Non-NAP Capable computers receiving full network access using DHCP enforcement

Tue, 23 Jun 2009 16:28:42 Z

I have it set up so non-nap capable computers have restricted access yet they are receiving full access to the network. Once connected if I do a Repair or a Ipconfig/release then a renew then they revert to restricted access. If I unplug and then plug in the network cable or reboot they once again receive full access until I again do a Repair or ipconfig/release then renew. Everything else is working as I want.

Non-NAP Capable computers receiving full network access using DHCP enforcement

Wed, 24 Jun 2009 11:06:23 Z

I should add a little more information. If I check the DHCP server it tells me NAP is ON for this machine. If I check the NAP logs in tells me this computer is quarantined yet it still has full network access until the Repair or release/renew is done then it acts as it should, with restricted access.

Non-NAP Capable computers receiving full network access using DHCP enforcement

Wed, 24 Jun 2009 20:16:28 Z

Hi,

Is the client running XP SP3?

-Greg

Non-NAP Capable computers receiving full network access using DHCP enforcement

Thu, 25 Jun 2009 01:04:27 Z

Yes it is.

Non-NAP Capable computers receiving full network access using DHCP enforcement

Thu, 25 Jun 2009 01:21:21 Z

Hi,

The reason I ask is I've seen this issue before only with XP SP3 and DHCP enforcement - usually the first time a non-NAP capable client joins the network. You can also see it 50% of the time if you manually release and renew the IP address. It never happens if the client renews its DHCP lease normally, or if NAP agent is running.

You can confirm this is the same problem by reviewing the NPS event log. When a DHCP client requests network access in a NAP DHCP scenario, there must be an access request recorded. NPS will then accept/deny/restrict the client based on the contents of the request (health, computer group, etc). Even if the client is non-NAP capable, there should be a record of the DHCP request.

However, sometimes when a non-NAP capable XP SP3 client sends the first request this isn't processed at all by NPS. The result is that the DHCP server simply provides a typical IP address configuration. You can confirm this by looking at the NPS event log to see that no access request was logged.

We are already looking at this issue, but if this is indeed your problem then additional reports help. Can you confirm that no NPS events are recorded when this occurs? View NPS events at Custom Views\Server Roles\Network Policy and Access Services.

Thanks,
-Greg

Non-NAP Capable computers receiving full network access using DHCP enforcement

Thu, 25 Jun 2009 11:22:11 Z

I am pasting in the 4 log entries I get for this computer, as I get with any computer, they all show as Non Nap-capaple at first and then change to either Compliant or Non-compliant depending on their health state, they all change to a Result of Full Access as they should. This one shows as quarantined all the way thru despite getting full access. It looks to me as it should, but will let you examine it. You are right about the 50% also. I can do a release/renew, one time it restricts it, the next time it allows it, and back and forth it goes, even though the logs are the same each time. I also am having problems with computers being put in an Exception group not being processed as exceptions and being restricted instead of being allowed access but I figure I will tackle this problem first before moving on, maybe there is a common fix for both.

Here are the log entries. I should add, I have pasted the log entries in the order they get logged, so the first one you read is the first log entry posted.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          6/25/2009 7:47:43 AM
Event ID:      6272
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      LEG-FS1.gnb.ca
Description:
Network Policy Server granted access to a user.

User:
Security ID:   NULL SID
Account Name:   -
Account Domain:   -
Fully Qualified Account Name: -

Client Machine:
Security ID:   NULL SID
Account Name:   leg-co489486
Fully Qualified Account Name: -
OS-Version:   -
Called Station Identifier:  142.139.19.0
Calling Station Identifier:  001422EDA6CC

NAS:
NAS IPv4 Address:  142.139.19.161
NAS IPv6 Address:  -
NAS Identifier:   LEG-FS1
NAS Port-Type:   Ethernet
NAS Port:   -

RADIUS Client:
Client Friendly Name: -
Client IP Address: -

Authentication Details:
Proxy Policy Name:  NAP DHCP
Network Policy Name:  NAP DHCP Non NAP-Capable
Authentication Provider:  Windows
Authentication Server:  LEG-FS1.gnb.ca
Authentication Type:  Unauthenticated
EAP Type:   -
Account Session Identifier:  323732393137363738

