Quick Fixes for NAP
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
This topic provides a summary of the most common Network Access Protection (NAP) problems and the solutions to those problems. You can use the information in this topic to resolve problems in the same way that you use a frequently asked questions (FAQ) topic to find answers to common questions. Read this topic before you begin any advanced troubleshooting.
Membership in the local Administrators group, or equivalent, is the minimum required to complete these procedures. To update Group Policy settings, membership in the local Domain Admins group, or equivalent, is required. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
Common NAP problems
The following are common NAP problems and quick fixes:
NAP client computers are evaluated as non-NAP-capable
Client access requests match an incorrect policy
The CA type is incorrect
The health certificate template is not available
The user attempted to use an authentication method that is not enabled
The RADIUS client is not NAP-capable
Access requests are not received by NPS
NAP client computers are evaluated as non-NAP-capable
A NAP client computer might not be authorized for full network access even though it is compliant with network health requirements because the health state is not being evaluated. If you have configured a network policy for non-NAP-capable computers, the NAP client might match this policy. If you do not have a non-NAP-capable policy, the client might fail to match any policy. There are three common causes for this issue:
The NAP Agent service is not running on the client computer.
The NAP enforcement client is not enabled on the client computer.
Health checks are not enabled on the client computer. Health checks only apply to client computers using the 802.1X or VPN enforcement methods.
Note
This problem has also been identified when the client computer is using the NAP with Terminal Services Gateway (TS Gateway) enforcement method and does not have the TS Gateway certificate in Trusted Root Certification Authorities of the local computer certificate store.
To ensure NAP client computers are evaluated as NAP-capable
On the client computer, open a command prompt as administrator, type netsh nap client show state, and press ENTER.
If the message The "Network Access Protection Agent" service is not running is displayed, then you must start the NAP Agent service.
You can use Group Policy to start the NAP Agent service by using the Services console on the client computer.
You can use the command line to start the NAP Agent service by typing net start napagent. If Client state information is displayed in the command output, then the NAP Agent service is running.
In the command output, under Enforcement client state, review the status of enforcement clients. Verify that Yes is displayed next to Initialized for the enforcement client you are using.
If the enforcement client is not initialized, make sure that you have enabled the enforcement client in local settings or Group Policy. You should also make sure that you have not used local policy to enable the enforcement client and Group Policy to configure other NAP client settings. In this scenario, the local settings will be ignored.
To check NAP client Group Policy settings, type netsh nap client show group, and, in the command output under Enforcement clients, next to Admin, verify that Enabled is displayed for the enforcement client you are using.
To check NAP client local policy settings, type netsh nap client show config, and, in the command output under Enforcement clients, next to Admin, verify that Enabled is displayed for the enforcement client you are using.
If you are using NAP with 802.1X or VPN enforcement, view Protected EAP (PEAP) properties of the local or remote network connection, and verify that Enable Quarantine checks is enabled.
To view PEAP properties of a NAP VPN connection, right-click the VPN connection, click Properties, click the Security tab, and next to Advanced (custom settings), click Settings.
To view PEAP properties of a network connection for wired 802.1X-authenticated computers, right-click the local area connection, click Properties, click the Authentication tab, and under Choose a network authentication method, next to Microsoft Protected EAP (PEAP), click Settings.
To view PEAP properties of a network connection for wireless 802.1X-authenticated computers, right-click the wireless network connection, click Status, click Wireless Properties, click the Security tab, and under Choose a network authentication method, next to Microsoft Protected EAP (PEAP), click Settings.
If you are using NAP with 802.1X or VPN enforcement, you should also review properties of the PEAP authentication method configured in your connection request policy.
- To view PEAP properties on a server running NPS, in the NPS console tree, open Policies\Connection Request Policies, right-click the name of your connection request policy for 802.1X or VPN connections, click Properties, click Settings, click Authentication Methods, under EAP Types, click Microsoft Protected EAP (PEAP), and then click Edit. Verify that Enable Quarantine checks is selected.
Client access requests match an incorrect policy
NAP client access requests can match an incorrect connection request policy or network policy if the processing order of policies is not configured correctly. This commonly occurs when a policy that is high in the processing order is configured with less specific requirements than your NAP policies. For more information about configuring NAP-related polices, see General Policy Design Considerations in the Network Access Protection Design Guide.
To review the processing order of policies
On a server running NPS, click Start, click Run, type nps.msc, and press ENTER.
