IPsec NAP enforcement

Discussion in 'Networks' started by Gomjaba, Oct 8, 2008.

  1. Gomjaba

    Scenario:
    1. Server 2003 R2 SP2: DNS / AD server
    2. Server 2008 Datacenter: joined the domain, hosts NPS, HRA and subordinate CA services
    3. Client running Vista Business: joined the domain

    The problem I have is that the IPSec Relying Party does not initialize.

    Here is the output of netsh nap client show grouppolicy

    Code:
    
    NAP client configuration (group policy): 
    ---------------------------------------------------- 
    
    NAP client configuration: 
    ---------------------------------------------------- 
    
    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048 
    
    Hash algorithm = sha1RSA (1.3.14.3.2.29) 
    
    Enforcement clients: 
    ---------------------------------------------------- 
    Name            = DHCP Quarantine Enforcement Client 
    ID              = 79617 
    Admin           = Disabled 
    
    Name            = Remote Access Quarantine Enforcement Client 
    ID              = 79618 
    Admin           = Disabled 
    
    Name            = IPSec Relying Party 
    ID              = 79619 
    Admin           = Enabled 
    
    Name            = TS Gateway Quarantine Enforcement Client 
    ID              = 79621 
    Admin           = Disabled 
    
    Name            = EAP Quarantine Enforcement Client 
    ID              = 79623 
    Admin           = Disabled 
    
    Client tracing: 
    ---------------------------------------------------- 
    State = Disabled 
    Level = Disabled 
    
    Trusted server group configuration: 
    ---------------------------------------------------- 
    Group            = Trusted HRA Servers 
    Require Https    = Enabled 
    URL              = https://nps1.domain.local/domainhra/hcsrvext.dll 
    Processing order = 1 
    
    Ok.
    
    And here is the output of netsh nap client show state

    Code:
    
    Client state: 
    ---------------------------------------------------- 
    Name                   = Network Access Protection Client 
    Description            = Microsoft Network Access Protection Client 
    Protocol version       = 1.0 
    Status                 = Enabled 
    Restriction state      = Not restricted 
    Troubleshooting URL    =  
    Restriction start time =  
    
    Enforcement client state: 
    ---------------------------------------------------- 
    Id                     = 79617 
    Name                   = DHCP Quarantine Enforcement Client 
    Description            = Provides DHCP based enforcement for NAP 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 
    
    Id                     = 79618 
    Name                   = Remote Access Quarantine Enforcement Client 
    Description            = Provides the quarantine enforcement for RAS Client 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 
    
    Id                     = 79619 
    Name                   = IPSec Relying Party 
    Description            = Provides IPSec based enforcement for Network Access Protection 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 
    
    Id                     = 79621 
    Name                   = TS Gateway Quarantine Enforcement Client 
    Description            = Provides TS Gateway enforcement for NAP 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 
    
    Id                     = 79623 
    Name                   = EAP Quarantine Enforcement Client 
    Description            = Provides EAP based enforcement for NAP 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 
    
    System health agent (SHA) state: 
    ---------------------------------------------------- 
    Id                     = 79744 
    Name                   = Windows Security Health Agent 
    Description            = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy. 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = Yes 
    Failure category       = None 
    Remediation state      = Success 
    Remediation percentage = 0 
    Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating its security state. 
    Compliance results     = (0x00000000) - 
                             (0x00000000) - 
                             (0x00000000) - 
                             (0x00000000) - 
                             (0x00000000) - 
                             (0x00000000) - 
                             (0x00000000) - 
                             (0x00000000) - 
    
    Remediation results    = 
    
    Ok.
    
    So the IPSec Relying Party is enabled, but does not initialize.

    The IPsec service runs on the client, the NAP client runs, and when I disable, for example, antivirus or the firewall, NAP does not allow me to connect to the network anymore ... so this seems to work ...

    Output of netsh nps show config on the Server 2008 box

    Code:
    
    Connection request policy configuration: 
    --------------------------------------------------------- 
    Name             = Use Windows authentication for all users 
    State            = Enabled 
    Processing order = 999999 
    Policy source    = 0 
    
    Condition attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00" 
    
    Profile attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Auth-Provider-Type                      0x1025      "0x1" 
    
    Connection request policy configuration: 
    --------------------------------------------------------- 
    Name             = NAP IPsec with HRA 
    State            = Enabled 
    Processing order = 2 
    Policy source    = 5 
    
    Condition attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00" 
    
    Profile attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Auth-Provider-Type                      0x1025      "0x1" 
    
    Event log configuration: 
    --------------------------------------------------------- 
    Accepted authentication requests = Enabled 
    Rejected authentication requests = Enabled 
    
    File log configuration: 
    --------------------------------------------------------- 
    Accounting                     = Enabled 
    Authentication                 = Enabled 
    Periodic accounting status     = Enabled 
    Periodic authentication status = Enabled 
    Directory                      = C:\Windows\system32\LogFiles 
    Format                         = ODBC formatting 
    Delete old logs                = Enabled 
    Frequency                      = Monthly logs 
    Max size                       = 10 MB 
    
    Ports configuration: 
    --------------------------------------------------------- 
    Accounting ports     = 1813,1646 
    Authentication ports = 1812,1645 
    
    Network policy configuration: 
    --------------------------------------------------------- 
    Name             = Connections to other access servers 
    State            = Enabled 
    Processing order = 999999 
    Policy source    = 0 
    
    Condition attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00" 
    
    Profile attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    NP-Allow-Dial-in                        0x100f      "FALSE" 
    NP-Authentication-Type                  0x1009      "0x3" "0x4" "0x9" "0xa" 
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE" 
    Framed-Protocol                         0x7         "0x1" 
    Service-Type                            0x6         "0x2" 
    
    Network policy configuration: 
    --------------------------------------------------------- 
    Name             = Connections to Microsoft Routing and Remote Access server 
    State            = Enabled 
    Processing order = 999998 
    Policy source    = 0 
    
    Condition attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Condition0                              0x1033      "^311$" 
    
    Profile attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    NP-Allow-Dial-in                        0x100f      "FALSE" 
    NP-Allowed-EAP-Type                     0x100a      "0D000000000000000000000000000000" 
    NP-Authentication-Type                  0x1009      "0x5" "0x4" "0xa" "0x3" "0x9" 
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE" 
    Framed-Protocol                         0x7         "0x1" 
    Service-Type                            0x6         "0x2" 
    MS-Filter                               0x102f      
    
    	=============================================================== 
    	IPFILTER_IPV4INFILTER	Action: DENY
    	--------------------------------------------------------------- 
    	Address . . . . . : 0.0.0.0
    	Mask. . . . . . . : 0.0.0.0
    	Protocol. . . . . : 0
    	Source Port . . . : 0
    	Destination Port. : 0
    	--------------------------------------------------------------- 
    
    MS-MPPE-Encryption-Policy               0xffffffa7  "0x2" 
    MS-MPPE-Encryption-Types                0xffffffa6  "0xe" 
    
    Network policy configuration: 
    --------------------------------------------------------- 
    Name             = NAP IPsec with HRA Compliant 
    State            = Enabled 
    Processing order = 3 
    Policy source    = 5 
    
    Condition attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Condition0                              0x1fbd      "NAP IPsec with HRA Compliant" 
    
    Profile attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Ignore-User-Dialin-Properties           0x1005      "TRUE" 
    NP-Allow-Dial-in                        0x100f      "TRUE" 
    NP-Authentication-Type                  0x1009      "0x7" 
    MS-Quarantine-State                     0x1faf      "0x0" 
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE" 
    Framed-Protocol                         0x7         "0x1" 
    Service-Type                            0x6         "0x2" 
    Saved-Machine-HealthCheck-Only          0x1fdc      "0x1" 
    
    Network policy configuration: 
    --------------------------------------------------------- 
    Name             = NAP IPsec with HRA Noncompliant 
    State            = Enabled 
    Processing order = 4 
    Policy source    = 5 
    
    Condition attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Condition0                              0x1fbd      "NAP IPsec with HRA Noncompliant" 
    
    Profile attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Ignore-User-Dialin-Properties           0x1005      "TRUE" 
    NP-Allow-Dial-in                        0x100f      "TRUE" 
    NP-Authentication-Type                  0x1009      "0x7" 
    MS-Quarantine-State                     0x1faf      "0x1" 
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE" 
    Framed-Protocol                         0x7         "0x1" 
    Service-Type                            0x6         "0x2" 
    Saved-Machine-HealthCheck-Only          0x1fdc      "0x1" 
    
    Server registration: 
    --------------------------------------------------------- 
    Status = Un-registered 
    
    SHV configuration: 
    --------------------------------------------------------- 
    Id                             = 79744 
    Name                           = Windows Security Health Validator 
    Vendor                         = Microsoft Corporation 
    Description                    = The Windows Security Health Validator defines the policy that client computers must be compliant with. 
    Version                        = 1.0 
    Policy server unreachable      = Noncompliant 
    Remediation server unreachable = Noncompliant 
    System Health Agent failure    = Noncompliant 
    NAP server failure             = Noncompliant 
    Other errors                   = Noncompliant 
    
    Health policy configuration: 
    --------------------------------------------------------- 
    Name          = NAP IPsec with HRA Compliant 
    Configuration = All must pass 
    Id            = 79744 
    
    Health policy configuration: 
    --------------------------------------------------------- 
    Name          = NAP IPsec with HRA Noncompliant 
    Configuration = One or more must fail 
    Id            = 79744 
    
    SQL log configuration: 
    --------------------------------------------------------- 
    Connection                     =  
    Description                    =  
    Accounting                     = Enabled 
    Authentication                 = Enabled 
    Periodic accounting status     = Enabled 
    Periodic authentication status = Enabled 
    Max sessions                   = 2 
    
    Ok.
    
    There was a bug in the Vista RTM version, but this PC has SP1 and all patches ...
     
    Certifications: VCP, MCITP:SA, MCITP:EA
    WIP: MCITP: Database Admin
  2. Gomjaba

    Right ... now I feel really stupid ...

    Never believe what someone gives you :/

    I asked one of our guys to burn me that Vista SP1 DVD ... well, guess what ... it doesn't have it included ... Still weird that Windows Update didn't offer it :/

    Downloading now ... *pmsl*
     
  3. Gomjaba

    Code:
    Id                     = 79619
    Name                   = IPSec Relying Party
    Description            = Provides IPSec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes
    
    So yeah ... SP1 ...
     
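The two checks the thread boils down to, as an added example that is not part of the original posts: parse the key/value blocks that `netsh nap client show grouppolicy` and `netsh nap client show state` print, flag any enforcement client that policy enables (Admin = Enabled) but that the NAP agent never initialized (Initialized = No), and read the installed service-pack level from WMI, since the resolution here was a Vista image that was RTM rather than SP1. The function names and the trimmed sample output are my own; the sample is constructed to mirror the shape of the netsh output shown in the first post.

```powershell
# Added example, not from the original thread. Joins the NAP client's policy view
# (Admin = Enabled/Disabled) with its runtime view (Initialized = Yes/No) per
# enforcement-client ID, and reports the OS service-pack level.

function ConvertFrom-NetshKeyValueBlocks {
    # Turns "Key = Value" lines into one hashtable per blank-line-separated block.
    # Keys are lower-cased so "ID" (grouppolicy output) and "Id" (state output) match.
    # Header lines, dashed separators and continuation lines without "=" are skipped.
    param([string[]]$Lines)
    $records = @()
    $current = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.*?)\s*$') {
            $current[$matches[1].Trim().ToLower()] = $matches[2]
        }
        elseif ($line.Trim() -eq '' -and $current.Count -gt 0) {
            $records += ,$current
            $current = @{}
        }
    }
    if ($current.Count -gt 0) { $records += ,$current }
    return $records
}

function Get-NapEnforcementClientStatus {
    # Policy records carry id + admin; state records carry id + initialized.
    # The SHA block in the state output has no matching policy entry and is ignored.
    param(
        [Parameter(Mandatory = $true)][string[]]$PolicyOutput,
        [Parameter(Mandatory = $true)][string[]]$StateOutput
    )
    $policy = @(ConvertFrom-NetshKeyValueBlocks $PolicyOutput) |
        Where-Object { $_.ContainsKey('id') -and $_.ContainsKey('admin') }
    $state = @(ConvertFrom-NetshKeyValueBlocks $StateOutput) |
        Where-Object { $_.ContainsKey('id') -and $_.ContainsKey('initialized') }

    foreach ($p in $policy) {
        $s = @($state | Where-Object { $_['id'] -eq $p['id'] })
        $init = if ($s.Count -gt 0) { $s[0]['initialized'] } else { 'Unknown' }
        New-Object PSObject -Property @{
            Id             = $p['id']
            Name           = $p['name']
            Admin          = $p['admin']
            Initialized    = $init
            # Enabled by policy but not initialized: the IPSec Relying Party case above.
            NeedsAttention = ($p['admin'] -eq 'Enabled' -and $init -ne 'Yes')
        } | Select-Object Id, Name, Admin, Initialized, NeedsAttention
    }
}

function Get-ServicePackLevel {
    # Win32_OperatingSystem reports the installed service pack; check it before
    # chasing NAP configuration when an enforcement client refuses to initialize.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    New-Object PSObject -Property @{
        Caption     = $os.Caption
        Build       = $os.BuildNumber
        ServicePack = $os.ServicePackMajorVersion
    }
}

# Constructed sample input, trimmed to the shape of the two netsh outputs in the post.
$samplePolicy = @"
Enforcement clients: 
---------------------------------------------------- 
Name            = DHCP Quarantine Enforcement Client 
ID              = 79617 
Admin           = Disabled 

Name            = IPSec Relying Party 
ID              = 79619 
Admin           = Enabled 
"@ -split "`r?`n"

$sampleState = @"
Enforcement client state: 
---------------------------------------------------- 
Id                     = 79617 
Name                   = DHCP Quarantine Enforcement Client 
Initialized            = No 

Id                     = 79619 
Name                   = IPSec Relying Party 
Initialized            = No 
"@ -split "`r?`n"

Get-NapEnforcementClientStatus -PolicyOutput $samplePolicy -StateOutput $sampleState |
    Format-Table -AutoSize

# Live check on the NAP client (elevated prompt). Use "show configuration" instead of
# "show grouppolicy" when the client is configured locally rather than by Group Policy.
# Get-NapEnforcementClientStatus -PolicyOutput (netsh nap client show grouppolicy) `
#                                -StateOutput  (netsh nap client show state) | Format-Table -AutoSize
# Get-ServicePackLevel
```

On the sample, only the IPSec Relying Party row comes back with NeedsAttention set, which is the mismatch the first post describes; the DHCP client is disabled by policy, so its uninitialized state is expected. Run the live form on the client itself and compare against Get-ServicePackLevel before touching the NPS or HRA side.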
