Network access protection not working

Question

    Dear Experts,

    We are using Network Policy Server for assigning IP addresses to different VLANs using a Windows 2008 DHCP server based on user groups. We have our Wi-Fi controller set up for 802.1X authentication and NPS as RADIUS. Now we need to enable Network Access Protection in the same setup. The NPS has the enterprise CA and DHCP on the same box. So we configured NAP with wireless enforcement as follows:

    • EAP Quarantine NAP enforcement client enabled
    • NAP Agent service set to automatic
    • Wired Autoconfig service set to automatic
    • Security Center user interface enabled
    • Wi-Fi policy for Windows XP and Vista configured in GPO with PEAP access and to trust the NPS server

    After these settings were configured in the GPO and linked to the NPS OU, we created a global security group and added the computer names on which we want to enable NAP to it. Then NAP was configured using the wizard on NPS for the wireless network as follows:

    1. Wi-Fi controller added as RADIUS client

    2. 2 VLAN configured for COMPLIANT and NON_COMPLIANT client

    3. Non NAP capable system denied access to networks

    4. New test user created to validate NAP

    5. Same user added in production group so that it can take a production VLAN IP through DHCP if compliant

    We are facing below issues:

    1. On Windows 7 32-bit, the system is behaving properly but didn't display any NAP message in Action Center, e.g. if compliant it takes a production IP, but if we disable antivirus then it goes out of the production network and takes a non-compliant VLAN

    2. On Windows XP, even after disabling firewall and antivirus, it still remains in the production VLAN. Even the commands "netsh nap client show grouppolicy" and "netsh nap client show state" show correct output, but nothing happens for NAP: no message, no error

    3. On Windows 7 64-bit, even the group policy settings are not getting deployed. Can anyone see what can be wrong?

    Please help!!! Also recommend if the way we are doing it is correct.

    Thanks in advance.

    Monday, July 23, 2012 5:28 PM

Answers

    Thank you for the post.

    1. On Windows 7 32-bit, the system is behaving properly but didn't display any NAP message in Action Center, e.g. if compliant it takes a production IP, but if we disable antivirus then it goes out of the production network and takes a non-compliant VLAN
    You could run the "napstat" command to show the NAP message. The message will show the WSHA.
     
    2. On Windows XP, even after disabling firewall and antivirus, it still remains in the production VLAN. Even the commands "netsh nap client show grouppolicy" and "netsh nap client show state" show correct output, but nothing happens for NAP: no message, no error
    It's a known issue about the Wireless EAP Enforcement Client on Windows XP clients. You need to enable the wireless EAPOL enforcement client in Group Policy.
    http://technet.microsoft.com/en-us/library/dd348439(WS.10).aspx
     
    3. On Windows 7 64-bit, even the group policy settings are not getting deployed. Can anyone see what can be wrong?
    Please ensure the client computers are added to the NPS global security group. Confirm the configuration with the command "netsh nap client show grouppolicy".

    Here are the 802.1X wireless NAP checklist and troubleshooting guides. Hope they help you.
    http://technet.microsoft.com/en-us/library/cc753793(WS.10).aspx
    http://technet.microsoft.com/en-us/library/dd348443(WS.10).aspx
    http://technet.microsoft.com/en-us/library/dd348446(WS.10).aspx

    If there are more inquiries on this issue, please feel free to let us know.
     
    Regards


    Rick Tan

    TechNet Community Support


    Wednesday, July 25, 2012 5:40 AM
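Added example, not from the thread or from Microsoft: a client-side pre-check that covers the items the question and answer touch on (NAP Agent and AutoConfig services, and whether the EAP Quarantine Enforcement Client is actually initialized). The service names napagent, dot3svc and WlanSvc, and the "Name = / Initialized =" layout parsed from "netsh nap client show state", are assumptions; pass -UseSample to run it against the constructed sample instead of the live command.

```powershell
param([switch]$UseSample)

# Services the post relies on (names assumed): napagent = NAP Agent, dot3svc = Wired AutoConfig.
# WlanSvc (WLAN AutoConfig) is added here because the enforcement is on Wi-Fi, not in the post.
foreach ($name in 'napagent', 'dot3svc', 'WlanSvc') {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { Write-Warning "Service $name not found on this client"; continue }
    "{0,-9} State={1,-8} StartMode={2}" -f $name, $svc.State, $svc.StartMode
}

# Constructed sample of the enforcement-client section of "netsh nap client show state".
$sample = @'
Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Initialized            = No

Id                     = 79623
Name                   = EAP Quarantine Enforcement Client
Initialized            = No
'@

# Parse "Id = / Name = / Initialized =" triples into objects (layout is an assumption).
function Get-NapEnforcementClients([string]$Text) {
    $clients = @(); $current = $null
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*Id\s*=\s*(\d+)') {
            $current = New-Object PSObject -Property @{ Id = $Matches[1]; Name = ''; Initialized = '' }
            $clients += $current
        } elseif ($current -and $line -match '^\s*Name\s*=\s*(.+?)\s*$') {
            $current.Name = $Matches[1]
        } elseif ($current -and $line -match '^\s*Initialized\s*=\s*(\S+)') {
            $current.Initialized = $Matches[1]
        }
    }
    return $clients
}

$text = if ($UseSample) { $sample } else { (netsh nap client show state) -join "`n" }
$eap = Get-NapEnforcementClients $text | Where-Object { $_.Name -like 'EAP*' }

# Without an initialized EAP enforcement client the wireless NAP policy is never evaluated,
# which matches the "no message, no error" symptom; the fix is the Enforcement Clients GPO setting.
if (-not $eap) {
    Write-Warning 'EAP Quarantine Enforcement Client not listed; check the NAP client GPO'
} elseif ($eap.Initialized -ne 'Yes') {
    Write-Warning "EAP Quarantine Enforcement Client present (Id $($eap.Id)) but not initialized"
} else {
    'EAP Quarantine Enforcement Client is initialized'
}
```

Run it on a client that stays in the production VLAN after failing the health check; compare its output with "netsh nap client show grouppolicy" to tell a policy that never applied from one that applied but is not enforcing.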