Network Access for Compliant Computers Is Restricted

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In a Network Access Protection (NAP) deployment, this problem typically occurs when the client access request does not match the correct network policy. It can also occur when:

  • Policy settings are incorrectly configured.

  • RADIUS client settings are incorrectly configured.

  • There is a configuration problem on the NAP enforcement point.

  • For the NAP with IPsec enforcement method, there are problems issuing health certificates to NAP clients.

Description of system behavior

The network access of a NAP client computer that is compliant with health requirements might be restricted due to errors applying properties to the network connection of the client computer. In an IPsec enforcement infrastructure, this problem can also occur if the NAP client computer is unable to acquire a health certificate due to server-side problems.

Associated operating system events

  • NPS event ID 6276: Network Policy Server quarantined a user.

  • NPS event ID 6278: Network Policy Server granted full access to a user because the host met the defined health policy.

  • NAP client event ID 21: The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id %2 from %1.

Compliant computers have restricted network access

NAP client computers might be evaluated as compliant but have their network access restricted due to a configuration problem on the RADIUS client or the NAP enforcement point. Compliant computers might also match a non-NAP-capable policy because client-side settings are not correctly configured, or required services are not running.

An incorrect network policy is matched

This problem occurs most commonly because the NAP client computer matches a policy for non-NAP-capable computers. Compliant client computers can match this policy if the NAP Agent service has not started when the network access request is made. It can also happen if NAP client settings are not correctly configured.


To repair this problem, see NAP client computers are evaluated as non-NAP-capable.

Incorrect RADIUS client settings

Another common root cause that leads to restricted network access is when RADIUS clients are not configured as NAP-capable.


To repair this problem, see RADIUS client is not NAP-capable.

NAP enforcement point configuration

If the NAP enforcement point is not functional or does not provide a network connection to the NAP client computer that allows for full network access, then the access of compliant computers can be restricted.


Review the configuration of the NAP enforcement point and verify that settings are correct. The type of configuration required will depend on the NAP enforcement method used and the connection properties that are applied to compliant computers. For example, if the enforcement point is an 802.1X-compliant network access device, verify the VLAN or access control list (ACL) configuration for compliant computers.

Health certificate problems

If a compliant NAP client computer cannot acquire a health certificate, its network access will be restricted. This can happen due to a configuration or connectivity problem on the NAP certification authority (CA), Health Registration Authority (HRA) server, or the NAP client.


To repair this problem see Fixing Health Certificate Problems.