Home > Security > NAP Troublehsooting

NAP Troublehsooting

Troubleshooting Network Access Protection

I just setup a lab environment to test several of the following NAP enforcement features:

  • IPSec Connection Security
  • 802.1x Access Point
  • VPN Server
  • DHCP Server

The first NAP enforcement feature I configured was for DHCP.  It is the least complicated and easiest scenario to test.  I’ve also used as a guideline the following Microsoft white paper Step by Step Guide: Demonstrate NAP DHCP Enforcement in a Test Lab .  All servers in the setup were 2008 Enterprise Edition and the following were the roles available on the network:

DC1

  • Domain Controller
  • NPS
  • DHCP Server

SRV1

  • Member Server joined to domain
  • DHCP Client

The issue I encountered was that SRV1 was unable to get an IP address from the DHCP server.  If I turned off NAP on the DHCP server either at the IPv4 or Scope level then SRV1 was able to obtain an address.  After doing some testing I was able to get it to work but only changing the “Error Code Resolution” features in the Windows Security Health Validator to the following:

  • SVH unable to contact required services – Noncompliant
  • SHA unable to contact required services – Noncompliant
  • SHA not resonding to NAP client – Compliant
  • SHV not responding – Noncompliannt
  • Vendor specific error code received – Noncompliant

The issue I discovered is that Server2008 doesn’t have a Security Health Agent.  The SHA also depends on the Windows Security Center, which isn’t included in Server2008 either.  Only after chaning the “SHA not responding to NAP client” setting to “Compiant” was SRV1 able to receive an address via DHCP. 

After discovering the issue with SHA on Server2008 I did some research and found the following posting “Include Security Center and Windows SHA on Server 2008” on the Microsoft Technet forum for NAP.

Advertisements
Categories: Security
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: