This section provides troubleshooting information to help you resolve issues when computers fail to connect to either the full network or the restricted network using Network Access Protection in Configuration Manager 2007.
NAP Enforcement Mechanism (for example, DHCP, IPsec with a Health Registration Authority) Is Not Configured Correctly
The operation of Network Access Protection (NAP) in Configuration Manager relies on the underlying Windows NAP infrastructure. If this is not correctly configured, Configuration Manager NAP operation is not possible.
Make sure that NAP is working correctly without Configuration Manager before you introduce health checks for the Configuration Manager System Health Validator. Check your underlying NAP infrastructure and reconfigure as appropriate.
For configuration information, see the documentation and step-by-step guides on the Network Access Protection Web site at (http://go.microsoft.com/fwlink/?LinkId=93844).
There is No Matching Policy on the Network Policy Server
For Configuration Manager NAP, you must have at least one connection request policy and three network policies.
Check the policy configuration on the Network Policy Server. For more information, see Configuring the Network Policy Server for Configuration Manager and the documentation on the Network Access Protection Web site at (http://go.microsoft.com/fwlink/?LinkId=93844).
The Matching Policy on the Network Policy Server has been Incorrectly Configured as Deny Access
It is a common misunderstanding that non-compliant computers should be denied network access. Even if computers are non-compliant, the network policies for Configuration Manager must be configured for Grant Access.
Reconfigure the policies so that computers are granted network access. For more information, see Configuring Network Policies for Configuration Manager Network Access Protection and the documentation on the Network Access Protection Web site at (http://go.microsoft.com/fwlink/?LinkId=93844).