"netsh nap client show grouppolicy" showing no result

  • Question

  • Hi - I'm running W7 on the client computer and want to connect to Windows Server 2008 R2 running VPN server. I've followed the "step by step guide: demonstrate VPN NAP Enforcement in test lab" to page 35 but when I run "netsh nap client show grouppolicy" all I get is:

    NAP client configuration <Group policy>:
    ---------------------------------------------------
    NAP client configuration:
    ----------------------------------------------------

    And that's about it. No other details. I've noted that under W7 they no longer use Remote Access Quarantine Enforcement, instead using EAP enforcement. I've also tried running "gpupdate /force" on the client computer but no luck. Running "netsh nap client show client" gets me the desired result. I'm stumped. I think this is the reason the VPN is not working. When I try to log in via VPN I get "Error 629: The connection was closed by the remote computer" and I'm guessing the above problem is the reason.

    Any help would be really appreciated. Thanks heaps.

    Long
    Sunday, December 13, 2009 4:29 AM

Answers

  • Hi,

    It would appear that the user is part of a NAP client computer group. This won't work - you must make the computer part of the security group, not the user.

    If the WSHA isn't showing this could be because Security Center isn't running, or perhaps the "Enforce Network Access Protection" checkbox isn't set on either the client or the server. In Vista this used to be "Enable Quarantine Checks" - see below.

    Disclaimer: I haven't set this up in a while for Windows 7, but I think these are the correct settings displayed:

    Note: I un-checked Validate Server Certificate because it isn't required, only recommended.

    -Greg
    Monday, December 14, 2009 11:54 PM

All replies

  • Another thread (for a different problem) suggested manually copying in the computer certificate from the server to the client machine and that seems to have done the trick. SO HAPPY! I don't understand why the "netsh nap client show grouppolicy" doesn't work on my machines but I guess it's not a necessary step (despite what the step-by-step guide says). Time to celebrate!
    Sunday, December 13, 2009 10:58 AM
  • Maybe I celebrated too early. Maybe "netsh nap client show grouppolicy" is still required. The client computer gets in but is granted "Not NAP-capable" or "restricted" (depending on the Network Policy I configure). The system message from the connection is as follows:

    Network Policy Server granted access to a user.

    User:
    Security ID: REDZONEDOMAIN\SinovietWS2
    Account Name: REDZONEDOMAIN\SinovietWS2
    Account Domain: REDZONEDOMAIN
    Fully Qualified Account Name: REDZONEDOMAIN\SinovietWS2

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 192.168.1.2
    Calling Station Identifier: *.*.*.*

    NAS:
    NAS IPv4 Address: 192.168.1.2
    NAS IPv6 Address: -
    NAS Identifier: RZDOMAINSERVER
    NAS Port-Type: Virtual
    NAS Port: 128

    RADIUS Client:
    Client Friendly Name: RZDOMAINSERVER
    Client IP Address: 192.168.1.2

    Authentication Details:
    Connection Request Policy Name: NAP VPN
    Network Policy Name: NAP VPN Non NAP-Capable
    Authentication Provider: Windows
    Authentication Server: RZDomainServer.redzonedomain.*.com
    Authentication Type: PEAP
    EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
    Account Session Identifier: 3937
    Logging Results: Accounting information was written to the local log file.

    Quarantine Information:
    Result: Full Access
    Session Identifier: -

    AND THEN THE FOLLOWING QUARANTINE MESSAGE:

    Network Policy Server granted full access to a user because the host met the defined health policy.

    User:
    Security ID: REDZONEDOMAIN\SinovietWS2
    Account Name: REDZONEDOMAIN\SinovietWS2
    Account Domain: REDZONEDOMAIN
    Fully Qualified Account Name: REDZONEDOMAIN\SinovietWS2

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 192.168.1.2
    Calling Station Identifier: *.*.*.*

    NAS:
    NAS IPv4 Address: 192.168.1.2
    NAS IPv6 Address: -
    NAS Identifier: RZDOMAINSERVER
    NAS Port-Type: Virtual
    NAS Port: 128

    RADIUS Client:
    Client Friendly Name: RZDOMAINSERVER
    Client IP Address: 192.168.1.2

    Authentication Details:
    Connection Request Policy Name: NAP VPN
    Network Policy Name: NAP VPN Non NAP-Capable
    Authentication Provider: Windows
    Authentication Server: RZDomainServer.redzonedomain.*.com
    Authentication Type: PEAP
    EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
    Account Session Identifier: 3937

    Quarantine Information:
    Result: Full Access
    Extended-Result: -
    Session Identifier: -
    Help URL: -
    System Health Validator Result(s): -

    Any suggestions would be greatly appreciated. Thanks very much.
    Monday, December 14, 2009 3:23 AM
  • Hi,

    In order to get Group Policy settings, the client must be joined to the domain and the correct GPO must be applied. You can see which GPOs are applied using gpresult /r. If the client isn't getting any Group Policy settings it can still work by enabling local settings (which are displayed when you type netsh nap client show config). Either type of settings will work, but if both are present then the Group Policy ones will override the local ones.

    However, I think your client is not joined to the domain because of this:

    Client Machine:
    Security ID: NULL SID

    The blank security ID usually is because the client machine is not a member of the domain. Therefore, Group Policy settings will have no effect.

    Start the NAP agent using the services console (services.msc) and enable the EAP enforcement client using the nap client configuration console (napclcfg.msc).

    The computer is being evaluated as non NAP-capable, which means that either the NAP agent is off, the EAP enforcement client isn't initialized, or health checks aren't enabled on the client or server side. Issue a "netsh nap client show state" to see if the NAP agent is on and the EAP enforcement client is enabled. Below is an example of what you should see on a non domain-joined client:

    Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Not restricted
    Troubleshooting URL    = 
    Restriction start time = 
    Extended state         = 
    GroupPolicy            = Not Configured

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79619
    Name                   = IPsec Relying Party
    Description            = Provides IPsec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = Yes

    Id                     = 79621
    Name                   = RD Gateway Quarantine Enforcement Client
    Description            = Provides RD Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = Yes

    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent
    Description            = The Windows Security Health Agent monitors security settings on your computer.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 0
    Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating the security state of this computer.
    Compliance results     = (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -

    Monday, December 14, 2009 5:18 AM
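As an added illustration (not code from this thread or from Microsoft), the script below parses "netsh nap client show state" output of the shape quoted above and applies the three checks Greg lists: NAP agent enabled, the relevant enforcement client initialized, and at least one SHA registered. The SAMPLE_STATE text is constructed from the fields quoted in the reply and is not a real capture.

```python
# Added example (not from the thread): parse "netsh nap client show state" output and
# apply the checks in the reply above. SAMPLE_STATE is constructed from the fields quoted there.
SAMPLE_STATE = """\
Client state:
Status                 = Enabled

Enforcement client state:
Name                   = DHCP Quarantine Enforcement Client
Initialized            = No

Name                   = EAP Quarantine Enforcement Client
Initialized            = Yes

System health agent (SHA) state:
Name                   = Windows Security Health Agent
Initialized            = Yes
"""

def parse_state(text):
    """Return {section: [record, ...]}; records are the '=' blocks under each header."""
    sections, section, record = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and "=" not in line:   # section header, e.g. "Client state:"
            section = sections.setdefault(line[:-1], [])
            record = None
        elif "=" in line and section is not None:    # "field = value" line
            key, _, value = line.partition("=")
            if record is None:
                record = {}
                section.append(record)
            record[key.strip()] = value.strip()
        elif not line:                               # blank line closes the record
            record = None
    return sections

def diagnose(sections, enforcement_client):
    """List reasons the client would evaluate as non NAP-capable ([] = none found)."""
    problems = []
    client = sections.get("Client state") or [{}]
    if client[0].get("Status") != "Enabled":
        problems.append("NAP agent is not running (Status is not Enabled)")
    ecs = {r.get("Name"): r for r in sections.get("Enforcement client state", [])}
    ec = ecs.get(enforcement_client)
    if ec is None or ec.get("Initialized") != "Yes":
        problems.append(f"{enforcement_client} is not initialized")
    if not sections.get("System health agent (SHA) state"):
        problems.append("no SHA registered (check that Security Center is running)")
    return problems
```

An empty "System health agent (SHA) state:" section, as in the DHCP case later in this thread, is reported as a missing SHA.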
  • Hi Greg - really appreciate your reply. You've basically nailed precisely the situation I'm in, I think. My result for "netsh nap client show state" returns exactly what you've got above except my compliance results below "System health agent (SHA)" is blank.

    In an effort to try to remediate not having a SECURITY ID I tried to drop out of the domain back into a workgroup and then rejoin the domain, hoping that the system would somehow fix it. But even after these steps and a VPN connection the server still displays SECURITY ID: NULL SID. I'm stumped. Might it be related to the fact that I joined this domain before I set up NAP, VPN server and certificate server and the rest? Is there a way to flush the old domain setup files on my client computer (besides reinstalling the OS)?

    Results of the "gpresult /r" is listed below:

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 14/12/2009 at 6:52:16 PM

    RSOP data for REDZONEDOMAIN\SinovietWS2 on SINOVIETWS2-PC : Logging Mode
    -------------------------------------------------------------------------

    OS Configuration:            Member Workstation
    OS Version:                  6.1.7600
    Site Name:                   N/A
    Roaming Profile:             N/A
    Local Profile:               C:\Users\SinovietWS2.REDZONEDOMAIN
    Connected over a slow link?: No

    USER SETTINGS
    --------------
        CN=SinovietWS2,CN=Users,DC=redzonedomain,DC=***,DC=com

        Last time Group Policy was applied: 14/12/2009 at 6:32:21 PM
        Group Policy was applied from:      RZDomainServer.redzonedomain.***.com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        REDZONEDOMAIN
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            N/A

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            NAP Client Settings
                Filtering:  Not Applied (Empty)

            Local Group Policy
                Filtering:  Not Applied (Empty)

            Default Domain Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Users
            BUILTIN\Administrators
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Domain Admins
            NAP client computers
            Denied RODC Password Replication Group
            High Mandatory Level

    Monday, December 14, 2009 11:04 AM
  • One good thing has come out of the manoeuvres involved above - my client computer via VPN has access to the server's resources and server has access to the client's. Before today the client could access server's drives but server could not access client's drives. I can definitely live with this setup. 
    Monday, December 14, 2009 3:45 PM
  • Absolutely brilliant! "netsh nap client show grouppolicy" now works, Windows Server now allocates a Security ID and the status on the VPN server is "unrestricted". I swear I read the Microsoft step-by-step guide inside out and upside down but there was only mention of adding the user rather than the computer to the "NAP client security group". Thanks a million Greg!
    Tuesday, December 15, 2009 9:27 AM
  • Dear

    I am running DHCP with NAP; when a client connects it is not getting full access. My system grants it Non compliant DHCP only. Client state is attached for your reference. Please help me find where I am wrong.

    Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Restricted
    Troubleshooting URL    =
    Restriction start time =
    Extended state         =
    GroupPolicy            = Configured

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes

    Id                     = 79619
    Name                   = IPsec Relying Party
    Description            = Provides IPsec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79621
    Name                   = RD Gateway Quarantine Enforcement Client
    Description            = Provides RD Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    System health agent (SHA) state:
    ----------------------------------------------------

    Thanks

    Jijo

    Wednesday, July 4, 2012 4:49 PM
  • Hi,

    It would be better to start a new question for this instead of using this one, because it is already answered. When a question is already answered it can cause people to not look for new questions and thus ignore it.

    However, since I see your question I should ask what operating system you are running. Are you using Windows Server as a NAP client?

    Thanks,

    -Greg

    Thursday, July 5, 2012 8:27 AM