1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

IPsec NAP enforcement

Discussion in 'Networks' started by Gomjaba, Oct 8, 2008.

  1. Gomjaba

    Gomjaba Bit Poster

    28
    1
    17
    Scenario:
    1. Server 2003 R2 SP2 : DNS / AD Server
    2. Server 2008 Datacenter : joint the domain, hosts NPS, HRA and suordinate CA services
    3. Client running Vista Business : Joint the domain

    The problem I got is that the IPSec Relying Party does not initialize.

    Here the output of netsh nap client show grouppolicy

    Code:
    
    NAP client configuration (group policy): 
    ---------------------------------------------------- 
    
    NAP client configuration: 
    ---------------------------------------------------- 
    
    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048 
    
    Hash algorithm = sha1RSA (1.3.14.3.2.29) 
    
    Enforcement clients: 
    ---------------------------------------------------- 
    Name            = DHCP Quarantine Enforcement Client 
    ID              = 79617 
    Admin           = Disabled 
    
    Name            = Remote Access Quarantine Enforcement Client 
    ID              = 79618 
    Admin           = Disabled 
    
    [COLOR="Red"]Name            = IPSec Relying Party 
    ID              = 79619 
    Admin           = Enabled [/COLOR]
    
    Name            = TS Gateway Quarantine Enforcement Client 
    ID              = 79621 
    Admin           = Disabled 
    
    Name            = EAP Quarantine Enforcement Client 
    ID              = 79623 
    Admin           = Disabled 
    
    Client tracing: 
    ---------------------------------------------------- 
    State = Disabled 
    Level = Disabled 
    
    Trusted server group configuration: 
    ---------------------------------------------------- 
    Group            = Trusted HRA Servers 
    Require Https    = Enabled 
    URL              = https://nps1.domain.local/domainhra/hcsrvext.dll 
    Processing order = 1 
    
    Ok.
    
    and here the output of netsh nap client show state

    Code:
    
    Client state: 
    ---------------------------------------------------- 
    Name                   = Network Access Protection Client 
    Description            = Microsoft Network Access Protection Client 
    Protocol version       = 1.0 
    Status                 = Enabled 
    Restriction state      = Not restricted 
    Troubleshooting URL    =  
    Restriction start time =  
    
    Enforcement client state: 
    ---------------------------------------------------- 
    Id                     = 79617 
    Name                   = DHCP Quarantine Enforcement Client 
    Description            = Provides DHCP based enforcement for NAP 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 
    
    Id                     = 79618 
    Name                   = Remote Access Quarantine Enforcement Client 
    Description            = Provides the quarantine enforcement for RAS Client 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 
    
    [COLOR="Red"]Id                     = 79619 
    Name                   = IPSec Relying Party 
    Description            = Provides IPSec based enforcement for Network Access Protection 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No [/COLOR]
    
    Id                     = 79621 
    Name                   = TS Gateway Quarantine Enforcement Client 
    Description            = Provides TS Gateway enforcement for NAP 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 
    
    Id                     = 79623 
    Name                   = EAP Quarantine Enforcement Client 
    Description            = Provides EAP based enforcement for NAP 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 
    
    System health agent (SHA) state: 
    ---------------------------------------------------- 
    Id                     = 79744 
    Name                   = Windows Security Health Agent
     
    Description            = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
     
    Version                = 1.0
     
    Vendor name            = Microsoft Corporation
     
    Registration date      =  
    Initialized            = Yes 
    Failure category       = None 
    Remediation state      = Success 
    Remediation percentage = 0 
    Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating its security state.
     
    Compliance results     = (0x00000000) - 
                             (0x00000000) - 
                             (0x00000000) - 
                             (0x00000000) - 
                             (0x00000000) - 
                             (0x00000000) - 
                             (0x00000000) - 
                             (0x00000000) - 
    
    Remediation results    = 
    
    Ok.
    
    So the IPSec Relying Party is enabled, but does not initialize.

    IPsec service runs on the client, NAP client runs and when I either disable for example antivirus or the firewall, NAP does not allow me to connect to the network anymore .. so this seems to work ..

    Output of napsh nps show config on the Server 2008 box

    Code:
    
    Connection request policy configuration: 
    --------------------------------------------------------- 
    Name             = Use Windows authentication for all users 
    State            = Enabled 
    Processing order = 999999 
    Policy source    = 0 
    
    Condition attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00" 
    
    Profile attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Auth-Provider-Type                      0x1025      "0x1" 
    
    Connection request policy configuration: 
    --------------------------------------------------------- 
    Name             = NAP IPsec with HRA 
    State            = Enabled 
    Processing order = 2 
    Policy source    = 5 
    
    Condition attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00" 
    
    Profile attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Auth-Provider-Type                      0x1025      "0x1" 
    
    Event log configuration: 
    --------------------------------------------------------- 
    Accepted authentication requests = Enabled 
    Rejected authentication requests = Enabled 
    
    File log configuration: 
    --------------------------------------------------------- 
    Accounting                     = Enabled 
    Authentication                 = Enabled 
    Periodic accounting status     = Enabled 
    Periodic authentication status = Enabled 
    Directory                      = C:\Windows\system32\LogFiles 
    Format                         = ODBC formatting 
    Delete old logs                = Enabled 
    Frequency                      = Monthly logs 
    Max size                       = 10 MB 
    
    Ports configuration: 
    --------------------------------------------------------- 
    Accounting ports     = 1813,1646 
    Authentication ports = 1812,1645 
    
    Network policy configuration: 
    --------------------------------------------------------- 
    Name             = Connections to other access servers 
    State            = Enabled 
    Processing order = 999999 
    Policy source    = 0 
    
