Wireless 802.1X NAP says my Win7 PC is non-NAP Capable

  • Question

  • Hi, I have a Cisco WLC4402 configured with NPS/NAP 802.11X. Using Cisco WLC V7 SW.

    Supplicant is Windows 7 computer, I have enabled the NAP client and the EAP enforcement agent. All looks good. Action Center says NAP is active. I authenticate but keep getting chucked into the non-capable quarantine LAN. WLAN AutoConfig service running also.

    Just to be on the safe side, in NPS I changed the error codes to report as compliant. But it changed nothing...

    Note: PC is not a member of the domain, but I don't think that would affect it.


    Every time I attempt, there are 2 items in the NPS log file (shown below).

    I'm stumped. NPS rules created using the wizards. Any help appreciated.


    ITEM 2 in NPS LOG FILE----------------------------------------------------------

    Network Policy Server quarantined a user.


    Contact the Network Policy Server administrator for more information.

    User:
        Security ID:            TAZ\taz
        Account Name:            TAZ\taz
        Account Domain:            TAZ
        Fully Qualified Account Name:    TAZ\taz

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        18-ef-63-fc-3d-a0:TAZ-WLC
        Calling Station Identifier:        00-25-9c-dc-a3-45

    NAS:
        NAS IPv4 Address:        192.168.60.2
        NAS IPv6 Address:        -
        NAS Identifier:            WLC
        NAS Port-Type:            Wireless - IEEE 802.11
        NAS Port:            1

    RADIUS Client:
        Client Friendly Name:        Cisco WLC
        Client IP Address:            192.168.60.2

    Authentication Details:
        Connection Request Policy Name:    Secure Wireless Connections from WLC
        Network Policy Name:        NAP 802.1X (Wireless) Non NAP-Capable
        Authentication Provider:        Windows
        Authentication Server:        DC1.taz.com
        Authentication Type:        PEAP
        EAP Type:            Microsoft: Secured password (EAP-MSCHAP v2)
        Account Session Identifier:        -

    Quarantine Information:
        Result:                Quarantined
        Extended-Result:            -
        Session Identifier:            -
        Help URL:            -
        System Health Validator Result(s):    -

    ITEM 1 in NPS LOG FILE----------------------------------------------------------

    Network Policy Server granted access to a user.

    User:
        Security ID:            TAZ\taz
        Account Name:            TAZ\taz
        Account Domain:            TAZ
        Fully Qualified Account Name:    TAZ\taz

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        18-ef-63-fc-3d-a0:TAZ-WLC
        Calling Station Identifier:        00-25-9c-dc-a3-45

    NAS:
        NAS IPv4 Address:        192.168.60.2
        NAS IPv6 Address:        -
        NAS Identifier:            WLC
        NAS Port-Type:            Wireless - IEEE 802.11
        NAS Port:            1

    RADIUS Client:
        Client Friendly Name:        Cisco WLC
        Client IP Address:            192.168.60.2

    Authentication Details:
        Connection Request Policy Name:    Secure Wireless Connections from WLC
        Network Policy Name:        NAP 802.1X (Wireless) Non NAP-Capable
        Authentication Provider:        Windows
        Authentication Server:        DC1.taz.com
        Authentication Type:        PEAP
        EAP Type:            Microsoft: Secured password (EAP-MSCHAP v2)
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.

    Quarantine Information:
        Result:                Quarantined
        Session Identifier:            -


    NETSH STATUS ON CLIENT ----------------------------------------------------------


    C:\Windows\system32>netsh nap client show config

    NAP client configuration:
    ----------------------------------------------------

    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048

    Hash algorithm = sha1RSA (1.3.14.3.2.29)

    Enforcement clients:
    ----------------------------------------------------
    Name            = DHCP Quarantine Enforcement Client
    ID              = 79617
    Admin           = Disabled

    Name            = IPsec Relying Party
    ID              = 79619
    Admin           = Disabled

    Name            = RD Gateway Quarantine Enforcement Client
    ID              = 79621
    Admin           = Disabled

    Name            = EAP Quarantine Enforcement Client
    ID              = 79623
    Admin           = Enabled

    Client tracing:
    ----------------------------------------------------
    State = Disabled
    Level = Disabled

    Ok.


    C:\Windows\system32>netsh nap client show state

    Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Not restricted
    Troubleshooting URL    =
    Restriction start time =
    Extended state         =
    GroupPolicy            = Not Configured

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79619
    Name                   = IPsec Relying Party
    Description            = Provides IPsec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79621
    Name                   = RD Gateway Quarantine Enforcement Client
    Description            = Provides RD Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those
    d with 802.1X and VPN technologies.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes

    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent

    Description            = The Windows Security Health Agent monitors security settings on your computer.

    Version                = 1.0

    Vendor name            = Microsoft Corporation

    Registration date      =
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 0
    Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating the security state of this comput


    Compliance results     =
    Remediation results    =

    Ok.


    Event Log on PC Shows:

    System Isolation State Change. Extended State details:
     Previous :
        Extended State          : No Data (0)
     Current :
        Extended State          : No Data (0)




    Saturday, May 7, 2011 10:28 AM
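A small parser and triage check for NPS audit events like the two quoted above, added here as an example (it is not code from the thread or from Microsoft tooling). It flags the pattern in the post: the catch-all "Non NAP-Capable" network policy matched and no System Health Validator result was recorded, which means the PEAP exchange carried no Statement of Health, so the client-side EAP enforcement setting is the place to look rather than the NPS health policy. SAMPLE_EVENTS is constructed from the post's second event, trimmed to the fields the check reads.

```python
import re

# Constructed sample: the second NPS audit event from the post above, trimmed to
# the fields this check reads (values copied from the post).
SAMPLE_EVENTS = """\
Network Policy Server quarantined a user.
Client Machine:
    Security ID:            NULL SID
Authentication Details:
    Network Policy Name:        NAP 802.1X (Wireless) Non NAP-Capable
    EAP Type:            Microsoft: Secured password (EAP-MSCHAP v2)
Quarantine Information:
    Result:                Quarantined
    System Health Validator Result(s):    -
"""

SECTION_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*):\s*$")  # e.g. "Client Machine:"
FIELD_RE = re.compile(r"^\s*(.+?):\s+(.*?)\s*$")           # "Key:   value" (value may hold ':')

def parse_nps_events(text):
    """Split NPS audit text into events; each event maps section -> {field: value}."""
    events, section = [], None
    for line in text.splitlines():
        if line.strip().startswith("Network Policy Server "):
            events.append({"_header": {"message": line.strip()}})
            section = None
            continue
        sec = SECTION_RE.match(line)
        if sec and events:
            section = sec.group(1)
            events[-1].setdefault(section, {})
            continue
        fld = FIELD_RE.match(line)
        if fld and section:  # section is only set once an event header was seen
            events[-1][section][fld.group(1)] = fld.group(2)
    return events

def triage(event):
    """Return 'no_soh', 'noncompliant' or 'other' for one parsed NPS event."""
    policy = event.get("Authentication Details", {}).get("Network Policy Name", "")
    quar = event.get("Quarantine Information", {})
    shv = quar.get("System Health Validator Result(s)", "-")
    # Non NAP-Capable policy matched and no SHV result: the supplicant authenticated
    # but sent no Statement of Health, so check the client's EAP enforcement setting.
    if "Non NAP-Capable" in policy and shv in ("", "-"):
        return "no_soh"
    if quar.get("Result") == "Quarantined":
        return "noncompliant"
    return "other"
```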

Answers

  • Problem solved.

    On the wireless connection properties, there is a tick box to enforce NAP. Not ticked by default.


    http://ctp.social.technet.microsoft.com/Forums/en/winserverNAP/thread/a152fa5f-f041-4c46-8711-8e40a2d08e28


    • Marked as answer by oztasdevil Sunday, May 8, 2011 1:13 AM
    Sunday, May 8, 2011 1:13 AM