NAP VPN Non-Domain Clients / Domain Clients

thenetworkadmin_tek
Hey folks -

Basically I have a NAP server that I want handling our VPN connections for domain and non-domain clients.

I've followed the guide here:

http://www.scribd.com/doc/7624494/NAP-VPN-Step-by-Step

So I get the clients to connect and authenticate, and I make sure I set up the VPN connection to validate the cert, use NPS, etc. etc.

My main issue is that whether it's a domain or non-domain system, after it connects it coughs this out in the security log:

Authentication Details:
      Connection Request Policy Name:      NAP VPN
      Network Policy Name:            NAP VPN Non NAP-Capable
      Authentication Provider:            Windows

*NAP VPN Non NAP-Capable being the setup from the wizard.

Anyone ever run into this? It simply won't let the systems connect and get through to the NAP-Capable policy. I've tried manually setting the VPN on the host to connect via PEAP and I've checked that my connection request policy allows PEAP and MS-CHAPv2 (as shown below in the security log):


      Authentication Type:            PEAP
      EAP Type:                  Microsoft: Secured password (EAP-MSCHAP v2)
      Account Session Identifier:            323236

Pulling my hair out - any assistance would be appreciated.
Author

Commented:
Blew away the server - tried another guide:

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5536

Made sure my RSoP showed that the GPO I made was applied.

"netsh nap client show state" seems to be good (it's on another laptop, so no screen-shot)

I shall continue my quest.

Author

Commented:
Got this (yes, I know the google.com link is lame - just for tests; this is from the C:\windows\tracing\IASNAP.log file):

[2344] 04-19 16:45:07:843: Resolved help url server: www.google.com
[2344] 04-19 16:45:07:952: Skipping disabled policy "Microsoft Routing and Remote Access Service Policy"
[2344] 04-19 16:45:07:999: Resolved remediaton server 10.0.0.105 and got 10.0.0.105
[2344] 04-19 16:45:15:921: Resolved help url server: www.google.com
[2344] 04-19 16:45:15:921: Skipping disabled policy "Microsoft Routing and Remote Access Service Policy"
[2344] 04-19 16:45:15:921: Skipping disabled policy "Use Windows authentication for all users"
[2344] 04-19 16:45:15:968: Resolved remediaton server 10.0.0.105 and got 10.0.0.105
[1716] 04-19 16:45:21:687: The request comes from NAS type 2
[1716] 04-19 16:45:21:687: Applying CRP policy:NPS1
[1620] 04-19 16:45:28:452: The request comes from NAS type 2
[1620] 04-19 16:45:28:452: Applying CRP policy:NPS1
[1716] 04-19 16:45:28:546: The request comes from NAS type 2
[1716] 04-19 16:45:28:546: Applying CRP policy:NPS1
[1716] 04-19 16:45:28:624: The request comes from NAS type 2
[1716] 04-19 16:45:28:624: Applying CRP policy:NPS1
[1716] 04-19 16:45:28:702: The request comes from NAS type 2
[1716] 04-19 16:45:28:702: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:222: The request comes from NAS type 2
[1716] 04-19 16:45:31:222: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:269: The request comes from NAS type 2
[1716] 04-19 16:45:31:269: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:300: The request comes from NAS type 2
[1716] 04-19 16:45:31:300: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:377: The request comes from NAS type 2
[1716] 04-19 16:45:31:377: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:440: The request comes from NAS type 2
[1716] 04-19 16:45:31:440: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:533: The request comes from NAS type 2
[1716] 04-19 16:45:31:533: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:533: The request comes from NAS type 2
[1716] 04-19 16:45:31:533: Applying RAP policy:NPS1 Non NAP-Capable
[1716] 04-19 16:45:31:533: Added help URL server "www.google.com"'s ip-address to Fixup server list
[1716] 04-19 16:45:31:533: Auto-generation of Session-Timeout is disabled.
[1716] 04-19 16:45:31:533: WARNING: No SHV Session Handle
[1716] 04-19 16:45:31:533: The request is given quarantine state 1
[1716] 04-19 16:45:31:533: Setting remediation servers Site1WSUS
[1716] 04-19 16:45:31:533: Insert 7 IPv4 Remediation Servers
[1716] 04-19 16:45:31:595: The request comes from NAS type 2
[1716] 04-19 16:45:31:595: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:813: The request comes from NAS type 2
[1716] 04-19 16:45:31:813: Applying CRP policy:NPS1

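The IASNAP.log excerpt above is what NPS writes when a request falls through to the Non NAP-Capable network policy. As an added illustration (not part of the original thread), here is a small Python triage script that groups IASNAP.log lines into requests by thread id and flags the combination that bit the author: a "Non NAP-Capable" policy applied together with "WARNING: No SHV Session Handle", i.e. NPS evaluated no Statement of Health for that connection. The sample log is constructed in the format shown in the post; the second request and the policy name "NPS1 Compliant" are invented, and the diagnosis text follows the thread's eventual finding (EAP enforcement client not enabled on the client) rather than anything NPS itself reports.

```python
import re

# Constructed sample in the format of C:\Windows\tracing\IASNAP.log on the NPS
# server: "[thread] MM-DD HH:MM:SS:mmm: message". The first request mirrors the
# excerpt in the post; the second request and "NPS1 Compliant" are invented.
SAMPLE_LOG = """\
[1716] 04-19 16:45:31:533: The request comes from NAS type 2
[1716] 04-19 16:45:31:533: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:533: Applying RAP policy:NPS1 Non NAP-Capable
[1716] 04-19 16:45:31:533: Auto-generation of Session-Timeout is disabled.
[1716] 04-19 16:45:31:533: WARNING: No SHV Session Handle
[1716] 04-19 16:45:31:533: The request is given quarantine state 1
[1716] 04-19 16:45:31:533: Setting remediation servers Site1WSUS
[2040] 04-19 16:52:10:101: The request comes from NAS type 2
[2040] 04-19 16:52:10:101: Applying CRP policy:NPS1
[2040] 04-19 16:52:10:120: Applying RAP policy:NPS1 Compliant
[2040] 04-19 16:52:10:120: The request is given quarantine state 0
"""

LINE_RE = re.compile(
    r"^\[(?P<tid>\d+)\] (?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3}): (?P<msg>.*)$"
)


def parse_iasnap(text):
    """Yield (thread_id, timestamp, message) for each well-formed line; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("tid"), m.group("ts"), m.group("msg").strip()


def _new_request(tid):
    return {"tid": tid, "crp": None, "rap": None, "warnings": [],
            "quarantine_state": None, "closed_at": None}


def extract_requests(text):
    """Group log lines into completed requests.

    NPS logs one EAP conversation on one thread, so lines are accumulated per
    thread id; the "given quarantine state" line closes the request.
    """
    open_requests, completed = {}, []
    for tid, ts, msg in parse_iasnap(text):
        req = open_requests.setdefault(tid, _new_request(tid))
        if msg.startswith("Applying CRP policy:"):
            req["crp"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("Applying RAP policy:"):
            req["rap"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("WARNING:"):
            req["warnings"].append(msg[len("WARNING:"):].strip())
        elif msg.startswith("The request is given quarantine state"):
            req["quarantine_state"] = int(msg.rsplit(" ", 1)[1])
            req["closed_at"] = ts
            completed.append(open_requests.pop(tid))
    return completed


def triage(req):
    """Return a one-line diagnosis for a completed request."""
    rap = req["rap"] or "<no network policy>"
    if "No SHV Session Handle" in req["warnings"]:
        # No SHV session means NPS had no Statement of Health to evaluate; in the
        # thread this turned out to be the EAP enforcement client being disabled.
        return ("no-soh: matched %s without an SHV session; the client sent no "
                "Statement of Health, so check that the EAP Quarantine Enforcement "
                "Client is enabled and initialized on it (netsh nap client show state)"
                % rap)
    if "Non NAP-Capable" in rap:
        return "non-nap-capable: matched %s" % rap
    return "evaluated: matched %s, quarantine state %s" % (rap, req["quarantine_state"])


def summarize(text):
    """(thread id, close time, diagnosis) for every completed request in the log."""
    return [(r["tid"], r["closed_at"], triage(r)) for r in extract_requests(text)]


if __name__ == "__main__":
    for tid, ts, verdict in summarize(SAMPLE_LOG):
        print("[%s] %s %s" % (tid, ts, verdict))
```

Run it against the real file (pass the contents of C:\Windows\tracing\IASNAP.log to summarize) after turning NPS tracing on with netsh ras set tracing * enabled; the file is only written while tracing is enabled.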
Author

Commented:
Made some more progress - pretty sure it's the EAP enforcement client that isn't registering with the HRA - anyone have any ideas?

Client state:
----------------------------------------------------
Name                   = Network Access Protection Client
Description            = Microsoft Network Access Protection Client
Protocol version       = 1.0
Status                 = Enabled
Restriction state      = Not restricted
Troubleshooting URL    =
Restriction start time =
Extended state         =
GroupPolicy            = Configured

Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Description            = Provides DHCP based enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79619
Name                   = IPsec Relying Party
Description            = Provides IPsec based enforcement for Network Access Protection
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79621
Name                   = RD Gateway Quarantine Enforcement Client
Description            = Provides RD Gateway enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79623
Name                   = EAP Quarantine Enforcement Client
Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Author

Commented:
Pretty much - How do I make EAP Quarantine Enforcement Client Initialize?

Author

Commented:
Thought I'd provide an update -

I can get it to work from a non-domain computer if I start napclcfg.msc up and enable the EAP Quarantine Enforcement Client manually - now I've double-checked my GPO 100 times and I swear it's right, it's applying on the machine.

But now if I look at "netsh nap client show grouppolicy" it comes back as EAP being disabled.

If I look at the local setting on the domain computer in napclcfg.msc, it shows that EAP is enabled - however the command line produces different results.

Tried adding another laptop to the computer group that gets this GPO and it's the same result - so it seems to be my GPO that's hosed. Anyone have a good link to the proper way to set this up?

I've hunted technet and the command of:

netsh nap set enforcement ID = 79619 ADMIN = "ENABLE"

does not work - HALP! :)

Author

Commented:
FIGURED IT OUT!

I had another group policy for our RADIUS network connection - this GPO was overriding the EAP settings for the domain systems - enabled the EAP enforcement client in the RADIUS GPO - voila! Worked, passed system health validators!! :)

Now it's time to test out the remediation services and get it into the production network!
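
The "netsh nap client show state" listing earlier in the thread and the resolution just above (a second GPO that disabled the EAP enforcement client) suggest a repeatable client-side check. The following Python script is an added example, not code from the original thread: it parses show state output (a constructed sample shortened from the listing in the post, keeping the console-wrapped description lines), confirms that the EAP Quarantine Enforcement Client (id 79623, the one used for VPN and 802.1X) is initialized, and when it is not, points at Group Policy if GroupPolicy = Configured (where local napclcfg.msc changes are overridden, as the author saw) or at the local netsh nap client set enforcement command otherwise. The function names are the example's own.

```python
import re

# Constructed sample of "netsh nap client show state" output, shortened from
# the listing in the post. Long descriptions are hard-wrapped by the console.
SAMPLE_STATE = """\
Client state:
----------------------------------------------------
Name                   = Network Access Protection Client
Description            = Microsoft Network Access Protection Client
Protocol version       = 1.0
Status                 = Enabled
Restriction state      = Not restricted
Troubleshooting URL    =
Restriction start time =
Extended state         =
GroupPolicy            = Configured

Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Description            = Provides DHCP based enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79623
Name                   = EAP Quarantine Enforcement Client
Description            = Provides Network Access Protection enforcement for EAP
authenticated network connections, such as those used with 802.1X and VPN techn
logies.
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No
"""

EAP_QEC_ID = 79623  # EAP Quarantine Enforcement Client: VPN and 802.1X enforcement

KV_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*=\s*(?P<val>.*)$")


def parse_nap_state(text):
    """Return (client_state_dict, [enforcement_client_dicts]) from netsh output.

    Blocks are separated by blank lines. A line without "Key = value" shape is a
    console-wrapped continuation of the previous value.
    """
    blocks, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                blocks.append(current)
            current, last_key = {}, None
            continue
        if line.endswith(":") or set(line) == {"-"}:
            continue  # section title or separator rule
        m = KV_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            current[last_key] = m.group("val").strip()
        elif last_key is not None:
            current[last_key] = (current[last_key] + " " + line.strip()).strip()
    if current:
        blocks.append(current)
    client = blocks[0] if blocks else {}
    enforcement = [b for b in blocks[1:] if "Id" in b]
    return client, enforcement


def check_eap_enforcement(text):
    """List the reasons EAP-based NAP (VPN/802.1X) cannot work on this client."""
    client, clients = parse_nap_state(text)
    findings = []
    if client.get("Status") != "Enabled":
        findings.append("NAP agent Status is %r, expected Enabled" % client.get("Status"))
    eap = next((c for c in clients if c.get("Id") == str(EAP_QEC_ID)), None)
    if eap is None:
        findings.append("EAP Quarantine Enforcement Client (id %d) is not listed" % EAP_QEC_ID)
    elif eap.get("Initialized") != "Yes":
        if client.get("GroupPolicy") == "Configured":
            # Local napclcfg.msc / netsh settings lose to the NAP client GPO.
            findings.append(
                "EAP QEC (id %d) Initialized = %s and GroupPolicy = Configured: enable the "
                "EAP Quarantine Enforcement Client in every GPO carrying NAP client settings; "
                "a GPO that disables it overrides local napclcfg.msc changes"
                % (EAP_QEC_ID, eap.get("Initialized")))
        else:
            findings.append(
                "EAP QEC (id %d) Initialized = %s: enable it locally with "
                'netsh nap client set enforcement ID = %d ADMIN = "ENABLE"'
                % (EAP_QEC_ID, eap.get("Initialized"), EAP_QEC_ID))
    return findings


if __name__ == "__main__":
    for f in check_eap_enforcement(SAMPLE_STATE) or ["EAP enforcement client looks healthy"]:
        print(f)
```

On a real machine, feed it the output of netsh nap client show state; if it reports the Group Policy case, check which GPOs apply with gpresult /r and look at the NAP Client Configuration settings in each of them, not only the one you wrote.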
