Use this procedure to verify that NAP-capable client computers are configured for the Network Access Protection (NAP) Internet Protocol security (IPsec) enforcement method. A NAP-capable computer is one that has the NAP components installed and can verify its health state by sending statements of health (SoHs) to Network Policy Server (NPS) for evaluation. For more information about NAP, see http://go.microsoft.com/fwlink/?LinkId=94393.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Verify NAP client components

NAP components include the NAP Agent service, one or more NAP enforcement clients, and at least one system health agent (SHA). Other services can also be required if they support an installed SHA. All of these components work together to continuously monitor the health status of a NAP client computer and provide this status to NAP servers for evaluation.

NAP Agent

The NAP Agent service collects and manages health information on the client computer. NAP Agent also processes SoHs from all installed SHAs and reports client health to enforcement clients. NAP Agent must be operational to enable client computers to request or receive health certificates.

To verify the NAP Agent service is started
  1. Click Start, click Control Panel, click System and Maintenance, click Administrative Tools, and then double-click Services.

  2. In the list of services, under Name, double-click Network Access Protection Agent.

  3. Verify that the Service status is Started, and Startup type is set to Automatic.

  4. If the service is not started, choose Automatic next to Startup type, and then click Start.

  5. Click OK to close the Network Access Protection Properties dialog box.

  6. Close the Services console.

Note

Restarting the NAP Agent service will automatically reinitialize SHAs and the computer will attempt to acquire a new health certificate. This can be useful when troubleshooting NAP.

NAP IPsec enforcement client

The NAP IPsec enforcement client must be installed and enabled on client computers. The NAP enforcement client requests access to a network, and communicates a client computer's health status to other components of the NAP client architecture. The NAP IPsec enforcement client restricts access to IPsec-protected networks by interacting with the certificate store on a client computer.

To verify the NAP IPsec enforcement client is initialized
  1. Click Start, point to All Programs, click Accessories, and then click Command Prompt.

  2. At the command prompt, type netsh nap client show state, and press ENTER. This command displays the NAP status of the client computer.

  3. In the command output, under Enforcement client state, verify that the IPsec Relying Party status is Initialized = Yes.
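The two checks above (NAP Agent service state and IPsec Relying Party initialization) can be scripted from an elevated PowerShell prompt. The following is an added example, not part of the original documentation. It assumes the NAP Agent service name is napagent and that the output of netsh nap client show state is made up of "Key = Value" lines, with each enforcement client block carrying a "Name = ..." line followed by an "Initialized = Yes|No" line.

```powershell
# Added example (not from the original documentation).
# Assumptions: service name 'napagent'; 'netsh nap client show state' prints
# "Key = Value" lines, and each enforcement client block has "Name = ..."
# followed by "Initialized = Yes|No". Run from an elevated PowerShell prompt.

function Test-NapAgentService {
    # Returns $true when the service is running with Automatic startup.
    # With -Repair it performs step 4 of the procedure: set Automatic, then start.
    param([switch]$Repair)

    $svc = Get-Service -Name 'napagent' -ErrorAction Stop
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='napagent'"
    $ok  = ($svc.Status -eq 'Running') -and ($wmi.StartMode -eq 'Auto')
    if ($ok -or (-not $Repair)) { return $ok }

    Set-Service  -Name 'napagent' -StartupType Automatic
    Start-Service -Name 'napagent'
    return ((Get-Service -Name 'napagent').Status -eq 'Running')
}

function Test-IpsecEnforcementClient {
    # Walks the netsh output and returns $true only if the block named
    # 'IPsec Relying Party' reports Initialized = Yes.
    $current = $null
    foreach ($line in (netsh nap client show state)) {
        if ($line -match '^\s*Name\s*=\s*(.+?)\s*$') { $current = $Matches[1]; continue }
        if ($current -eq 'IPsec Relying Party' -and $line -match '^\s*Initialized\s*=\s*(\w+)') {
            return ($Matches[1] -eq 'Yes')
        }
    }
    return $false   # no such block: the IPsec enforcement client is not installed or enabled
}

# Usage
$agentOk = Test-NapAgentService
$ipsecOk = Test-IpsecEnforcementClient
"NAP Agent running with Automatic startup : $agentOk"
"IPsec Relying Party initialized          : $ipsecOk"
if (-not ($agentOk -and $ipsecOk)) {
    Write-Warning 'This computer cannot request or receive health certificates until both checks pass.'
}
```

Test-NapAgentService -Repair applies the fix from step 4 without opening the Services console. Restart-Service napagent reproduces the behavior described in the note above: SHAs are reinitialized and the client attempts to acquire a new health certificate, which is a quick way to retest after a configuration change.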

Verify IPsec client configuration

NAP clients must be configured with settings that allow them to communicate with NAP server components. You can configure these settings by using Group Policy, the NAP Client Configuration console, or the command line. For the IPsec enforcement method, NAP client settings include Request Policy and Trusted Server Groups.

Request policy

You do not need to modify the default request policy settings on NAP client computers, and we recommend that you keep them. If these settings are changed, it is important to verify that matching settings are enabled on your NAP servers. By default, a NAP-capable client computer initiates a negotiation process with a NAP server by using a mutually acceptable default security mechanism for encrypting communication.

To view request policy settings
  1. Click Start, point to All Programs, click Accessories, and then click Command Prompt.

  2. If Group Policy is used to deploy NAP client settings, at the command prompt, type netsh nap client show group, and then press ENTER. If local policy is used to deploy NAP client settings, at the command prompt, type netsh nap client show config, and then press ENTER. These commands display the Group Policy and local policy NAP configuration settings on client computers.

  3. In the command output, verify that the Cryptographic service provider (CSP) and Hash algorithm settings correspond to the settings configured on HRA. The default cryptographic service provider is Microsoft RSA SChannel Cryptographic Provider, keylength = 2048. The default hash algorithm is sha1RSA (1.3.14.3.2.29).

Trusted server groups

Trusted server groups are configured within client health registration settings so that NAP client computers can contact Web sites that are used by HRA to process health certificate requests. If trusted server groups are not configured or are configured incorrectly, NAP client computers will fail to acquire health certificates.

To verify the configuration of trusted server groups
  1. Click Start, point to All Programs, click Accessories, and then click Command Prompt.

  2. If Group Policy is used to deploy NAP client settings, at the command prompt, type netsh nap client show group, and then press ENTER. If local policy is used to deploy NAP client settings, at the command prompt, type netsh nap client show config, and then press ENTER. These commands display the Group Policy and local policy NAP configuration settings on client computers.

  3. In the command output, under Trusted server group configuration, verify that the configuration is correct for entries next to Processing order, Group, Require Https, and URL.
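Both procedures above (request policy in step 3 of "To view request policy settings", and trusted server groups in step 3 of this procedure) read the same netsh nap client show config or show group output, so the following added example, which is not part of the original documentation, parses that output once and checks both. It assumes the netsh output is printed as a "Section name:" line followed by "Key = Value" lines, that the CSP, hash algorithm and trusted server group settings sit under sections whose names contain "Cryptographic", "Hash" and "Trusted server group", that the key-length entry is named "Key length", and that Require Https prints Enabled or Disabled. The expected defaults (CSP name, 2048-bit key, sha1RSA) are the ones stated in the procedure.

```powershell
# Added example (not from the original documentation).
# Assumptions: netsh prints "Section name:" headers followed by "Key = Value"
# lines; section names contain "Cryptographic", "Hash" and "Trusted server
# group"; the key-length entry is "Key length"; Require Https is Enabled/Disabled.

function Get-NapClientSettings {
    # Parses the netsh output into objects with Section, Key and Value.
    param([switch]$GroupPolicy)   # use when Group Policy deploys the NAP client settings

    $output  = if ($GroupPolicy) { netsh nap client show group } else { netsh nap client show config }
    $section = ''
    foreach ($line in $output) {
        if ($line -match '^(\S[^=]*):\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            New-Object PSObject -Property @{ Section = $section; Key = $Matches[1]; Value = $Matches[2] }
        }
    }
}

function Test-NapClientConfig {
    # Returns a list of findings; an empty list means the request policy matches
    # the documented defaults and every HRA URL is contacted only over HTTPS.
    param([switch]$GroupPolicy)

    $s = Get-NapClientSettings -GroupPolicy:$GroupPolicy
    $findings = @()

    # Request policy: CSP, key length and hash algorithm must correspond to HRA.
    $csp = $s | Where-Object { $_.Section -like '*Cryptographic*' -and $_.Key -eq 'Name' } | Select-Object -First 1
    if (-not $csp -or $csp.Value -ne 'Microsoft RSA SChannel Cryptographic Provider') {
        $findings += "CSP is not the default provider (found: '$($csp.Value)'); confirm HRA uses the same CSP"
    }
    $keyLen = $s | Where-Object { $_.Section -like '*Cryptographic*' -and $_.Key -like 'Key*length' } | Select-Object -First 1
    if (-not $keyLen -or (($keyLen.Value -as [int]) -lt 2048)) {
        $findings += "Key length is below the 2048-bit default (found: '$($keyLen.Value)')"
    }
    $hash = $s | Where-Object { $_.Section -like '*Hash*' -and $_.Key -eq 'Name' } | Select-Object -First 1
    if (-not $hash -or $hash.Value -notlike 'sha1RSA*') {
        $findings += "Hash algorithm differs from the sha1RSA default (found: '$($hash.Value)')"
    }

    # Trusted server groups: at least one URL, all HTTPS, Require Https enabled.
    $tsg  = $s | Where-Object { $_.Section -like '*Trusted server group*' }
    $urls = @($tsg | Where-Object { $_.Key -eq 'URL' })
    if ($urls.Count -eq 0) {
        $findings += 'No trusted server group URL configured; the client cannot acquire a health certificate'
    }
    foreach ($u in $urls) {
        if ($u.Value -notmatch '^https://') { $findings += "HRA URL does not use HTTPS: $($u.Value)" }
    }
    foreach ($r in ($tsg | Where-Object { $_.Key -eq 'Require Https' -and $_.Value -ne 'Enabled' })) {
        $findings += "'Require Https' is '$($r.Value)'; health certificate requests could be sent over plain HTTP"
    }
    return $findings
}

# Usage: add -GroupPolicy when Group Policy deploys the NAP client settings.
$findings = @(Test-NapClientConfig)
if ($findings.Count -eq 0) { 'NAP client request policy and trusted server groups match the expected settings.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Because NAP clients try the first URL in each trusted server group unless that server is marked unavailable, a single mistyped or non-HTTPS URL is enough to stop certificate acquisition, which is why the check reports every URL rather than stopping at the first one.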

Note

A NAP client computer will attempt to obtain a health certificate from the first URL in all configured trusted server groups unless that server has been marked as unavailable. For more information, see Verify IIS Configuration and Understanding HRA Authentication Requirements.

Review NAP client events

Reviewing information contained in NAP client events can assist you with troubleshooting. It can also help you to understand NAP client functionality.

To review NAP client events in Event Viewer
  1. Click Start, point to All Programs, click Accessories, and then click Run.

  2. Type eventvwr.msc, and press ENTER.

  3. In the left tree, navigate to Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational.

  4. Click an event in the middle pane.

  5. By default, the General tab is displayed. Click the Details tab to view additional information.

  6. You can also right-click an event and then click Event Properties to open a new window for reviewing events.
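The same events can be pulled with Get-WinEvent, which is convenient when checking several client computers or looking for recurring errors. The following is an added example, not part of the original documentation; it assumes that the Event Viewer path in step 3 corresponds to the channel name Microsoft-Windows-NetworkAccessProtection/Operational (confirm with Get-WinEvent -ListLog '*NetworkAccessProtection*' if the name differs on your build).

```powershell
# Added example (not from the original documentation).
# Assumption: the Event Viewer path above maps to this channel name.
$log = 'Microsoft-Windows-NetworkAccessProtection/Operational'

function Get-NapClientEvents {
    # Most recent NAP client events from the last $Hours hours, newest first.
    # -ErrorAction SilentlyContinue turns an empty log into no output instead
    # of the "No events were found" error Get-WinEvent otherwise raises.
    param([int]$Last = 50, [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Get-NapEventSummary {
    # Counts events by ID and level so repeated warnings or errors stand out.
    param([int]$Hours = 24)
    Get-NapClientEvents -Last 1000 -Hours $Hours |
        Group-Object Id, LevelDisplayName |
        ForEach-Object {
            New-Object PSObject -Property @{
                Id     = $_.Group[0].Id
                Level  = $_.Group[0].LevelDisplayName
                Count  = $_.Count
                Latest = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            }
        } | Sort-Object Count -Descending
}

function Get-NapEventXml {
    # Equivalent of the Details tab in step 5: the full XML of the newest events.
    param([int]$Count = 1)
    Get-WinEvent -LogName $log -MaxEvents $Count -ErrorAction SilentlyContinue | ForEach-Object { $_.ToXml() }
}

# Usage
Get-NapEventSummary | Format-Table Id, Level, Count, Latest -AutoSize
Get-NapClientEvents -Last 10 | Format-List
Get-NapEventXml
```

Running the summary before and after Restart-Service napagent shows whether the client's attempt to acquire a new health certificate succeeded, and the XML view exposes the fields that the General tab summarizes.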

Additional references