IPsec NAP Configuration

  • Question

  • I have set up and configured DC1, NPS1 and CLIENT1 systems using Windows Server 2003 Enterprise Edition, Windows Longhorn Beta 2 and Windows Vista Ultimate (released version) respectively, created the xxxxx.com domain and joined both NPS1 and CLIENT1 to the domain. I set up the CA on DC1 and the sub-CA on NPS1 and have successfully issued certificates from both CAs, including certificates that use both the Subordinate Certificate Authority and the System Health Authentication templates.

    As this is in a lab, CLIENT1 requires a proxy to connect with the Internet, with the proxy server bypassed for local addresses. I have verified that CLIENT1 has HTTP access to NPS1 by creating a simple web page in c:\windows\system32\hcs and accessing it using IE from CLIENT1.

    The first problem that I see is that on CLIENT1, in the MMC Certificates (Local Computer)->Personal->Certificates, no health certificates issued by the sub-CA on NPS1 are created. However, I can manually execute the Request New Certificate… command and create both a Computer and a System Health Authentication certificate issued by the Root CA. In the Request Certificates Details->Properties->Certificate Authorities window, only the Root CA is available as a CA, not the sub-CA, even if I check Show all CAs in the forest.

    The second problem that I see is that the firewall remediation example in the document fails to work, even after I temporarily disable both the IPsec Secure Policy and the Boundary Policy on NPS1.

    I have included the relevant netsh output files from NPS1 and CLIENT1 as nps1.config and client1.config.

    Any suggestions?

     

    CLIENT1 Configuration

    COMMAND: netsh nap client show configuration

    NAP client configuration:
    ----------------------------------------------------

    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048

    Hash algorithm = sha1RSA (1.3.14.3.2.29)

    Enforcement clients:
    ----------------------------------------------------
    Name            = DHCP Quarantine Enforcement Client
    ID              = 79617
    Admin           = Disabled

    Name            = Remote Access Quarantine Enforcement Client
    ID              = 79618
    Admin           = Disabled

    Name            = IPSec Relying Party
    ID              = 79619
    Admin           = Disabled

    Name            = TS Gateway Quarantine Enforcement Client
    ID              = 79621
    Admin           = Disabled

    Name            = EAP Quarantine Enforcement Client
    ID              = 79623
    Admin           = Disabled

    Client tracing:
    ----------------------------------------------------
    State = Enabled
    Level = Verbose

    Trusted server group configuration:
    ----------------------------------------------------
    Group            = Trusted HRA Servers
    Require Https    = Disabled
    URL              = http://NPS1/domainhra/hcsrvext.dll
    Processing order = 1

    User interface settings:
    ----------------------------------------------------
    Title       = NAP Test Text
    Description = 
    Image       = 

    Ok.

    COMMAND: netsh advfirewall show domainprofile

    Domain Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              C:\Windows\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Ok.

    COMMAND: netsh interface ipv4 show config

    Configuration for interface "Local Area Connection"
        DHCP enabled:                         No
        IP Address:                           10.7.0.102
        Subnet Prefix:                        10.7.0.0/24 (mask 255.255.255.0)
        Default Gateway:                      10.7.0.4
        Gateway Metric:                       256
        InterfaceMetric:                      10
        Statically Configured DNS Servers:    10.7.0.100
        Register with which suffix:           Both primary and connection-specific
        Statically Configured WINS Servers:   None

    Configuration for interface "Loopback Pseudo-Interface 1"
        DHCP enabled:                         No
        IP Address:                           127.0.0.1
        Subnet Prefix:                        127.0.0.0/8 (mask 255.0.0.0)
        InterfaceMetric:                      50
        Statically Configured DNS Servers:    None
        Register with which suffix:           Primary only
        Statically Configured WINS Servers:   None

    NPS1 Configuration

    COMMAND: netsh nps show config

    Connection request policy configuration:
    ---------------------------------------------------------
    Name             = Use Windows authentication for all users
    State            = Enabled
    Processing order = 1
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Auth-Provider-Type                      0x1025      "0x1"

    Event log configuration:
    ---------------------------------------------------------
    Accepted authentication requests = Enabled
    Rejected authentication requests = Enabled

    File log configuration:
    ---------------------------------------------------------
    Accounting      = Enabled
    Authentication  = Enabled
    Periodic status = Enabled
    Directory       = C:\Windows\system32\LogFiles
    Format          = IAS formatting
    Delete old logs = Enabled
    Frequency       = Daily logs
    Max size        = 10 MB

    Ports configuration:
    ---------------------------------------------------------
    Accounting ports     = 1813,1646
    Authentication ports = 1812,1645

    Remote access policy configuration:
    ---------------------------------------------------------
    Name             = Connections to other access servers
    State            = Enabled
    Processing order = 4
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "FALSE"
    NP-Authentication-Type                  0x1009      "0x3" "0x4" "0x9" "0xa"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Remote access policy configuration:
    ---------------------------------------------------------
    Name             = Connections to Microsoft Routing and Remote Access server
    State            = Enabled
    Processing order = 3
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1033      "^311$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "FALSE"
    NP-Allowed-EAP-Type                     0x100a      "0D000000000000000000000000000000"
    NP-Authentication-Type                  0x1009      "0x5" "0x4" "0xa" "0x3" "0x9"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    MS-Filter                               0x102f     

          ===============================================================
          IPFILTER_IPV4INFILTER   Action: DENY

          Action      Address     Mask  Protocol    Src Port    Dst Port
          ---------------------------------------------------------------
          0.0.0.0     0.0.0.0     0     0     0
          ---------------------------------------------------------------

    MS-MPPE-Encryption-Policy               0xffffffa7  "0x2"
    MS-MPPE-Encryption-Types                0xffffffa6  "0xe"

    Remote access policy configuration:
    ---------------------------------------------------------
    Name             = Compliant-Full-Access
    State            = Enabled
    Processing order = 2
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbd      "Compliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x7"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "FALSE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Remote access policy configuration:
    ---------------------------------------------------------
    Name             = noncompliant-Restricted
    State            = Enabled
    Processing order = 1
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbd      "Noncompliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x7"
    MS-Quarantine-State                     0x1faf      "0x1"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Server registration:
    ---------------------------------------------------------
    Status = Un-registered

    SHV configuration:
    ---------------------------------------------------------
    Id                             = 79744
    Name                           = Windows Security Health Validator
    Vendor                         = Microsoft Corporation
    Description                    = The Windows Security Health Validator defines the policy that client computers must be compliant with.
    Version                        = 1.0
    Policy server unreachable      = Noncompliant
    Remediation server unreachable = Noncompliant
    System Health Agent failure    = Noncompliant
    NAP server failure             = Noncompliant
    Other errors                   = Noncompliant

    SHV template configuration:
    ---------------------------------------------------------
    Name          = Compliant
    Configuration = All must pass
    Id            = 79744

    SHV template configuration:
    ---------------------------------------------------------
    Name          = Noncompliant
    Configuration = One or more must fail
    Id            = 79744

    SQL log configuration:
    ---------------------------------------------------------
    Connection      = 
    Description     = 
    Accounting      = Enabled
    Authentication  = Enabled
    Periodic status = Enabled
    Max sessions    = 2

    Ok.

    COMMAND: netsh nps show napserverinfo

    NAP server information:
    ---------------------------------------------------------
    Name        = Network Access Protection Server
    Description = Microsoft Network Access Protection Server
    Version     = 1.0

    Ok.

    COMMAND: netsh nps show shv

    SHV configuration:
    ---------------------------------------------------------
    Id                             = 79744
    Name                           = Windows Security Health Validator
    Vendor                         = Microsoft Corporation
    Description                    = The Windows Security Health Validator defines the policy that client computers must be compliant with.
    Version                        = 1.0
    Policy server unreachable      = Noncompliant
    Remediation server unreachable = Noncompliant
    System Health Agent failure    = Noncompliant
    NAP server failure             = Noncompliant
    Other errors                   = Noncompliant

    Ok.

    COMMAND: netsh nps show shvtemplate

    SHV template configuration:
    ---------------------------------------------------------
    Name          = Compliant
    Configuration = All must pass
    Id            = 79744

    SHV template configuration:
    ---------------------------------------------------------
    Name          = Noncompliant
    Configuration = One or more must fail
    Id            = 79744

    Ok.

    COMMAND: netsh nps show registeredserver

    Server registration:
    ---------------------------------------------------------
    Status = Un-registered

    Ok.

    COMMAND: netsh nap hra show configuration

    Health Registration Authority (HRA) configuration:
    ----------------------------------------------------

    Certification Authority (CA) servers:

    Name                          Processing order
    ----------------------------------------------------
    \\NPS1\xxxxx-NPS1-SubCA    1

    Timeout configuration:
    ----------------------------------------------------
    Blackout time       = 5 (minutes)
    No response timeout = 20 (seconds)

    Ok.

    COMMAND: netsh interface ipv4 show config

    Configuration for interface "Local Area Connection 5"
        DHCP enabled:                         No
        IP Address:                           10.7.0.101
        Subnet Prefix:                        10.7.0.0/24 (mask 255.255.255.0)
        Default Gateway:                      172.20.10.9
        Gateway Metric:                       256
        Default Gateway:                      172.20.10.114
        Gateway Metric:                       256
        Default Gateway:                      10.7.0.4
        Gateway Metric:                       256
        InterfaceMetric:                      10
        Statically Configured DNS Servers:    10.7.0.100
        Register with which suffix:           Both primary and connection-specific
        Statically Configured WINS Servers:   None

    Configuration for interface "Loopback Pseudo-Interface 1"
        DHCP enabled:                         No
        IP Address:                           127.0.0.1
        Subnet Prefix:                        127.0.0.0/8 (mask 255.0.0.0)
        InterfaceMetric:                      50
        Statically Configured DNS Servers:    None
        Register with which suffix:           None
        Statically Configured WINS Servers:   None

    Monday, January 22, 2007 9:32 PM

Answers

  • It looks like you are not matching the health policies in your Network Policies set - you are repeatedly matching the policy called "Connections to other access servers".

    You might double-check that your policies are in the correct order of evaluation, etc.

    -Chris

    Chris.Edson@online.microsoft.com *
    Software Development Engineer in Test
    * Remove the "online" to make the address valid.
    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, January 24, 2007 11:58 PM
  • Hi,

    Chris is referring to something in your posted configuration (see below).

    Remote access policy configuration:
    ---------------------------------------------------------
    Name             = Connections to Microsoft Routing and Remote Access server
    State            = Enabled
    Processing order = 3
    Policy source    = 0

    I see that the processing order is set to 3, but Chris is asking that you check this. If it is indeed third in your processing order, then it looks like the client is not matching the compliant or noncompliant policy conditions, which are exclusively health state conditions. I would check that the client is sending statements of health by checking event viewer on CLIENT1. Review events by navigating to Application And Services Logs/Microsoft/Windows/Network Access Protection/Operational. You should see events here with a source of Network Access Protection and also SystemHealthAgent.

    The Network Access Protection events should begin with a Statement of Health being received from the System Health Agent. Next, the Statement of Health is sent to the enforcement client. Third, the Network Access Protection Agent will either succeed or fail to acquire a certificate. If it fails, there is an associated error code that can be useful in diagnosing the problem. Please provide this, and describe any other pertinent events you are seeing on the client. Based on the fact that you do not appear to be matching client health states, I would guess that either 1) your client is not sending a statement of health, 2) NPS is not receiving the statement of health, or 3) your SHV is specifying health conditions the client does not match.

    When troubleshooting this sort of thing, I monitor event viewer on both the client and the server after restarting NAP Agent on the client. A successful policy match on NPS will result in a warning event if the client is quarantined, or an information event if the client is compliant and granted full access. The information event will detail the client's health state.

    -Greg

    P.S. In answer to your question on item #6, I was referring to instructions on page 21 of the step by step guide that describe how "to configure the Health Registration Authority with a health certificate."

    Thursday, January 25, 2007 2:36 AM

All replies

  • Hi,

    From the configuration you posted, it appears the IPsec enforcement client (IPSec Relying Party) is not enabled. Right-click it and click enable. You should also verify that NAP Agent and Security Center are running on the client.  Let me know if this fixes the problem.

    Greg Lindsay

    Tuesday, January 23, 2007 7:36 AM
  • On CLIENT1, I used MMC->NAP Client Configuration (Local Computer) and enabled the IPSec Relying Party enforcement client and restarted the system. I verified that the Network Access Protection Agent and the Security Center services were started. The Security Center has an Automatic (Delayed Start) configuration. A health certificate was not issued.

    The CLIENT1 Security Center reports that the Firewall is Off with a red background on the summary window. Clicking on Windows Firewall for details, the description is "Windows Firewall is not using the recommended settings" with a red background, but on the next line it says that the Windows Firewall is on. The firewall Change Settings window says "For your security, some settings are controlled by Group Policy." The On button is selected but both the On and Off buttons are disabled. Previously, I temporarily disabled the IPsec Secure and Boundary Policy on NPS1 to allow changes to the firewall setting, but this had no effect on the health status of CLIENT1.

    I am concerned that MMC->Certificates (Local Computer)->Personal->Certificates->Request New Certificate on CLIENT1 cannot see the sub-CA on NPS1 to issue the health certificate even though it can see the root CA and the System Health Authentication certificate template.

    Thanks.

    Tuesday, January 23, 2007 5:04 PM
  • What does the NPS server logs / accounting logs say? Which policy is it matching (or not matching)?

    Jeff Sigman
    NAP Release Manager
    Jeff.Sigman@online.microsoft.com *
    http://blogs.technet.com/nap

    * Remove the "online" to actually email me.
    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, January 23, 2007 6:20 PM
  • The \windows\system32\logfiles\in070123.log file is:

    10.7.0.101,,01/23/2007,08:21:49,RAS,NPS1,8132,5,44,0xC5F2C24EB44C5341A04DCF169CA6BA6950A419940A3FC701,6,12,8108,1,61,15,8138,XXXXXNAP\CLIENT1$,32,NPS1.xxxxxnap.com,4,10.7.0.101,4155,1,4154,Use Windows authentication for all users,25,311 1 254.128.0.0 05/05/1829 23:54:06 17904229656286986241,4127,7,4149,Connections to other access servers,4136,1,4142,0
    10.7.0.101,,01/23/2007,08:21:49,RAS,NPS1,25,311 1 254.128.0.0 05/05/1829 23:54:06 17904229656286986241,44,0xC5F2C24EB44C5341A04DCF169CA6BA6950A419940A3FC701,4149,Connections to other access servers,4127,7,4154,Use Windows authentication for all users,4155,1,4136,3,4142,65
    10.7.0.101,,01/23/2007,08:32:38,RAS,NPS1,8132,5,44,0x50AA3E7EE2C5174BB0866430C79C0932EE089E170C3FC701,6,12,8108,1,61,15,8138,XXXXXNAP\CLIENT1$,32,NPS1.xxxxxnap.com,4,10.7.0.101,4155,1,4154,Use Windows authentication for all users,25,311 1 254.128.0.0 01/01/1601 00:05:09 2041965127695073282,4127,7,4149,Connections to other access servers,4136,1,4142,0
    10.7.0.101,,01/23/2007,08:32:38,RAS,NPS1,25,311 1 254.128.0.0 01/01/1601 00:05:09 2041965127695073282,44,0x50AA3E7EE2C5174BB0866430C79C0932EE089E170C3FC701,4149,Connections to other access servers,4127,7,4154,Use Windows authentication for all users,4155,1,4136,3,4142,65
    10.7.0.101,,01/23/2007,08:32:41,RAS,NPS1,8132,5,44,0x50AA3E7EE2C5174BB0866430C79C0932EE089E170C3FC701,6,12,8108,1,61,15,8138,XXXXXNAP\CLIENT1$,32,NPS1.xxxxxnap.com,4,10.7.0.101,4155,1,4154,Use Windows authentication for all users,25,311 1 254.128.0.0 01/01/1601 00:05:09 2041965127695073283,4127,7,4149,Connections to other access servers,4136,1,4142,0
    10.7.0.101,,01/23/2007,08:32:41,RAS,NPS1,25,311 1 254.128.0.0 01/01/1601 00:05:09 2041965127695073283,44,0x50AA3E7EE2C5174BB0866430C79C0932EE089E170C3FC701,4149,Connections to other access servers,4127,7,4154,Use Windows authentication for all users,4155,1,4136,3,4142,65
    10.7.0.101,,01/23/2007,12:34:35,RAS,NPS1,8132,5,44,0x50AA3E7EE2C5174BB0866430C79C09329314A2E42D3FC701,6,12,8108,1,61,15,8138,XXXXXNAP\CLIENT1$,32,NPS1.xxxxxnap.com,4,10.7.0.101,4155,1,4154,Use Windows authentication for all users,25,311 1 254.128.0.0 09/22/4715 00:50:02 2279589905652776964,4127,7,4149,Connections to other access servers,4136,1,4142,0
    10.7.0.101,,01/23/2007,12:34:35,RAS,NPS1,25,311 1 254.128.0.0 09/22/4715 00:50:02 2279589905652776964,44,0x50AA3E7EE2C5174BB0866430C79C09329314A2E42D3FC701,4149,Connections to other access servers,4127,7,4154,Use Windows authentication for all users,4155,1,4136,3,4142,65

    I can't tell which policies are being used from this output.

    Tuesday, January 23, 2007 10:01 PM
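The IAS-format lines above do carry the answer to Jeff's question: after six fixed fields, each record is a flat list of attribute-ID/value pairs, and 4154 (Proxy-Policy-Name), 4149 (NP-Policy-Name), 4136 (Packet-Type) and 4142 (Reason-Code) say which policies matched and what NPS did. The decoder below is an added example, not code from the thread or from NPS; the attribute names follow the published IAS log format, the vendor-specific 8xxx IDs are left raw, and the two sample records are copied from the log excerpt posted above.

```python
import csv
from collections import Counter

# Fixed leading fields of an IAS-format record; attribute ID/value pairs follow.
IAS_HEADER = ("NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
              "Service-Name", "Computer-Name")

# IAS log attribute IDs that matter for "which policy matched and what happened".
# IDs not listed here (e.g. the vendor-specific 8xxx ones) are kept by number.
ATTR_NAMES = {
    4: "NAS-IP-Address", 6: "Service-Type", 25: "Class", 32: "NAS-Identifier",
    44: "Acct-Session-Id", 61: "NAS-Port-Type",
    4127: "Authentication-Type", 4136: "Packet-Type", 4142: "Reason-Code",
    4149: "NP-Policy-Name", 4154: "Proxy-Policy-Name", 4155: "Provider-Type",
}
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}
# 0 is success; 65 is the code the thread quotes from the NPS1 event log
# ("remote access permission to the user account was denied").
REASON_CODES = {0: "success", 65: "remote access permission denied"}

# Two records copied from the in070123.log excerpt posted above: the
# Access-Request and the Access-Reject for the same session.
SAMPLE_LINES = [
    r"10.7.0.101,,01/23/2007,08:21:49,RAS,NPS1,8132,5,44,0xC5F2C24EB44C5341A04DCF169CA6BA6950A419940A3FC701,6,12,8108,1,61,15,8138,XXXXXNAP\CLIENT1$,32,NPS1.xxxxxnap.com,4,10.7.0.101,4155,1,4154,Use Windows authentication for all users,25,311 1 254.128.0.0 05/05/1829 23:54:06 17904229656286986241,4127,7,4149,Connections to other access servers,4136,1,4142,0",
    r"10.7.0.101,,01/23/2007,08:21:49,RAS,NPS1,25,311 1 254.128.0.0 05/05/1829 23:54:06 17904229656286986241,44,0xC5F2C24EB44C5341A04DCF169CA6BA6950A419940A3FC701,4149,Connections to other access servers,4127,7,4154,Use Windows authentication for all users,4155,1,4136,3,4142,65",
]


def parse_record(line):
    """Turn one IAS-format line into a dict keyed by attribute name (or raw ID)."""
    fields = next(csv.reader([line]))
    tail = fields[len(IAS_HEADER):]
    if len(fields) < len(IAS_HEADER) or len(tail) % 2:
        raise ValueError("malformed IAS record: %r" % line[:60])
    rec = dict(zip(IAS_HEADER, fields))
    for attr_id, value in zip(tail[0::2], tail[1::2]):
        rec[ATTR_NAMES.get(int(attr_id), attr_id)] = value
    return rec


def summarize(line):
    """Extract what a troubleshooter wants: the policies matched and the outcome."""
    rec = parse_record(line)
    packet = int(rec.get("Packet-Type", -1))
    reason = int(rec.get("Reason-Code", -1))
    return {
        "time": rec["Record-Date"] + " " + rec["Record-Time"],
        "session": rec.get("Acct-Session-Id"),
        "packet": PACKET_TYPES.get(packet, "type %d" % packet),
        "connection_request_policy": rec.get("Proxy-Policy-Name"),
        "network_policy": rec.get("NP-Policy-Name"),
        "reason": reason,
        "reason_text": REASON_CODES.get(reason, "see NPS reason-code reference"),
    }


def session_outcomes(lines):
    """Group records by Acct-Session-Id and keep the last (deciding) record per session."""
    by_session = {}
    for line in lines:
        s = summarize(line)
        by_session.setdefault(s["session"], []).append(s)
    return {sid: recs[-1] for sid, recs in by_session.items()}


def policy_hit_counts(lines):
    """How often each network policy shows up on the Accept/Reject records."""
    return Counter((s["network_policy"], s["packet"])
                   for s in map(summarize, lines) if s["packet"] != "Access-Request")


if __name__ == "__main__":
    for sid, s in session_outcomes(SAMPLE_LINES).items():
        print("%s  %s  NP=%r  reason=%d (%s)" % (
            s["time"], s["packet"], s["network_policy"], s["reason"], s["reason_text"]))
    print(policy_hit_counts(SAMPLE_LINES))
```

Run over the whole log file, policy_hit_counts shows every reject landing on "Connections to other access servers" with reason 65, which is the observation Chris makes in his answer.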
  • I think Jeff is referring to events in the event viewer.  When NPS processes a connection request, there will be an event that tells you which connection request policy and which network policy was matched, and the action taken. These events are very useful for troubleshooting.
    Wednesday, January 24, 2007 12:02 AM
  • In the NPS1 System event log, there are two HRA errors and one IAS warning on system restart. The first message is the IAS warning: EventId=2, Reason-Code=65, Reason=...remote access permission to the user account was denied... . The first HRA error is: ErrorId=26, ...The HRA was unable to validate the request... . The last HRA error is: ErrorId=3, ...The HRA encountered an error... . In response, I added the RAS and IAS Servers group to User1 and restarted the CLIENT1 system. This did not resolve the problem. A permissions error would explain many of the symptoms.

    Wednesday, January 24, 2007 2:13 AM
  • You shouldn't have to take any actions to set permissions that are not already described in the step by step guide.

    Assuming you have disabled IPsec policies for the time being, some permission related things to check are:

    1. Ensure the user1 account is a member of the domain admins group
    2. Verify you are logged in to both NPS1 and CLIENT1 with the user1 account
    3. Ensure NPS1 has permissions to "Request Certificates" and "Issue and Manage Certificates"
    4. Verify certificate issuance requirements and policy module are set to enable auto-enrollment
    5. Certificate application policy extensions object identifier is set to 1.3.6.1.4.1.311.47.1.1
    6. HRA (NPS1) is enrolled with a System Health Authentication certificate
    7. Compliant and Noncompliant network policies (authorization policies) are set to "Allow clients to connect without negotiating an authentication method"
    8. CLIENT1 has listed http://NPS1/domainhra/hcsrvext.dll under Trusted HRA Servers.

    If you have other policies above your compliant and noncompliant policies in the processing order, it is also a good idea to disable these, or at least move them below the NAP policies in processing order. However, if a connection attempt is matching one of these policies you should see it in the event viewer on NPS1, so I don't think this is your problem.

    An easy method to use for testing changes you make is to open the services snap-in on CLIENT1 and restart NAP Agent. This should cause the client to request a new health certificate.

    -Greg

    Wednesday, January 24, 2007 4:31 AM
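Greg's point about processing order can be checked with a first-match walk over the four network policies from the netsh output above. This is an added model, not code from the thread or from NPS, and it simplifies the conditions to the ones the dump shows: it assumes condition 0x1033 "^311$" is the MS-RAS-Vendor condition, and that a health policy condition (0x1fbd) cannot match when no Statement of Health was evaluated. It shows why a request with no SoH lands on "Connections to other access servers" and is rejected whatever the order, and that removing that policy only changes the reject reason.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Request:
    """What NPS can see of one HRA/NAP request; None means the attribute is absent."""
    health_state: Optional[str]   # "Compliant"/"Noncompliant" from the SHV, None if no SoH
    ras_vendor: Optional[str]     # MS-RAS-Vendor, "311" when the access server is RRAS
    hour: int = 12                # for the day-and-time condition


@dataclass
class Policy:
    order: int
    name: str
    matches: Callable[[Request], bool]
    allow_dial_in: bool                     # NP-Allow-Dial-in
    quarantine_state: Optional[int] = None  # MS-Quarantine-State (0 full, 1 restricted)


def health_is(expected):
    # Health policy condition (0x1fbd): no SoH means no health state, so no match.
    return lambda r: r.health_state == expected


def ras_vendor_matches(pattern):
    # Assumption: condition 0x1033 "^311$" is the MS-RAS-Vendor condition.
    return lambda r: r.ras_vendor is not None and re.search(pattern, r.ras_vendor) is not None


def any_day_any_time(r):
    # Day-and-time condition (0x1006) covering 00:00-24:00 on all seven days.
    return 0 <= r.hour < 24


# The four network policies from "netsh nps show config" above, in processing order.
POLICIES = sorted([
    Policy(1, "noncompliant-Restricted", health_is("Noncompliant"), True, 1),
    Policy(2, "Compliant-Full-Access", health_is("Compliant"), True, 0),
    Policy(3, "Connections to Microsoft Routing and Remote Access server",
           ras_vendor_matches(r"^311$"), False),
    Policy(4, "Connections to other access servers", any_day_any_time, False),
], key=lambda p: p.order)


def evaluate(req, policies=POLICIES):
    """The first policy whose conditions all match decides; NP-Allow-Dial-in gates access."""
    for p in policies:
        if p.matches(req):
            if not p.allow_dial_in:
                # Same shape as the thread's IAS log: Access-Reject with reason code 65.
                return {"policy": p.name, "result": "Access-Reject",
                        "reason": "remote access permission denied"}
            return {"policy": p.name, "result": "Access-Accept",
                    "quarantine_state": p.quarantine_state}
    return {"policy": None, "result": "Access-Reject", "reason": "no policy matched"}


if __name__ == "__main__":
    for req in (Request(None, None), Request("Compliant", None),
                Request("Noncompliant", None), Request(None, "311")):
        print(req, "->", evaluate(req))
    without_catchall = [p for p in POLICIES if p.name != "Connections to other access servers"]
    print("no SoH, catch-all disabled ->", evaluate(Request(None, None), without_catchall))
```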
  • 1.  User1 is in the domain admins group in AD on DC1.

    2.  Both NPS1 and CLIENT1 are logged in using User1.

    3.  On NPS1, MMC->Certificate Authority (Local)->Properties->Security has NPS1$ (XXXXXNAP\NPS1$) with both Issue and Manage Certificates and Request Certificates allowed.

    4.  On DC1, Administrative Tools->xxxxxnap.com->Properties->Default Domain Policy->Edit and Default Domain Policy [dc1.xxxxxnap.com] Policy->Computer Configuration->Windows Settings->Security Settings->Public Key Policies->Autoenrollment Settings General tab has Enroll certificates automatically selected, with both "Renew expired certificates, update pending certificates and remove revoked certificates" and "Update certificates that use certificate templates" checked.

    5.  On DC1, MMC->Certificate Templates->System Health Authentication->Extensions->Application Policies->Edit->System Health Authentication->Edit has the OID 1.3.6.1.4.1.311.47.1.1.

    6.  On NPS1, MMC->Certificates (Local Computer)->Personal->Certificates has both a certificate issued using the Subordinate Certification Authority certificate template and one using the System Health Authentication template. Is this what you meant by HRA enrollment?

    7.  On NPS1, MMC->NPS (Local)->[Compliant-Full-Access and noncompliant-Restricted]->Settings->Constraints->Authentication Method has only "Allow clients to connect without negotiating an authentication method" checked.

    8.  On CLIENT1, MMC->NAP Client Configuration (Local Computer)->Health Registration Settings->Trusted Server Groups->Trusted HRA Servers has one Available URL of http://NPS1/domainhra/hcsrvext.dll. I have verified the HTTP connection from CLIENT1 to NPS1 using a simple index.htm file in c:\windows\system32\hcs on NPS1.

    There are no other policies on NPS1. After the Network Access Protection Agent was restarted on CLIENT1, no additional certificates appeared in the MMC->Certificates (Local Computer)->Personal->Certificates window. The same IAS and HRA access errors appeared in the event log as before.

    Are there other access parameters I can check?

    Wednesday, January 24, 2007 5:18 PM