Wireless 802.1X NAP says my Win7 PC is non-NAP Capable

Question
Hi, I have a Cisco WLC4402 configured with NPS/NAP 802.1X. Using Cisco WLC V7 SW.
Supplicant is a Windows 7 computer; I have enabled the NAP client and the EAP enforcement agent. All looks good. Action Center says NAP is active. I authenticate but keep getting chucked into the non-capable quarantine LAN. The WLAN AutoConfig service is running also.
Just to be on the safe side, in NPS I changed the error codes to report as compliant. But it changed nothing.
Note: the PC is not a member of the domain, but I don't think that would affect it.
Every time I attempt, there are 2 items in the NPS log file (shown below).
I'm stumped. NPS rules created using the wizards. Any help appreciated.
ITEM 2 in NPS LOG FILE----------------------------------------------------------
Network Policy Server quarantined a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: TAZ\taz
Account Name: TAZ\taz
Account Domain: TAZ
Fully Qualified Account Name: TAZ\taz
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 18-ef-63-fc-3d-a0:TAZ-WLC
Calling Station Identifier: 00-25-9c-dc-a3-45
NAS:
NAS IPv4 Address: 192.168.60.2
NAS IPv6 Address: -
NAS Identifier: WLC
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1
RADIUS Client:
Client Friendly Name: Cisco WLC
Client IP Address: 192.168.60.2
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections from WLC
Network Policy Name: NAP 802.1X (Wireless) Non NAP-Capable
Authentication Provider: Windows
Authentication Server: DC1.taz.com
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Quarantine Information:
Result: Quarantined
Extended-Result: -
Session Identifier: -
Help URL: -
System Health Validator Result(s): -

ITEM 1 in NPS LOG FILE----------------------------------------------------------
Network Policy Server granted access to a user.
User:
Security ID: TAZ\taz
Account Name: TAZ\taz
Account Domain: TAZ
Fully Qualified Account Name: TAZ\taz
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 18-ef-63-fc-3d-a0:TAZ-WLC
Calling Station Identifier: 00-25-9c-dc-a3-45
NAS:
NAS IPv4 Address: 192.168.60.2
NAS IPv6 Address: -
NAS Identifier: WLC
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1
RADIUS Client:
Client Friendly Name: Cisco WLC
Client IP Address: 192.168.60.2
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections from WLC
Network Policy Name: NAP 802.1X (Wireless) Non NAP-Capable
Authentication Provider: Windows
Authentication Server: DC1.taz.com
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Quarantine Information:
Result: Quarantined
Session Identifier: -

NETSH STATUS ON CLIENT ----------------------------------------------------------
C:\Windows\system32>netsh nap client show config
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled
Name = IPsec Relying Party
ID = 79619
Admin = Disabled
Name = RD Gateway Quarantine Enforcement Client
ID = 79621
Admin = Disabled
Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Enabled
Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled
Ok.
C:\Windows\system32>netsh nap client show state
Client state:
----------------------------------------------------
Name = Network Access Protection Client
Description = Microsoft Network Access Protection Client
Protocol version = 1.0
Status = Enabled
Restriction state = Not restricted
Troubleshooting URL =
Restriction start time =
Extended state =
GroupPolicy = Not Configured
Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Description = Provides DHCP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79619
Name = IPsec Relying Party
Description = Provides IPsec based enforcement for Network Access Protection
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79621
Name = RD Gateway Quarantine Enforcement Client
Description = Provides RD Gateway enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79623
Name = EAP Quarantine Enforcement Client
Description = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Description = The Windows Security Health Agent monitors security settings on your computer.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (3237937214) - The Windows Security Health Agent has finished updating the security state of this computer.
Compliance results =
Remediation results =
Ok.

Event Log on PC Shows:
System Isolation State Change. Extended State details:
Previous :
Extended State : No Data (0)
Current :
Extended State : No Data (0)
Saturday, May 7, 2011 10:28 AM
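The two NPS events pasted above carry the diagnostic clue: the request matched the "Non NAP-Capable" network policy and the System Health Validator result is "-", so no Statement of Health (SoH) ever reached NPS and no SHV ran. The following script is an added example, not part of the original post, that parses an event of this shape into section-qualified fields and labels the cause. The first event text is constructed from the post (abridged to the fields read here); the second is a constructed counter-example in which an SoH did arrive and failed, to show that the same "Quarantined" result can have a different cause.

```python
"""Triage an NPS "quarantined a user" event pasted as plain text (added example)."""

# Constructed from the posted event; abridged to the fields this script reads.
SAMPLE_EVENT = """\
Network Policy Server quarantined a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: TAZ\\taz
Account Name: TAZ\\taz
Client Machine:
Security ID: NULL SID
Account Name: -
OS-Version: -
Calling Station Identifier: 00-25-9c-dc-a3-45
NAS:
NAS Port-Type: Wireless - IEEE 802.11
Authentication Details:
Network Policy Name: NAP 802.1X (Wireless) Non NAP-Capable
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Quarantine Information:
Result: Quarantined
Extended-Result: -
System Health Validator Result(s): -
"""

# Constructed counter-example (not from the post): an SoH arrived and an SHV
# marked it noncompliant, so the identical "Quarantined" result has another cause.
SAMPLE_EVENT_SHV_FAIL = SAMPLE_EVENT.replace(
    "Network Policy Name: NAP 802.1X (Wireless) Non NAP-Capable",
    "Network Policy Name: NAP 802.1X (Wireless) Noncompliant",
).replace(
    "System Health Validator Result(s): -",
    "System Health Validator Result(s): Windows Security Health Validator: Noncompliant",
)


def parse_event(text):
    """Map 'Section.Key' -> value.

    A line ending in ':' opens a section (User:, Client Machine:, ...); 'Key: Value'
    lines are filed under the current section; lines without ':' are narrative.
    Splitting on the first ':' keeps values such as 'Microsoft: Secured password' intact.
    """
    fields, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            section = line[:-1]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        name = f"{section}.{key.strip()}" if section else key.strip()
        fields[name] = value.strip()
    return fields


def classify(text):
    """Return a short cause label for a quarantine event."""
    f = parse_event(text)
    result = f.get("Quarantine Information.Result", "")
    shv = f.get("Quarantine Information.System Health Validator Result(s)", "-")
    policy = f.get("Authentication Details.Network Policy Name", "")
    if result != "Quarantined":
        return "not-quarantined"
    if shv == "-" and "Non NAP-Capable" in policy:
        # No SoH in the request: the supplicant never sent health data, so the
        # fix is on the client, not in any SHV setting on the server.
        return "no-soh-non-nap-capable"
    if shv != "-":
        # An SoH arrived and a health validator rejected it: remediate the host.
        return "shv-noncompliant"
    return "quarantined-other"


if __name__ == "__main__":
    for label, ev in (("posted event", SAMPLE_EVENT),
                      ("constructed SHV failure", SAMPLE_EVENT_SHV_FAIL)):
        f = parse_event(ev)
        print(f"{label}: user={f['User.Security ID']} "
              f"policy={f['Authentication Details.Network Policy Name']!r}")
        print(f"  cause: {classify(ev)}")
```

Run it against your own events by pasting the text of one event into a file and calling `classify(open(path).read())`; the point is that a "-" in the SHV field means NPS never evaluated health at all, which rules out the SHV error-code change the poster tried.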
Answers
Problem solved.
On the wireless connection properties, there is a tick box to enforce NAP. Not ticked by default.
http://ctp.social.technet.microsoft.com/Forums/en/winserverNAP/thread/a152fa5f-f041-4c46-8711-8e40a2d08e28
Marked as answer by oztasdevil, Sunday, May 8, 2011 1:13 AM
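The tick box the answer refers to is "Enforce Network Access Protection" in the PEAP method properties of the wireless profile, and it is off by default, so the supplicant never attaches an SoH and NPS files the session under the Non NAP-Capable policy. The script below is an added example, not from the post or from Microsoft, that audits an exported WLAN profile for that setting. It assumes the exported XML carries the setting as an `EnableQuarantineChecks` element inside the PEAP `EapType` (my recollection of the profile schema; verify against your own export), and both profiles are constructed and abridged to the elements the check reads, with the SSID name taken from the Called Station Identifier in the post.

```python
"""Audit an exported Windows WLAN profile for PEAP NAP enforcement (added example)."""
import xml.etree.ElementTree as ET

# Constructed, abridged profile in the shape "netsh wlan export profile" writes.
# The EnableQuarantineChecks element name is this example's assumption about the schema.
PROFILE_TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>TAZ-WLC</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication><encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
          <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>25</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                <FastReconnect>true</FastReconnect>
                <InnerEapOptional>false</InnerEapOptional>
                <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
                <EnableQuarantineChecks>{nap}</EnableQuarantineChecks>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""

PROFILE_UNTICKED = PROFILE_TEMPLATE.format(nap="false")  # the default the answer describes
PROFILE_TICKED = PROFILE_TEMPLATE.format(nap="true")     # after ticking the box

PEAP = "25"  # EAP method type number for PEAP in the profile XML


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_profile(profile_xml):
    """Describe the 802.1X / outer EAP / NAP state of one exported profile."""
    root = ET.fromstring(profile_xml)
    elems = list(root.iter())  # document order, so the outer <Eap> comes first

    def text(e):
        return (e.text or "").strip()

    name = next((text(e) for e in elems if _local(e.tag) == "name"), "")
    one_x = any(_local(e.tag) == "useOneX" and text(e) == "true" for e in elems)
    # <Type> children of each <Eap>: outer method first, inner method second.
    types = [text(t) for e in elems if _local(e.tag) == "Eap"
             for t in e if _local(t.tag) == "Type"]
    nap = next((text(e).lower() == "true" for e in elems
                if _local(e.tag) == "EnableQuarantineChecks"), None)
    return {
        "name": name,
        "one_x": one_x,
        "outer_eap": types[0] if types else None,
        "inner_eap": types[1] if len(types) > 1 else None,
        "nap_enforced": nap,  # True / False / None when the element is absent
    }


def findings(profile_xml):
    """List what a NAP admin would want changed in this profile."""
    a = audit_profile(profile_xml)
    out = []
    if not a["one_x"]:
        out.append("802.1X is not enabled on this profile")
    if a["outer_eap"] != PEAP:
        out.append("outer method is not PEAP; NAP over 802.1X needs PEAP")
    if a["nap_enforced"] is None:
        out.append("no EnableQuarantineChecks element: NAP enforcement not configured")
    elif a["nap_enforced"] is False:
        out.append("EnableQuarantineChecks is false: tick 'Enforce Network Access Protection' "
                   "in the PEAP properties, or the client never sends an SoH")
    return out


if __name__ == "__main__":
    for label, prof in (("unticked", PROFILE_UNTICKED), ("ticked", PROFILE_TICKED)):
        print(label, audit_profile(prof))
        for line in findings(prof):
            print("  -", line)
```

To audit a real profile, export it with `netsh wlan export profile name="<profile name>" folder=C:\temp` and pass the file contents to `findings()`. Checking the exported XML is also the quick way to confirm a Group Policy wireless profile actually pushed the setting to domain members.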