooting URL    =  
    Restriction start time =  
    Extended state         =  
    GroupPolicy            = Not Configured 
    
    Enforcement client state: 
    ---------------------------------------------------- 
    Id                     = 79617 
    Name                   = DHCP Quarantine Enforcement Client 
    Description            = Provides DHCP based enforcement for NAP 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 
    
    Id                     = 79619 
    Name                   = IPsec Relying Party 
    Description            = Provides IPsec based enforcement for Network Access Protection 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 
    
    Id                     = 79621 
    Name                   = RD Gateway Quarantine Enforcement Client 
    Description            = Provides RD Gateway enforcement for NAP 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 
    
    Id                     = 79623 
    Name                   = EAP Quarantine Enforcement Client 
    Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies. 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 
    
    System health agent (SHA) state: 
    ---------------------------------------------------- 
    Id                     = 79744 
    Name                   = Windows Security Health Agent
    Description            = The Windows Security Health Agent monitors security settings on your computer.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =  
    Initialized            = Yes 
    Failure category       = None 
    Remediation state      = Success 
    Remediation percentage = 0 
    Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating the security state of this computer.
    Compliance results     = 
    Remediation results    = 
    
    Ok.
    
    NAP client configuration: 
    ---------------------------------------------------- 
    
    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048 
    
    Hash algorithm = sha1RSA (1.3.14.3.2.29) 
    
    Enforcement clients: 
    ---------------------------------------------------- 
    Name            = DHCP Quarantine Enforcement Client 
    ID              = 79617 
    Admin           = Disabled 
    
    Name            = IPsec Relying Party 
    ID              = 79619 
    Admin           = Disabled 
    
    Name            = RD Gateway Quarantine Enforcement Client 
    ID              = 79621 
    Admin           = Disabled 
    
    Name            = EAP Quarantine Enforcement Client 
    ID              = 79623 
    Admin           = Disabled 
    
    Client tracing: 
    ---------------------------------------------------- 
    State = Disabled 
    Level = Disabled 
    
    Ok.
    
    Monday, November 14, 2011 2:29 PM
  • Hi,

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Initialized            = No

    The log shows your client has not enabled 802.1x NAP.

    Name                   = Network Access Protection Client
    GroupPolicy            = Not Configured

    This means your client hasn't received the NAP group policy, or the NAP group policy hasn't been set in your domain.
    To get the NAP group policy, connect the Windows 7 client with a wired cable and run the "gpupdate /force" command.
    To set the NAP group policy in your domain, please read the "Configure NAP Enforcement Clients in Group Policy" article.

    NPS grants access but Windows 7 says it cannot connect to WiFi.
    First, please ensure you unplug the wired cable before connecting to WiFi.
    Run the RSOP.msc command to verify the 802.1x wireless group policy.
    Here is a wired 802.1X NAP step-by-step guide; I hope it helps you.

    If there are more inquiries on this issue, please feel free to let us know.

    Regards,
    Rick Tan

     

     


    • Edited by Rick Tan Wednesday, November 16, 2011 3:24 AM
    Wednesday, November 16, 2011 3:24 AM
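
The check made by eye in the reply above, as an added example that is not part of the original thread: it parses `netsh nap client show state` output and reports the two conditions that reply points to. The sample text is abridged from the output posted earlier in the thread; the function names are hypothetical.

```python
# Abridged from the "netsh nap client show state" output posted in this thread.
SAMPLE_STATE = """\
Client state:
----------------------------------------------------
Name                   = Network Access Protection Client
Status                 = Enabled
GroupPolicy            = Not Configured

Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Initialized            = No

Id                     = 79623
Name                   = EAP Quarantine Enforcement Client
Initialized            = No
"""

EAP_EC_ID = "79623"  # EAP Quarantine Enforcement Client, the one used for 802.1X

def parse_sections(text):
    """Return {section heading: [record dict, ...]} from netsh-style output."""
    sections, title, record = {}, None, {}
    for line in text.splitlines() + [""]:
        line = line.strip()
        if "=" in line and title:
            key, _, value = line.partition("=")
            record[key.strip()] = value.strip()
            continue
        if record:  # a blank line or a new heading ends the current record
            sections[title].append(record)
            record = {}
        if line.endswith(":"):
            title = line[:-1]
            sections[title] = []
    return sections

def diagnose(text):
    """List the conditions that keep 802.1X NAP enforcement from running."""
    sections = parse_sections(text)
    client = (sections.get("Client state") or [{}])[0]
    findings = []
    if client.get("GroupPolicy") == "Not Configured":
        findings.append("GroupPolicy = Not Configured: no NAP group policy on this client")
    for ec in sections.get("Enforcement client state", []):
        if ec.get("Id") == EAP_EC_ID and ec.get("Initialized") != "Yes":
            findings.append(f"{ec.get('Name')} (Id {EAP_EC_ID}) is not initialized")
    return findings
```
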
  • This means your client hasn't received the NAP group policy, or the NAP group policy hasn't been set in your domain.

    WiFi access is meant for non-domain users.
    Wednesday, November 16, 2011 4:44 AM
  • Hi,

    Well, NAP 802.1x with PEAP-EAP-MSCHAPv2 for a NON-domain computer.
    Configure your client with the steps below:
    1. Export the Root CA from the server and import it to Windows 7
    2. Enable 802.1x NAP with this command:
    netsh nap client set enforcement ID = "79623" admin = "ENABLE"
    3. Uncheck the "Automatically use my Windows logon name and password" option
    4. When connecting to the AP, enter the domain account.

    Here is a similar thread about NAP 802.1x with a NON-domain user.

    Regards,
    Rick Tan

    • Marked as answer by Rick Tan Monday, November 21, 2011 5:21 AM
    • Unmarked as answer by marianh Tuesday, November 22, 2011 9:20 AM
    Wednesday, November 16, 2011 6:52 AM