Event ID 10 — NAP Agent Communication with the Enforcement Client
Applies To: Windows Server 2008
The Network Access Protection (NAP) Agent service must be able to communicate with an installed enforcement client in order to provide the enforcement client with health status and receive information about the level of network access granted to the client computer.
Event Details
Product: | Windows Operating System |
ID: | 10 |
Source: | Microsoft-Windows-NetworkAccessProtection |
Version: | 6.0 |
Symbolic Name: | NAP_EVENT_QEC_UNINITIALIZED |
Message: | The enforcement client %1 successfully uninitialized. |
Resolve
Enable and initialize the enforcement client
This error condition indicates there is a problem with communication between the NAP Agent service and an installed enforcement client, possibly due to an error with the initialization or registration of the enforcement client. To resolve this problem:
- Ensure that enforcement clients are enabled.
- Ensure that enforcement clients are initialized.
- Save files for vendor evaluation.
Important: Enabling enforcement clients requires that you configure NAP settings using either local computer policy or Group Policy. If both local NAP client settings and Group Policy NAP client settings are configured, then Group Policy settings will override the local settings.
To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
Enable enforcement clients
To ensure that enforcement clients are enabled:
If NAP client settings are configured using local policy, use the following procedure to ensure enforcement clients are enabled.
On the NAP client computer, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
In the command window, type netsh nap client show configuration, and then press ENTER.
In the command output, under Enforcement clients, review the value of Admin for each of the enforcement clients.
If the Admin value of one or more required enforcement clients is Disabled, type netsh nap client set enforcement ID = <id> ADMIN = "ENABLE", where <id> is the enforcement ID of the enforcement client you want to enable, and then press ENTER.
In the following example, the ID of the enforcement client is 79619.
netsh nap client set enforcement ID = 79619 ADMIN = "ENABLE"
Confirm that the output of the command reads "OK."
Repeat steps 2-5 until you have enabled all required enforcement clients.
If you cannot enable one or more enforcement clients, see the procedure titled "To save files for vendor evaluation."
If the Admin value of all required enforcement clients is Enabled, see the section titled "To ensure that enforcement clients are initialized."
If NAP client settings are configured using Group Policy, use the following procedure to ensure enforcement clients are enabled.
On the NAP client computer, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
In the command window, type netsh nap client show grouppolicy, and then press ENTER.
In the command output, under Enforcement clients, review the value of Admin for each of the enforcement clients.
If the value of one or more required enforcement clients is Disabled, use the following procedure to enable enforcement clients in Group Policy.
To enable enforcement clients in Group Policy:
- On a computer with the Group Policy Management feature installed, click Start, click Run, type gpmc.msc, and press ENTER.
- In the console tree, right-click Default Domain Policy, or the Group Policy object you want to configure, and then click Edit.
- In the console tree, navigate to Computer Configuration\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients.
- In the details pane, right-click each enforcement client you want to enable, and then click Enable.
- Close the console.
- When you are prompted to apply the new settings, click Yes.
- On the NAP client computer, in the command window, type gpupdate /force, and then press ENTER.
- Confirm that the command output shows that user policy and computer policy have been updated successfully.
- In the command window, type netsh nap client show grouppolicy, and confirm that for each required enforcement client the value of Admin is Enabled.
- If the value of all required enforcement clients is Enabled, see the section titled "To ensure that enforcement clients are initialized."
Initialize enforcment clients
To ensure that enforcement clients are initialized:
On the NAP client computer, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
In the command window, type netsh nap client show state, and then press ENTER.
In the command output, under Enforcement client state, review the value of Initialized for each of the required enforcement clients.
If the value of one or more required enforcement clients is No, attempt to reinitialize the enforcement client by restarting the NAP Agent service.
To restart the NAP Agent service:
- In the command window, type net stop napagent && net start napagent, and then press ENTER.
- Confirm that the output shows that the NAP Agent service started and stopped successfully.
- In the command window, type netsh nap client show state, and then press ENTER.
- In the command output, under Enforcement client state, review the value of Initialized for each of the required enforcement clients.
- If the status of one or more enforcement clients is still No after you have restarted the NAP Agent service and ensured that the enforcement client is enabled, see the section titled "To save files for vendor evaluation."
- If the status of all required enforcement clients is Yes, see the section titled "To save files for vendor evaluation."
Save information to a file
To save files for vendor evaluation:
On the NAP client computer, click Start, and then click Control Panel.
Click System and Maintenance, and under Administrative Tools, click View event logs.
In the Event Viewer console tree, navigate to Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational.
Right-click Operational, and then click Filter Current Log.
On the Filter tab, next to Event sources, select Network Access Protection.
Under Includes/Excludes Event IDs, click the text box containing <All Event IDs>, type 6-10,12,28,29, and then click OK. These events are associated with the initialization and registration of installed enforcement clients.
In the Actions pane, click Save Filtered Log File As.
Next to File name, type a name for the log file, select a location for the file, and then click Save.
In the Display Information dialog box, choose Display information for these languages, select your preferred language from the list, and then click OK.
On the NAP client computer, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
In the command window, type netsh nap client show configuration > <file>, where <file> is the location and name of the file you want to save, and then press ENTER. This command will create a file containing the local client NAP configuration.
In the following example, configuration information is saved to a file named napcfg.txt in the C:\ directory.
netsh nap client show configuration > C:\napcfg.txt
In the command window, type netsh nap client show grouppolicy >> <file>, where <file> is the location and name of the file you created in the preceding step, and then press ENTER. This command will append the NAP client Group Policy configuration to the file.
In the command window, type netsh nap client show state >> <file>, where <file> is the location and name of the file you appended in the preceding step, and then press ENTER. This command will append NAP client state information to the file.
Give the files to your enforcement client vendor for evaluation.
Verify
To verify that NAP enforcement clients are installed and initialized:
- On the NAP client computer, click Start, point to All Programs, click Accessories, and then click Command Prompt.
- In the command window, type netsh nap client show configuration, and then press ENTER.
- If the client computer's NAP configuration is determined by Group Policy, type netsh nap client show grouppolicy, and then press ENTER.
- In the command output, under Enforcement clients, verify that the enforcement clients listed for your deployment are correct, and that the enforcement clients in use on your network have an Admin value of Enabled.
- In the command window, type netsh nap client show state, and then press ENTER.
- In the command output, under Enforcement client state, verify that all enforcement clients listed for your deployment are correct, and that the enforcement clients that are enabled on the client computer have an Initialized value of Yes.