Tools to Troubleshoot NAP
You can find a variety of tools for troubleshooting Network Access Protection (NAP) problems, from netsh command to Microsoft System Center Configuration Manager.
April 17, 2013
Q: Can you provide a short list of the most important tools I can use to troubleshoot a Network Access Protection (NAP) problem?
A: For NAP troubleshooting on the server side, you should first check the NAP-specific error messages that you can find in the following Event Viewer container: Custom ViewsServer RolesNetwork Policy and Access Services. To view NAP configuration information on a NAP server, you can use the following netsh commands:
For NAP Network Policy Server (NPS) configuration information:
netsh nps show config
For NAP Health Registration Authority (HRA) configuration information:
netsh nap hra show config
For NAP troubleshooting on the client side, check for error messages in the following Event Viewer container: Applications and Services LogsMicrosoftWindowsNetwork Access ProtectionOperational. To view NAP configuration information on a client, you can use the following netsh commands:
For client Group Policy configuration:
netsh nap client show group
For client local policy configuration:
netsh nap client show config
For client NAP state
netsh nap client show state
Related: A Microsoft Network Access Protection (NAP) Primer
To determine which NAP System Health Agent (SHA) is causing problems, you can use the NAP-related events in the Event Viewer. These events mostly contain an error message with an identifier of the SHA that caused the error. You can find the meaning of these SHA identifiers in the system registry: The HKEY_LOCAL_MACHINESYSTEM CurrentControlSetServicesapagentShas registry container holds a list of all SHAs that are active on your system. For example, identifier 79744 points to the Windows Out-of-Box System Health Agent.
For more information about NAP-specific events and their IDs, take a look at "NAP event logs" in the Microsoft article "Tools for Troubleshooting NAP." For more information about the event IDs related to NAP agent communication with the SHA, check "NAP Agent Communication with the SHA."
If you have a Microsoft System Center Configuration Manager (SCCM) installation in your environment, I advise you to use SCCM for advanced logging and data collection on your NAP clients. For more information on the SCCM NAP-specific log files, take a look at "Log Files for Network Access Protection."
Learn More: Managing Security Dependencies on Windows Networks
About the Author
You May Also Like