NPS Logging missing Non NAP-Capable machine names

  • Question

  • Hi,

    Is this by design that when looking at the NAP reports and NPS event viewer that NAP DHCP Non NAP-Capable computer names are missing?
    I only seem to be able to see NAP Capable Compliant and NAP Capable non-compliant computer names in the logs.

    Any ideas?

    Thanks,
    Tom
    Tuesday, September 1, 2009 2:48 PM

All replies

  • Hi Tom,

    The host name should be showing up as long as this is a Windows system. If NAP agent is off, you won't see the FQDN. See below.



    -Greg
    Wednesday, September 2, 2009 1:59 AM
  • Greg,

    Looking at Event Viewer this is what I get (see below).
    I have installed the NAP Eval and Assessment Beta, and when I look at the reports of the non NAP-Capable machines, the computer name is NOT listed in there.
    I assume the SQL is looking at the FQDN parameter when it builds the Report?
    Also, from that Event Log it's impossible to say whether this is a Microsoft or some other OS computer.

    So let me see if I understand you correctly:
    Forget about non-Microsoft operating systems for a minute.
    Are you saying that if the NAP agent is off, or the client is running a pre-Windows XP SP3 computer, we will not know what that computer's name is in the NPS Event Log or the NAP Reports?

    If the answer to the above question is YES, then how is a customer meant to locate which machines are problematic?



    Here is the Event Log entry:

    Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.

    Contact the Network Policy Server administrator for more information.

    User:
     Security ID:   NULL SID
     Account Name:   -
     Account Domain:   -
     Fully Qualified Account Name: -

    Client Machine:
     Security ID:   NULL SID
     Account Name:   queef
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  10.60.0.0
     Calling Station Identifier:  002020130303

    NAS:
     NAS IPv4 Address:  10.47.2.24
     NAS IPv6 Address:  -
     NAS Identifier:   BLVADS02
     NAS Port-Type:   Ethernet
     NAS Port:   -

    RADIUS Client:
     Client Friendly Name:  RADIUS Client
     Client IP Address:   10.47.2.24

    Authentication Details:
     Connection Request Policy Name: NAP DHCP
     Network Policy Name:  NAP DHCP Non NAP-Capable
     Authentication Provider:  Windows
     Authentication Server:  BLVNPS01.ADS.COM
     Authentication Type:  Unauthenticated
     EAP Type:   -
     Account Session Identifier:  32373830323637333331

    Quarantine Information:
     Result:    On Probation
     Extended-Result:   -
     Session Identifier:   -
     Help URL:   -
     System Health Validator Result(s): -
     Quarantine Grace Time:  2010-01-01 13:11:44.000

    Wednesday, September 2, 2009 7:22 AM
  • Hi Tom,

    I will need to check into what the SQL report is pulling, but you are probably right that it looks for FQDN. So - I think the report just needs to be changed slightly to obtain the host name. In the event above, the computer's host name is queef, so the data is there.

    The domain name isn't reported unless NAP agent is on. If the system is non-Windows, you won't see a host name (at least that's what I've seen so far). One thing that is reported is the MAC address, so you can always identify a computer that way. I know it's also possible to use the MAC address in policies with pattern matching syntax. It would be simpler if the FQDN was reported for non NAP-capable systems rather than just the host name, but this is a limitation.

    -Greg
    Wednesday, September 2, 2009 7:57 AM
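
An added example, not part of the original posts and not the NAP report's own query: Python that reads NPS event text like the entry posted above and identifies the client by FQDN when present, then host name, then MAC address (the Calling Station Identifier). The function names and the trimmed sample event are constructed for illustration.

```python
import re

# Constructed sample: selected fields from the event text posted in this thread.
SAMPLE_EVENT = """\
User:
 Account Name:   -

Client Machine:
 Account Name:   queef
 Fully Qualified Account Name: -
 Calling Station Identifier:  002020130303

Authentication Details:
 Network Policy Name:  NAP DHCP Non NAP-Capable
"""

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[-:]?){5}[0-9A-Fa-f]{2}")

def parse_event(text):
    """Return {section: {field: value}}; NPS's empty marker '-' becomes None."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):            # "Client Machine:" opens a section
            current = sections.setdefault(line[:-1], {})
        elif ":" in line and current is not None:
            key, _, value = line.partition(":")
            value = value.strip()
            current[key.strip()] = None if value == "-" else value
    return sections

def normalize_mac(raw):
    """Return AA-BB-CC-DD-EE-FF, or None if the value is not a MAC address."""
    if not raw or not MAC_RE.fullmatch(raw):
        return None
    digits = re.sub(r"[-:]", "", raw).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def identify_client(text):
    """Pick the best identity the event carries: FQDN, then host name, then MAC."""
    event = parse_event(text)
    client = event.get("Client Machine", {})
    mac = normalize_mac(client.get("Calling Station Identifier"))
    candidates = (("fqdn", client.get("Fully Qualified Account Name")),
                  ("hostname", client.get("Account Name")),
                  ("mac", mac))
    source, name = next(((s, v) for s, v in candidates if v), ("unknown", None))
    policy = event.get("Authentication Details", {}).get("Network Policy Name")
    return {"name": name, "source": source, "mac": mac, "policy": policy}

if __name__ == "__main__":
    print(identify_client(SAMPLE_EVENT))
```

Fields are read per section because "Account Name" appears under both User and Client Machine; only the Client Machine value names the computer.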
  • Thanks Greg - I have logged this with the NAP Eval & Assessment team - but perhaps you could also mention it to them.

    A large portion of how successful the NAP POC is, that I am currently doing, is dependent on the compliance reports that can be presented to upper management.

    Thanks again,
    Tom
    Wednesday, September 2, 2009 8:14 AM
  • If you don't mind me asking, what was the resolution to this? I have the same issue where the machine host name and IP address of the machine are not being logged in the event viewer. Thank you in advance.
    Monday, June 8, 2015 5:53 PM
  • Hi, there wasn't a resolution per se. The FQDN of the NAP client is transported in the statement of health. If a client machine isn't running NAP agent, then it has no statement of health and will be reported as non NAP-capable. Since there isn't a statement of health from which to extract the FQDN, there won't be any host and domain name in the event log.

    -Greg

    Monday, June 8, 2015 6:16 PM