Restriction state = Restricted for some clients: DHCP NAP

Question
Hi All,
I have clients and server on different subnets. Even after 100% updated SHV and SHA, the state is restricted. I have implemented DHCP NAP, NPS and DHCP on the same server. Remediation servers are also on the same subnet as the DHCP and NPS server.
Logs:
Client state:
----------------------------------------------------
Name = Network Access Protection Client
Description = Microsoft Network Access Protection Client
Protocol version = 1.0
Status = Enabled
Restriction state = Restricted
Troubleshooting URL =
Restriction start time =
Extended state =

Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Description = Provides DHCP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes

Id = 79618
Name = Remote Access Quarantine Enforcement Client
Description = Provides the quarantine enforcement for RAS Client
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

Id = 79619
Name = IPSec Relying Party
Description = Provides IPSec based enforcement for Network Access Protection
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

Id = 79620
Name = Wireless Eapol Quarantine Enforcement Client
Description = Provides wireless Eapol based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

Id = 79621
Name = TS Gateway Quarantine Enforcement Client
Description = Provides TS Gateway enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

Id = 79623
Name = EAP Quarantine Enforcement Client
Description = Provides EAP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Description = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (3237937214) - The Windows Security Health Agent has finished updating its security state.
Compliance results = (0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
Remediation results =

Id = 79745
Name = Configuration Manager System Health Agent
Description = Configuration Manager System Health Agent facilitates enforcement of software update compliance using Network Access Protection.
Version = 2007
Vendor name = Microsoft Corporation
Registration date = 4/20/2012 2:06:59 PM
Initialized = No
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (0) -

Monday, September 24, 2012 7:11 AM
Answers
Hi,
Thank you for the post.
I have seen this condition when the NAP agent started after the client gained the DHCP address. I suggest you:
1. Configure DHCP option 003 Router for the client if the NPS server is located in another subnet
2. Set the DHCP service dependency with the NAP agent service via the command "sc config dhcp depend= napagent" (not recommended)
3. Of course, you could try to fix the issue by just restarting the NAP agent service
Here are some similar threads:
http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/bc4656e8-018d-42bc-b038-e28b9f5bd146
http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/38351651-ac82-4eea-bf05-05f15c3c9d86
If there are more inquiries on this issue, please feel free to let us know.
Regards
Rick Tan
TechNet Community Support
Wednesday, September 26, 2012 3:47 AM
Hi Rick,
Router was already configured. I'd configured option 121 for Classless Static Route, for all the scope.
The issue got resolved.
Regards,
Arnav Sharma
- Marked as answer by arnavsharma Monday, October 1, 2012 8:21 AM
Monday, October 1, 2012 8:21 AM
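
Added example, not part of the original thread: a Python parser for client state dumps in the layout shown in the question, which flags a client that is restricted although no initialized SHA reports a failure (the situation the question describes). The sample text is constructed and abbreviated from that dump, and the names `parse_nap_state` and `triage` are hypothetical.

```python
# Constructed, abbreviated sample in the layout of the dump in the question.
SAMPLE = """\
Client state:
----------------------------------------------------
Name = Network Access Protection Client
Restriction state = Restricted
Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Initialized = Yes
Id = 79618
Name = Remote Access Quarantine Enforcement Client
Initialized = No
System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Initialized = Yes
Failure category = None
"""

def parse_nap_state(text):
    """Return {section title: [record dict, ...]}; hypothetical helper name."""
    sections, title, record = {}, None, None
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        underline = lines[i + 1] if i + 1 < len(lines) else ""
        if line.endswith(":") and set(underline) == {"-"}:
            title, record = line[:-1], {}          # dashed underline marks a section
            sections[title] = [record]
        elif "=" in line and title is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "Id" and record:             # "Id =" opens the next record
                record = {}
                sections[title].append(record)
            record[key] = value
    return sections

def triage(text):
    s = parse_nap_state(text)
    restricted = s["Client state"][0].get("Restriction state") == "Restricted"
    active = [r["Name"] for r in s.get("Enforcement client state", [])
              if r.get("Initialized") == "Yes"]
    failing = [r["Name"] for r in s.get("System health agent (SHA) state", [])
               if r.get("Initialized") == "Yes" and r.get("Failure category") != "None"]
    # Restricted with no failing SHA is the situation described in the question.
    return {"restricted": restricted, "enforcement_clients": active,
            "failing_shas": failing, "unexplained": restricted and not failing}
```

An `unexplained` result of True means the health agents are not the reason for the restriction, so the next things to check are the ones raised in the answer: agent start order and the routes handed out by DHCP.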