In the NPS console tree, open Policies\Connection Request Policies and Policies\Network Policies.
Review the conditions and processing order for polices used to match NAP client computer network access requests.
Disable or modify the processing order of policies as required.
The CA type is incorrect
When you select default values during installation of Active Directory Certificate Services (AD CS), your NAP certification authority (CA) will be installed as an enterprise CA. By default, the Health Registration Authority (HRA) role service uses a standalone CA configuration that is incompatible with an enterprise NAP CA. To fix this problem, change the configuration of HRA or reinstall your NAP CA and choose standalone CA.
To configure HRA to use an enterprise CA
Click Start, click Run, type mmc, and then press ENTER.
Click File, click Add/Remove Snap-in, click Health Registration Authority, click Add, and then click OK twice.
In the console tree, right-click Certification Authority, and then click Properties.
In Certification Authorities, choose Use enterprise certification authority.
Under Authenticated compliant certificate template and Anonymous compliant certificate template, choose the certificate templates to use, and then click OK.
The health certificate template is not available
When you attempt to use the Certificate Services console to issue a new health certificate template by right-clicking Certificate Templates, clicking New, and then clicking Certificate Template to Issue, the system health authentication template might not be available. This is commonly caused because your NAP CA is running the Standard edition of the operating system. In order to issue new templates, the NAP CA must be running the Enterprise edition of the operating system.
To verify the NAP CA is running the Enterprise edition
Click Start, right-click Computer, and then click Properties.
In the System window, under Windows edition, verify that Windows Server Enterprise is displayed.
The user attempted to use an authentication method that is not enabled
When you use NAP with 802.1X or VPN enforcement, you must configure settings in the connection request policy to override network policy authentication settings. If this setting is not enabled, NPS will deny network access requests by NAP client computers with the following reason: “The user attempted to use an authentication method that is not enabled on the matching network policy.” To fix this issue, configure connection request policy to override network policy authentication settings.
To configure connection request policy to override network policy authentication
On the server running NPS, click Start, click Run, type nps.msc, and press ENTER.
In the console tree, open Policies\Connection Request Policies.
In the details pane, right-click the name of your connection request policy for 802.1X or VPN connections, and then click Properties.
Click the Settings tab, click Authentication Methods, select Override network policy authentication settings, and then click OK.
The RADIUS client is not NAP-capable
When you use RADIUS clients with the IPsec enforcement, VPN enforcement, or DHCP enforcement methods, you must enable the RADIUS client as NAP-capable. This setting can be missing if you use the NAP configuration wizard to create RADIUS clients because the setting is not displayed in the wizard interface. A RADIUS client that is not enabled as NAP-capable will have limited functionality in a NAP deployment unless you are using the 802.1X enforcement method. For example, a VPN server that is also a RADIUS client for the NAP with VPN enforcement method will not enforce remediation server group settings if it is not configured as NAP-capable. You can use the NPS console to configure a RADIUS client as NAP-capable.
Warning
Do not configure RADIUS clients used with the NAP with 802.1X enforcement method as NAP-capable.
To configure a RADIUS client as NAP-capable
On the server running NPS, click Start, click Run, type nps.msc, and press ENTER.
In the console tree, open RADIUS Clients and Servers\RADIUS Clients.
In the details pane, right-click the name of the RADIUS client used for IPsec enforcement, VPN enforcement, or DHCP enforcement, and then click Properties.
On the Settings tab, select RADIUS client is NAP-capable, and then click OK.
Access requests are not received by NPS
When a NAP client computer requests access to the network, a connection request event is generated on the server running NPS. If your configuration includes RADIUS clients that do not perform local authentication and authorization of network access requests, you must configure these RADIUS clients to forward connection requests. If these RADIUS clients are not configured to forward connection requests, or they are configured to forward requests to the wrong remote RADIUS server group, no events will be generated on the remote server running NPS.
To configure RADIUS client connection request forwarding
On the server running NPS, click Start, click Run, type nps.msc, and press ENTER.
In the console tree, open Policies\Connection Request Policies.
In the details pane, right-click the name of the connection request policy for NAP client computers, and then click Properties.
On the Settings tab, click Authentication, verify that Forward requests to the following remote RADIUS server group for authentication is selected, and then click OK.
See Also
Concepts
Things to Check Before Troubleshooting NAP
Tools for Troubleshooting NAP
Troubleshooting NAP Problems