HPE Community
Switches, Hubs, and Modems
1753260 Members
4692 Online
108792 Solutions
New Discussion юеВ

Re: IDM with NAP, "unknow" status problem

 
Karol Karkowski
Advisor

тАО12-10-2009 05:46 AM

тАО12-10-2009 05:46 AM

IDM with NAP, "unknow" status problem

Hi

I'am making deployment of HP Procurve Manager with IDM and NAP for one of my client.
I am using 802.1x authorization mechanisms and NAP based on Windows Server 2008 wich acts as Radius Server in this case.
I have made standard configuration steps (according to Microsoft NAP - Step by step and Hp documents):
- created realm
- sync AD groups & users form Domain Controler
- installed IDM agent on Win Server 2008 and connected with IDM
- created policy 802.1x with NAP on Windows Serv 2008 with appropriate wizard
- created Access Profiles for Access Profiles Groups in IDM
- deployed access profiles to the realm
- created policy group on Dimain Controler's AD for client station for automatic NAP configuration
- configured switch with IDM Secure Access Wizard

I have problem with NAP status for some hosts in the LAN:
IDM gets Endpoint Security status as UNKNOW although :
- NAP agent service on the station is activated
- NAP enforcement client for EAP is started
- NAP status is ok (complaint)

I have checked a lot of things but I haven't found any reason.

Please help

best regards

0 Kudos
4 REPLIES 4
Holger Hasenaug
Trusted Contributor

тАО12-11-2009 12:00 AM

тАО12-11-2009 12:00 AM

Re: IDM with NAP, "unknow" status problem

An unknown IDM Endpoint Integrity status occur if the following MS RADIUS attributes which are passed by the NPS to the IDM agent have the following values:
- MS-Quarantine-State=0x1=Quarantined
AND
- Not-Quarantine-Capable=0x1=Endpoint does not send SoH

This may be caused by one of the following:

- Client does not support NAP
- NAP Agent is not started on client
- The ├в Enable Quarantine checks├в check-box is not marked under LAN properties/Protected EAP Properties

---

An "any" IDM Endpoint Integrity status occur if the check-box called ├в RADIUS client is NAP capable├в is not marked on the NPS server on the RADIUS clients settings.





0 Kudos
Karol Karkowski
Advisor

тАО12-11-2009 03:58 AM

тАО12-11-2009 03:58 AM

Re: IDM with NAP, "unknow" status problem

Hi Holger

Thanks a lot, really,
I have lost a lot of time finding solutions.
You really helped me.

The problem was with Enable Quarantine checks in LAN Connection settings under EAP. I have overlooked this setting and it wasn't mentioned in the Microsoft and HP documentation.

Do you know is it possible to set this settings in Active Directory to automate turning it on by creating Group Policy or something like this?

Thanks once more

best regards
0 Kudos
Holger Hasenaug
Trusted Contributor

тАО12-11-2009 01:11 PM

тАО12-11-2009 01:11 PM

Re: IDM with NAP, "unknow" status problem

Hi Karol,

For configuring 802.1X including the NAP settings through GPO for the wired LAN interface the Windows Domain must either be a native Windows 2008 domain or you need to do an AD schema extention on your 2003 domain.

Below is a good blog from Microsoft which as pretty valuable information on this topic, especially the last entry.

Have fun.
0 Kudos
Holger Hasenaug
Trusted Contributor

тАО12-11-2009 01:14 PM

тАО12-11-2009 01:14 PM

Re: IDM with NAP, "unknow" status problem

Ups I forgot the URL. Here it is:

http://social.technet.microsoft.com/Forums/en/winserverNAP/thread/8df1735b-1022-4455-b3f2-2c7545ff47e1

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.