IPsec NAP Configuration

Question
I have set up and configured DC1, NPS1 and CLIENT1 systems using Windows Server 2003 Enterprise Edition, Windows Longhorn Beta 2 and Windows Vista Ultimate (released version) respectively, created the xxxxx.com domain and joined both NPS1 and CLIENT1 to the domain. I set up the CA on DC1 and the sub-CA on NPS1 and have successfully issued certificates from both CAs, including certificates that use both the Subordinate Certificate Authority and the System Health Authentication templates.
As this is in a lab, CLIENT1 requires a proxy to connect with the Internet with the proxy server bypassed for local addresses. I have verified that CLIENT1 has http access to NPS1 by creating a simple web page in c:\windows\system32\hcs and accessing it using IE from CLIENT1.
The first problem that I see is that on CLIENT1, in the MMC Certificates (Local Computer)->Personal->Certificates, no health certificates issued by the sub-CA on NPS1 are created. However, I can manually execute the Request New Certificate… command and create both a Computer and a System Health Authentication certificate issued by the Root CA. In the Request Certificates Details->Properties->Certificate Authorities window, only the Root CA is available as a CA, not the sub-CA, even if I check Show all CAs in the forest.
The second problem that I see is that the firewall remediation example in the document fails to work, even after I temporarily disable both the IPsec Secure Policy and the Boundary Policy on NPS1.
I have included the relevant netsh output from NPS1 and CLIENT1 as nps1.config and client1.config.
Any suggestions?
CLIENT1 Configuration
COMMAND: netsh nap client show configuration
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled
Name = Remote Access Quarantine Enforcement Client
ID = 79618
Admin = Disabled
Name = IPSec Relying Party
ID = 79619
Admin = Disabled
Name = TS Gateway Quarantine Enforcement Client
ID = 79621
Admin = Disabled
Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled
Client tracing:
----------------------------------------------------
State = Enabled
Level = Verbose
Trusted server group configuration:
----------------------------------------------------
Group = Trusted HRA Servers
Require Https = Disabled
URL = http://NPS1/domainhra/hcsrvext.dll
Processing order = 1
User interface settings:
----------------------------------------------------
Title = NAP Test Text
Description =
Image =
Ok.
COMMAND: netsh advfirewall show domainprofile
Domain Profile Settings:
----------------------------------------------------------------------
State ON
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Enable
RemoteManagement Disable
UnicastResponseToMulticast Enable
Logging:
LogAllowedConnections Disable
LogDroppedConnections Disable
FileName C:\Windows\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize 4096
Ok.
COMMAND: netsh interface ipv4 show config
Configuration for interface "Local Area Connection"
DHCP enabled: No
IP Address: 10.7.0.102
Subnet Prefix: 10.7.0.0/24 (mask 255.255.255.0)
Default Gateway: 10.7.0.4
Gateway Metric: 256
InterfaceMetric: 10
Statically Configured DNS Servers: 10.7.0.100
Register with which suffix: Both primary and connection-specific
Statically Configured WINS Servers: None
Configuration for interface "Loopback Pseudo-Interface 1"
DHCP enabled: No
IP Address: 127.0.0.1
Subnet Prefix: 127.0.0.0/8 (mask 255.0.0.0)
InterfaceMetric: 50
Statically Configured DNS Servers: None
Register with which suffix: Primary only
Statically Configured WINS Servers: None
NPS1 Configuration
COMMAND: netsh nps show config
Connection request policy configuration:
---------------------------------------------------------
Name = Use Windows authentication for all users
State = Enabled
Processing order = 1
Policy source = 0
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1006 "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"
Profile attributes:
Name Id Value
---------------------------------------------------------
Auth-Provider-Type 0x1025 "0x1"
Event log configuration:
---------------------------------------------------------
Accepted authentication requests = Enabled
Rejected authentication requests = Enabled
File log configuration:
---------------------------------------------------------
Accounting = Enabled
Authentication = Enabled
Periodic status = Enabled
Directory = C:\Windows\system32\LogFiles
Format = IAS formatting
Delete old logs = Enabled
Frequency = Daily logs
Max size = 10 MB
Ports configuration:
---------------------------------------------------------
Accounting ports = 1813,1646
Authentication ports = 1812,1645
Remote access policy configuration:
---------------------------------------------------------
Name = Connections to other access servers
State = Enabled
Processing order = 4
Policy source = 0
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1006 "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"
Profile attributes:
Name Id Value
---------------------------------------------------------
NP-Allow-Dial-in 0x100f "FALSE"
NP-Authentication-Type 0x1009 "0x3" "0x4" "0x9" "0xa"
Quarantine-Update-Non-Compliant 0x1fc8 "TRUE"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"
Remote access policy configuration:
---------------------------------------------------------
Name = Connections to Microsoft Routing and Remote Access server
State = Enabled
Processing order = 3
Policy source = 0
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1033 "^311$"
Profile attributes:
Name Id Value
---------------------------------------------------------
NP-Allow-Dial-in 0x100f "FALSE"
NP-Allowed-EAP-Type 0x100a "0D000000000000000000000000000000"
NP-Authentication-Type 0x1009 "0x5" "0x4" "0xa" "0x3" "0x9"
Quarantine-Update-Non-Compliant 0x1fc8 "TRUE"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"
MS-Filter 0x102f
===============================================================
IPFILTER_IPV4INFILTER Action: DENY
Action Address Mask Protocol Src Port Dst Port
---------------------------------------------------------------
0.0.0.0 0.0.0.0 0 0 0
---------------------------------------------------------------
MS-MPPE-Encryption-Policy 0xffffffa7 "0x2"
MS-MPPE-Encryption-Types 0xffffffa6 "0xe"
Remote access policy configuration:
---------------------------------------------------------
Name = Compliant-Full-Access
State = Enabled
Processing order = 2
Policy source = 0
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1fbd "Compliant"
Profile attributes:
Name Id Value
---------------------------------------------------------
NP-Allow-Dial-in 0x100f "TRUE"
NP-Authentication-Type 0x1009 "0x7"
MS-Quarantine-State 0x1faf "0x0"
Quarantine-Update-Non-Compliant 0x1fc8 "FALSE"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"
Remote access policy configuration:
---------------------------------------------------------
Name = noncompliant-Restricted
State = Enabled
Processing order = 1
Policy source = 0
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1fbd "Noncompliant"
Profile attributes:
Name Id Value
---------------------------------------------------------
NP-Allow-Dial-in 0x100f "TRUE"
NP-Authentication-Type 0x1009 "0x7"
MS-Quarantine-State 0x1faf "0x1"
Quarantine-Update-Non-Compliant 0x1fc8 "TRUE"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"
Server registration:
---------------------------------------------------------
Status = Un-registered
SHV configuration:
---------------------------------------------------------
Id = 79744
Name = Windows Security Health Validator
Vendor = Microsoft Corporation
Description = The Windows Security Health Validator defines the policy that client computers must be compliant with.
Version = 1.0
Policy server unreachable = Noncompliant
Remediation server unreachable = Noncompliant
System Health Agent failure = Noncompliant
NAP server failure = Noncompliant
Other errors = Noncompliant
SHV template configuration:
---------------------------------------------------------
Name = Compliant
Configuration = All must pass
Id = 79744
SHV template configuration:
---------------------------------------------------------
Name = Noncompliant
Configuration = One or more must fail
Id = 79744
SQL log configuration:
---------------------------------------------------------
Connection =
Description =
Accounting = Enabled
Authentication = Enabled
Periodic status = Enabled
Max sessions = 2
Ok.
COMMAND: netsh nps show napserverinfo
NAP server information:
---------------------------------------------------------
Name = Network Access Protection Server
Description = Microsoft Network Access Protection Server
Version = 1.0
Ok.
COMMAND: netsh nps show shv
SHV configuration:
---------------------------------------------------------
Id = 79744
Name = Windows Security Health Validator
Vendor = Microsoft Corporation
Description = The Windows Security Health Validator defines the policy that client computers must be compliant with.
Version = 1.0
Policy server unreachable = Noncompliant
Remediation server unreachable = Noncompliant
System Health Agent failure = Noncompliant
NAP server failure = Noncompliant
Other errors = Noncompliant
Ok.
COMMAND: netsh nps show shvtemplate
SHV template configuration:
---------------------------------------------------------
Name = Compliant
Configuration = All must pass
Id = 79744
SHV template configuration:
---------------------------------------------------------
Name = Noncompliant
Configuration = One or more must fail
Id = 79744
Ok.
COMMAND: netsh nps show registeredserver
Server registration:
---------------------------------------------------------
Status = Un-registered
Ok.
COMMAND: netsh nap hra show configuration
Health Registration Authority (HRA) configuration:
----------------------------------------------------
Certification Authority (CA) servers:
Name Processing order
----------------------------------------------------
\\NPS1\xxxxx-NPS1-SubCA 1
Timeout configuration:
----------------------------------------------------
Blackout time = 5 (minutes)
No response timeout = 20 (seconds)
Ok.
COMMAND: netsh interface ipv4 show config
Configuration for interface "Local Area Connection 5"
DHCP enabled: No
IP Address: 10.7.0.101
Subnet Prefix: 10.7.0.0/24 (mask 255.255.255.0)
Default Gateway: 172.20.10.9
Gateway Metric: 256
Default Gateway: 172.20.10.114
Gateway Metric: 256
Default Gateway: 10.7.0.4
Gateway Metric: 256
InterfaceMetric: 10
Statically Configured DNS Servers: 10.7.0.100
Register with which suffix: Both primary and connection-specific
Statically Configured WINS Servers: None
Configuration for interface "Loopback Pseudo-Interface 1"
DHCP enabled: No
IP Address: 127.0.0.1
Subnet Prefix: 127.0.0.0/8 (mask 255.0.0.0)
InterfaceMetric: 50
Statically Configured DNS Servers: None
Register with which suffix: None
Statically Configured WINS Servers: None
Monday, January 22, 2007 9:32 PM
Answers
It looks like you are not matching the health policies in your Network Policies set - you are repeatedly matching the policy called "Connections to other access servers"
You might double-check that your policies are in the correct order of evaluation, etc.
-Chris
Chris.Edson@online.microsoft.com *
Software Development Engineer in Test
* Remove the "online" to make the address valid.
** This posting is provided "AS IS" with no warranties, and confers no rights.
Wednesday, January 24, 2007 11:58 PM
Hi,
Chris is referring to something in your posted configuration (see below).
Remote access policy configuration:
---------------------------------------------------------
Name = Connections to Microsoft Routing and Remote Access server
State = Enabled
Processing order = 3
Policy source = 0
I see that the processing order is set to 3, but Chris is asking that you check this. If it is indeed third in your processing order, then it looks like the client is not matching the compliant or noncompliant policy conditions, which are exclusively health state conditions. I would check that the client is sending statements of health by checking event viewer on CLIENT1. Review events by navigating to Application And Services Logs/Microsoft/Windows/Network Access Protection/Operational. You should see events here with a source of Network Access Protection and also SystemHealthAgent.
The Network Access Protection events should begin with a Statement of Health being received from the System Health Agent. Next, the Statement of Health is sent to the enforcement client. Third, the Network Access Protection Agent will either succeed or fail to acquire a certificate. If it fails, there is an associated error code that can be useful in diagnosing the problem. Please provide this, and describe any other pertinent events you are seeing on the client. Based on the fact that you do not appear to be matching client health states, I would guess that either 1) your client is not sending a statement of health, 2) NPS is not receiving the statement of health, or 3) your SHV is specifying health conditions the client does not match.
When troubleshooting this sort of thing, I monitor event viewer on both the client and the server after restarting NAP Agent on the client. A successful policy match on NPS will result in a warning event if the client is quarantined, or an information event if the client is compliant and granted full access. The information event will detail the client's health state.
-Greg
P.S. In answer to your question on item #6, I was referring to instructions on page 21 of the step by step guide that describe how "to configure the Health Registration Authority with a health certificate."
Thursday, January 25, 2007 2:36 AM
All replies
Hi,
From the configuration you posted, it appears the IPsec enforcement client (IPSec Relying Party) is not enabled. Right-click it and click enable. You should also verify that NAP Agent and Security Center are running on the client. Let me know if this fixes the problem.
Greg Lindsay
Tuesday, January 23, 2007 7:36 AM
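The misconfiguration Greg spotted in the posted dump can be checked mechanically. The following is an added Python example (not code from the thread) that parses a saved netsh nap client show configuration dump and flags a disabled IPsec enforcement client or a trusted HRA group that does not require HTTPS; the section titles and field names are taken from the CLIENT1 output above, and the embedded sample is a trimmed copy of that output.

```python
"""Flag the two client-side settings this thread turns on in a saved
'netsh nap client show configuration' dump: no enabled enforcement client
(so NAP Agent never asks the HRA for a health certificate) and a trusted HRA
group that does not require HTTPS.  Added example, not code from the posts;
section titles and field names are those of the netsh output quoted above."""

IPSEC_EC = "IPSec Relying Party"   # enforcement client name as netsh prints it


def parse_netsh_sections(text):
    """Split netsh output into {section title: [record, ...]}.

    A section starts at a line ending in ':'; dashed rules and 'Ok.' are
    skipped.  Within a section, every 'Name =' or 'Group =' line opens a new
    record, so repeated blocks (one per enforcement client) stay separate."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or line == "Ok.":
            continue
        if line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        records = sections[current]
        if key in ("Name", "Group") or not records:
            records.append({})
        records[-1][key] = value
    return sections


def enabled_enforcement_clients(sections):
    """Names of the enforcement clients whose Admin state is Enabled."""
    return [r["Name"] for r in sections.get("Enforcement clients", [])
            if r.get("Admin", "").lower() == "enabled"]


def nap_client_findings(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    s = parse_netsh_sections(text)
    findings = []
    enabled = enabled_enforcement_clients(s)
    if not enabled:
        findings.append("no enforcement client is enabled; NAP Agent will not "
                        "request a health certificate")
    elif IPSEC_EC not in enabled:
        findings.append(f"{IPSEC_EC} is disabled; IPsec enforcement cannot work")
    for g in s.get("Trusted server group configuration", []):
        if g.get("Require Https", "").lower() != "enabled":
            findings.append(f'trusted HRA group {g.get("Group")!r} uses '
                            f'{g.get("URL")} without HTTPS')
    return findings


# Trimmed copy of the CLIENT1 dump posted in the thread (two of the five clients).
SAMPLE_CLIENT1 = """\
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled
Name = IPSec Relying Party
ID = 79619
Admin = Disabled
Trusted server group configuration:
----------------------------------------------------
Group = Trusted HRA Servers
Require Https = Disabled
URL = http://NPS1/domainhra/hcsrvext.dll
Processing order = 1
Ok.
"""

# Same dump after enabling the IPsec enforcement client and requiring HTTPS.
SAMPLE_FIXED = (SAMPLE_CLIENT1
                .replace("ID = 79619\nAdmin = Disabled", "ID = 79619\nAdmin = Enabled")
                .replace("Require Https = Disabled", "Require Https = Enabled"))

if __name__ == "__main__":
    for label, dump in (("as posted", SAMPLE_CLIENT1), ("fixed", SAMPLE_FIXED)):
        print(label, nap_client_findings(dump) or ["ok"])
```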
On CLIENT1, I used MMC->NAP Client Configuration (Local Computer) and enabled the IPSec Relying Party enforcement client and restarted the system. I verified that the Network Access Protection Agent and the Security Center services were started. The Security Center has an Automatic (Delayed Start) configuration. A health certificate was not issued.
The CLIENT1 Security Center reports that the Firewall is Off with a red background on the summary window. Clicking on Windows Firewall for details, the description is Windows Firewall is not using the recommended settings with a red background, but on the next line it says that the Windows Firewall is on. The firewall Change Settings window says For your security, some settings are controlled by Group Policy. The on button is selected but both the on and off buttons are disabled. Previously, I temporarily disabled the IPsec Secure and Boundary Policy on NPS1 to allow changes to the firewall setting, but this had no effect on the health status of CLIENT1.
I am concerned that MMC->Certificates(Local Computer)->Personal->Certificates Request New Certificate on CLIENT1 cannot see the sub-CA on NPS1 to issue the health certificate even though it can see the root CA and the System Health Authentication certificate template.
Thanks.
Tuesday, January 23, 2007 5:04 PM
What does the NPS server logs / accounting logs say? Which policy is it matching (or not matching)?
Jeff Sigman
NAP Release Manager
Jeff.Sigman@online.microsoft.com *
http://blogs.technet.com/nap
* Remove the "online" to actually email me.
** This posting is provided "AS IS" with no warranties, and confers no rights.
Tuesday, January 23, 2007 6:20 PM
The \windows\system32\logfiles\in070123.log file is:
10.7.0.101,,01/23/2007,08:21:49,RAS,NPS1,8132,5,44,0xC5F2C24EB44C5341A04DCF169CA6BA6950A419940A3FC701,6,12,8108,1,61,15,8138,XXXXXNAP\CLIENT1$,32,NPS1.xxxxxnap.com,4,10.7.0.101,4155,1,4154,Use Windows authentication for all users,25,311 1 254.128.0.0 05/05/1829 23:54:06 17904229656286986241,4127,7,4149,Connections to other access servers,4136,1,4142,0
10.7.0.101,,01/23/2007,08:21:49,RAS,NPS1,25,311 1 254.128.0.0 05/05/1829 23:54:06 17904229656286986241,44,0xC5F2C24EB44C5341A04DCF169CA6BA6950A419940A3FC701,4149,Connections to other access servers,4127,7,4154,Use Windows authentication for all users,4155,1,4136,3,4142,65
10.7.0.101,,01/23/2007,08:32:38,RAS,NPS1,8132,5,44,0x50AA3E7EE2C5174BB0866430C79C0932EE089E170C3FC701,6,12,8108,1,61,15,8138,XXXXXNAP\CLIENT1$,32,NPS1.xxxxxnap.com,4,10.7.0.101,4155,1,4154,Use Windows authentication for all users,25,311 1 254.128.0.0 01/01/1601 00:05:09 2041965127695073282,4127,7,4149,Connections to other access servers,4136,1,4142,0
10.7.0.101,,01/23/2007,08:32:38,RAS,NPS1,25,311 1 254.128.0.0 01/01/1601 00:05:09 2041965127695073282,44,0x50AA3E7EE2C5174BB0866430C79C0932EE089E170C3FC701,4149,Connections to other access servers,4127,7,4154,Use Windows authentication for all users,4155,1,4136,3,4142,65
10.7.0.101,,01/23/2007,08:32:41,RAS,NPS1,8132,5,44,0x50AA3E7EE2C5174BB0866430C79C0932EE089E170C3FC701,6,12,8108,1,61,15,8138,XXXXXNAP\CLIENT1$,32,NPS1.xxxxxnap.com,4,10.7.0.101,4155,1,4154,Use Windows authentication for all users,25,311 1 254.128.0.0 01/01/1601 00:05:09 2041965127695073283,4127,7,4149,Connections to other access servers,4136,1,4142,0
10.7.0.101,,01/23/2007,08:32:41,RAS,NPS1,25,311 1 254.128.0.0 01/01/1601 00:05:09 2041965127695073283,44,0x50AA3E7EE2C5174BB0866430C79C0932EE089E170C3FC701,4149,Connections to other access servers,4127,7,4154,Use Windows authentication for all users,4155,1,4136,3,4142,65
10.7.0.101,,01/23/2007,12:34:35,RAS,NPS1,8132,5,44,0x50AA3E7EE2C5174BB0866430C79C09329314A2E42D3FC701,6,12,8108,1,61,15,8138,XXXXXNAP\CLIENT1$,32,NPS1.xxxxxnap.com,4,10.7.0.101,4155,1,4154,Use Windows authentication for all users,25,311 1 254.128.0.0 09/22/4715 00:50:02 2279589905652776964,4127,7,4149,Connections to other access servers,4136,1,4142,0
10.7.0.101,,01/23/2007,12:34:35,RAS,NPS1,25,311 1 254.128.0.0 09/22/4715 00:50:02 2279589905652776964,44,0x50AA3E7EE2C5174BB0866430C79C09329314A2E42D3FC701,4149,Connections to other access servers,4127,7,4154,Use Windows authentication for all users,4155,1,4136,3,4142,65
I can't tell which policies are being used from this output.
Tuesday, January 23, 2007 10:01 PM
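The policy that each record in the posted log matched can be read out of the attribute pairs. Here is an added Python parser for IAS-format records (example code, not from the thread); the attribute ids 4136 (packet type), 4142 (reason code), 4149 (network policy name) and 4154 (connection request policy name) are assumed from the IAS log format, and the sample records are the first two lines of the log posted above.

```python
"""Summarise which NPS policy each record in an IAS-format log matched.

Added example for this thread (not code from the original posts).  Each
IAS-format record is comma separated: six fixed header fields (NAS IP, user,
date, time, service, server), then attribute-id/value pairs.  The attribute
ids below are the standard IAS logging ids as I know them; only 4136, 4142,
4149 and 4154 are needed to see which policy fired and why.
"""

HEADER_FIELDS = ("nas_ip", "user", "date", "time", "service", "server")

# IAS logging attribute ids (assumed from the IAS log format documentation).
PACKET_TYPE = "4136"   # 1 Access-Request, 2 Access-Accept, 3 Access-Reject, 4 Accounting-Request
REASON_CODE = "4142"   # 0 = success; 65 = dial-in permission denied (the IAS warning in the thread)
POLICY_NAME = "4149"   # network (remote access) policy that matched
PROXY_POLICY = "4154"  # connection request policy that matched

PACKET_NAMES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}


def parse_ias_line(line):
    """Return the header fields plus an 'attrs' dict of attribute id -> value.

    IAS format never quotes values, so a plain split is safe even though
    values such as the Class attribute (25) contain spaces."""
    fields = line.rstrip("\r\n").split(",")
    rec = dict(zip(HEADER_FIELDS, fields[:6]))
    pairs = fields[6:]
    attrs = {}
    # Walk id,value pairs; a dangling id with no value (an odd tail) is dropped.
    for i in range(0, len(pairs) - 1, 2):
        attrs.setdefault(pairs[i], pairs[i + 1])
    rec["attrs"] = attrs
    return rec


def summarise(rec):
    """Pick out the fields an administrator needs to see which policy matched."""
    a = rec["attrs"]
    return {
        "when": f'{rec["date"]} {rec["time"]}',
        "packet": PACKET_NAMES.get(a.get(PACKET_TYPE), "unknown"),
        "crp": a.get(PROXY_POLICY),
        "policy": a.get(POLICY_NAME),
        "reason": int(a.get(REASON_CODE, "0")),
    }


def policy_report(log_text):
    """Count (policy, packet type, reason code) across every record in the log."""
    counts = {}
    for line in log_text.strip().splitlines():
        s = summarise(parse_ias_line(line))
        key = (s["policy"], s["packet"], s["reason"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# The first request/reject pair copied from the in070123.log the poster attached.
SAMPLE_LOG = r"""
10.7.0.101,,01/23/2007,08:21:49,RAS,NPS1,8132,5,44,0xC5F2C24EB44C5341A04DCF169CA6BA6950A419940A3FC701,6,12,8108,1,61,15,8138,XXXXXNAP\CLIENT1$,32,NPS1.xxxxxnap.com,4,10.7.0.101,4155,1,4154,Use Windows authentication for all users,25,311 1 254.128.0.0 05/05/1829 23:54:06 17904229656286986241,4127,7,4149,Connections to other access servers,4136,1,4142,0
10.7.0.101,,01/23/2007,08:21:49,RAS,NPS1,25,311 1 254.128.0.0 05/05/1829 23:54:06 17904229656286986241,44,0xC5F2C24EB44C5341A04DCF169CA6BA6950A419940A3FC701,4149,Connections to other access servers,4127,7,4154,Use Windows authentication for all users,4155,1,4136,3,4142,65
"""

if __name__ == "__main__":
    for (policy, packet, reason), n in sorted(policy_report(SAMPLE_LOG).items()):
        print(f"{n:2d} x {packet:<16} policy={policy!r} reason={reason}")
```

Run over the whole posted log, every reject carries policy "Connections to other access servers" and reason 65, which is the pattern Chris points to in the accepted answer.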
I think Jeff is referring to events in the event viewer. When NPS processes a connection request, there will be an event that tells you which connection request policy and which network policy was matched, and the action taken. These events are very useful for troubleshooting.
Wednesday, January 24, 2007 12:02 AM
In the NPS1 System event log, there are two HRA errors and one IAS warning on system restart. The first message is the IAS warning: EventId=2, Reason-Code=65, Reason=...remote access permission to the user account was denied... . The first HRA error is: ErrorId=26, ...The HRA was unable to validate the request... . The last HRA error is: ErrorID=3, ...The HRA encountered an error... . In response, I added the RAS and IAS Servers group to User1 and restarted the CLIENT1 system. This did not resolve the problem. A permissions error would explain many of the symptoms.
Wednesday, January 24, 2007 2:13 AM
You shouldn't have to take any actions to set permissions that are not already described in the step by step guide.
Assuming you have disabled IPsec policies for the time being, some permission related things to check are:
- Ensure the user1 account is a member of the domain admins group
- Verify you are logged in to both NPS1 and CLIENT1 with the user1 account
- Ensure NPS1 has permissions to "Request Certificates" and "Issue and Manage Certificates"
- Verify certificate issuance requirements and policy module are set to enable auto-enrollment
- Certificate application policy extensions object identifier is set to 1.3.6.1.4.1.311.47.1.1
- HRA (NPS1) is enrolled with a System Health Authentication certificate
- Compliant and Noncompliant network policies (authorization policies) are set to "Allow clients to connect without negotiating an authentication method"
- CLIENT1 has listed http://NPS1/domainhra/hcsrvext.dll under Trusted HRA Servers.
If you have other policies above your compliant and noncompliant policies in the processing order, it is also a good idea to disable these, or at least move them below the NAP policies in processing order. However, if a connection attempt is matching one of these policies you should see it in the event viewer on NPS1, so I don't think this is your problem.
An easy method to use for testing changes you make is to open the services snap-in on CLIENT1 and restart NAP Agent. This should cause the client to request a new health certificate.
-Greg
Wednesday, January 24, 2007 4:31 AM
1. User1 is in the domain admins group in AD on DC1.
2. Both NPS1 and CLIENT1 are logged in using User1.
3. On NPS1, MMC->Certificate Authority (Local)->Properties->Security has NPS1$(XXXXXNAP\NPS1$) with both Issue and Manage Certificates and Request Certificates Allowed.
4. On DC1, Administrative Tools->xxxxxnap.com->Properties->Default Domain Policy->Edit and Default Domain Policy [dc1.xxxxxnap.com] Policy->Computer Configuration->Windows Settings->Security Settings->Public Key Policies->Autoenrollment Settings General tab has Enroll certificates automatically selected with both Renew expired certificates, update pending certificates and remove revoked certificates and Update certificates that use certificate templates checked.
5. On DC1, MMC->Certificate Templates->System Health Authentication->Extensions->Application Policies->Edit->System Health Authentication->Edit has the OID 1.3.6.1.4.1.311.47.1.1.
6. On NPS1, MMC->Certificates (Local Computer)->Personal->Certificates has both a certificate issued using the Subordinate Certification Authority certificate template and the System Health Authentication template. Is this what you meant by HRA enrollment?
7. On NPS1, MMC->NPS (Local)->[Compliant-Full-Access and noncompliant-Restricted]->Settings->Constraints->Authentication Method has only Allow clients to connect without negotiating an authentication method checked.
8. On CLIENT1, MMC->NAP Client Configuration (Local Computer)->Health Registration Settings->Trusted Server Groups->Trusted HRA Servers has one Available URL of http://NPS1/domainhra/hcsrvext.dll. I have verified the http connection from CLIENT1 and NPS1 using a simple index.htm file in c:\windows\system32\hcs on NPS1.
There are no other policies on NPS1. After the Network Access Protection Agent was restarted on CLIENT1, no additional certificates appeared in the MMC->Certificates(Local Computer)->Personal->Certificates window. The same IAS and HRA access errors appeared in the event log as before.
Are there other access parameters I can check?
Wednesday, January 24, 2007 5:18 PM