NAP-Capable Computers Are Evaluated as Non-NAP-Capable

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In a Network Access Protection (NAP) deployment, this problem typically occurs for one of the following reasons:

  • The NAP Agent service is not started.

  • A NAP enforcement client is not enabled.

  • Quarantine checks are not enabled on the client or server.

Less common causes include:

  • You are using PEAP authentication with NAP and the Override network policy authentication settings checkbox is not enabled on the Settings tab in connection request policy.

  • You are using an NPS proxy server as a RADIUS client and the RADIUS client is NAP-capable checkbox is not enabled on the Advanced tab in RADIUS client properties.

  • You are using NAP with the Terminal Services Gateway (TS Gateway) enforcement method and the client does not trust the certificate provided by the TS Gateway. For more information, see NAP client computers are evaluated as non-NAP-capable.

Description of system behavior

The network access of NAP client computers that are evaluated as non-NAP-capable will be consistent with the access assigned in the network policy for non-NAP-capable computers. If no such policy is configured, then no policy will be matched and access requests will be denied.

Associated operating system events

  • NPS event ID 6276: Network Policy Server quarantined a user.

Root cause diagnosis and resolution

If you are using NAP with 802.1X enforcement, Extensible Authentication Protocol (EAP) authentication might occur before the NAP Agent service is started. In this case, the client computer will not have full network access until reauthentication occurs. One solution to this issue is to set a dependency on the Wired Autoconfig service so that it does not start until after the NAP Agent service.

802.1X authentication occurs before the NAP Agent service starts

If different connection properties, such as VLANs, are associated with non-NAP-capable systems and NAP-capable systems, then a NAP client computer might switch VLANs unexpectedly during the logon process if it is authenticated before the NAP Agent service has started.

Resolution

One solution to this issue is to configure the Wired Autoconfig service to start after the NAP Agent service. You can use the Registry Editor or the command line.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To repair this issue using the Registry Editor

  1. On the NAP client computer, click Start, click Run, type regedit, and press ENTER.

  2. In Registry Editor, open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dot3svc.

  3. Double-click DependOnService. This is a Multi-String value, so under Value data add napagent on a new line below any entries that are already listed (do not replace the existing entries, or Wired AutoConfig will lose the dependencies it already has), and then click OK.

  4. Close the Registry Editor and restart the computer.

To repair this issue using the command line

  • Open a command prompt as an administrator. Because sc config replaces the entire dependency list rather than appending to it, first type sc qc dot3svc and note the services listed under DEPENDENCIES. Then type sc config dot3svc depend= followed by the existing dependencies and napagent, separated by forward slashes (for example, if sc qc reports only Eaphost, type sc config dot3svc depend= Eaphost/napagent). Restart the computer for the new dependency to take effect.
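The following PowerShell script is an added example and is not part of the original article. It performs the same repair as the two procedures above, but appends napagent to the existing DependOnService list instead of overwriting it, then verifies the result with sc qc, checks that the NAP Agent service is running and set to start automatically, and prints the state of the enforcement clients with netsh nap client show state (the first two of the common causes listed at the top of this article). It assumes an elevated PowerShell prompt on the NAP client computer; the use of Win32_Service rather than Get-Service for the start mode is so that the script also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example, not from the original article: make Wired AutoConfig (dot3svc)
# depend on NAP Agent (napagent) without dropping dot3svc's existing dependencies.
# Run from an elevated PowerShell prompt on the NAP client computer.

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\dot3svc'

# DependOnService is REG_MULTI_SZ. Read it as an array and drop empty entries;
# the value may be missing entirely, in which case this yields an empty array.
$current = @((Get-ItemProperty -Path $svcKey -ErrorAction Stop).DependOnService |
             Where-Object { $_ })
Write-Host "Current dot3svc dependencies: $($current -join ', ')"

if ($current -contains 'napagent') {
    Write-Host 'napagent is already a dependency of dot3svc; nothing to change.'
} else {
    # Append rather than overwrite. Typing over the Value data in regedit, or
    # running 'sc config dot3svc depend= napagent', replaces the whole list.
    $new = $current + 'napagent'
    Set-ItemProperty -Path $svcKey -Name DependOnService -Value $new -Type MultiString
    Write-Host "Updated dot3svc dependencies: $($new -join ', ')"
    Write-Host 'Restart the computer for the new dependency to take effect.'
}

# Verify the dependency list as the service control manager sees it.
sc.exe qc dot3svc

# Check the more common causes first: NAP Agent must be running and should
# start automatically, and at least one enforcement client must be enabled.
Get-WmiObject -Class Win32_Service -Filter "Name='napagent'" |
    Select-Object Name, State, StartMode

if ((Get-WmiObject -Class Win32_Service -Filter "Name='napagent'").State -ne 'Running') {
    Write-Warning 'NAP Agent is not running; the client will be evaluated as non-NAP-capable.'
}

# Shows each enforcement client (EAP, DHCP, IPsec, RD Gateway) and whether it is enabled.
netsh nap client show state
```

If the enforcement client you rely on (for example the EAP Quarantine Enforcement Client for 802.1X) shows as disabled in the netsh output, enable it with netsh nap client set enforcement, or through NAP Client Configuration or Group Policy, before re-testing; the dependency change alone does not fix that cause.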