    Condition attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00" 
    
    Profile attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    NP-Allow-Dial-in                        0x100f      "FALSE" 
    NP-Authentication-Type                  0x1009      "0x3" "0x4" "0x9" "0xa" 
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE" 
    Framed-Protocol                         0x7         "0x1" 
    Service-Type                            0x6         "0x2" 
    
    Network policy configuration: 
    --------------------------------------------------------- 
    Name             = Connections to Microsoft Routing and Remote Access server 
    State            = Enabled 
    Processing order = 999998 
    Policy source    = 0 
    
    Condition attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Condition0                              0x1033      "^311$" 
    
    Profile attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    NP-Allow-Dial-in                        0x100f      "FALSE" 
    NP-Allowed-EAP-Type                     0x100a      "0D000000000000000000000000000000" 
    NP-Authentication-Type                  0x1009      "0x5" "0x4" "0xa" "0x3" "0x9" 
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE" 
    Framed-Protocol                         0x7         "0x1" 
    Service-Type                            0x6         "0x2" 
    MS-Filter                               0x102f      
    
    	=============================================================== 
    	IPFILTER_IPV4INFILTER	Action: DENY
    	--------------------------------------------------------------- 
    	Address . . . . . : 0.0.0.0
    	Mask. . . . . . . : 0.0.0.0
    	Protocol. . . . . : 0
    	Source Port . . . : 0
    	Destination Port. : 0
    	--------------------------------------------------------------- 
    
    MS-MPPE-Encryption-Policy               0xffffffa7  "0x2" 
    MS-MPPE-Encryption-Types                0xffffffa6  "0xe" 
    
    Network policy configuration: 
    --------------------------------------------------------- 
    Name             = NAP IPsec with HRA Compliant 
    State            = Enabled 
    Processing order = 3 
    Policy source    = 5 
    
    Condition attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Condition0                              0x1fbd      "NAP IPsec with HRA Compliant" 
    
    Profile attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Ignore-User-Dialin-Properties           0x1005      "TRUE" 
    NP-Allow-Dial-in                        0x100f      "TRUE" 
    NP-Authentication-Type                  0x1009      "0x7" 
    MS-Quarantine-State                     0x1faf      "0x0" 
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE" 
    Framed-Protocol                         0x7         "0x1" 
    Service-Type                            0x6         "0x2" 
    Saved-Machine-HealthCheck-Only          0x1fdc      "0x1" 
    
    Network policy configuration: 
    --------------------------------------------------------- 
    Name             = NAP IPsec with HRA Noncompliant 
    State            = Enabled 
    Processing order = 4 
    Policy source    = 5 
    
    Condition attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Condition0                              0x1fbd      "NAP IPsec with HRA Noncompliant" 
    
    Profile attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Ignore-User-Dialin-Properties           0x1005      "TRUE" 
    NP-Allow-Dial-in                        0x100f      "TRUE" 
    NP-Authentication-Type                  0x1009      "0x7" 
    MS-Quarantine-State                     0x1faf      "0x1" 
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE" 
    Framed-Protocol                         0x7         "0x1" 
    Service-Type                            0x6         "0x2" 
    Saved-Machine-HealthCheck-Only          0x1fdc      "0x1" 
    
    Server registration: 
    --------------------------------------------------------- 
    Status = Un-registered 
    
    SHV configuration: 
    --------------------------------------------------------- 
    Id                             = 79744 
    Name                           = Windows Security Health Validator
     
    Vendor                         = Microsoft Corporation
     
    Description                    = The Windows Security Health Validator defines the policy that client computers must be compliant with.
     
    Version                        = 1.0
     
    Policy server unreachable      = Noncompliant 
    Remediation server unreachable = Noncompliant 
    System Health Agent failure    = Noncompliant 
    NAP server failure             = Noncompliant 
    Other errors                   = Noncompliant 
    
    Health policy configuration: 
    --------------------------------------------------------- 
    Name          = NAP IPsec with HRA Compliant 
    Configuration = All must pass 
    Id            = 79744 
    
    Health policy configuration: 
    --------------------------------------------------------- 
    Name          = NAP IPsec with HRA Noncompliant 
    Configuration = One or more must fail 
    Id            = 79744 
    
    SQL log configuration: 
    --------------------------------------------------------- 
    Connection                     =  
    Description                    =  
    Accounting                     = Enabled 
    Authentication                 = Enabled 
    Periodic accounting status     = Enabled 
    Periodic authentication status = Enabled 
    Max sessions                   = 2 
    
    Ok.
    
    There was a bug in the Vista RTM version, but this PC has SP1 and all patches ...
     
    Certifications: VCP, MCITP:SA, MCITP:EA
    WIP: MCITP: Database Admin
  2. Gomjaba

    Gomjaba Bit Poster

    28
    1
    17
    Right .. now I feel really stupid ...

    Never believe what someone gives you :/

    I asked one of our guys to burn me that Vista SP1 DVD .. well guess what ... It doesn't have it included .. Still weird why Windowsupdate didn't offer it :/

    Downloading now ... *pmsl*
     
    Certifications: VCP, MCITP:SA, MCITP:EA
    WIP: MCITP: Database Admin
  3. Gomjaba

    Gomjaba Bit Poster

    28
    1
    17
    Code:
    Id                     = 79619
    Name                   = IPSec Relying Party
    Description            = Provides IPSec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes
    
    So yea ... SP1 .....
     
    Certifications: VCP, MCITP:SA, MCITP:EA
    WIP: MCITP: Database Admin

Share This Page

Loading...