I have exhausted every avenue to get VPN access to the domain without the dreaded "Not NAP-capable" remote access condition.
The setup includes:
- Single DC which has these roles:
  - Active Directory Certificate Services
  - Active Directory Domain Services
  - DHCP Server
  - DNS Server
  - File Services
  - Network Policy and Access Services
  - Print Services
- Features:
  - Group Policy Management
RADIUS, WINS and IPv6 not implemented.
RAS:
  - DHCP IPv4 address assignment
  - Enable Broadcast Name Resolution
  - No inbound or outbound filters
  - PPP: Multilink, LCP and software compression
  - IPv4 Router – LAN and demand-dial routing
  - IPv4 Remote access server
- Primary NIC has fixed IP address for the DC
- Dedicated NIC for VPN – Local Area Network Connection 5 with fixed IP address
- Firewall routes all traffic from its fixed WAN IP address, after NAT, to the dedicated VPN NIC address
- Firewall ports enable VPN traffic
- Domain Controllers Policy
- eapqec – enabled on Client
Network Policy Server
Connection Request Policies
- Microsoft Routing and Remote Access Service Policy Enabled 1 – Remote Access Server (VPN-Dial-up)
  - Authentication Provider – Local Computer
  - Extensible Authentication Protocol Configuration – Configured
  - Extensible Authentication Protocol Method – Microsoft Protected EAP (PEAP)
  - Authentication Method – EAP
  - Override Authentication – Enabled
Network Policies
- Microsoft Routing and Remote Access Service Policy Enabled 1 – Remote Access Server (VPN-Dial-up)
  - Condition
    - MS-RAS Vendor ID 311$
    - User Groups – DOMAIN\Domain Users
    - Windows Groups – DOMAIN\JohnGroup
    - Windows Groups – DOMAIN\Domain Admins
  - Settings
    - Extensible Authentication Protocol Configuration – Configured
    - Extended State – <blank>
    - Access Permission – Grant Access
    - Extensible Authentication Protocol Method – Microsoft EAP (PEAP)
    - Configure Protected EAP Properties – check Enable Fast Reconnect & Enable Quarantine Checks
    - NAP Port Type – Virtual (VPN)
    - Authentication Method – EAP
    - NAP Enforcement – Allow full network access
    - Update Noncompliant Clients – False
    - Framed Protocol – PPP
    - Service Type – Framed
    - BAP Percentage of Capacity – Reduce Multilink if server reaches 50% for 2 minutes
    - IPv4 Filters – configured
    - Encryption Policy – configured
    - Encryption – Basic Encryption, Strong, Strongest
Health Policies
- SHV Health Check – Client passes all SHV checks
- Fails one SHV Check – Client fails one or more SHV checks
Network Access Protection
- System Health Validation
  - Windows Vista – NONE are checked
  - Error Code Resolution – all are set to compliant
  - This was done to enable the LEAST restrictive condition on the client and allow a NAP-compliant connection. Other conditions have been tried.
No error reporting on NAP compliance.
Client – Windows 7 Professional
- napagent – Service running
  - Log on as: Network Service
- netsh nap client show state
  - Network Access Protection Client – 1.0 – Enabled
    - Not Restricted
    - GroupPolicy = Not Configured
  - EAP Quarantine Enforcement Client
    - 1.0
    - Initialized = Yes
  - System Health Agent
    - ID = 79744
    - Initialized = Yes
    - Failure Category = None
    - Remediation State = Success
    - Remediation percentage = 0
    - Compliance results; Remediation results; ok
When the tunnel connects:
- VPN is established with:
  - Connect to Miniport
  - Authentication of user
  - Register on Network
- Client reports
  - Domain.local 5
  - Access type: Internet
  - Connections: DOMAIN
When the network is shown, only the client is seen in the client's network view; no other parts of the domain can be seen.
Unable to ping the address of the DOMAIN controller
RRAS when showing Remote Access Clients always reports Not NAP-capable.
I have tried many variations on the setup and nothing allows full access to the domain.
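To compare the two sides of a "Not NAP-capable" verdict in one place, here is an added PowerShell example (not from the original post, and not a Microsoft-provided tool). It parses the `netsh nap client show state` and `show configuration` listings the post quotes into objects, checks that the napagent service is running and that the EAP Quarantine Enforcement Client and the Windows Security Health Agent are both enabled and initialized, and pulls the NPS decision events from the Security log on the server. Assumptions: it runs elevated; 79623 is the ID Windows uses for the EAP Quarantine Enforcement Client and 79744 for the Windows Security Health Agent (the post's own output shows 79744); the NAP client operational log is named `Microsoft-Windows-NetworkAccessProtection/Operational`; and the NPS event IDs 6272/6273/6276/6278 are the standard granted/denied/quarantined/full-access events.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell.
# Assumed IDs: 79623 = EAP Quarantine Enforcement Client, 79744 = Windows
# Security Health Agent. Hashtable keys are case-insensitive, so "Id" and "ID"
# in the two netsh listings both resolve.

# Turn a "netsh nap client show ..." listing into one hashtable per block:
# blocks are separated by blank lines, entries look like "Key = Value".
function ConvertFrom-NetshBlocks {
    param([string[]]$Lines)
    $blocks  = @()
    $current = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(.+?)\s*=\s*(.*?)\s*$') {
            $current[$Matches[1]] = $Matches[2]
        } elseif ($line.Trim() -eq '' -and $current.Count -gt 0) {
            $blocks += ,$current
            $current = @{}
        }
    }
    if ($current.Count -gt 0) { $blocks += ,$current }
    return $blocks
}

# Client side: everything that has to be true before an SoH can be sent over VPN.
function Get-NapClientReport {
    $svc   = Get-Service -Name napagent -ErrorAction SilentlyContinue
    $state = ConvertFrom-NetshBlocks (netsh nap client show state)
    $cfg   = ConvertFrom-NetshBlocks (netsh nap client show configuration)

    $eapState = $state | Where-Object { $_['Id'] -eq '79623' }
    $eapCfg   = $cfg   | Where-Object { $_['Id'] -eq '79623' }
    $wsha     = $state | Where-Object { $_['Id'] -eq '79744' }

    # Group Policy can silently override the local enforcement-client setting;
    # surface whatever the state listing reports for it.
    $gpo = $state | Where-Object { $_['GroupPolicy'] } |
           ForEach-Object { $_['GroupPolicy'] }

    New-Object PSObject -Property @{
        NapAgentRunning   = ($svc -ne $null -and $svc.Status -eq 'Running')
        EapQecEnabled     = ($eapCfg -ne $null -and $eapCfg['Admin'] -eq 'Enabled')
        EapQecInitialized = ($eapState -ne $null -and $eapState['Initialized'] -eq 'Yes')
        WshaInitialized   = ($wsha -ne $null -and $wsha['Initialized'] -eq 'Yes')
        GroupPolicyState  = ($gpo -join '; ')
    }
}

# Client side: recent NAP client events (assumed log name).
function Get-NapClientEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NetworkAccessProtection/Operational'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, Id, @{ Name = 'Summary'
                                         Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Server side (run on the NPS/RRAS host): the per-connection NAP decision.
# 6272 = access granted, 6273 = denied, 6276 = quarantined,
# 6278 = full access granted because the host met the health policy.
function Get-NpsNapDecisions {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6272, 6273, 6276, 6278
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, Id, @{ Name = 'Summary'
                                         Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: on the client, then on the server.
Get-NapClientReport | Format-List
Get-NapClientEvents  | Format-Table -AutoSize
# Get-NpsNapDecisions | Format-Table -AutoSize
```

Read the client report first: if `EapQecEnabled` or `EapQecInitialized` is false, or `NapAgentRunning` is false, the client never builds a Statement of Health and RRAS will show it as "Not NAP-capable" regardless of how permissive the network policy is. Only once all four client flags are true do the server-side 6272/6276/6278 events tell you which network policy actually matched the connection.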