Access Requests Do Not Match Any Network Policy
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Network Policy Server (NPS) will process a network access request by first attempting to find a matching connection request policy. If a connection request policy is matched, it will then attempt to match a network policy. Network access will be denied if the access request fails to match both a connection request policy and a network policy.
Description of system behavior
When NPS fails to match a client access request to a network policy, it will deny the user network access. The behavior of NAP client computers that are denied network access will depend on the type of NAP enforcement method used.
With IPsec enforcement, client computers will not be issued a NAP health certificate.
With 802.1X enforcement, client computers will fail 802.1X authentication and might have guest access properties applied to the connection.
With VPN enforcement, the VPN connection will be terminated.
With DHCP enforcement, the client computer will not acquire a DHCP-issued IP address configuration.
Associated operating system events
- NPS event ID 6273: The Network Policy Server denied access to a user.
Root cause diagnosis and resolution
Failure to match a policy is typically caused by an error in policy configuration. To resolve this problem, review the configuration of your network policies. If no configuration errors are apparent, create a policy that will match all network access requests and begin adding conditions to this policy until the client access request fails.
No network policy is matched
Network access is denied when the client access request fails to match a network policy.
To resolve this problem, you must understand why the client network access request failed to match a policy. The reasons can include a configuration problem on the client, a policy configuration problem, or both. One solution is to create additional policies at the bottom of the policy processing order that will match all network access requests. If the client matches this policy, then you can begin adding conditions to the policy until the client fails to match a condition. This allows you to identify the condition that is causing the client to be denied access to the network. Next, investigate why the client does not match this condition. If the client computer fails to match a network policy when you configure a health policy condition, check the client settings and verify that the NAP Agent service is running and the correct enforcement client is enabled and initialized.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To repair this problem
On a server running NPS, click Start, click Run, type nps.msc, and press ENTER.
In the NPS console tree, open Policies\Network Policies. Review the configuration and processing order of the network policy used to match NAP client access requests.
If no errors are found in network policy configuration, check the status of NAP Agent on the client computer and confirm that the enforcement client is enabled. For more information, see Review NAP client settings.