Network Policy Selection

  • Question

  • I am hoping someone can provide some wisdom in regards to a NAP issue I am running into in the lab.


    For some reason the NPS is not selecting the correct Network Policy during authentication and, as such, remediation is not occurring. Regardless of the policy order or match conditions I define in each policy, the NPS server always selects the 'Connections to other access servers' policy. As such the client is always granted access regardless of Health Status (see below):


    User marshal2@example.com was granted access.
     Fully-Qualified-User-Name = example.com/Users/Kevin L. Marshall
     Machine-Name = ibmt30-2.example.com
     OS-Version = 6.0.6000 0.0 x86 Workstation
     Fully-Qualified-Machine-Name=EXAMPLE\IBMT30-2$
     NAS-IP-Address = 192.168.10.50
     NAS-IPv6-Address = <not present>
     NAS-Identifier = <not present>
     Client-Friendly-Name = ERS5510-48T
     Client-IP-Address = 192.168.10.50
     Client-IPv6-Address = <not present>
     Calling-Station-Identifier = 00-09-6B-13-23-89
     NAS-Port-Type = Ethernet
     NAS-Port = 14
     Connection-Request-Policy-Name = Wired PEAP-TLS
     Policy-Name = Connections to other access servers
     Authentication-Provider = Windows
     Authentication-Server = w8kserver.example.com
     Authentication-Type = PEAP
     EAP-Type = Microsoft: Smart Card or other certificate
     Account-Session-Identifier=<not present>
     Quarantine-State=Full Access


    Machine ibmt30-2.example.com was given full access.
     OS-Version = 6.0.6000 0.0 x86 Workstation
     Fully-Qualified-Machine-Name = EXAMPLE\IBMT30-2$
     Fully-Qualified-User-Name = example.com/Users/Kevin L. Marshall
     NAS-IP-Address = 192.168.10.50
     NAS-IPv6-Address = <not present>
     NAS-Identifier = <not present>
     Called-Station-Identifier = <not present>
     Calling-Station-Identifier = 00-09-6B-13-23-89
     Account-Session-Identifier = <not present>
     Connection-Request-Policy-Name = Wired PEAP-TLS
     Policy-Name = Connections to other access servers
     Extended-Quarantine-State = No Data
     Quarantine-Session-Identifier = {706A0B1B-8FFB-4471-9AF1-3EDE8AA18599} - 2007-08-02 19:33:42.536Z
     Quarantine-System-Health-Result =
    Windows Security Health Validator

     NonCompliant
     NoData
     None
     (0x0-)
     (0xc0ff0002-A system health component is not installed.
    )
     (0x0-)
     (0x0-)
     (0x0-)
     (0x0-)
     (0x0-)
     (0x0-).


    I suspect that I am missing something obvious but I am at a loss as to what. Any suggestions would be appreciated !

    Thursday, August 2, 2007 7:45 PM

Answers

  • Can you ensure that you have configured your Connection Request Policy (CRP) to 'Override Authentication' for requests coming from your Network Access Device?

    In order to do 802.1x PEAP-based NAP, you must instruct the server to gather health information as part of the EAP authentication process, but also to have it gathered prior to entering the Network Policy stage of the authentication. You do this by configuring your Connection Request Policy to override the authentication settings of the Network Policies. In the CRP's properties dialog, select the 'Settings' tab, and choose 'Authentication Methods' from the list on the left. Then check the first box 'Override network policy authentication settings'.

    Add 'Microsoft: Protected EAP (PEAP)' as the EAP type, then select PEAP and click the Edit button. Within the PEAP properties, ensure that you check the box that instructs the server to perform Quarantine checks.

    The other item that might be conflicting is the 'Policy Source' tagging - For 802.1x PEAP-based NAP, ensure that all policies have a 'Source' setting of 'Unspecified'.

    This should get you on your way...

    -Chris

    Chris.Edson@online.microsoft.com *

    SDET, Network Access Protection

    * Remove the "online" to make the address valid.

    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, August 6, 2007 8:55 PM
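An added check, not from the thread, that parses NPS event text of the kind quoted in the question, merges the user and machine events for one client by Calling-Station-Identifier, and flags the two symptoms discussed: the fallback 'Connections to other access servers' policy being selected (the CRP override and PEAP quarantine-check settings Chris describes are what normally fix this) and a NonCompliant WSHV verdict paired with Quarantine-State=Full Access. The sample events are condensed from the question and the finding labels are my own names.

```python
from collections import defaultdict

FALLBACK_POLICY = "Connections to other access servers"

# Constructed samples, condensed from the two NPS events quoted in the question.
EVENT_USER = """User marshal2@example.com was granted access.
 Calling-Station-Identifier = 00-09-6B-13-23-89
 Policy-Name = Connections to other access servers
 Quarantine-State=Full Access"""
EVENT_MACHINE = """Machine ibmt30-2.example.com was given full access.
 Calling-Station-Identifier = 00-09-6B-13-23-89
 Policy-Name = Connections to other access servers
 Quarantine-System-Health-Result =
Windows Security Health Validator

 NonCompliant
 (0xc0ff0002-A system health component is not installed.
)"""

def parse_nps_event(text):
    """Parse 'Key = Value' lines into a dict; the WSHV block that follows
    'Quarantine-System-Health-Result =' becomes SHV-Name and SHV-Verdict."""
    fields = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep:
            continue  # banner line or raw SHV result code, not a field
        fields[key] = value
        if key == "Quarantine-System-Health-Result" and i + 2 < len(lines):
            fields["SHV-Name"], fields["SHV-Verdict"] = lines[i + 1], lines[i + 2]
    return fields

def findings_for(fields):
    """Finding labels (my own names) for one client's merged event fields."""
    findings = []
    if fields.get("Policy-Name") == FALLBACK_POLICY:
        findings.append("fallback-policy")  # no NAP network policy matched
    if (fields.get("SHV-Verdict") == "NonCompliant"
            and fields.get("Quarantine-State") == "Full Access"):
        findings.append("noncompliant-full-access")  # enforcement not applied
    return findings

def audit(events):
    """Merge events per client (Calling-Station-Identifier) and report findings."""
    sessions = defaultdict(dict)
    for text in events:
        fields = parse_nps_event(text)
        sessions[fields.get("Calling-Station-Identifier", "?")].update(fields)
    return {mac: findings_for(f) for mac, f in sessions.items()}
```

Running `audit([EVENT_USER, EVENT_MACHINE])` on the question's events reports both findings for 00-09-6B-13-23-89; once the CRP override is in place the Policy-Name should change to one of the NAP network policies and the first finding disappears.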

All replies

  • How have you configured the Windows Security Health Validator (WSHV), or installed and configured other system health agents (SHAs) and system health validators (SHVs)?

    I would suggest temporarily disabling the “Connections to other access servers” policy, then see whether your policies work.

    Friday, August 3, 2007 11:41 AM
  • From what I can tell both the WSHV and SHA components are installed and configured correctly. If you look at the event log I posted you can actually see the WSHV component reporting that the policy check failed, so I assume it's working (but could be mistaken).

    If I disable the 'Connections to other access servers' Network Policy, client authentication fails with a 'The connection attempt did not match any remote access policy' message. I have checked the match conditions in my Network Policies and have defined everything I can think of.

    No matter what I do, NPS refuses to select one of the Network Policies I have defined. I have defined them manually following the 'NAP_802.1X_StepByStep.doc' as well as using the Wizard.

     

    I'm stumped...

    Friday, August 3, 2007 1:59 PM