
Computers Do Not Have Full Network Access When They Should When Using Network Access Protection

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

This section provides troubleshooting information to help you identify and resolve the reasons that computers do not have full network access when they should while using Network Access Protection in Configuration Manager 2007.

Network Access Protection relies on Active Directory Domain Services to publish and retrieve health state references.

When installing a new Configuration Manager site, wait until replication for the Configuration Manager site is complete before configuring Configuration Manager Network Access Protection (NAP) policies.

Solution

Wait for Active Directory replication to complete.

Network Access Protection uses Active Directory Domain Services to publish and retrieve health state references. If this is not configured and operational, compliant clients might have limited network access.

Solution

First, ensure that the Active Directory schema has been extended with the Configuration Manager 2007 schema extensions and that the Configuration Manager site is publishing to Active Directory. For more information, see the following:

Second, ensure that the Configuration Manager health state reference settings are configured appropriately for your environment. For more information, see the following:

By default, a client that experiences an error condition during the Network Access Protection process will be deemed non-compliant. However, error conditions can be reconfigured to give clients a compliant status, which can then result in full network access. For more information, see Network Access Protection Failure Categories and Error Codes.

Solution

Locate the error by referencing the Network Access Protection logs, and then correct the error. For more information about the log files, see Log Files for Network Access Protection.

Alternatively, you can reconfigure the failure category on the Network Policy Server so that it maps to a compliant status. For more information, see Configuring Failure Categories for Configuration Manager Network Access Protection.

When the Network Policy Server is checking the health state of multiple System Health Agents and not just Configuration Manager, a Configuration Manager client that is compliant with the configured software updates can be non-compliant for a different System Health Agent, and as such, have limited network access.

Solution

None. Logging on the Network Policy Server will identify which System Health Agent returned a non-compliant health state.

Network Access Protection in Configuration Manager relies on the correct configuration of policies on the Network Policy Server.

Solution

Ensure that the policies are configured correctly on the Network Policy Server. For more information, see the following:

This scenario will result in the client having an unknown health state, which, by default, maps to SHA vendor specific error code received on the Configuration Manager System Health Validator on the Network Policy Server. By default, the option SHA vendor specific error code received is configured for Non-compliant.

Solution

If this is unwanted behavior, reconfigure SHA vendor specific error code received on the Configuration Manager System Health Validator from Non-compliant to Compliant. For more information, see Configuring Failure Categories for Configuration Manager Network Access Protection.

If you enable Network Access Protection, create some Configuration Manager NAP policies, and then disable Network Access Protection, the Configuration Manager NAP policies are not automatically deleted. Therefore, when you re-enable Network Access Protection on the same site, the old Configuration Manager NAP policies are also re-enabled.

For more information, see About Enabling and Disabling Network Access Protection.

Solution

Delete old Configuration Manager NAP policies you do not want. For more information, see How to Delete a Configuration Manager NAP Policy to Stop NAP Evaluation in Network Access Protection.

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.