
DHCP NAP Enforcement

  • Sunday, June 14, 2009 10:46 AM, Pei Wai
     
    I am working on 70-642 practice to configure DHCP NAP enforcement, using 2 virtual PCs (both with local only networking) running on the same host.

    I have completed configuring the DC with NAP and the NAP client Group Policy. The noncompliant client (Server 2008) has already run gpupdate, and I verified that the NAP Agent service is started. After ipconfig /renew, the noncompliant client displays an IP with subnet 255.255.255.255.

    To allow the noncompliant client to pass the health check, I updated the health policy in NAP server by clearing Antivirus, Automatic Updating in Windows Security Health Validator.

    I returned to the noncompliant client to perform ipconfig /renew; the subnet mask is still 255.255.255.255.

    I have tried to remove all the DHCP enforcement client configuration from the NAP server; the noncompliant client is still not able to get a valid IP and subnet.

    Soon, the client times out, but I am not able to log in to the domain again.

    Please advise why the client is not able to get a valid IP and subnet after the health policy on the NAP server is updated to allow the client to pass the health check.

    thanks!

Answers

  • Wednesday, June 24, 2009 8:50 PM, Greg Lindsay (MSFT, Owner)
     Answer
    Hi,

    Server 2008 can only be a NAP client if you install a different system health agent (SHA). This is because the WSHA uses Security Center, and Security Center is not installed on any Windows Server OS.

    If you installed the Forefront SHA/SHV or the SCCM SHA/SHV, for example, then Server 2008 could be a NAP client because it does have the NAP agent service.

    -Greg

All Replies

  • Sunday, June 14, 2009 10:05 PM, RamaSubbu SK (MSFT)
     

    Hi,
      Mostly this should be a configuration issue. Can you check the server-side event log from NPS, which will tell why it is not compliant? Also, verify the following:
      (1) Whether the NAPAgent service is running or not.
      (2) Whether the DHCP QEC (Enforcement Client) is enabled or not.
      (3) NETSH NAP CLIENT SHOW GROUPPOLICY will show the configuration that is applied through Group Policy for NAP; make sure everything is as expected.
      (4) If your client is Windows XP, make sure you are changing the setting in the SHV for Windows XP, not for Vista or Windows 7.
     

    Thanks
    -RamaSubbu SK


    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
  • Tuesday, June 16, 2009 6:03 PM, Greg Lindsay (MSFT, Owner)
     
    Hi,

    Adding to what RamaSubbu SK said, you should check Event Viewer (Custom Views\Server Roles\Network Policy and Access Services) to make sure your client is matching the policy that you are modifying.

    -Greg
  • Sunday, June 21, 2009 11:25 AM, Pei Wai
     
    Do I have to install HRA and a CA on server DCsrv1 for the DHCP enforcement test above to work?
  • Sunday, June 21, 2009 5:07 PM, Greg Lindsay (MSFT, Owner)
     
    No, that is only necessary for IPsec enforcement.
  • Monday, June 22, 2009 5:53 AM, Pei Wai
     
    I have finally achieved the test result with Vista as the noncompliant client.
    That is, after turning on NAP on Dcsrv1 (Windows 2008, DHCP, DNS, AD, DC), the Vista client cannot get an IP after ipconfig /renew.
    Then I removed all requirements in the Health Validator (Dcsrv1), and the Vista client is able to get a valid IP with ipconfig /renew.

    The test doesn't work when I use Server 2008 as a noncompliant client.

    Is it that the requirements stated in the Health Validator only apply to Vista or XP clients, but not to a Server 2008 client or other OS?

  • Thursday, June 25, 2009 6:03 AM, Pei Wai
     
    Thanks Greg,
    I will install the Microsoft Forefront Integration Kit for Network Access Protection on the Server 2008 client Virtual PC and will post the result to the forum later.

  • Sunday, June 28, 2009 6:26 AM, Pei Wai
     
    Hi Greg,
    Based on your previous reply:

    "Server 2008 can only be a NAP client if you install a different system health agent (SHA). This is because the WSHA uses Security Center, and Security Center is not installed on any Windows Server OS.

    If you installed the Forefront SHA/SHV or the SCCM SHA/SHV, for example, then Server 2008 could be a NAP client because it does have the NAP agent service."

    I have tried installing both the Forefront SHA and SHV on Server 2008 to make it work as a NAP client. Unfortunately the result is still the same: it doesn't get a valid IP / subnet with IPCONFIG /renew after I have unchecked all requirements on the Dcsrv1 NAP server.

    Where should I find the Forefront SHA/SHV after installing them on Server 2008? Do I have to perform any configuration to enable the Server 2008 client as a NAP client?

    Thanks,
    Pei Wai
  • Sunday, June 28, 2009 6:45 PM, Greg Lindsay (MSFT, Owner)
     

    Hi Pei Wai,

    After installing a new SHA and SHV, you will need to configure requirements in the SHV, and configure your network policies and health policies. Health policies are used to decide what and how SHVs are used in a health check. Network policies use the health policies as conditions to match an access request.

    When you are configuring policies, make sure you do a couple of things:

    1. Enable only the connection request policies and network policies you need, and order them so that the more specific policies are first. This is to ensure the correct policies are matched when a client requests network access.

    2. Review the event logs on your NAP health policy server (NPS) and verify the policies are matched that you expect.

    When a client doesn't get an IP address in a NAP DHCP enforcement setup, it typically means that the client access request didn't match any network policy.

    -Greg
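The checks RamaSubbu SK listed for the client (NAP Agent service, DHCP enforcement client, Group Policy settings) and Greg's advice to confirm on the NPS server which network policy a request actually matched can be scripted. The following is an added example, not code from the thread or from Microsoft; it assumes the standard NPS audit event IDs 6272 (access granted), 6273 (access denied) and 6276 (quarantined) in the Security log of a Windows Server 2008 NPS, and that PowerShell is available on both machines.

```powershell
# Added example: NAP DHCP enforcement triage, run with -Role Client on the
# NAP client and -Role Server on the NPS (health policy) server.
param(
    [ValidateSet('Client', 'Server')]
    [string]$Role = 'Client'
)

function Test-NapClient {
    # (1) NAP Agent service must be running for any enforcement to work
    $svc = Get-Service -Name napagent -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Warning 'napagent service not found on this OS' }
    else { "napagent service: $($svc.Status)" }

    # (2) DHCP Quarantine Enforcement Client must be enabled; the same output
    #     lists the SHAs registered, so it shows whether WSHA or a third-party
    #     SHA such as the Forefront one is actually present on this client
    '--- netsh nap client show state ---'
    netsh nap client show state

    # (3) Settings delivered by Group Policy override the local configuration,
    #     so this is the view that matters on a domain-joined client
    '--- netsh nap client show grouppolicy ---'
    netsh nap client show grouppolicy

    # A lease with subnet mask 255.255.255.255 is the restricted-access lease
    # DHCP hands to a noncompliant or unmatched client
    '--- current lease ---'
    ipconfig /all | Select-String -Pattern 'IPv4 Address', 'Subnet Mask'
}

function Test-NapServer {
    # Last 20 NPS access events. Each event names the Connection Request
    # Policy and Network Policy that matched; a quarantined or denied result
    # with an unexpected policy name (or the default "deny" policy) points at
    # policy ordering or conditions, which is Greg's item 1.
    # Assumption: 6272/6273/6276 are the NPS Security-log event IDs.
    $query = '*[System[(EventID=6272 or EventID=6273 or EventID=6276)]]'
    wevtutil qe Security "/q:$query" /c:20 /rd:true /f:text |
        Select-String -Pattern 'Event ID', 'Connection Request Policy Name',
                               'Network Policy Name', 'Quarantine State', 'Reason'
}

if ($Role -eq 'Client') { Test-NapClient } else { Test-NapServer }
```

Run it in an elevated PowerShell prompt; reading the Security log on the NPS server requires administrative rights.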