We have the following config:
- Windows 2012 DHCP with NPS and HRA services installed (192.168.5.11)
- Windows 2008 R2 with SCCM 2012 SP1 - no NAP settings (192.168.5.125)
- Windows 7 clients obtaining an IP from DHCP, with the SCCM client installed (192.168.8.0/24)
We have configured the following policies on the NPS Server:
- Connection Request: DHCP: Called Station ID: 192.168.8.0
- Network Policies with the appropriate MS-Service Class for the DHCP scope, with compliant and non-compliant Health Policies (very simple, the only thing that isn't being checked is Windows Updates)
The DHCP server is happy to dish out IP addresses to compliant machines, no problem at all. When a machine goes non-compliant, NPS logs the non-compliant machine with event ID 6276 (Network Policy Server quarantined a user).
It then proceeds to send the limited access DHCP options which the client then happily ignores.
I've run Wireshark on the clients to capture the DHCP response and I can see the different options being returned to the client, specifically option 121 with the classless static routes.
When I run napstat it says full network access - no issues raised.
Output from netsh nap client show config:
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled
Name = IPsec Relying Party
ID = 79619
Admin = Disabled
Name = RD Gateway Quarantine Enforcement Client
ID = 79621
Admin = Disabled
Name = Microsoft Forefront UAG Quarantine Enforcement Client
ID = 79622
Admin = Enabled
Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled
Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled
Ok.
Output from netsh nap client show state:
Client state:
----------------------------------------------------
Name = Network Access Protection Client
Description = Microsoft Network Access Protection Client
Protocol version = 1.0
Status = Enabled
Restriction state = Not restricted
Troubleshooting URL =
Restriction start time =
Extended state =
GroupPolicy = Configured
Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Description = Provides DHCP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Id = 79619
Name = IPsec Relying Party
Description = Provides IPsec based enforcement for Network Access Protection
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79621
Name = RD Gateway Quarantine Enforcement Client
Description = Provides RD Gateway enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79622
Name = Microsoft Forefront UAG Quarantine Enforcement Client
Description = Reports client health status.
Version = 4.0.2095.10000
Vendor name = Microsoft Corporation
Registration date = 11/01/2013 09:04:05
Initialized = No
Id = 79623
Name = EAP Quarantine Enforcement Client
Description = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
System health agent (SHA) state:
----------------------------------------------------
Id = 7467776
Name = ESET SHA
Description = ESET System Health Agent (SHA) checks compliance of ESET products policy defined by system administrator.
Version = 5.0.2126.0
Vendor name = ESET
Registration date = 23/08/2012 16:12:42
Initialized = No
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (0) -
Id = 79744
Name = Windows Security Health Agent
Description = The Windows Security Health Agent monitors security settings on your computer.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (3237937214) - The Windows Security Health Agent has finished updating the security state of this computer.
Compliance results =
Remediation results =
Id = 79745
Name = Configuration Manager 2012 System Health Agent
Description = Configuration Manager 2012 System Health Agent facilitates enforcement of software update compliance using Network Access Protection.
Version = 2012
Vendor name = Microsoft Corporation
Registration date = 23/01/2013 17:54:04
Initialized = No
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (0) -
Ok.
Output from netsh nap client show grouppolicy:
NAP client configuration (group policy):
----------------------------------------------------
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Enabled
Name = IPsec Relying Party
ID = 79619
Admin = Disabled
Name = RD Gateway Quarantine Enforcement Client
ID = 79621
Admin = Disabled
Name = Microsoft Forefront UAG Quarantine Enforcement Client
ID = 79622
Admin = Disabled
Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled
Client tracing:
----------------------------------------------------
State = Enabled
Level = Advanced
Trusted server group configuration:
----------------------------------------------------
Group = HRA Servers
Require Https = Enabled
URL = https://<FQDN>/domainhra/hcsrvext.dll
Processing order = 1
Group = HRA Servers
Require Https = Enabled
URL = https://<FQDN>/nondomainhra/hcsrvext.dll
Processing order = 2
User interface settings:
----------------------------------------------------
Title = Network Access Protection
Description = Your machine does not meet the security requirements defined by the company. If your machine does remediate automatically please contact IT
Image =
Ok.
I've tried running netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE" and restarting the NAP agent on client machines, with the same result.
Any ideas what is going wrong?
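As an added example that is not part of the original post: the script below parses the three netsh outputs (abbreviated copies of the ones above, embedded as constructed sample input) and reports, for each enforcement client, the Admin value that actually applies. It assumes the NAP rule that when `show state` reports `GroupPolicy = Configured`, the Group Policy value for an enforcement client overrides the local value that `show config` displays; the function and variable names are mine. On a live client you would redirect each `netsh nap client show ...` command to a file and pass the file contents to `effective_enforcement`.

```python
"""Effective NAP enforcement-client state from captured 'netsh nap client show
config / grouppolicy / state' output (added example: parses saved text, never
calls netsh, so it runs offline)."""

# Constructed sample input, abbreviated from the three outputs posted above.
LOCAL_CONFIG = """\
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled
Name = Microsoft Forefront UAG Quarantine Enforcement Client
ID = 79622
Admin = Enabled
Ok.
"""
GROUP_POLICY = """\
NAP client configuration (group policy):
----------------------------------------------------
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Enabled
Name = Microsoft Forefront UAG Quarantine Enforcement Client
ID = 79622
Admin = Disabled
Ok.
"""
CLIENT_STATE = """\
Client state:----------------------------------------------------
Restriction state = Not restricted
GroupPolicy = Configured
Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Initialized = Yes
Id = 79622
Name = Microsoft Forefront UAG Quarantine Enforcement Client
Initialized = No
Ok.
"""


def parse_netsh(text):
    """Return {section: [record, ...]}.  A line without '=' ending in ':' (after a
    fused dash rule such as 'Client state:-----' is dropped) opens a section; a
    'Key = Value' line whose key the current record already holds starts a new
    record, which is what separates the repeated Name/ID/Admin groups."""
    sections, section, record = {}, None, {}

    def flush():
        nonlocal record
        if section is not None and record:
            sections.setdefault(section, []).append(record)
        record = {}

    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "Ok." or set(line) == {"-"}:
            continue
        header = line.rstrip("-").strip()
        if "=" not in header and header.endswith(":"):
            flush()
            section = header[:-1]
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key in record:
            flush()
        record[key] = value
    flush()
    return sections


def effective_enforcement(local_text, gp_text, state_text):
    """{client name: details plus a 'note'}.  Assumes (NAP rule) that when 'show
    state' reports GroupPolicy = Configured, the Group Policy value for an
    enforcement client overrides the local value that 'show config' displays."""
    local, gp, state = (parse_netsh(t) for t in (local_text, gp_text, state_text))
    cs = (state.get("Client state") or [{}])[0]
    gp_on = cs.get("GroupPolicy") == "Configured"
    gp_admin = {r["ID"]: r["Admin"] for r in gp.get("Enforcement clients", [])}
    init = {r["Id"]: r.get("Initialized") for r in state.get("Enforcement client state", [])}
    restriction = cs.get("Restriction state")
    out = {}
    for r in local.get("Enforcement clients", []):
        cid, admin = r["ID"], r["Admin"]
        eff = gp_admin[cid] if gp_on and cid in gp_admin else admin
        note = []
        if eff != admin:
            note.append(f"local {admin} is overridden by Group Policy")
        if eff == "Enabled" and init.get(cid) == "Yes" and restriction == "Not restricted":
            note.append("QEC is active, so this switch does not explain 'Not restricted'")
        out[r["Name"]] = {"id": cid, "local": admin, "group_policy": gp_admin.get(cid),
                          "effective": eff, "initialized": init.get(cid),
                          "restriction_state": restriction, "note": "; ".join(note)}
    return out


if __name__ == "__main__":
    for name, e in effective_enforcement(LOCAL_CONFIG, GROUP_POLICY, CLIENT_STATE).items():
        print(f"{e['id']} {name}: effective {e['effective']}, initialized {e['initialized']}; {e['note']}")
```

Run against the sample, the DHCP Quarantine Enforcement Client comes out as effectively Enabled (the local Disabled is overridden by the Group Policy Enabled) and Initialized = Yes, so the `set enforcement ... ADMIN = "ENABLE"` step cannot be the missing piece. With the client still reporting "Not restricted", the next thing to compare is the health exchange itself: the 6276 event NPS logs for the machine against what the client's NAP agent records for the same DHCP transaction (the Group Policy output shows client tracing enabled at Advanced level for that purpose).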