Event ID 20230 — RRAS NAP and Network Access Quarantine Control

Applies To: Windows Server 2008

Network Access Protection (NAP) provides a platform to help ensure that client computers on a private network meet administrator-defined requirements for system health. NAP enforcement occurs at the moment client computers attempt to access the network through network access servers, such as a virtual private network (VPN) server running Routing and Remote Access, or when client computers attempt to communicate with other network resources.

Network Access Quarantine Control is similar in function to NAP VPN enforcement, but it provides added protection for remote access connections only. NAP provides added protection for Internet Protocol security (IPsec)-based communications, 802.1X authenticated connections, VPN connections, Dynamic Host Configuration Protocol (DHCP) configuration, and Terminal Services Gateway (TS Gateway) connections.

Event Details

Product: Windows Operating System
ID: 20230
Source: RemoteAccess
Version: 6.0
Symbolic Name: ROUTERLOG_USER_QUARANTINE_SESSION_TIMEOUT
Message: The connection from user %1 on port %2 has been disconnected because the Session Timeout received from the RADIUS server has expired. This connection received only an IPv6 address from the RRAS server and it is invalid to configure the MS-Quarantine-Session-Timeout attribute on the NPS server for IPv6-only connections.

Resolve

Check the NPS configuration

Possible resolution:

  • This connection has received only an IPv6 address from the RRAS server. You cannot configure the MS-Quarantine-Session-Timeout attribute on the server running Network Policy Server (NPS) for IPv6-only connections.

To check the NPS configuration:

  1. Open NPS. Click Start, click Run, type nps.msc, and then press ENTER.
  2. In the console tree, under Policies, click Connection Request Policies.
  3. In the details pane, under Policy Name, double-click the NAP VPN policy for remote access server (VPN - Dial up).
  4. Click the Settings tab.
  5. Under RADIUS Attributes, click Vendor Specific. Under Attributes, check whether a Microsoft vendor RADIUS attribute, MS-Quarantine-Session-Timeout, appears. If yes, select the MS-Quarantine-Session-Timeout attribute, and then click Remove. If the policy is being created for the first time, do not add the MS-Quarantine-Session-Timeout attribute.
  6. Click OK.

 

Verify

To verify that NAP remote access enforcement clients are installed and initialized:

  1. On the NAP client computer, click Start, point to All Programs, click Accessories, and then click Command Prompt.
  2. In the command window, type netsh nap client show configuration, and then press ENTER.
  3. If the client computer's NAP configuration is determined by Group Policy, type netsh nap client show grouppolicy, and then press ENTER.
  4. In the command output, under Enforcement clients, verify that the enforcement clients listed for your deployment are correct, and that the enforcement clients in use on your network have an Admin value of Enabled.
  5. In the command window, type netsh nap client show state, and then press ENTER.
  6. In the command output, under Enforcement client state, verify that all enforcement clients listed for your deployment are correct, and that the enforcement clients that are enabled on the client computer have an Initialized value of Yes.
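
The check in steps 5 and 6 can be scripted. The following PowerShell is an added example, not part of the original article: it parses the Enforcement client state section of the netsh nap client show state output and flags clients whose Initialized value is not Yes. The function name, the assumed "Field = value" line layout, and the sample text are assumptions constructed for illustration.

```powershell
# Added example (not from the original article).
# Assumption: netsh prints each field as "Field = value" and each
# enforcement client record begins with an "Id" field.
function Get-NapEnforcementClientState {
    param([string[]]$Lines)
    $inSection = $false; $current = $null; $result = @()
    foreach ($line in $Lines) {
        if ($line -match '^\s*Enforcement client state') { $inSection = $true; continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(.+?)\s*=\s*(.*?)\s*$') {
            $key = $Matches[1]; $value = $Matches[2]
            if ($key -eq 'Id') {
                # A new Id starts the next client record.
                if ($current) { $result += New-Object PSObject -Property $current }
                $current = @{ Id = $value; Name = ''; Initialized = '' }
            } elseif ($current -and $current.ContainsKey($key)) {
                $current[$key] = $value
            }
        } elseif ($line -match '^\S.*:\s*$') {
            break   # the next section heading ends the enforcement client list
        }
    }
    if ($current) { $result += New-Object PSObject -Property $current }
    return $result
}

# Constructed sample output (not captured from a real client).
$sample = @'
Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Initialized            = No

Id                     = 79618
Name                   = Remote Access Quarantine Enforcement Client
Initialized            = Yes

System health agent (SHA) state:
----------------------------------------------------
Id                     = 79744
Name                   = Windows Security Health Agent
Initialized            = Yes
'@ -split "`r?`n"

# On a NAP client, pass the real output instead: (netsh nap client show state)
$clients = Get-NapEnforcementClientState -Lines $sample
$clients | Format-Table Id, Name, Initialized -AutoSize
# Clients enabled for your deployment are expected to report Initialized = Yes.
$clients | Where-Object { $_.Initialized -ne 'Yes' } |
    ForEach-Object { Write-Warning "Not initialized: $($_.Name)" }
```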
