thenetworkadmin_tek
asked on
NAP VPN Non-Domain Clients / Domain Cleints
Hey folks -
Basically have a NAP server that I want handling our VPN connections for domain and non-domain clients.
I've followed the guide here:
http://www.scribd.com/doc/7624494/NAP-VPN-Step-by-Step
So I get the clients to connect - authenticate, and I make sure i setup the VPN connection to validate the cert, use NPS, etc etc.
My main issue is if it's a domain or non-domain system after it connects it coughs this out in the security log:
Authentication Details:
Connection Request Policy Name: NAP VPN
Network Policy Name: NAP VPN Non NAP-Capable
Authentication Provider: Windows
*nap vpn non nap-capable - being the setup from the wizard.
Anyone ever run into this? It simply won't let the systems connect and get through to the NAP-Capable policy. I've tried manually setting the VPN on the host to connect via PEAP and i've checked that my connection request policy allows PEAP and MS-CHAPv2 (as shown below in the sec log)
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: 323236
Pulling my hair out - any assistance would be appreciated.
Basically have a NAP server that I want handling our VPN connections for domain and non-domain clients.
I've followed the guide here:
http://www.scribd.com/doc/7624494/NAP-VPN-Step-by-Step
So I get the clients to connect - authenticate, and I make sure i setup the VPN connection to validate the cert, use NPS, etc etc.
My main issue is if it's a domain or non-domain system after it connects it coughs this out in the security log:
Authentication Details:
Connection Request Policy Name: NAP VPN
Network Policy Name: NAP VPN Non NAP-Capable
Authentication Provider: Windows
*nap vpn non nap-capable - being the setup from the wizard.
Anyone ever run into this? It simply won't let the systems connect and get through to the NAP-Capable policy. I've tried manually setting the VPN on the host to connect via PEAP and i've checked that my connection request policy allows PEAP and MS-CHAPv2 (as shown below in the sec log)
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: 323236
Pulling my hair out - any assistance would be appreciated.
ASKER
Got this (yes i know the google.com link is lame - just for tests, this is from the C:\windows\tracing\IASNAP.
[2344] 04-19 16:45:07:843: Resolved help url server: www.google.com
[2344] 04-19 16:45:07:952: Skipping disabled policy "Microsoft Routing and Remote Access Service Policy"
[2344] 04-19 16:45:07:999: Resolved remediaton server 10.0.0.105 and got 10.0.0.105
[2344] 04-19 16:45:15:921: Resolved help url server: www.google.com
[2344] 04-19 16:45:15:921: Skipping disabled policy "Microsoft Routing and Remote Access Service Policy"
[2344] 04-19 16:45:15:921: Skipping disabled policy "Use Windows authentication for all users"
[2344] 04-19 16:45:15:968: Resolved remediaton server 10.0.0.105 and got 10.0.0.105
[1716] 04-19 16:45:21:687: The request comes from NAS type 2
[1716] 04-19 16:45:21:687: Applying CRP policy:NPS1
[1620] 04-19 16:45:28:452: The request comes from NAS type 2
[1620] 04-19 16:45:28:452: Applying CRP policy:NPS1
[1716] 04-19 16:45:28:546: The request comes from NAS type 2
[1716] 04-19 16:45:28:546: Applying CRP policy:NPS1
[1716] 04-19 16:45:28:624: The request comes from NAS type 2
[1716] 04-19 16:45:28:624: Applying CRP policy:NPS1
[1716] 04-19 16:45:28:702: The request comes from NAS type 2
[1716] 04-19 16:45:28:702: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:222: The request comes from NAS type 2
[1716] 04-19 16:45:31:222: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:269: The request comes from NAS type 2
[1716] 04-19 16:45:31:269: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:300: The request comes from NAS type 2
[1716] 04-19 16:45:31:300: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:377: The request comes from NAS type 2
[1716] 04-19 16:45:31:377: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:440: The request comes from NAS type 2
[1716] 04-19 16:45:31:440: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:533: The request comes from NAS type 2
[1716] 04-19 16:45:31:533: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:533: The request comes from NAS type 2
[1716] 04-19 16:45:31:533: Applying RAP policy:NPS1 Non NAP-Capable
[1716] 04-19 16:45:31:533: Added help URL server "www.google.com"'s ip-address to Fixup server list
[1716] 04-19 16:45:31:533: Auto-generation of Session-Timeout is disabled.
