Share via


Event ID 20214 — RRAS NAP and Network Access Quarantine Control

Applies To: Windows Server 2008

Network Access Protection (NAP) provides a platform to help ensure that client computers on a private network meet administrator-defined requirements for system health. NAP enforcement occurs at the moment client computers attempt to access the network through network access servers, such as a virtual private network (VPN) server running Routing and Remote Access, or when client computers attempt to communicate with other network resources.

Network Access Quarantine Control is similar in function to NAP VPN enforcement, but it provides added protection for remote access connections only. NAP provides added protection for Internet Protocol security (IPsec)-based communications, 802.1X authenticated connections, VPN connections, Dynamic Host Configuration Protocol (DHCP) configuration, and Terminal Services Gateway (TS Gateway) connections.

.

Event Details

Product: Windows Operating System
ID: 20214
Source: RemoteAccess
Version: 6.0
Symbolic Name: ROUTERLOG_RASQEC_INVALID_PARAM
Message: The Network Access Protection (NAP) enforcement client received an invalid request for the remote access connection. Some network services or resources may not be available. If the problem persists, disconnect and retry the remote access connection or contact the administrator for the remote access server.

Diagnose

This error might be caused by one of the following conditions:

  • NAP scenarios are not working. See section titled "Restart or enable the NAP Agent service, enable remote access quarantine enforcement client, or retry remote access connection."
  • Correlation ID mismatch occurred. This might be due to the response to an earlier request.
  • The connection has been disconnected because the Session Timeout received from the RADIUS server has expired. See the section titled "Check the NPS configuration."

Resolve

To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly

Cause

Resolution

Unavailable network services or resources

Restart or enable NAP Agent service or enable remote access quarantine client

Unavailable network services or resources

Restart or enable the NAP Agent service, enable remote access quarantine enforcement client, or retry remote access connection

Restart or enable NAP Agent service or enable remote access quarantine client

Possible resolutions:

  • Restart the NAP Agent service
  • Register the NAP enforcement client with the NAP Agent service.

To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

Follow the procedures in the order in which they appear until the problem is resolved.

Restart the NAP Agent service

To restart the NAP Agent service:

  1. Click Start, click Control Panel, click System and Maintenance, and then click Administrative Tools.
  2. Double-click Services.
  3. In the services list, right-click Network Access Protection Agent, and then click Restart.

Enable the remote access quarantine enforcement client

To enable the remote access quarantine enforcement client:

  1. Click Start, click All Programs, click Accessories, and then click Run.
  2. Type napclcfg.msc, and then press ENTER.
  3. In the console tree, click Enforcement Clients.
  4. In the details pane, right-click Remote Access Quarantine Enforcement Client, and then click Enable.
  5. Close the NAP Client Configuration window.

Enable and start the NAP Agent service

To enable and start the NAP Agent service:

  1. Click Start, click Control Panel, click System and Maintenance, and then click Administrative Tools.
  2. Double-click Services.
  3. In the services list, double-click Network Access Protection Agent.
  4. In the Network Access Protection Agent Properties dialog box, change the Startup type to Automatic, and then click Start.
  5. Wait for the NAP Agent service to start, and then click OK.
  6. Close the Services console.

Restart or enable the NAP Agent service, enable remote access quarantine enforcement client, or retry remote access connection

Possible resolutions:

  • Restart the NAP Agent service.
  • Register the NAP enforcement client with the NAP Agent service.
  • Disconnect and retry the remote access connection.

To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

Follow the procedures in the order in which they appear until the problem is resolved.

Restart the NAP Agent service

To restart the NAP Agent service:

  1. Click Start, click Control Panel, click System and Maintenance, and then click Administrative Tools.
  2. Double-click Services.
  3. In the services list, right-click Network Access Protection Agent, and then click Restart.

Enable the remote access quarantine enforcement client

To enable the remote access quarantine enforcement client:

  1. Click Start, click All Programs, click Accessories, and then click Run.
  2. Type napclcfg.msc, and then press ENTER.
  3. In the console tree, click Enforcement Clients.
  4. In the details pane, right-click Remote Access Quarantine Enforcement Client, and then click Enable.
  5. Close the NAP Client Configuration window.

Enable and start the NAP Agent service

To enable and start the NAP Agent service:

  1. Click Start, click Control Panel, click System and Maintenance, and then click Administrative Tools.
  2. Double-click Services.
  3. In the services list, double-click Network Access Protection Agent.
  4. In the Network Access Protection Agent Properties dialog box, change the Startup type to Automatic, and then click Start.
  5. Wait for the NAP Agent service to start, and then click OK.
  6. Close the Services console.

Verify

To verify that NAP remote access enforcement clients are installed and initialized:

  1. On the NAP client computer, click Start, point to All Programs, click Accessories, and then click Command Prompt.
  2. In the command window, type netsh nap client show configuration, and then press ENTER.
  3. If the client computer's NAP configuration is determined by Group Policy, type netsh nap client show grouppolicy, and then press ENTER.
  4. In the command output, under Enforcement clients, verify that the enforcement clients listed for your deployment are correct, and that the enforcement clients in use on your network have an Admin value of Enabled.
  5. In the command window, type netsh nap client show state, and then press ENTER.
  6. In the command output, under Enforcement client state, verify that all enforcement clients listed for your deployment are correct, and that the enforcement clients that are enabled on the client computer have an Initialized value of Yes.

RRAS NAP and Network Access Quarantine Control

Routing and Remote Access Service Infrastructure