Non-NAP Capable computers not being processed by Exceptions policy

Mon, 29 Jun 2009 12:53:27 Z

OK, next problem I am having. I have a policy set up for exceptions for Nap-non capable computers but this policy is not being processed. I add the computer to the domain (I created an Org Unit called Non Nap-capable Computers), add it to my exception group (called NAP Computer Exceptions, set up as Global/Security). This group is added as one of the Machine Groups on the Conditions tab under Network Policies yet when I check the logs the computer is always processed as nap-non capable. I even have the Exceptions policy set as the first one to be processed but the non nap-capable is the policy that gets processed, it is 4 in the list. This happens with both Vista SP2 and XP SP3 computers.

Non-NAP Capable computers not being processed by Exceptions policy

Fri, 03 Jul 2009 07:23:18 Z

Hi,

Add the group as a condition to your non-NAP capable policy and see if these computers continue to match that policy. If not, then the condition isn't configured right.

I imagine you've done this, but after adding a computer to a new security group you must reboot the computer in order to apply the membership. Run gpresult and make sure you see this group membership.

-Greg

Non-NAP Capable computers not being processed by Exceptions policy

Mon, 06 Jul 2009 13:23:06 Z

I did a gpresult and found the computer was not in the group, so I added the computer thru My Computer/Properties/Computer Name (using XP SP3) to get it into the domain, and then added it to the NAP Computer Exceptions group, when I then run the gpresult it is showing up in the group. I am still not having the NAP Computer Exception policy processed. I have this policy set up as simple as one can be set up, it is 1st in the processing list. In the Overview tab, I have the policy Enabled, under Access permission, I have Grant Access, and under Type of Network Access Server I have DHCP server. Under the Conditions tab I only have one condition with a Condition of Machine Groups and a Value of GNB\NAP Computer Exceptions. I have verified that this computer is part of that group thru gpresult. Not sure what else I can check or do to remedy this.

Non-NAP Capable computers not being processed by Exceptions policy

Tue, 07 Jul 2009 04:22:21 Z

Hi,

Add the computer group condition to the non-NAP capable policy and see if it still matches. Let me know what happens.

Also please post the output of "netsh nps show config" from your NPS server to help troubleshoot.

-Greg

Non-NAP Capable computers not being processed by Exceptions policy

Tue, 07 Jul 2009 11:03:48 Z

When I add that condition to the non-NAp capable policy it now tells me this connection request does not match any of the network policies. I know you earlier said this means it is not set up correctly but I do not know where I could have gone wrong. This tells me it thinks this computer is not part of the NAP Computer Exceptions group but it is, anyways, I am also attaching the information you requested, hope you see something I am not.

C:\Windows\system32>netsh nps show config

Connection request policy configuration:
---------------------------------------------------------
Name             = Use Windows authentication for all users
State            = Enabled
Processing order = 2
Policy source    = 0

Condition attributes:

Name Id Value
---------------------------------------------------------
Condition0 0x1006 "0 00:00-24:00; 1 00:00-24:0
0; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

Profile attributes:

Name Id Value
---------------------------------------------------------
Auth-Provider-Type 0x1025 "0x1"

Connection request policy configuration:
---------------------------------------------------------
Name             = NAP DHCP
State            = Enabled
Processing order = 1
Policy source    = 3

Condition attributes:

Name Id Value
---------------------------------------------------------
Condition0 0x1006 "0 00:00-24:00; 1 00:00-24:0
0; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

Profile attributes:

Name                                    Id          Value
---------------------------------------------------------
Auth-Provider-Type                      0x1025      "0x1"
Override-RAP-Auth                       0x1fb0      "FALSE"

Event log configuration:
---------------------------------------------------------
Accepted authentication requests = Enabled
Rejected authentication requests = Enabled

File log configuration:
---------------------------------------------------------
Accounting                     = Enabled
Authentication                 = Enabled
Periodic accounting status     = Enabled
Periodic authentication status = Enabled
Directory                      = C:\Windows\system32\LogFiles
Format                         = ODBC formatting
Delete old logs                = Enabled
Frequency                      = Monthly logs
Max size                       = 10 MB

Ports configuration:
---------------------------------------------------------
Accounting ports = 1813,1646
Authentication ports = 1812,1645

Network policy configuration:
---------------------------------------------------------
Name             = Connections to other access servers
State            = Enabled
Processing order = 6
Policy source    = 0

Condition attributes:

Name Id Value
---------------------------------------------------------
Condition0 0x1006 "0 00:00-24:00; 1 00:00-24:0
0; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

Profile attributes:

Name                                    Id          Value
---------------------------------------------------------
NP-Allow-Dial-in                        0x100f      "FALSE"
NP-Authentication-Type                  0x1009      "0x3" "0x4" "0x9" "0xa"
Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
Framed-Protocol                         0x7         "0x1"
Service-Type                            0x6         "0x2"