[1716] 04-19 16:45:31:533: WARNING: No SHV Session Handle
[1716] 04-19 16:45:31:533: The request is given quarantine state 1
[1716] 04-19 16:45:31:533: Setting remediation servers Site1WSUS
[1716] 04-19 16:45:31:533: Insert 7 IPv4 Remediation Servers
[1716] 04-19 16:45:31:595: The request comes from NAS type 2
[1716] 04-19 16:45:31:595: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:813: The request comes from NAS type 2
[1716] 04-19 16:45:31:813: Applying CRP policy:NPS1
[2344] 04-19 16:45:07:843: Resolved help url server: www.google.com
[2344] 04-19 16:45:07:952: Skipping disabled policy "Microsoft Routing and Remote Access Service Policy"
[2344] 04-19 16:45:07:999: Resolved remediaton server 10.0.0.105 and got 10.0.0.105
[2344] 04-19 16:45:15:921: Resolved help url server: www.google.com
[2344] 04-19 16:45:15:921: Skipping disabled policy "Microsoft Routing and Remote Access Service Policy"
[2344] 04-19 16:45:15:921: Skipping disabled policy "Use Windows authentication for all users"
[2344] 04-19 16:45:15:968: Resolved remediaton server 10.0.0.105 and got 10.0.0.105
[1716] 04-19 16:45:21:687: The request comes from NAS type 2
[1716] 04-19 16:45:21:687: Applying CRP policy:NPS1
[1620] 04-19 16:45:28:452: The request comes from NAS type 2
[1620] 04-19 16:45:28:452: Applying CRP policy:NPS1
[1716] 04-19 16:45:28:546: The request comes from NAS type 2
[1716] 04-19 16:45:28:546: Applying CRP policy:NPS1
[1716] 04-19 16:45:28:624: The request comes from NAS type 2
[1716] 04-19 16:45:28:624: Applying CRP policy:NPS1
[1716] 04-19 16:45:28:702: The request comes from NAS type 2
[1716] 04-19 16:45:28:702: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:222: The request comes from NAS type 2
[1716] 04-19 16:45:31:222: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:269: The request comes from NAS type 2
[1716] 04-19 16:45:31:269: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:300: The request comes from NAS type 2
[1716] 04-19 16:45:31:300: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:377: The request comes from NAS type 2
[1716] 04-19 16:45:31:377: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:440: The request comes from NAS type 2
[1716] 04-19 16:45:31:440: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:533: The request comes from NAS type 2
[1716] 04-19 16:45:31:533: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:533: The request comes from NAS type 2
[1716] 04-19 16:45:31:533: Applying RAP policy:NPS1 Non NAP-Capable
[1716] 04-19 16:45:31:533: Added help URL server "www.google.com"'s ip-address to Fixup server list
[1716] 04-19 16:45:31:533: Auto-generation of Session-Timeout is disabled.
[1716] 04-19 16:45:31:533: WARNING: No SHV Session Handle
[1716] 04-19 16:45:31:533: The request is given quarantine state 1
[1716] 04-19 16:45:31:533: Setting remediation servers Site1WSUS
[1716] 04-19 16:45:31:533: Insert 7 IPv4 Remediation Servers
[1716] 04-19 16:45:31:595: The request comes from NAS type 2
[1716] 04-19 16:45:31:595: Applying CRP policy:NPS1
[1716] 04-19 16:45:31:813: The request comes from NAS type 2
[1716] 04-19 16:45:31:813: Applying CRP policy:NPS1
ASKER
Made some more progress - pretty sure it's the EAP enforcement client that isn't registering with the HRA - anyone have any ideas?
Client state:
--------------------------
Name = Network Access Protection Client
Description = Microsoft Network Access Protection Client
Protocol version = 1.0
Status = Enabled
Restriction state = Not restricted
Troubleshooting URL =
Restriction start time =
Extended state =
GroupPolicy = Configured
Enforcement client state:
--------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Description = Provides DHCP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79619
Name = IPsec Relying Party
Description = Provides IPsec based enforcement for Network Access Pr
tection
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79621
Name = RD Gateway Quarantine Enforcement Client
Description = Provides RD Gateway enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79623
Name = EAP Quarantine Enforcement Client
Description = Provides Network Access Protection enforcement for EAP
authenticated network connections, such as those used with 802.1X and VPN techn
logies.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Client state:
--------------------------
Name = Network Access Protection Client
Description = Microsoft Network Access Protection Client
Protocol version = 1.0
Status = Enabled
Restriction state = Not restricted
Troubleshooting URL =
Restriction start time =
Extended state =
GroupPolicy = Configured
Enforcement client state:
--------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Description = Provides DHCP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79619
Name = IPsec Relying Party
Description = Provides IPsec based enforcement for Network Access Pr
tection
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79621
Name = RD Gateway Quarantine Enforcement Client
Description = Provides RD Gateway enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79623
Name = EAP Quarantine Enforcement Client
Description = Provides Network Access Protection enforcement for EAP
authenticated network connections, such as those used with 802.1X and VPN techn
logies.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
ASKER
Pretty much - How do I make EAP Quarantine Enforcement Client Initialize?
ASKER
Thought I'd provide an update -
I can get it to work from a non-domain computer if i start napclcfg.msc up and enable the EAP Quarantine Enforcement Client manually - now I've doublechecked my GPO 100 times and I swear it's right, it's applying on the machine.
But now if i look at "netsh nap client show grouppolicy" it comes back as EAP being disabled.
If I look at the local setting on the domain computer napclcfg.msc it shows that the EAP is enabled - however the command line produces different results.
Tried adding another laptop to the computer group that gets this GPO and it's the same result - so it seems to be my GPO that's hosed. Anyone have a good link to the proper way to set this up?
I've hunted technet and the command of:
netsh nap set enforcement ID = 79619 ADMIN = "ENABLE"
does not work - HALP! :)
I can get it to work from a non-domain computer if i start napclcfg.msc up and enable the EAP Quarantine Enforcement Client manually - now I've doublechecked my GPO 100 times and I swear it's right, it's applying on the machine.
But now if i look at "netsh nap client show grouppolicy" it comes back as EAP being disabled.
If I look at the local setting on the domain computer napclcfg.msc it shows that the EAP is enabled - however the command line produces different results.
Tried adding another laptop to the computer group that gets this GPO and it's the same result - so it seems to be my GPO that's hosed. Anyone have a good link to the proper way to set this up?
I've hunted technet and the command of:
netsh nap set enforcement ID = 79619 ADMIN = "ENABLE"
does not work - HALP! :)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5536
Made sure my rsop showed that the gpo i made was applied.
"netsh nap client show state" seems to be good (it's on another laptop, so no screen-shot)
I shall continue my quest.