Auto-remediation problem with NAP 802.1x Wired and Windows Firewall

  • Question

  • I have a NAP lab consisting of the following elements:
    1 Windows Server 2003 DC (VM)
    1 Windows Server 2008 SP1 NPS Server (VM)
    1 Cisco 802.1x-capable switch
    1 Windows XP SP3 client
    GPOs containing the appropriate settings to get NAP 802.1x PEAP working with XP SP3
    1 user account that is an administrator on the client machine

    The lab works fine.  When the client is compliant, it is placed in a Compliant VLAN, and when it is not compliant, it is placed in a Non-Compliant VLAN.

    The issue: If you turn off Windows Firewall on the client, but it is required by NPS, and auto-remediation is enabled in NPS, the Firewall turns on and off about every 5 seconds.  As a result, the client is put first in one VLAN and then the other until you start to see DHCP deny messages in the event log.  It appears that auto-remediation is fighting with the local setting.  The only way to make it stop bouncing is to open Windows Firewall from the Control Panel at one of the moments when the Windows Firewall is disabled, and enable it.

    The question: Why is this happening, and is it a bug, or is there a workaround?
    Wednesday, November 18, 2009 11:42 PM
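A way to put numbers on the symptom described above. The following script is an added diagnostic, not code from the original thread or from Microsoft: it polls the client once a second and logs, with a timestamp, every change in the effective Windows Firewall state (as reported by `netsh firewall show state`), in the GPO-supplied and locally stored `EnableFirewall` registry values for the Domain profile, and in the adapter's IPv4 address (a subnet change marks the VLAN move). It assumes Windows XP SP3 with PowerShell 2.0, that the first IP-enabled adapter is the 802.1x-enforced NIC, and that the Domain profile is the one in force; the `-Seconds` and `-LogPath` parameters and the log file name are this example's own choices.

```powershell
# Added example (not from the thread): trace firewall/VLAN flapping on the NAP client.
# Assumptions: XP SP3, PowerShell 2.0, first IP-enabled adapter is the wired NAP NIC,
# Domain profile in force. Run from an elevated PowerShell prompt.
param(
    [int]$Seconds = 120,                        # how long to watch
    [string]$LogPath = "$env:TEMP\nap-flap.log" # where the trace is written (example name)
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns '-' when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { '-' } else { $item.$Name }
}

function Get-Snapshot {
    # Effective state as the firewall service reports it.
    $text = netsh firewall show state | Out-String
    $fwProfile = if ($text -match '(?m)^Profile\s*=\s*(\w+)') { $Matches[1] } else { '?' }
    $fwMode    = if ($text -match '(?m)^Operational mode\s*=\s*(\w+)') { $Matches[1] } else { '?' }

    # Policy-supplied value (written by GPO) versus the locally stored value (what
    # NAP remediation or the Control Panel applet toggles). If they disagree and the
    # local one flips, something other than GPO is rewriting it.
    $gpo   = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' 'EnableFirewall'
    $local = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile' 'EnableFirewall'

    # IPv4 address of the first IP-enabled adapter; a subnet change means a VLAN change.
    $nic  = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
            Select-Object -First 1
    $addr = if ($nic -and $nic.IPAddress) { $nic.IPAddress[0] } else { 'none' }

    "profile=$fwProfile mode=$fwMode gpoEnable=$gpo localEnable=$local ip=$addr"
}

function Write-Trace([string]$Text) {
    $line = "{0:yyyy-MM-dd HH:mm:ss.fff} {1}" -f (Get-Date), $Text
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

$last    = ''
$changes = @()                     # timestamps of state changes, for the interval summary
$end     = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $end) {
    $now = Get-Snapshot
    if ($last -eq '') {
        Write-Trace "initial  $now"
    } elseif ($now -ne $last) {
        $changes += Get-Date
        Write-Trace "changed  $now"
    }
    $last = $now
    Start-Sleep -Seconds 1
}

# Summary: how often the state flipped, to test the "every 5 seconds" observation.
if ($changes.Count -ge 2) {
    $gaps = @()
    for ($i = 1; $i -lt $changes.Count; $i++) {
        $gaps += ($changes[$i] - $changes[$i - 1]).TotalSeconds
    }
    $avg = ($gaps | Measure-Object -Average).Average
    Write-Trace ("summary  {0} state changes in {1}s, mean interval {2:N1}s" -f $changes.Count, $Seconds, $avg)
} else {
    Write-Trace "summary  $($changes.Count) state change(s) in ${Seconds}s"
}
```

Run it as `.\nap-flap.ps1 -Seconds 300` while the firewall is switched off from the Control Panel, then read the log. The `profile=` column shows whether the client drops from the Domain to the Standard profile when it lands in the restricted VLAN (the profile is chosen by domain reachability, and each profile carries its own `EnableFirewall` value), and the `gpoEnable=`/`localEnable=` pair shows whether a policy value and a locally written value are alternating, which is the "auto-remediation fighting with the local setting" pattern the question describes.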

Answers

  • Hi,

    In order to narrow down the cause of this problem, please try the steps below:

    1.    Disable all third party software and services by Clean Boot.
    2.    If there is no progress, try to create a new user account and test.
    3.    If the problem still occurs, move this Windows XP client to a standalone OU and disable all GPOs.

    And please help collect the MPS report:

    1)    Download proper MPS Report tool from the website below.

    Microsoft Product Support Reports
    http://www.microsoft.com/downloads/details.aspx?FamilyID=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en

    2)    Double-click to run it; if the requirements are not met, follow the wizard to download and install them. After that, click Next, and when the "Select the diagnostics you want to run" page appears, select "General" and "Server Components", then click Next.

    3)    After collecting all log files, choose "Save the results" and choose a folder in which to save the <Computername>MPSReports.cab file. Please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give us the download address.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Mervyn Zhang Monday, November 30, 2009 1:54 AM
    Tuesday, November 24, 2009 6:11 AM

All replies

  • Can you try the following command to turn off the firewall and tell us whether you are facing this issue or not ?

    Netsh firewall set opmode mode = DISABLE profile = ALL

    Thanks
    -RamaSubbu SK
    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Thursday, November 19, 2009 1:25 AM
  • Running the command above succeeds in disabling the firewall, and the client is then put into the non-compliant VLAN.  The auto-remediation never kicks in, and the client can't rejoin the compliant VLAN until I run the above command with DISABLE replaced by ENABLE.  Does this give you a clue to how I might be able to get auto-remediation to work without it bouncing repeatedly?

    Thanks!
    Thursday, November 19, 2009 5:39 AM
  • Thank you, I will see if I can get this done tomorrow.
    Wednesday, November 25, 2009 12:53 AM