Health Policy doesn't work

-

nps server running win 2012 r2.

i testing wired 802.1x policies in test lab.  switch has been configured accordingly , client authentication works when using domain membership (via 'domain computers' group) condition.

the problem have if try extend condition include or solely contain health policy.  it doesn't matter health policy conditions (check windows firewall or antivirus on etc) authenticating wired client never works.

the nps server event log shows client denied access , strange network policy mentioned in event log not policy containing compliant or non-compliant health policies.  it's separate network policy used 802.1x wireless implementation.  so seems nps server skips past wired network access policies when health policy used within them.

i have network access policy agent running on client, eap enforcement client enabled on client, 802.1x authentication settings valid on client.  i have been through many online 802.1x setup guides , sure every setting has been configured , nothing has been missed.

this issue applies both windows 7 , windows vista clients.

do have suggestions on may causing problem?

hi spiral,

according description, nps server event log shows client denied access.

to deploy nap 802.1x wired, have configure following:

1. in nps, configure connection request policy, network policy, , nap health policy.

2. install , configure 802.1x authenticating switches.

3. enable nap eap enforcement client , nap service on nap-capable client computers.

4. configure windows security health validator (wshv) or install , configure other system health agents (shas) , system health validators (shvs), depending on nap deployment.

5. if using peap-tls or eap-tls smart cards or certificates, deploy public key infrastructure (pki) active directory certificate services (ad cs).

6. if using peap-ms-chap v2, issue server certificates either ad cs or purchase server certificates trusted root certification authority (ca).

you may check configurations of above several aspects first, verify if mistake exits.

after checking, can narrow down scope of problem disabling other network policies, connecting again , observing result. besides, can change condition “not nap capable”, test again. if can connect in condition of “not nap capable”, seems client can’t make recognized “nap capable” client, need check configurations on client.

some references of nap enforcement 802.1x:

https://technet.microsoft.com/en-us/library/cc770861(v=ws.10).aspx

https://technet.microsoft.com/en-us/library/cc730926(v=ws.10).aspx

best regards,

anne he

please remember mark replies answers if , unmark them if provide no help. if have feedback technet support, contact tnmff@microsoft.com.



Windows Server  >  Network Access Protection



Comments

Post a Comment

Popular posts from this blog

Motherboard replacement

-
running windows 10 technical preview, need replace motherboard can run the  sysprep  command restoring pc ? or there easier  or more preferred way ? thanks if replace motherboard within same family of chipsets (i.e. intel > intel or amd > amd), should okay restarting pc twice. carey frisch Windows 10 Insider Preview  >  Windows 10 Insider Preview General
Read more

Cannot create Full Text Search catalog after upgrading to V12 - Database is not fully started up or it is not in an ONLINE state

-
in order access new full text search capiblities of sql azure, upgraded our azure sql v12. (a day later), when try create new catalog: create fulltext catalog mycatalog default i following message: msg 9972, level 16, state 100, line 1 database not started or not in online state. try full-text ddl command again after database started , becomes online. hi scott, apologies inconvenience caused you. known issue on service side , fix going included in next update. specific case mitigated, should able use full-text search syntax now. thanks, mihaela Microsoft Azure  >  Azure SQL Database
Read more

Remote Desktop App - Error 0x207 or 0x607

-
hi all, i manage windows 2012 r2 network, including connection broker, session hosts , remote apps virtual servers.  i've used remote desktop app on own android phone, no issues @ - connects published gateway url , can login , access network. we looking move business onto nokia handsets ms operating system (currently on blackberry), not able connect via remote desktop app on nokia lumia handset. setup, per android config , brings remote apps , remote desktop screen, know can connect.  when select remote desktop, shows following process: initiating remote connection securing remote connection certificate can't verified - choose connect it digitally signed cert (digicert sha2), pc name different physical connection broker name (inherited domain name old gov project - can't publish publicly) initiating establishing securing connection error have been 0x207 getting 0x607 a bit baffled, work on android (and ipad @ home using app). assume ms use d...
Read more