Network policy configuration:
---------------------------------------------------------
Name             = Connections to Microsoft Routing and Remote Access server
State            = Enabled
Processing order = 5
Policy source    = 0

Condition attributes:

Name Id Value
---------------------------------------------------------
Condition0 0x1033 "^311$"

Profile attributes:

Name                                    Id          Value
---------------------------------------------------------
NP-Allow-Dial-in                        0x100f      "FALSE"
NP-Allowed-EAP-Type                     0x100a      "0D0000000000000000000000000
00000"
NP-Authentication-Type                  0x1009      "0x5" "0x4" "0xa" "0x3" "0x9
"
Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
Framed-Protocol                         0x7         "0x1"
Service-Type                            0x6         "0x2"
MS-Filter                               0x102f

        ===============================================================
        IPFILTER_IPV4INFILTER   Action: DENY
        ---------------------------------------------------------------
        Address . . . . . : 0.0.0.0
        Mask. . . . . . . : 0.0.0.0
        Protocol. . . . . : 0
        Source Port . . . : 0
        Destination Port. : 0
        ---------------------------------------------------------------

MS-MPPE-Encryption-Policy 0xffffffa7 "0x2"
MS-MPPE-Encryption-Types 0xffffffa6 "0xe"

Network policy configuration:
---------------------------------------------------------
Name             = NAP DHCP Compliant
State            = Enabled
Processing order = 2
Policy source    = 3

Condition attributes:

Name Id Value
---------------------------------------------------------
Condition0 0x1fbd "NAP DHCP Compliant"

Profile attributes:

Name                                    Id          Value
---------------------------------------------------------
MS-Extended-Quarantine-State            0x1fd9      "0x0"
Ignore-User-Dialin-Properties           0x1005      "TRUE"
NP-Allow-Dial-in                        0x100f      "TRUE"
NP-Authentication-Type                  0x1009      "0x7"
MS-Quarantine-State                     0x1faf      "0x0"
Quarantine-Update-Non-Compliant         0x1fc8      "FALSE"
Framed-Protocol                         0x7         "0x1"
Service-Type                            0x6         "0x2"
Saved-Machine-HealthCheck-Only          0x1fdc      "0x1"

Network policy configuration:
---------------------------------------------------------
Name             = NAP DHCP Noncompliant
State            = Enabled
Processing order = 3
Policy source    = 3

Condition attributes:

Name Id Value
---------------------------------------------------------
Condition0 0x1fbd "NAP DHCP Noncompliant"

Profile attributes:

Name                                    Id          Value
---------------------------------------------------------
MS-Extended-Quarantine-State            0x1fd9      "0x0"
Ignore-User-Dialin-Properties           0x1005      "TRUE"
NP-Allow-Dial-in                        0x100f      "TRUE"
NP-Authentication-Type                  0x1009      "0x7"
Quarantine-Fixup-Servers-Configuration 0x1fc2      "NAP Client Services"
MS-Quarantine-State                     0x1faf      "0x1"
Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
Framed-Protocol                         0x7         "0x1"
Service-Type                            0x6         "0x2"
Saved-Machine-HealthCheck-Only          0x1fdc      "0x1"

Network policy configuration:
---------------------------------------------------------
Name             = NAP DHCP Non NAP-Capable Exceptions
State            = Enabled
Processing order = 1
Policy source    = 3

Condition attributes:

Name Id Value
---------------------------------------------------------
Condition0 0x1fb4 "S-1-5-21-4191016595-1503350
669-2086681662-145014"

Profile attributes:

Name                                    Id          Value
---------------------------------------------------------
MS-Extended-Quarantine-State            0x1fd9      "0x0"
NP-Allow-Dial-in                        0x100f      "TRUE"
NP-Authentication-Type                  0x1009      "0x7"
MS-Quarantine-State                     0x1faf      "0x0"
Quarantine-Update-Non-Compliant         0x1fc8      "FALSE"
Framed-Protocol                         0x7         "0x1"
Service-Type                            0x6         "0x2"
Saved-Machine-HealthCheck-Only          0x1fdc      "0x1"

Network policy configuration:
---------------------------------------------------------
Name             = NAP DHCP Non NAP-Capable
State            = Enabled
Processing order = 4
Policy source    = 3

Condition attributes:

Name                                    Id          Value
---------------------------------------------------------
Condition0                              0x1fbb      "^1$"
Condition1                              0x1fb4      "S-1-5-21-4191016595-1503350
669-2086681662-145014"

Profile attributes:

Name                                    Id          Value
---------------------------------------------------------
NP-Allow-Dial-in                        0x100f      "TRUE"
NP-Authentication-Type                  0x1009      "0x7"
MS-Quarantine-State                     0x1faf      "0x0"
Quarantine-Update-Non-Compliant         0x1fc8      "FALSE"
Framed-Protocol                         0x7         "0x1"
Service-Type                            0x6         "0x2"
Saved-Machine-HealthCheck-Only          0x1fdc      "0x1"

Remediation server configuration:
---------------------------------------------------------
Group = NAP Client Services
Address = 142.139.11.25
Name = Domain Controller

Remediation server configuration:
---------------------------------------------------------
Group = NAP Client Services
Address = 142.139.17.130
Name = EPO Server

Remediation server configuration:
---------------------------------------------------------
Group = NAP Client Services
Address = 142.139.19.166
Name = WSUS Server

SHV configuration:
---------------------------------------------------------
Id = 79744
Name = Windows Security Health Validator

Vendor = Microsoft Corporation

Description = The Windows Security Health Validator defines t
he policy that client computers must be compliant with.

Version = 1.0

Policy server unreachable      = Noncompliant
Remediation server unreachable = Noncompliant
System Health Agent failure    = Noncompliant
NAP server failure             = Noncompliant
Other errors                   = Noncompliant

Health policy configuration:
---------------------------------------------------------
Name = NAP DHCP Compliant
Configuration = All must pass
Id = 79744

Health policy configuration:
---------------------------------------------------------
Name = NAP DHCP Noncompliant
Configuration = One or more must fail
Id = 79744

SQL log configuration:
---------------------------------------------------------
Connection                     =
Description                    =
Accounting                     = Enabled
Authentication                 = Enabled
Periodic accounting status     = Enabled
Periodic authentication status = Enabled
Max sessions                   = 2

Ok.

C:\Windows\system32>

Non-NAP Capable computers not being processed by Exceptions policy

Thu, 16 Jul 2009 13:19:29 Z

Good morning, I have not heard anything back since last Tuesday, is there a solution to this problem or is it still being investigated???

Non-NAP Capable computers not being processed by Exceptions policy

Thu, 16 Jul 2009 20:51:58 Z

Hi,

Sorry for the delay in answering.

I've reproduced your scenario and this may be a bug. I'll need to have others reproduce it and see if they have an explanation or if it is truly a bug.

I noticed the following behavior:

--> A policy configured with *only* a computer group condition that is placed at the top of the processing order will match a DHCP NAP client access request, but only if the computer is NAP-capable and is a member of the security group used in the condition.

Essentially, this verifies that the computer group condition is working as expected with NAP-capable systems.

I set the policy to quarantine (provide limited access) for any computer that matched the condition. Immediately I see this policy works because a NAP-capable compliant computer that is a member of the security group will be provided with a restricted IP address (255.255.255.255 netmask). If I stop napagent and release/renew the IP address the computer will immediately fail to match this policy even though there is no other condition than the computer group.

I'll send this on to the product team right away for investigation and let you know what they find out.

Thanks for noticing this! I'll keep you apprised here of anything we find out. For now, it appears that a group condition isn't working with DHCP enforcement when the client is non NAP-capable.

-Greg

Non-NAP Capable computers not being processed by Exceptions policy

Mon, 20 Jul 2009 10:50:23 Z

Good morning. Yes, just to confirm a few things you seemed to have tried already, this might be the problem. I added a condition to the NAP Compliant policy that all computers must also belong to the group NAP Enforced Computers, this is the group I use to apply the polices need by NAP clients. This policy was still processed to I was able to eliminate the idea that maybe NAP was not processing conditions with computer groups in them.
With my Exceptions policy I removed the condition that they needed to belong to the NAP Computer Exceptions group and created the condition that they needed to be Non-nap Capable and that condition began to be processed. I removed the Non-nap capable condition, put back the condition that they belong to the NAP Computer Exceptions group, and then made that computer NAP capable and it began processing the Exceptions policy.

From all this it seems you are bang on that for some reason, when a computer is Non-nap Capable, it will not process conditions that contain Computer groups. Hope you find an explanation or work around.

Non-NAP Capable computers not being processed by Exceptions policy

Wed, 22 Jul 2009 22:12:35 Z

Hi,

The latest information is that the DHCP packet sent when the client is non NAP-capable doesn't contain the FQDN, which it needs to be recognized in a domain security group. Only the machine name is sent. One way of working around this would be to use the MAC address instead, but I know this isn't really an acceptable solution. We are still looking into it and perhaps there is another workaround such as a registry key that can be set to enable sending the FQDN. If not, this may require a patch.

-Greg

Non-NAP Capable computers not being processed by Exceptions policy

Sun, 26 Jul 2009 05:19:47 Z

Hi,

I marked this as answered for now. If there is a workaround I will provide it. Currently this is under investigation and there is no available solution.

-Greg