Remove From My Forums

Restriction state = Restricted for some clients: DHCP NAP

Question
0

Sign in to vote

Hi All,

i have clients and Server on different subnets. Even after 100 % updated SHV and SHA, the state is restricted. I have implemented DHCP NAP, NPS AND DHCP on same server. Remediation servers are also on the same subnet as of the DHCP and NPS server

Logs:

Client state:
----------------------------------------------------
Name                   = Network Access Protection Client
Description            = Microsoft Network Access Protection Client
Protocol version       = 1.0
Status                 = Enabled
Restriction state      = Restricted
Troubleshooting URL    =
Restriction start time =
Extended state         =

Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Description            = Provides DHCP based enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = Yes

Id                     = 79618
Name                   = Remote Access Quarantine Enforcement Client
Description            = Provides the quarantine enforcement for RAS Client
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79619
Name                   = IPSec Relying Party
Description            = Provides IPSec based enforcement for Network Access Protection
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79620
Name                   = Wireless Eapol Quarantine Enforcement Client
Description            = Provides wireless Eapol based enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79621
Name                   = TS Gateway Quarantine Enforcement Client
Description            = Provides TS Gateway enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79623
Name                   = EAP Quarantine Enforcement Client
Description            = Provides EAP based enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

System health agent (SHA) state:
----------------------------------------------------
Id                     = 79744
Name                   = Windows Security Health Agent

Description            = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.

Version                = 1.0

Vendor name            = Microsoft Corporation

Registration date      =
Initialized            = Yes
Failure category       = None
Remediation state      = Success
Remediation percentage = 0
Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating its security state.

Compliance results     = (0x00000000) -
                         (0x00000000) -
                         (0x00000000) -
                         (0x00000000) -
                         (0x00000000) -
                         (0x00000000) -

Remediation results    =

Id                     = 79745
Name                   = Configuration Manager System Health Agent
Description            = Configuration Manager System Health Agent facilitates enforcement of software update compliance using Network Access Protection.
Version                = 2007
Vendor name            = Microsoft Corporation
Registration date      = 4/20/2012 2:06:59 PM
Initialized            = No
Failure category       = None
Remediation state      = Success
Remediation percentage = 0
Fixup Message          = (0) -

Monday, September 24, 2012 7:11 AM

Answers

0

Sign in to vote
Hi,

Thank you for the post.

I have seen this condition when NAP agent started after client gain the DHCP address. I suggest you
1. Configure DHCP option 003 Router to client if NPS server locates in another subnet
2. Set DHCP service dependency with NAP agent service via command "sc config dhcp depend= napagent" (not recommended)
3. Of course, you could try to fix the issue just restart NAP agent service

Here are some similar threads:
http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/bc4656e8-018d-42bc-b038-e28b9f5bd146
http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/38351651-ac82-4eea-bf05-05f15c3c9d86

If there are more inquiries on this issue, please feel free to let us know.

Regards

Rick Tan

TechNet Community Support
- Edited by Rick Tan Wednesday, September 26, 2012 3:48 AM
- Marked as answer by Rick Tan Monday, October 1, 2012 3:14 AM
Wednesday, September 26, 2012 3:47 AM
0

Sign in to vote
Hi Rick,

Router was already configured. I'd configured option 121 for Classless Static Route, for all the scope.

The issue got resolved.

Regards,

Arnav Sharma
- Marked as answer by arnavsharma Monday, October 1, 2012 8:21 AM
Monday, October 1, 2012 8:21 AM

All replies

0

Sign in to vote
Hi,

Thank you for the post.

I have seen this condition when NAP agent started after client gain the DHCP address. I suggest you
1. Configure DHCP option 003 Router to client if NPS server locates in another subnet
2. Set DHCP service dependency with NAP agent service via command "sc config dhcp depend= napagent" (not recommended)
3. Of course, you could try to fix the issue just restart NAP agent service

Here are some similar threads:
http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/bc4656e8-018d-42bc-b038-e28b9f5bd146
http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/38351651-ac82-4eea-bf05-05f15c3c9d86

If there are more inquiries on this issue, please feel free to let us know.

Regards

Rick Tan

TechNet Community Support
- Edited by Rick Tan Wednesday, September 26, 2012 3:48 AM
- Marked as answer by Rick Tan Monday, October 1, 2012 3:14 AM
Wednesday, September 26, 2012 3:47 AM
0

Sign in to vote
Hi Rick,

Router was already configured. I'd configured option 121 for Classless Static Route, for all the scope.

The issue got resolved.

Regards,

Arnav Sharma
- Marked as answer by arnavsharma Monday, October 1, 2012 8:21 AM
Monday, October 1, 2012 8:21 AM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

Restriction state = Restricted for some clients: DHCP NAP

Question

Answers

All replies