Event ID 6277 — NAP Client Health Status
Applies To: Windows Server 2008 R2
.jpg)
When Network Policy Server (NPS) is configured as a Network Access Protection (NAP) policy server, health policy and client computer configuration determine whether NAP-capable client computers are allowed full network access, full network access for a limited time, or limited access to a restricted network only. This determination is made based on the health policy created in NPS. NAP client computers that comply with health policies are allowed full network access.
Event Details
| Product: | Windows Operating System |
| ID: | 6277 |
| Source: | Microsoft-Windows-Security-Auditing |
| Version: | 6.1 |
| Symbolic Name: | SE_AUDITID_ETW_NPS_RESPONSE_ON_PROBATION |
| Message: | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. Contact the Network Policy Server administrator for more information. User: %tSecurity ID:%t%t%t%1 %tAccount Name:%t%t%t%2 %tAccount Domain:%t%t%t%3 %tFully Qualified Account Name:%t%4 Client Machine: %tSecurity ID:%t%t%t%5 %tAccount Name:%t%t%t%6 %tFully Qualified Account Name:%t%7 %tOS-Version:%t%t%t%8 %tCalled Station Identifier:%t%t%9 %tCalling Station Identifier:%t%t%10 NAS: %tNAS IPv4 Address:%t%t%11 %tNAS IPv6 Address:%t%t%12 %tNAS Identifier:%t%t%t%13 %tNAS Port-Type:%t%t%t%14 %tNAS Port:%t%t%t%15 RADIUS Client: %tClient Friendly Name:%t%t%16 %tClient IP Address:%t%t%t%17 Authentication Details: %tProxy Policy Name:%t%t%18 %tNetwork Policy Name:%t%t%19 %tAuthentication Provider:%t%t%20 %tAuthentication Server:%t%t%21 %tAuthentication Type:%t%t%22 %tEAP Type:%t%t%t%23 %tAccount Session Identifier:%t%t%24 Quarantine Information: %tResult:%t%t%t%t%25 %tExtended-Result:%t%t%t%26 %tSession Identifier:%t%t%t%27 %tHelp URL:%t%t%t%28 %tSystem Health Validator Result(s):%t%29 %tQuarantine Grace Time:%t%t%30 |
Resolve
Change the configuration of the NAP client
If your health policies or client configurations do not produce the results that you intended, you must change either the NAP client configuration or the health policies.
To perform this procedure, you must be a member of Domain Admins.
To change the configuration of the NAP client:
- Review the health policy you have created for the NAP client.
- Configure the client according to the restrictions of the health policy.
To configure a health policy:
- Click Start, Administrative Tools, Network Policy Server. The NPS Microsoft Management Console (MMC) opens.
- Double-click Policies, and then click Health Policies.
- In the details pane, double-click the policy that you want to configure.
For more information, see the Network Access Protection Deployment Guide at https://go.microsoft.com/fwlink/?LinkId=101262.
Verify
To verify the health status of the NAP client:
Log on to the access client to determine whether its configuration meets the requirements of the health policy you created in NPS.
- If the health policy allows the client full network access, verify that the client can connect to network resources for which it has permission to connect.
- If the health policy allows the client full network access for a limited time and the end of that time period has not been reached, confirm that the client can connect to network resources for which it has permission to connect. If the end of that time period has been reached, confirm that the client no longer has full network access.
- If the health policy allows the client access to a restricted network only, confirm that the client cannot access network resources on the primary network, but is able to access resources on the restricted network to which it is assigned.