Having Problem With Network policy

  • Question

  • I am having a problem with the connection request policies. There I can set the condition for them to check the user name, identity type, etc.

    However, I can set the policy to allow some users to log in, but I am making another policy whereby a client without the firewall on cannot access, and it does not work. Need help please.

    Wednesday, 23 April 2008 08:29

Answers

  • Hi,

     

    When the VPN connection fails, it *usually* means that your authentication settings on the client do not match those on the server. Check the connection request policy PEAP settings as Louis has described, and also verify that your client has all the correct PEAP settings as described in the step by step guide.

     

    You can double-check why the connection is failing by looking at the event logs. You probably are generating an event that will tell you something is wrong with authentication settings.

     

    FYI - even if the client is noncompliant, the VPN connection should still succeed. Having the firewall on or off will not affect your ability to authenticate. If the client is noncompliant, it will connect and you'll get a notification that you don't meet requirements.

     

    -Greg

    Saturday, 26 April 2008 01:42
    Owner
  •  

    I just wanted to clarify one thing, because I see this issue a lot supporting NPS and IAS. In order to use an EAP method on NPS or IAS you will have to have that certificate; if you uncheck "validate server certificate" on the client, this means you will not verify the trusted root authority for the server certificate. So you will have to resolve your issue with the certificate before using EAP. You can still use the same certificate that you had before if it is in the Local Computer store.

     

    The best way to test and see if you have a valid certificate on the NPS server is to do the following.

     

    1. Open your Connection Request Policy

    2. Click on Settings

    3. Click on Authentication Methods

    4. Check "Override network policy authentication settings"

    5. Click Add under EAP Types:

    6. Highlight Microsoft: Protected EAP (PEAP) and click OK

    7. Then highlight PEAP and click Edit

    8. You should get a Configure Protected EAP Properties popup

    9. This is where you will see the certificate issued

     

    If you do not get the Configure Protected EAP Properties dialog, you do not have a valid certificate and you will have to resolve the issue that Greg talked about above.

     

    Hope this helps,

     

    Louis Hardy

    Wednesday, 30 April 2008 17:07
  • Hi,

     

    Check the server event log. There should be an RRAS event on the server that tells you what is wrong. It is most likely caused by incorrect authentication settings on the client or the server. This error can also happen if you enter the wrong username and password.

     

    -Greg

    Friday, 2 May 2008 14:29
    Owner
  • Hi,

     

    You can configure everything with Virtual PC. You just need to configure your network settings correctly and it will work.

     

    Click Help on the menu and search for help on network adapters. I've set up this VPN lab several times on virtual machines.

     

    The virtual machine uses a virtual network, and when you ping it will reply the same as a real network adapter. For the VPN server, you will need to have two network adapters, one connected to the 192 network and another to the 131 network.

     

    I'm a little confused though, I thought you had this almost working before. You must have set the networks up previously.

     

    -Greg

    Monday, 5 May 2008 14:50
    Owner
  • Hi,

     

    Please check the processing order of your connection request policies. When you configure VPN-only and then follow this up with a NAP configuration, the NAP policies you create will be placed AFTER the VPN policies.

     

    When the client connects, it will use the first policy where the conditions match and ignore anything afterward. If your client matches the conditions of the VPN policy, then your NAP policies are being ignored. I am guessing that the authentication settings in your VPN policy are different and aren't compatible with what is currently configured on the client.

     

    If this isn't the problem, please post the output of "netsh nps show config"

     

    Thanks,

    -Greg

    Thursday, 8 May 2008 06:39
    Owner
  • Hi,

     

    If the client cannot connect when the server requires PEAP, then your client settings are not correct. If you would like to try and tell me more about what you are doing in email, send mail to:

     

    greg.lindsay@online.microsoft.com <-- remove the "online" from this email address. The "online" is added to avoid scanning by spam bots.

     

    In email I can send you screen shots of what the setup should look like.

     

    -Greg

    Friday, 9 May 2008 15:16
    Owner

All messages

  • Hi,

     

    What network access method aka NAP enforcement method are you using? Connection request policy and network policy are configured differently for IPsec, 802.1X, VPN, or DHCP.

     

    In general, connection request policy is where you set up authentication (who is the user?) and network policy is where you configure authorization (what resources can this user access?).

     

    It sounds like you might be setting up NAP policies to enforce the firewall setting with the Windows System Health Validator. Are you using the NAP configuration wizard and the step by step guides to help configure this?

     

    -Greg

    Wednesday, 23 April 2008 16:22
    Owner
  • I am using the VPN connection, and yes, I follow the step-by-step guides, but some of the guides I never followed.

     

    So you mean the connection request policy is the so-called (identify the user), while the network policy is to (show what files the user can access)?

     

    Then if I want to set the policy to validate the client firewall (if it is on or not), where do I set it and how?

    Can you tell me in detail, because I am a novice? Thanks.

     

    Thursday, 24 April 2008 04:24
  • Hello,

     

    The detailed information that you are looking for is in the document below. I would go through the steps in this document, which has the detailed information that you are looking for. The guide uses the NAP wizard, which will create the policies for you.

     

    Step-by-Step Guide: Demonstrate NAP VPN Enforcement in a Test Lab

     

    http://www.microsoft.com/downloads/details.aspx?FamilyID=729bba00-55ad-4199-b441-378cc3d900a7&displaylang=en

     

    Network Policies. Network policies use conditions, settings, and constraints to determine who can connect to the network. There must be a network policy that will be applied to computers that are compliant with the health requirements, and a network policy that will be applied to computers that are noncompliant. For this test lab, compliant client computers will be allowed unrestricted network access. Clients determined to be noncompliant with health requirements will have their access restricted through the use of IP packet filters. Noncompliant clients will also be optionally updated to a compliant state and subsequently granted unrestricted network access.  

     

    Connection Request Policies. Connection request policies are conditions and settings that validate requests for network access and govern where this validation is performed. In this test lab, a connection request policy is used that requires the client computer to perform protected EAP (PEAP) authentication before being granted access to the network.

     

    An example of what you are looking for, and more, is in the guide:

     

    Configure system health validators

    System health validators (SHVs) define configuration requirements for computers that attempt to connect to your network. For the test lab, WSHV will be configured to require only that Windows Firewall is enabled.

    To configure system health validators

    1.   In the Network Policy Server console tree, open Network Access Protection, and then click System Health Validators.

    2.   In the details pane, under Name, double-click Windows Security Health Validator.

    3.   In the Windows Security Health Validator Properties dialog box, click Configure.

    4.   Clear all check boxes except A firewall is enabled for all network connections. See the following example.

    5.   Click OK to close the Windows Security Health Validator dialog box, and then click OK to close the Windows Security Health Validator Properties dialog box.

    6.   Leave the Network Policy Server console open for the following procedure.

     

    I hope this helps,

     

    Louis Hardy

    Friday, 25 April 2008 05:40
  • I have configured the WSHV to check the firewall of the client (to see if it is on). For the health policies I created two policies: the first, "pass", checks for clients which pass all the checks, and the second, "fail", for clients who fail all the checks. Then over at the network policies I created two policies again: the first, "clean client", which has the condition of health policy and uses the "pass" policy, and the second, "dirty client", which also has the condition of health policy but uses the "fail" policy.

     

    I set the "clean client" policy to grant connection and "dirty client" to deny connection; however, my client still can't connect to the VPN server whether I turn the firewall on or off.

     

    Does it have to do with the remediation server?

     

     

    I have set another network policy whose condition is day and time restrictions, and I set it to be able to access any time,

    and my client is able to access the VPN server using this connection.

     

    I have one more question: when my client connects to the server or fails to connect, there isn't any notification for me

    (I think that my Windows Security Health Agent is not working or something).

    Friday, 25 April 2008 08:44
  • OK, first let's take a look at your connection request policy:

     

     Remote Access Server

    Condition should equal Day and Time Always

    Settings

    Authenticator Provider - Local Computer

    EAP Method - I am using Peap (But you have to use an EAP method)

    Override Authentication - Enabled

     

    You should have at least two network policies, and both of them should be set to grant access.

    VPN Client Compliant, that is your clean client:

    Grant Access

    Condition is your health policy that passes all

    NAP Enforcement is Full Access

     

    VPN Client Non-compliant, that is your dirty client:

    Grant Access

    Condition is your health policy that fails one or more

    NAP enforcement can be a probation period or limited access

    To restrict the access, use your IP filters

     

    Hope this helps or gets you closer,

     

    Louis Hardy

    Friday, 25 April 2008 13:20
  •  

    Hi,

    I did what Louis had told me. I set the EAP and set my clean and dirty client; however, I still cannot connect through the health check policy, and from the event log they just say there is a policy which blocks the connection.

     

    I think I have to tell you my scenario:

    Basically I am using Virtual PC 2004 to configure the NAP, and instead of following the guide of using DC1, NPS1, VPN1 and Client1, I use DC1, VPN1 (which merges NPS1 and VPN1) and Client1.

     

     

    Is it the merging that is stopping the connection, or is it that I must follow the step-by-step guide closely?

     

    What I want is to have a client which never turned on a firewall and is trying to connect to our server, is blocked by our policy and has to go to the remediation server, and over there the client will turn on the firewall and will be granted full access into our DC1.

     

    Any suggestion what I should do?

    Should I reinstall everything and follow what the guide says and create 4 servers?

    Monday, 28 April 2008 03:50
  •  

    Hello,

     

    The scenario you have should work. What you need to do is check the event log to see what specific policy is blocking you from connecting. You may need to adjust the order of your policies. Also keep in mind that both your compliant and noncompliant policies should grant access. If you have Deny Access in your noncompliant policy it will do just that, and you will never see the NAP enforcement take place.

     

    If you could, cut and paste the text from your event log and post it in your next forum post.

     

    Hope this helps,

     

    Louis Hardy

    Monday, 28 April 2008 04:40
  • This is the error from my client:

     

    Verifying user name and password...

    Error 812: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the administrator of the RAS server and notify them of this error.

    These are the errors from my VPN (there are 3):

    Warning:

    CoId=: The user APATHETIC\Boss connected from 172.20.131.5 but failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile.

     

    Error:

    CoId={NA}: The following error occurred in the Point to Point Protocol module on port: VPN2-127, UserName: APATHETIC\Boss. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the administrator of the RAS server and notify them of this error.

     

    Information:

    Network policy denied access to a user.

    Monday, 28 April 2008 05:08
  • Hi,

     

    That's a humorous domain and username =)

     

    As I suspected, your problem is authentication settings, and I believe it is caused by having VPN1 and NPS1 on the same machine. You can configure it this way, but it will not match the step by step guide.

     

    Did you try to configure a RADIUS client? This isn't needed if VPN1 and NPS1 are on the same machine. I think it will actually give you an error if you try to configure the local machine as a RADIUS client, but I don't recall for sure. I will bring my VPN server up and check the authentication settings to see what I think you need to change.

     

    -Greg

    Monday, 28 April 2008 06:49
    Owner
  • Hi,

     

    OK, thanks a lot. This is my final year project, and I really hope to score high marks on this project, so I do hope you guys can help me.

     

    Thanks a lot.

    Monday, 28 April 2008 07:12
  • Hi,

     

    OK I added NPS locally to my VPN server and reconfigured it so that NPS authenticates and checks health of the client locally instead of forwarding to another server. I had forgotten that when you install NPS locally, it automatically ignores the VPN server authentication settings, so that isn't your problem.

     

    A couple things I had to do though:

     

    1. Make sure the NPS server has a computer certificate.

     

    The VPN service doesn't require a computer certificate, but when NPS is installed it does need this for PEAP. The check-box on your client's PEAP properties that says "validate server certificate" is looking for this certificate. Normally you can't even configure PEAP on NPS without getting the certificate first, but apparently when you install VPN it allows you to configure PEAP anyway. When I deleted this certificate and tried to connect with the client, I got the exact same error that you did above (RemoteAccess event 20255).

     

    2. Disable the default connection request policy. As Louis suggested, you might be having a problem with the order of policies. The connection won't work if it is matching the default "Microsoft Routing and Remote Access Service Policy" because there are no authentication methods configured on this policy. Make sure the first policy is "NAP VPN."

     

    -Greg

    Monday, 28 April 2008 07:30
    Owner
  •  

    Hi,

     

    But for my connection request policy I have deleted the "Microsoft Routing and Remote Access Service Policy" (the default policy) and created "NAP VPN" using the step-by-step guide, and this policy is the first in the processing order, but the same error still occurs.

     

     

    Monday, 28 April 2008 08:53
  • Hi,

     

    I am having a great problem; I just found out that I can't even connect to the client, even through the time and date restriction.

     

    I used to be able to connect to VPN1 by the policy with a naming condition, but now I can't; they give me these few errors:

     

    In the event log

    Warning:

    CoId=: The user APATHETIC\Boss connected from 172.20.131.5 but failed an authentication attempt due to the following reason: The connection could not be established because the authentication method used by your connection profile is not permitted for use by an access policy configured on the RAS/VPN server. Specifically, this could be due to configuration differences between the authentication met

     

    Warning:

    CoId={NA}: The account for user \APATHETIC\Boss connected on port VPN2-127 does not have Remote Access privilege. The line has been disconnected.

     

     

    Monday, 28 April 2008 09:07
  • Hi,

     

    Sorry guys, I found out that for the authentication method, if I add any EAP type to the connection request policy I can't connect by that policy.

     

    In summary, I can connect to my VPN1 through a naming condition policy but still cannot connect by a health check policy; the error was the same as before.

     

    Monday, 28 April 2008 09:26
  • Hi,

     

    Do you have a computer certificate installed on the VPN/NPS server? The procedure to do this is in the step by step guide under the configuring NPS section.

     

    If your NPS server doesn't have this certificate, you will fail PEAP authentication - unless you uncheck the "validate server certificate" checkbox on the client.

     

    If that isn't it, let's check your NPS configuration. Please post the output of "netsh nps show config"

     

    Thanks,

    -Greg

    Monday, 28 April 2008 09:53
    Owner
  •  

    Hi,

    My computer has the cert installed.

    The netsh output is this:

    Policy source    = 2

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:0
    0; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"
    Condition1                              0x1         "Boss"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Auth-Provider-Type                      0x1025      "0x1"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    Override-RAP-Auth                       0x1fb0      "TRUE"

    Event log configuration:
    ---------------------------------------------------------
    Accepted authentication requests = Enabled
    Rejected authentication requests = Enabled

    File log configuration:
    ---------------------------------------------------------
    Accounting                     = Enabled
    Authentication                 = Enabled
    Periodic accounting status     = Enabled
    Periodic authentication status = Enabled
    Directory                      = C:\Windows\system32\LogFiles
    Format                         = ODBC formatting
    Delete old logs                = Enabled
    Frequency                      = Weekly logs
    Max size                       = 10 MB

    Ports configuration:
    ---------------------------------------------------------
    Accounting ports     = 1813,1646
    Authentication ports = 1812,1645

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Connections to other access servers
    State            = Disabled
    Processing order = 2
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:0
    0; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x4" "0x9" "0xa"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    Saved-Machine-HealthCheck-Only          0x1fdc      "0x0"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Connections to Microsoft Routing and Remote Access server
    State            = Enabled
    Processing order = 1
    Policy source    = 2

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1033      "^311$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    MS-Extended-Quarantine-State            0x1fd9      "0x0"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Allowed-EAP-Type                     0x100a      "0D0000000000000000000000000
    00000"
    NP-Allowed-Port-Types                   0x1008      "0x5"
    NP-Authentication-Type                  0x1009      "0x5" "0x3" "0x9" "0x4" "0xa
    "
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    MS-Link-Utilization-Threshold           0xffffffaa  "0x32"
    MS-Link-Drop-Time-Limit                 0xffffffa9  "0x78"
    MS-Filter                               0x102f

            ===============================================================
            IPFILTER_IPV4INFILTER   Action: DENY
            ---------------------------------------------------------------
            Address . . . . . : 0.0.0.0
            Mask. . . . . . . : 0.0.0.0
            Protocol. . . . . : 0
            Source Port . . . : 0
            Destination Port. : 0
            ---------------------------------------------------------------

    MS-MPPE-Encryption-Policy               0xffffffa7  "0x2"
    MS-MPPE-Encryption-Types                0xffffffa6  "0xe"
    Saved-Machine-HealthCheck-Only          0x1fdc      "0x0"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = NAP VPN Compliant
    State            = Enabled
    Processing order = 3
    Policy source    = 2

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbd      "NAP VPN Compliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    MS-Extended-Quarantine-State            0x1fd9      "0x0"
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Allowed-EAP-Type                     0x100a      "1A0000000000000000000000000
    00000"
    NP-Authentication-Type                  0x1009      "0x5" "0x3" "0x9" "0x4" "0xa
    "
    Quarantine-Fixup-Servers-Configuration  0x1fc2      "Firewall activated"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    MS-Link-Utilization-Threshold           0xffffffaa  "0x32"
    MS-Link-Drop-Time-Limit                 0xffffffa9  "0x78"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = NAP VPN Noncompliant
    State            = Enabled
    Processing order = 4
    Policy source    = 2

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbd      "NAP VPN Noncompliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    MS-Extended-Quarantine-State            0x1fd9      "0x0"
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Allowed-EAP-Type                     0x100a      "1A0000000000000000000000000
    00000"
    NP-Authentication-Type                  0x1009      "0x5" "0x3" "0x9" "0x4"
    Quarantine-Fixup-Servers-Configuration  0x1fc2      "Firewall activated"
    MS-Quarantine-State                     0x1faf      "0x1"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    MS-Link-Utilization-Threshold           0xffffffaa  "0x32"
    MS-Link-Drop-Time-Limit                 0xffffffa9  "0x78"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = NAP VPN Non NAP-Capable
    State            = Disabled
    Processing order = 5
    Policy source    = 2

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbb      "^1$"
    Condition1                              0x3d        "^5$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    Quarantine-Fixup-Servers-Configuration  0x1fc2      "Firewall activated"
    MS-Quarantine-State                     0x1faf      "0x1"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Remediation server configuration:
    ---------------------------------------------------------
    Group   = Firewall activated
    Address = 169.254.0.20
    Name    = Firewall Activated

    Remote server configuration:
    ---------------------------------------------------------
    Group                        = Microsoft Routing and Remote Access Service Authe
    ntication Servers
    Address                      = 192.168.1.1
    Accounting port              = 1813
    Authentication port          = 1812
    Accounting shared secret     = secret
    Authentication shared secret = secret
    Require auth attrib          = No
    Priority                     = 1
    Weight                       = 30
    Timeout                      = 5 seconds
    Max dropped                  = 5
    Blackout                     = 30 seconds
    Notifications                = No

    Remote server configuration:
    ---------------------------------------------------------
    Group                        = Microsoft Routing and Remote Access Service Accou
    nting Servers
    Address                      = 192.168.1.1
    Accounting port              = 1813
    Authentication port          = 1812
    Accounting shared secret     = secret
    Authentication shared secret = secret
    Require auth attrib          = No
    Priority                     = 1
    Weight                       = 30
    Timeout                      = 5 seconds
    Max dropped                  = 5
    Blackout                     = 30 seconds
    Notifications                = No

    SHV configuration:
    ---------------------------------------------------------
    Id                             = 79744
    Name                           = Windows Security Health Validator

    Vendor                         = Microsoft Corporation

    Description                    = The Windows Security Health Validator defines t
    he policy that client computers must be compliant with.

    Version                        = 1.0

    Policy server unreachable      = Noncompliant
    Remediation server unreachable = Noncompliant
    System Health Agent failure    = Noncompliant
    NAP server failure             = Noncompliant
    Other errors                   = Noncompliant

    Health policy configuration:
    ---------------------------------------------------------
    Name          = NAP VPN Compliant
    Configuration = All must pass
    Id            = 79744

    Health policy configuration:
    ---------------------------------------------------------
    Name          = NAP VPN Noncompliant
    Configuration = One or more must fail
    Id            = 79744

    SQL log configuration:
    ---------------------------------------------------------
    Connection                     =
    Description                    =
    Accounting                     = Enabled
    Authentication                 = Enabled
    Periodic accounting status     = Enabled
    Periodic authentication status = Enabled
    Max sessions                   = 2

    Ok.


     

     

    Tuesday, 29 April 2008 01:35
  • Hi,

     

    1st Question

     

    If I don't have any policy in both the "connection request policy" and "network policy", and I set the user to allow access, but I still can't connect, why?

     

    I got 2 errors from my VPN event log.

    Error:

    The address of remote RADIUS server 192.168.1.1 in remote RADIUS server group Microsoft Routing and Remote Access Service Accounting Servers resolves to local address 192.168.1.1. The address will be ignored.

     

    Error:

    The address of remote RADIUS server 192.168.1.1 in remote RADIUS server group Microsoft Routing and Remote Access Service Authentication Servers resolves to local address 192.168.1.1. The address will be ignored.

     

    They prompt me to re-enter my username and password in the client.

     

    2nd Question

     

    I don't know if I am correct. I found out that if my client does not pass the "connection request policy" then they will prompt me to re-enter my username and password. If I pass the "connection request policy" but fail the "network policy" then they will show some error.

     

    Is that so?

     

     

     

     

    marți, 29 aprilie 2008 02:03
  •

    I think I see what is wrong with your connection request rule and the reason you are failing authentication and being prompted. If you look below, I got this from the configuration you posted.

    Auth-Provider-Type                      0x1025      "0x1"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    Override-RAP-Auth                       0x1fb0      "TRUE"

    This tells me that you do not have EAP configured on your connection request policy. Open your connection request policy and do the following.

    Open your connection request policy

    Then go to the Settings tab

    Click on Authentication Methods

    You should have the check box checked to override network policy authentication and, according to your settings above, you do. However, you don't have EAP configured; you have MS-CHAP v2 and MS-CHAP etc. configured. You need to configure your EAP method here to match your client configuration.

    Also, once you add the EAP type here, highlight it and click Edit; you should be able to see your certificate if it is configured correctly.

    Hope this gets you closer,

    Louis Hardy

    Tuesday, 29 April 2008 03:54
  •

    Also, under RADIUS Clients and Servers you created two Remote RADIUS Server Groups, both pointing to itself. You need to delete both of them.

    Also, I just configured my VPN server to also be the NPS server and it does work.

    Hope this helps,

    Louis Hardy

    Tuesday, 29 April 2008 04:16
  • Hi,

    The output from netsh nps show config appears cut off. You only got the bottom of it, showing network policies and remote server groups. Notice that your post starts with "Policy source    = 2", which should not be the first line. That seems to be an entry from the last connection request policy, but we can't see the other ones.

    Your config is kind of a mess. The simplest thing for you to do would be to:

    1. Delete all RADIUS clients.

    2. Delete all remote RADIUS server groups.

    3. Delete all connection request policies.

    4. Delete all network policies.

    5. Click on NPS, then click Configure NAP and go through the wizard for VPN NAP. This will create new policies for you that should work.

    -Greg

    Tuesday, 29 April 2008 06:41
    Owner
  • Hi

    I have reinstalled everything and followed the NAP_VPN step-by-step guide closely. Upon configuring the certificate part we met an error; I underlined it in red.

    Why is it so?

    Obtain a computer certificate on NPS1

    To provide server-side PEAP authentication, the server running NPS uses a computer certificate stored in its local computer certificate store. Certificate Manager will be used to obtain a computer certificate from the certification authority service on DC1.

    8.   Verify the status of certificate installation is Succeeded, and then click Finish.

    9.   Close the Console1 window.

    10.  Click No when prompted to save console settings.

    Wednesday, 30 April 2008 05:53
  • Hi,

    I don't see the error in red. What error did you get when installing a computer certificate?

    -Greg

    Wednesday, 30 April 2008 06:35
    Owner
  •

    Hi

    I have reinstalled everything and followed the NAP_VPN step-by-step guide closely. Upon configuring the certificate part we met an error; I underlined it in red.

    Why is it so?

    Obtain a computer certificate on NPS1

    To provide server-side PEAP authentication, the server running NPS uses a computer certificate stored in its local computer certificate store. Certificate Manager will be used to obtain a computer certificate from the certification authority service on DC1.

    To obtain a computer certificate on NPS1

    1.   Click Start, click Run, type mmc, and then press ENTER.

    2.   On the File menu, click Add/Remove Snap-in.

    3.   In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish.

    4.   Click OK to close the Add or Remove Snap-ins dialog box.

    5.   In the console tree, double-click Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.

    6.   The Certificate Enrollment dialog box opens. Click Next.

    7.   Select the Computer check box, and then click Enroll, as shown in the following example. <--- (I get an error here: when the Certificate Enrollment dialog box opens there aren't any check boxes for me to click on.)

    8.   Verify the status of certificate installation is Succeeded, and then click Finish.

    9.   Close the Console1 window.

    10.  Click No when prompted to save console settings.

    Wednesday, 30 April 2008 06:56
  • Hi,

    Late last night I realized you were trying to paste a graphic into the reply, which is why it formatted strangely. Thanks for typing it out.

    Click on "Show all templates" and scroll to where the Computer certificate is shown. This will tell you why you can't enroll. It is usually a permissions problem. You might be able to get around not having this certificate by un-checking the "Validate server certificate" box in the client PEAP settings (Edit: nope, you can't - it's required), but it's better to fix the problem and get the certificate.

    You have 3 VHDs - right?

    1. Domain controller, DNS, root certification authority
    2. NPS, VPN, Group Policy Management
    3. Vista client

    Which did you delete and reinstall? Was it just #2? Is this your setup? I wish you had just deleted the policies and not the entire server.

    -Greg

    Wednesday, 30 April 2008 14:36
    Owner
  •

    I just wanted to clarify one thing because I see this issue a lot supporting NPS and IAS. In order to use an EAP method on NPS or IAS you will have to have that certificate; if you uncheck "Validate server certificate" on the client, this means you will not verify the trusted root authority for the server certificate. So you will have to resolve your issue with the certificate before using EAP. You can still use the same certificate that you had before if it is in the Local Computer store.

    The best way to test and see if you have a valid certificate on the NPS server is to do the following.

    1. Open your Connection Request Policy

    2. Click on Settings

    3. Click on Authentication Methods

    4. Check "Override network policy authentication settings"

    5. Click Add under EAP Types:

    6. Highlight Microsoft: Protected EAP (PEAP) and click OK

    7. Then highlight PEAP and click Edit

    8. You should get a Configure Protected EAP Properties popup

    9. This is where you will see the certificate issued

    If you do not get the Configure Protected EAP Properties dialog, you do not have a valid certificate and you will have to resolve the issue that Greg talked about above.

    Hope this helps,

    Louis Hardy

    Wednesday, 30 April 2008 17:07
  • Hi Greg,

    I reinstalled the whole thing and I am now following the NAP_VPN step-by-step guide closely.

    I am now stuck with the creation of the certificate and I cannot go on.

    Friday, 2 May 2008 02:14
  •

    Can you tell me what type of certificate server you are using for the Certificate Authority?

    Also, what part of the instructions below are you having an issue with?

    To obtain a computer certificate on NPS1

    1.   Click Start, click Run, type mmc, and then press ENTER.

    2.   On the File menu, click Add/Remove Snap-in.

    3.   In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish.

    4.   Click OK to close the Add or Remove Snap-ins dialog box.

    5.   In the console tree, double-click Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.

    6.   The Certificate Enrollment dialog box opens. Click Next.

    7.   Select the Computer check box, and then click Enroll, as shown in the following example.

    8.   Verify the status of certificate installation is Succeeded, and then click Finish.

    9.   Close the Console1 window.

    10.  Click No when prompted to save console settings.

    Louis Hardy

    Friday, 2 May 2008 02:24
  • Hi,

    I am not quite sure what type of certificate server I am using.

    I am having a problem after step 5:

    5.    In the console tree, double-click Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.

    After clicking Request New Certificate, there are no certificate enrollment options listed.

    How can I get this certificate?

    Friday, 2 May 2008 02:32
  • Hi Louis,

    On your previous post, after step 7 (Then highlight PEAP and click Edit) there is an error box saying "A certificate could not be found that can be used with this Extensible Authentication Protocol".

    Does this mean that there is no cert installed on this NPS server?

    Friday, 2 May 2008 02:38
  • Yes, that means you have no certificate that is valid for EAP authentication in your local computer store. You have to find out which server is running as your Certificate Authority. If you don't have one then you will have to install a CA. If you decide to install a CA, make sure IIS is installed first so you will have access to get certificates via the web interface.

    How to Install a Windows Server 2003 Enterprise CA

    http://technet.microsoft.com/pt-br/library/aa996120.aspx

    Building an Enterprise Root Certification Authority in Small and Medium Businesses

    http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsserver2003/build_ent_root_ca.mspx

    Additional information on certificates at the link below,

    www.microsoft.com/pki

    Louis Hardy

    Friday, 2 May 2008 02:50
  • As stated in the step-by-step guide, I am to use Windows Server 2003 for DC1.

    However, I used Windows Server 2008 instead, where the problem of installing the CA occurs.

    May I know how I can manage this?

    Friday, 2 May 2008 03:03
  • Do you have your CA installed on Windows 2008? It will still work if you do; you just have to verify that you have it installed. It is a role, so it should be showing in Server Manager on Windows 2008. If it is not installed you will need to install an Enterprise Root CA.

    Found this on another website, hope it helps,

    Installing an Enterprise Root Certificate Authority

    In order to install and configure an Enterprise Root CA, you must log onto the server with a user account that belongs to the Domain Admins group.

    To set up an enterprise root CA in Windows Server 2008:

    1. Click Start, point to Administrative Tools, and then click Server Manager.
    2. In the Roles Summary section, click Add roles.
    3. On the Select Server Roles page, select the Active Directory Certificate Services check box. Click Next two times.
    4. On the Select Role Services page, select the Certification Authority check box, and then click Next.
    5. On the Specify Setup Type page, click Enterprise, and then click Next.
    6. On the Specify CA Type page, click Root CA, and then click Next.
    7. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional configuration settings, including cryptographic service providers. Click Next twice.
    8. In the Common name for this CA box, type the common name of the CA. The common name for a CA is usually the same as its host name or computer name. Keep in mind as well that you will not be able to change any of the identifying information after the service is installed.
    9. Click Next.
    10. On the Set the Certificate Validity Period page, configure the default validity duration for the root CA. The validity period defines how long issued certificates remain valid. The default value for this field is 5 years. You can increase or decrease the number as necessary. Click Next after you have filled in the information.
    11. On the Configure Certificate Database page, configure the location of the certificate database, the certificate database log, and the shared folder. The default location for the database and database log is C:\WINDOWS\system32\CertLog. You can use the default value or use the Browse button to select a different location. Click Next.
    12. After verifying the information on the Confirm Installation Options page, click Install.

    Setup will configure the necessary components. If setup cannot locate the necessary files, you will be prompted for the Windows Server 2008 CD-ROM to continue. If IIS is not installed, a warning will appear. IIS is required in order to use Certificate Services Web Enrollment Support. Click OK to acknowledge the message.

    Review the information on the confirmation screen to verify that the installation was successful.

    Louis Hardy

    Friday, 2 May 2008 03:10
  • I've checked, and I don't think there's any CA installed.

    As you said, CA is a server role. Does this mean I can install the role?

    If so, which role holds the Enterprise Root CA?

    All I have was:

    Active Directory Certificate Services
    Active Directory Domain Services (Installed)
    Active Directory Federation Services
    Active Directory Lightweight Directory Services
    Active Directory Rights Management Services
    Application Server
    DHCP Server
    DNS Server (Installed)
    Fax Server
    File Services
    Network Policy and Access Services
    Print Services
    Terminal Services
    UDDI
    Web Server (IIS) (Installed)
    Windows Deployment Services

    I assumed it's AD CS, right? I apologise if I cause too much hassle.

    Friday, 2 May 2008 03:31
  •

    Yes,

    Active Directory Certificate Services is the correct role. You may not have seen my last post, but I changed it and added the instructions.

    Check out my previous post,

    Louis Hardy

    Friday, 2 May 2008 03:35
  • Following the step-by-step guide, is it possible for the CLIENT to be installed on another computer?

    I'm currently configuring my CLIENT on the other PC with the given IP address and all, yet when verifying network connectivity (ping) for CLIENT, it is unable to receive any reply from the expected DC1.

    I wonder if this has got anything to do with CLIENT being installed on another computer?

    Friday, 2 May 2008 06:05
  • Hi,

    Ping is blocked by default on Server 2008 and Vista unless a server role that is installed (such as Print Services) opens up the port for ICMP. The procedure to open up ICMP is included in the step-by-step guide if you wish to do this.

    Your DC is also the DNS server, I believe, so if you can resolve names with DNS, then you should have a connection. If you type ping DC1 at a command prompt and it is able to translate this to an IP address, then I think the client is connected.

    -Greg

    Friday, 2 May 2008 07:39
    Owner
  •

    Hi,

    I configured my VPN connection to connect to VPN1 but this error was given to me:

    error 629: The connection was closed by the remote computer

    I use the configuration below:

    Configure and test a VPN connection

    CLIENT1 must be configured with a VPN connection to VPN1 to access the intranet subnet.

    Configure a VPN connection

    To configure a VPN connection on CLIENT1

    1.   Click Start, right-click Network, and then click Properties.

    2.   Click Set up a connection or network.

    3.   On the Choose a connection option page, click Connect to a workplace, and then click Next.

    4.   On the How do you want to connect page, click Use my Internet connection (VPN).

    5.   Click I'll set up an Internet connection later.

    6.   On the Type the Internet address to connect to page, next to Internet address, type 131.107.0.1. Next to Destination name, type Contoso. Select the Allow other people to use this connection check box, and then click Next.

    7.   On the Type your user name and password page, type user1 next to User name, and type the password for the user1 account next to Password. Select the Remember this password check box, type CONTOSO next to Domain (optional), and then click Create.

    8.   On The connection is ready to use page, click Close.

    9.   In the Network and Sharing Center window, click Manage Network Connections.

    10.  Under Virtual Private Network, right-click Contoso, click Properties, and then click the Security tab.

    11.  Select Advanced (custom settings), and then click Settings.

    12.  Under Logon security, select Use Extensible Authentication Protocol (EAP), and then choose Protected EAP (PEAP) (encryption enabled).

    13.  Click Properties.

    14.  Select the Validate server certificate check box. Clear the Connect to these servers check box, and then select Secured Password (EAP-MSCHAP v2) under Select Authentication Method. Clear the Enable Fast Reconnect check box, and then select the Enable Quarantine checks check box. See the following example.

    15.  Click OK three times to accept these settings.

    Friday, 2 May 2008 08:29
  • Hi,

    Check the server event log. There should be an RRAS event on the server that tells you what is wrong. It is most likely caused by incorrect authentication settings on the client or the server. This error can also happen if you enter the wrong username and password.

    -Greg

    Friday, 2 May 2008 14:29
    Owner
  • Hi,

    I am having some problems doing these few tasks in the step-by-step guide:

    Configure TCP/IP for the intranet network segment, Verify network connectivity for CLIENT1, Join CLIENT1 to the Contoso.com domain, Add CLIENT1 to the NAP client computers security group, Verify Group Policy settings

    Reason: I am using Virtual PC and I don't have hubs, therefore I can't manually connect CLIENT1 to DC1, so I can't configure these few steps.

    Monday, 5 May 2008 03:25
  • Hi,

    You can configure everything with Virtual PC. You just need to configure your network settings correctly and it will work.

    Click Help on the menu and search for help on network adapters. I've set up this VPN lab several times on virtual machines.

    The virtual machine uses a virtual network, and when you ping it will reply the same as a real network adapter. For the VPN server, you will need to have two network adapters, one connected to the 192 network and another to the 131 network.

    I'm a little confused though, I thought you had this almost working before. You must have set the networks up previously.

    -Greg

    Monday, 5 May 2008 14:50
    Owner
  •

    Hi,

    I've completed the step-by-step guide for deployment of SSTP Remote Access,

    and continued with the configuration for the system health validation from the NAP_VPN step-by-step guide.

    However, there seems to be some error in that it can't connect to the private network through the health policy.

    From client

    Error 812: The connection was prevented because of a policy configured on your RAS/VPN server.....

    From VPN1 event log

    Warning: CoId=: The user SMARTPHONE\Boss connected from 172.20.130.69 but failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server....

    Warning: CoId={NA}: The account for user \SMARTPHONE\Boss connected on port VPN2-127 does not have remote access privilege. The line has been disconnected

    How can I make it possible to allow the client access only if the firewall is turned on and otherwise deny its access?

    Tuesday, 6 May 2008 05:43
  • It sounds like you either have one of your rules configured with Deny Access selected or your user does not have dial-in access in Active Directory.

    Keep in mind that NAP enforcement for VPN can allow full access or limited network connectivity; it will not disconnect the client if the firewall is turned off. It is designed this way to give the client limited access so that it can do whatever it needs to do to get healthy.

    Louis Hardy

    Tuesday, 6 May 2008 13:40
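    The decision this reply describes, together with the Windows SHV error-handling and health-policy settings shown in the netsh output near the top of this page, can be written out as a small model. The Python below is an added example, not code from this thread or from Microsoft, and it models the decision logic rather than NPS itself: a Statement of Health goes through the SHV (with every error condition mapped to Noncompliant, as in the posted configuration), the "All must pass" and "One or more must fail" health policies are matched, and the first network policy in processing order decides between full and restricted access. The SoH inputs, the check list (firewall only) and the two network policy names are constructed for the example.

```python
"""Model of the NAP VPN access decision: SHV result -> health policy -> network policy.
Added example, not code from this thread or from Microsoft, and a model of the logic
rather than NPS itself. The SHV error settings and health-policy modes are the ones
shown in the netsh output on this page; SoH inputs, the check list (firewall only)
and the network policy names are constructed."""
COMPLIANT, NONCOMPLIANT = "Compliant", "Noncompliant"

# Windows Security Health Validator error handling as configured in the posted dump:
# every failure mode counts as Noncompliant, so the validator fails closed.
SHV_ERROR_HANDLING = {
    "Policy server unreachable": NONCOMPLIANT,
    "Remediation server unreachable": NONCOMPLIANT,
    "System Health Agent failure": NONCOMPLIANT,
    "NAP server failure": NONCOMPLIANT,
    "Other errors": NONCOMPLIANT,
}
REQUIRED_CHECKS = ("firewall_on",)   # the only requirement enabled in this lab (constructed)


def windows_shv(soh, error_handling=SHV_ERROR_HANDLING):
    """Validate one Statement of Health: either an 'error' naming one of the
    SHV_ERROR_HANDLING conditions, or boolean results for the client checks."""
    if "error" in soh:
        return error_handling[soh["error"]]
    return COMPLIANT if all(soh.get(c, False) for c in REQUIRED_CHECKS) else NONCOMPLIANT


HEALTH_POLICIES = {   # name -> (SHV check mode, validators it covers)
    "NAP VPN Compliant": ("All must pass", [windows_shv]),
    "NAP VPN Noncompliant": ("One or more must fail", [windows_shv]),
}


def health_policy_matches(name, soh):
    """Apply the health policy's mode to the results of its validators."""
    mode, validators = HEALTH_POLICIES[name]
    results = [validate(soh) for validate in validators]
    if mode == "All must pass":
        return all(r == COMPLIANT for r in results)
    return any(r == NONCOMPLIANT for r in results)   # "One or more must fail"


# Network policies in processing order: (name, health policy condition, MS-Quarantine-State).
# Both grant the connection; the quarantine state decides whether the client is restricted.
NETWORK_POLICIES = [
    ("Compliant - full access", "NAP VPN Compliant", 0),
    ("Noncompliant - restricted access", "NAP VPN Noncompliant", 1),
]


def access_decision(soh):
    """First network policy whose health condition matches, and the access it grants."""
    for name, condition, quarantine in NETWORK_POLICIES:
        if health_policy_matches(condition, soh):
            return name, "restricted" if quarantine else "full"
    return None, "rejected"   # no policy matched: NPS answers Access-Reject


if __name__ == "__main__":
    for soh in ({"firewall_on": True}, {"firewall_on": False},
                {"error": "Policy server unreachable"}):
        print(soh, "->", access_decision(soh))
```

    Flipping an entry in SHV_ERROR_HANDLING to Compliant is the fail-open configuration that the validator settings shown on this page avoid; passing such a dict to windows_shv shows an agent failure being treated as healthy and granted full access. Note what the model does not do: with both network policies set to grant access, a client with the firewall off lands in the restricted policy rather than being refused, which is the behaviour this reply describes.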
  •

    I have checked my user dial-in access and it is set to control access through NPS, and I only have 2 policies on for network access control, which are VPN compliant and VPN noncompliant, both set according to what the step-by-step guide says. But I still can't connect.

    Wednesday, 7 May 2008 02:47
  • Are both of your policies set to Grant Access?

    Second, check the event log on the NPS server and it will tell you what policy it used to deny access.

    Louis Hardy

    Wednesday, 7 May 2008 13:11
  •

    Yes, both are set to grant access.

    The event log gives me 2 warnings:

    1st

    CoId= The user SMARTPHONE\Technician connected from 172.20.130.69 but failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the administrator of the RAS server and notify them of this error.

    2nd

    CoId={NA}: The account for user \SMARTPHONE\Technician connected on port VPN2-127 does not have remote access privilege. The line has been disconnected.

    Thursday, 8 May 2008 04:36
  • Hi,

    Please check the processing order of your connection request policies. When you configure VPN-only and then follow this up with a NAP configuration, the NAP policies you create will be placed AFTER the VPN policies.

    When the client connects, it will use the first policy where the conditions match and ignore anything afterward. If your client matches the conditions of the VPN policy, then your NAP policies are being ignored. I am guessing that the authentication settings in your VPN policy are different and aren't compatible with what is currently configured on the client.

    If this isn't the problem, please post the output of "netsh nps show config".

    Thanks,

    -Greg

    Thursday, 8 May 2008 06:39
    Owner
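    The two checks made in this reply and in Louis's earlier reading of NP-Authentication-Type (the first enabled policy in processing order whose conditions match wins, and a policy that lists only the MS-CHAP variants cannot serve a PEAP client) can be run mechanically against a netsh dump instead of by eye. The Python below is an added example, not code from this thread or from Microsoft: it parses the network-policy section of `netsh nps show config` output, re-joins the values netsh wraps at 80 columns, and reports NAP policies that sit behind a non-NAP policy and policies with no EAP. It assumes the IAS/NPS authentication-type constants (3 = MS-CHAP, 4 = MS-CHAP v2, 5 = EAP, 7 = none/health check only, 9 and 10 = the password-change variants) and runs on SAMPLE, a constructed dump in the same layout as the one posted, not the poster's real configuration.

```python
"""Parse the network-policy section of `netsh nps show config` and audit it.
Added example, not code from this thread or from Microsoft. Assumes the IAS/NPS
auth-type constants (3 MS-CHAP, 4 MS-CHAP v2, 5 EAP, 7 none, 9/10 password-change
variants); SAMPLE is a constructed dump in netsh's layout, not the real config."""
import re

AUTH_TYPES = {0x3: "MS-CHAP", 0x4: "MS-CHAP v2", 0x5: "EAP", 0x7: "none (health check only)",
              0x9: "MS-CHAP (password change)", 0xa: "MS-CHAP v2 (password change)"}
EAP = 0x5
HEALTH_COND = "0x1fbd"    # condition id whose value names a NAP health policy
KV_RE = re.compile(r"^(Name|State|Processing order)\s*=\s*(.*)$")
ATTR_RE = re.compile(r"^(\S[\w-]*)\s+(0x[0-9a-fA-F]+)\s*(.*)$")


def parse_network_policies(text):
    """Return one dict per policy; values netsh wrapped across lines are re-joined."""
    policies, cur, section, last = [], None, None, None
    for line in text.splitlines():
        s = line.strip()
        if s == "Network policy configuration:":
            cur, section, last = {"conditions": {}, "profile": {}}, None, None
            policies.append(cur)
        elif cur is None:
            pass                      # still in the SHV / health policy / SQL sections
        elif KV_RE.match(s):
            key, val = KV_RE.match(s).groups()
            cur[key] = val            # "Name", "State", "Processing order"
        elif not s:
            last = None               # a blank line ends any wrapped value
        elif s == "Condition attributes:":
            section = cur["conditions"]
        elif s == "Profile attributes:":
            section = cur["profile"]
        elif section is None or s.startswith("---") or s.startswith("Name "):
            pass                      # separators and "Name  Id  Value" table headers
        elif ATTR_RE.match(s):
            name, attr_id, value = ATTR_RE.match(s).groups()
            last = attr_id.lower() if section is cur["conditions"] else name
            section[last] = value
        elif last is not None:
            section[last] += s        # continuation of a value split at 80 columns
    return policies


def auth_types(policy):
    """Numeric codes from NP-Authentication-Type, e.g. [3, 9, 4, 10] for the MS-CHAP set."""
    raw = policy["profile"].get("NP-Authentication-Type", "")
    return [int(v, 16) for v in re.findall(r'"(0x[0-9a-fA-F]+)"', raw)]


def health_policy(policy):
    """Health policy named in the policy's NAP condition, or None for a non-NAP policy."""
    m = re.search(r'"([^"]*)"', policy["conditions"].get(HEALTH_COND, ""))
    return m.group(1) if m else None


def evaluation_order(policies):
    """Enabled policies in the order NPS tries them; the first whose conditions match wins."""
    enabled = (p for p in policies if p.get("State") == "Enabled")
    return sorted(enabled, key=lambda p: int(p["Processing order"]))


def audit(policies):
    """Warn about NAP policies placed behind a non-NAP policy and about policies whose
    authentication methods would reject a PEAP client."""
    warnings, first_non_nap = [], None
    for p in evaluation_order(policies):
        name, order = p["Name"], p["Processing order"]
        if health_policy(p) is None:
            first_non_nap = first_non_nap or p
        elif first_non_nap is not None:
            warnings.append(f"'{name}' (order {order}) comes after non-NAP policy "
                            f"'{first_non_nap['Name']}' (order {first_non_nap['Processing order']}); "
                            "a client matching the earlier policy never reaches the health check")
        if EAP not in auth_types(p):
            allowed = ", ".join(AUTH_TYPES.get(t, hex(t)) for t in auth_types(p)) or "nothing"
            warnings.append(f"'{name}' allows only {allowed}; a PEAP client is rejected with "
                            "an authentication-method mismatch if this policy is selected")
    return warnings


SAMPLE = """\
Network policy configuration:
---------------------------------------------------------
Name             = VPN connection (can work)
State            = Enabled
Processing order = 2
Policy source    = 2

Condition attributes:
Condition0                              0x3d        "^5$"

Profile attributes:
NP-Allow-Dial-in                        0x100f      "TRUE"
NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa
"

Network policy configuration:
---------------------------------------------------------
Name             = compliant Network policy
State            = Enabled
Processing order = 8
Condition attributes:
Condition0                              0x1fbd      "NAP VPN Compliant"
Profile attributes:
NP-Authentication-Type                  0x1009      "0x5"
MS-Quarantine-State                     0x1faf      "0x0"
"""

if __name__ == "__main__":
    for w in audit(parse_network_policies(SAMPLE)):
        print("WARNING:", w)
```

    To run it against a real server, save the dump with `netsh nps show config > nps.txt` and pass the file contents to parse_network_policies. The ordering warning only says that the earlier policy is tried first; whether it actually captures the VPN client depends on that policy's conditions (the "^5$" NAS-Port-Type condition in the sample matches every VPN connection), so treat it as a finding to confirm rather than a certain misconfiguration.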
  •

    I don't think that is the problem, because when I was trying out the firewall policy I disabled all the other policies.

    And my netsh command shows this:

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:0
    0; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x4" "0x9" "0xa"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Connections to Microsoft Routing and Remote Access server
    State            = Disabled
    Processing order = 4
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1033      "^311$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Allowed-EAP-Type                     0x100a      "0D0000000000000000000000000
    00000"
    NP-Authentication-Type                  0x1009      "0x5" "0x4" "0xa" "0x3" "0x9
    "
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    MS-Filter                               0x102f

            ===============================================================
            IPFILTER_IPV4INFILTER   Action: DENY
            ---------------------------------------------------------------
            Address . . . . . : 0.0.0.0
            Mask. . . . . . . : 0.0.0.0
            Protocol. . . . . : 0
            Source Port . . . : 0
            Destination Port. : 0
            ---------------------------------------------------------------

    MS-MPPE-Encryption-Policy               0xffffffa7  "0x2"
    MS-MPPE-Encryption-Types                0xffffffa6  "0xe"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = User group (can work)
    State            = Disabled
    Processing order = 1
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fb5      "S-1-5-21-1037070514-1128270
    561-1576515384-1109;S-1-5-21-1037070514-1128270561-1576515384-1115;S-1-5-21-1037
    070514-1128270561-1576515384-1112;S-1-5-21-1037070514-1128270561-1576515384-1117
    "

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = VPN connection (can work)
    State            = Disabled
    Processing order = 2
    Policy source    = 2

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x3d        "^5$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Day and time(can work)
    State            = Disabled
    Processing order = 3
    Policy source    = 2

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:0
    0; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Ignore-User-Dialin-Properties           0x1005      "FALSE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = DHCP compliant- Full access
    State            = Disabled
    Processing order = 5
    Policy source    = 3

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbb      "^0$"
    Condition1                              0x1fbd      "NAP VPN Compliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    MS-Extended-Quarantine-State            0x1fd9      "0x0"
    Ignore-User-Dialin-Properties           0x1005      "FALSE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x7"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    Saved-Machine-HealthCheck-Only          0x1fdc      "0x1"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = DHCP Non Compliant -restricted Access
    State            = Disabled
    Processing order = 7
    Policy source    = 3

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbb      "^0$"
    Condition1                              0x1fbd      "NAP VPN Noncompliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Ignore-User-Dialin-Properties           0x1005      "FALSE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x7"
    Quarantine-Fixup-Servers-Configuration  0x1fc2      "Remediation Group"
    MS-Quarantine-State                     0x1faf      "0x1"
    Quarantine-URL                          0x1fb9      "Http://192.168.0.1"
    Quarantine-Update-Non-Compliant         0x1fc8      "FALSE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    Saved-Machine-HealthCheck-Only          0x1fdc      "0x1"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Non_compliant Network policy
    State            = Enabled
    Processing order = 9
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbd      "NAP VPN Noncompliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    Quarantine-Fixup-Servers-Configuration  0x1fc2      "Remediation Group"
    MS-Quarantine-State                     0x1faf      "0x1"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = compliant Network policy
    State            = Enabled
    Processing order = 8
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbd      "NAP VPN Compliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Server registration:
    ---------------------------------------------------------
    Status = Registered

    Remediation server configuration:
    ---------------------------------------------------------
    Group   = Domain
    Address = 192.168.0.1
    Name    = DC1

    Remediation server configuration:
    ---------------------------------------------------------
    Group   = Remediation Group
    Address = 192.168.0.1
    Name    = Remserver

    SHV configuration:
    ---------------------------------------------------------
    Id                             = 79744
    Name                           = Windows Security Health Validator

    Vendor                         = Microsoft Corporation

    Description                    = The Windows Security Health Validator defines t
    he policy that client computers must be compliant with.

    Version                        = 1.0

    Policy server unreachable      = Compliant
    Remediation server unreachable = Compliant
    System Health Agent failure    = Compliant
    NAP server failure             = Compliant
    Other errors                   = Compliant

    Health policy configuration:
    ---------------------------------------------------------
    Name          = NAP VPN Compliant
    Configuration = All must pass
    Id            = 79744

    Health policy configuration:
    ---------------------------------------------------------
    Name          = NAP VPN Noncompliant
    Configuration = One or more must fail
    Id            = 79744

    SQL log configuration:
    ---------------------------------------------------------
    Connection                     =
    Description                    =
    Accounting                     = Enabled
    Authentication                 = Enabled
    Periodic accounting status     = Enabled
    Periodic authentication status = Enabled
    Max sessions                   = 2

    Ok.


    C:\Users\Administrator.SMARTPHONE>

    Friday, 9 May 2008 02:22
  • Hi,

    The output of the command is cut off again. Only the bottom of what I assume is the last connection request policy is shown.

    Notice that lines 14-17 are:

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Connections to Microsoft Routing and Remote Access server
    State            = Disabled

    The connection request policies are ABOVE this, but you haven't included them in the output. You may need to increase the buffer size of your command window. Either that, or delete the extra network policies that you are not using (most are disabled) so that the command output is not so long.

    -Greg

    Friday, 9 May 2008 03:45
    Owner
  •  

    Microsoft Windows [Version 6.0.6001]
    Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

    C:\Users\Administrator.SMARTPHONE>netsh nps show config

    Connection request policy configuration:
    ---------------------------------------------------------
    Name             = VPN connection (can work)
    State            = Enabled
    Processing order = 3
    Policy source    = 2

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x3d        "^5$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Auth-Provider-Type                      0x1025      "0x1"

    Connection request policy configuration:
    ---------------------------------------------------------
    Name             = Day and time (can work)
    State            = Disabled
    Processing order = 2
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:0
    0; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Auth-Provider-Type                      0x1025      "0x1"
    NP-Allowed-EAP-Type                     0x100a      "190000000000000000000000000
    00000" "1A000000000000000000000000000000"
    Override-RAP-Auth                       0x1fb0      "FALSE"

    Connection request policy configuration:
    ---------------------------------------------------------
    Name             = UserGroup,DateTime,VPN(workin)
    State            = Disabled
    Processing order = 4
    Policy source    = 2

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1         "Boss"
    Condition1                              0x1006      "0 00:00-24:00; 1 00:00-24:0
    0; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"
    Condition2                              0x3d        "^5$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Auth-Provider-Type                      0x1025      "0x1"

    Connection request policy configuration:
    ---------------------------------------------------------
    Name             = User name (can work)
    State            = Disabled
    Processing order = 1
    Policy source    = 2

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1         "Boss"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Auth-Provider-Type                      0x1025      "0x1"

    Event log configuration:
    ---------------------------------------------------------
    Accepted authentication requests = Enabled
    Rejected authentication requests = Enabled

    File log configuration:
    ---------------------------------------------------------
    Accounting                     = Enabled
    Authentication                 = Enabled
    Periodic accounting status     = Enabled
    Periodic authentication status = Enabled
    Directory                      = C:\Windows\system32\LogFiles
    Format                         = ODBC formatting
    Delete old logs                = Enabled
    Frequency                      = Daily logs
    Max size                       = 10 MB

    Ports configuration:
    ---------------------------------------------------------
    Accounting ports     = 1813,1646
    Authentication ports = 1812,1645

    Network policy configuration:
    ---------------------------------------------------------
    Name             = User group (can work)
    State            = Disabled
    Processing order = 1
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fb5      "S-1-5-21-1037070514-1128270
    561-1576515384-1109;S-1-5-21-1037070514-1128270561-1576515384-1115;S-1-5-21-1037
    070514-1128270561-1576515384-1112;S-1-5-21-1037070514-1128270561-1576515384-1117
    "

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = VPN connection (can work)
    State            = Disabled
    Processing order = 2
    Policy source    = 2

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x3d        "^5$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Day and time(can work)
    State            = Disabled
    Processing order = 3
    Policy source    = 2

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:0
    0; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Ignore-User-Dialin-Properties           0x1005      "FALSE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Non_compliant Network policy
    State            = Enabled
    Processing order = 5
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbd      "NAP VPN Noncompliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    Quarantine-Fixup-Servers-Configuration  0x1fc2      "Remediation Group"
    MS-Quarantine-State                     0x1faf      "0x1"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = compliant Network policy
    State            = Enabled
    Processing order = 4
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbd      "NAP VPN Compliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Server registration:
    ---------------------------------------------------------
    Status = Registered

    Remediation server configuration:
    ---------------------------------------------------------
    Group   = Domain
    Address = 192.168.0.1
    Name    = DC1

    Remediation server configuration:
    ---------------------------------------------------------
    Group   = Remediation Group
    Address = 192.168.0.1
    Name    = Remserver

    SHV configuration:
    ---------------------------------------------------------
    Id                             = 79744
    Name                           = Windows Security Health Validator

    Vendor                         = Microsoft Corporation

    Description                    = The Windows Security Health Validator defines t
    he policy that client computers must be compliant with.

    Version                        = 1.0

    Policy server unreachable      = Compliant
    Remediation server unreachable = Compliant
    System Health Agent failure    = Compliant
    NAP server failure             = Compliant
    Other errors                   = Compliant

    Health policy configuration:
    ---------------------------------------------------------
    Name          = NAP VPN Compliant
    Configuration = All must pass
    Id            = 79744

    Health policy configuration:
    ---------------------------------------------------------
    Name          = NAP VPN Noncompliant
    Configuration = One or more must fail
    Id            = 79744

    SQL log configuration:
    ---------------------------------------------------------
    Connection                     =
    Description                    =
    Accounting                     = Enabled
    Authentication                 = Enabled
    Periodic accounting status     = Enabled
    Periodic authentication status = Enabled
    Max sessions                   = 2

    Ok.


    C:\Users\Administrator.SMARTPHONE>

    Friday, 9 May 2008 04:52
  • Hi,

    I have a question regarding the Network policy.

    For the settings in the network policy under NAP enforcement there is "Allow full network access", "Allow full network access for a limited time" and "Allow limited access".

    With "Allow limited access" the client can still be able to access the network, right? But it will be restricted to a remediation server, right? But why, when my Boss account connects to the network with the setting "Allow limited access", is there no remediation server coming up or any complaint telling me to do something?

    And I am not sure how to configure a remediation server.

    Friday, 9 May 2008 06:23
  • Hi,

    You have one connection request policy that is enabled, but the settings are not correct. I think it is easiest if you disable this policy and then use the wizard as instructed in the step by step guide. The policy you are using is named VPN connection (can work). Disable this policy and then please follow the instructions in the step by step guide.

    If you prefer not to use the wizard, you can configure it manually like this:

    Open the policy by double-clicking it
    Click the Settings tab
    Click Authentication Methods
    Put a check in the "Override network policy authentication settings" box
    Under EAP types, if Microsoft: Protected EAP (PEAP) is not listed, you need to click Add and add it.
    When you have it listed, click it and then click Edit
    Make sure your computer certificate is listed next to Certificate issued
    Put a check in the Enable Quarantine checks box
    Under EAP types, if Secured password (EAP-MSCHAP v2) is not listed, you need to click Add and add it
    Click OK, then click OK again

    -Greg

    Friday, 9 May 2008 09:22
    Owner
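The check Greg describes in the steps above (the enabled connection request policy must override the network policy authentication settings and carry PEAP), together with the `netsh nps show config` dump posted earlier in the thread, as an added example that is not part of the original thread or of NPS itself: a Python script that parses a saved dump, re-joins the values the console wrapped at 80 columns, flags enabled connection request policies that lack the override or a PEAP entry, and, as a practitioner caveat visible in the same dump, lists the SHV error conditions configured to count as Compliant (a client whose health cannot be evaluated then gets full access). It assumes that `Override-RAP-Auth` is the attribute behind the "Override network policy authentication settings" checkbox and that the first byte of each `NP-Allowed-EAP-Type` blob is the IANA EAP method number (25 = PEAP, 26 = EAP-MSCHAP v2, matching the `19…` and `1A…` values in the dump). The embedded sample is constructed from the shape of the thread's output and trimmed; point `parse()` at the text of your own saved dump for a real run.

```python
"""Added example: offline check of a saved `netsh nps show config` dump.
Re-joins console-wrapped values, then flags enabled connection request
policies not set up for PEAP (Greg's check) and fail-open SHV error settings."""
import re

EAP_PEAP = 0x19      # IANA EAP method 25: Microsoft Protected EAP (PEAP)
EAP_MSCHAPV2 = 0x1A  # IANA EAP method 26: EAP-MSCHAP v2
# SHV error settings as netsh prints them; "Compliant" here means fail-open.
SHV_ERROR_KEYS = ["Policy server unreachable", "Remediation server unreachable",
                  "System Health Agent failure", "NAP server failure", "Other errors"]
SECTION_RE = re.compile(r"^(.*?) (configuration|registration):$")
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*=\s*(.*)$")
ATTR_RE = re.compile(r'^(\S+)\s+(0x[0-9a-fA-F]+)\s+(".*)$')

# Constructed sample in the shape of the thread's dump (two CRPs and the SHV
# block); the two wrapped values are copied exactly as netsh wrapped them.
SAMPLE = """\
Connection request policy configuration:
---------------------------------------------------------
Name             = VPN connection (can work)
State            = Enabled
Condition attributes:
Name                                    Id          Value
---------------------------------------------------------
Condition0                              0x3d        "^5$"
Profile attributes:
Auth-Provider-Type                      0x1025      "0x1"
Connection request policy configuration:
Name             = Day and time (can work)
State            = Disabled
Condition attributes:
Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:0
0; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"
Profile attributes:
NP-Allowed-EAP-Type                     0x100a      "190000000000000000000000000
00000" "1A000000000000000000000000000000"
Override-RAP-Auth                       0x1fb0      "FALSE"
SHV configuration:
Name                           = Windows Security Health Validator
Policy server unreachable      = Compliant
Remediation server unreachable = Compliant
System Health Agent failure    = Compliant
NAP server failure             = Compliant
Other errors                   = Compliant
"""


def unwrap(text):
    """Join console-wrapped values: a line with an odd quote count continues."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].count('"') % 2 == 1:
            lines[-1] += raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse(text):
    """List of section dicts: header fields plus 'Conditions'/'Profile' maps."""
    sections, cur, table = [], None, None
    for line in unwrap(text):
        if m := SECTION_RE.match(line):
            cur = {"_section": m.group(1), "Conditions": {}, "Profile": {}}
            sections.append(cur)
            table = None
        elif cur is None or not line:
            continue
        elif line == "Condition attributes:":
            table = "Conditions"
        elif line == "Profile attributes:":
            table = "Profile"
        elif table and (m := ATTR_RE.match(line)):
            cur[table][m.group(1)] = re.findall(r'"([^"]*)"', m.group(3))
        elif table is None and (m := KV_RE.match(line)):
            cur[m.group(1).strip()] = m.group(2).strip()
    return sections


def crp_findings(sections):
    """Enabled CRPs that cannot do PEAP: Override-RAP-Auth (assumed to be the
    override checkbox) must be TRUE and the EAP blobs' first byte must include PEAP."""
    out = []
    for s in sections:
        if s["_section"] != "Connection request policy" or s.get("State") != "Enabled":
            continue
        prof = s["Profile"]
        methods = sorted(int(b[:2], 16) for b in prof.get("NP-Allowed-EAP-Type", []))
        override = prof.get("Override-RAP-Auth", ["FALSE"])[0] == "TRUE"
        if not override or EAP_PEAP not in methods:
            out.append((s["Name"], methods, override))
    return out


def shv_fail_open(sections):
    """Per SHV, the error conditions configured to count as Compliant."""
    return {s["Name"]: [k for k in SHV_ERROR_KEYS if s.get(k) == "Compliant"]
            for s in sections if s["_section"] == "SHV"}


if __name__ == "__main__":
    print("CRPs not set up for PEAP:", crp_findings(parse(SAMPLE)))
    print("SHV errors treated as Compliant:", shv_fail_open(parse(SAMPLE)))
```

On the thread's dump this reports the enabled "VPN connection (can work)" policy with no EAP methods and no override, which is exactly the policy Greg tells the poster to disable or fix, while the disabled "Day and time (can work)" policy is the one that already lists PEAP and EAP-MSCHAP v2. The SHV result is worth a second look on any NAP deployment: every error condition set to Compliant means a failed health check never lands a client in the restricted network.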
  • I have done the Settings tab following the step by step guide and my client cannot connect to VPN1.

    However, if I do not add these 2 EAP types, my client can connect to the host.

    Friday, 9 May 2008 15:01
  • Hi,

    If the client cannot connect when the server requires PEAP, then your client settings are not correct. If you would like to try and tell me more about what you are doing in email, send mail to:

    greg.lindsay@online.microsoft.com <-- remove the "online" from this email address. The "online" is added to avoid scanning by spam bots.

    In email I can send you screen shots of what the setup should look like.

    -Greg

    Friday, 9 May 2008 15:16
    Owner
  • Hi,

    Try this fix out:

    Error 812: The connection was prevented because of a policy configuration on your RAS/VPN server

    It worked for me like a charm - I hope it helps others out.

    • Proposed as answer by A. TheOne Monday, 11 June 2012 15:00
    Monday, 11 June 2012 15:00
  • I found a blog post here that explains a way to set this up. I went to both policies in the list and set them to allow. Before I found this out I would set the Active Directory rights to allow the connection, which worked most of the time.

    Wednesday, 29 May 2013 04:14
  • Thank you, Sir. I have been working on this issue for a few weeks and I came across your solution, which helped me resolve my issue.
    Saturday, 7 December 2019 05:37