Quarantine Information:
Result: Quarantined
Session Identifier: -

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>6272</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2009-06-25T10:47:43.855Z" />
    <EventRecordID>149022</EventRecordID>
    <Correlation />
    <Execution ProcessID="712" ThreadID="6220" />
    <Channel>Security</Channel>
    <Computer>LEG-FS1.gnb.ca</Computer>
    <Security />
</System>
<EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="FullyQualifiedSubjectUserName">-</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">leg-co489486</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">142.139.19.0</Data>
    <Data Name="CallingStationID">001422EDA6CC</Data>
    <Data Name="NASIPv4Address">142.139.19.161</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">LEG-FS1</Data>
    <Data Name="NASPortType">Ethernet </Data>
    <Data Name="NASPort">-</Data>
    <Data Name="ClientName">-</Data>
    <Data Name="ClientIPAddress">-</Data>
    <Data Name="ProxyPolicyName">NAP DHCP</Data>
    <Data Name="NetworkPolicyName">NAP DHCP Non NAP-Capable</Data>
    <Data Name="AuthenticationProvider">Windows </Data>
    <Data Name="AuthenticationServer">LEG-FS1.gnb.ca</Data>
    <Data Name="AuthenticationType">Unauthenticated </Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">323732393137363738</Data>
    <Data Name="QuarantineState">Quarantined </Data>
    <Data Name="QuarantineSessionIdentifier">-</Data>
</EventData>
</Event>

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          6/25/2009 7:47:43 AM
Event ID:      6272
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      LEG-FS1.gnb.ca
Description:
Network Policy Server granted access to a user.

User:
Security ID:   NULL SID
Account Name:   -
Account Domain:   -
Fully Qualified Account Name: -

Client Machine:
Security ID:   NULL SID
Account Name:   leg-co489486
Fully Qualified Account Name: -
OS-Version:   -
Called Station Identifier:  142.139.19.0
Calling Station Identifier:  001422EDA6CC

NAS:
NAS IPv4 Address:  142.139.19.161
NAS IPv6 Address:  -
NAS Identifier:   LEG-FS1
NAS Port-Type:   Ethernet
NAS Port:   -

RADIUS Client:
Client Friendly Name: -
Client IP Address: -

Quarantine Information:
Result: Quarantined
Session Identifier: -

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>6272</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2009-06-25T10:47:43.855Z" />
    <EventRecordID>149023</EventRecordID>
    <Correlation />
    <Execution ProcessID="712" ThreadID="6220" />
    <Channel>Security</Channel>
    <Computer>LEG-FS1.gnb.ca</Computer>
    <Security />
</System>
<EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="FullyQualifiedSubjectUserName">-</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">leg-co489486</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">142.139.19.0</Data>
    <Data Name="CallingStationID">001422EDA6CC</Data>
    <Data Name="NASIPv4Address">142.139.19.161</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">LEG-FS1</Data>
    <Data Name="NASPortType">Ethernet </Data>
    <Data Name="NASPort">-</Data>
    <Data Name="ClientName">-</Data>
    <Data Name="ClientIPAddress">-</Data>
    <Data Name="ProxyPolicyName">NAP DHCP</Data>
    <Data Name="NetworkPolicyName">NAP DHCP Non NAP-Capable</Data>
    <Data Name="AuthenticationProvider">Windows </Data>
    <Data Name="AuthenticationServer">LEG-FS1.gnb.ca</Data>
    <Data Name="AuthenticationType">Unauthenticated </Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">323732393137363738</Data>
    <Data Name="QuarantineState">Quarantined </Data>
    <Data Name="QuarantineSessionIdentifier">-</Data>
</EventData>
</Event>

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          6/25/2009 7:47:43 AM
Event ID:      6276
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      LEG-FS1.gnb.ca
Description:
Network Policy Server quarantined a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID:   NULL SID
Account Name:   -
Account Domain:   -
Fully Qualified Account Name: -

Client Machine:
Security ID:   NULL SID
Account Name:   leg-co489486
Fully Qualified Account Name: -
OS-Version:   -
Called Station Identifier:  142.139.19.0
Calling Station Identifier:  001422EDA6CC

NAS:
NAS IPv4 Address:  142.139.19.161
NAS IPv6 Address:  -
NAS Identifier:   LEG-FS1
NAS Port-Type:   Ethernet
NAS Port:   -

RADIUS Client:
Client Friendly Name: -
Client IP Address: -

Quarantine Information:
Result:    Quarantined
Extended-Result:   -
Session Identifier:   -
Help URL:   -
System Health Validator Result(s): -

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>6276</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2009-06-25T10:47:43.855Z" />
    <EventRecordID>149024</EventRecordID>
    <Correlation />
    <Execution ProcessID="712" ThreadID="6220" />
    <Channel>Security</Channel>
    <Computer>LEG-FS1.gnb.ca</Computer>
    <Security />
</System>
<EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="FullyQualifiedSubjectUserName">-</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">leg-co489486</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">142.139.19.0</Data>
    <Data Name="CallingStationID">001422EDA6CC</Data>
    <Data Name="NASIPv4Address">142.139.19.161</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">LEG-FS1</Data>
    <Data Name="NASPortType">Ethernet </Data>
    <Data Name="NASPort">-</Data>
    <Data Name="ClientName">-</Data>
    <Data Name="ClientIPAddress">-</Data>
    <Data Name="ProxyPolicyName">NAP DHCP</Data>
    <Data Name="NetworkPolicyName">NAP DHCP Non NAP-Capable</Data>
    <Data Name="AuthenticationProvider">Windows </Data>
    <Data Name="AuthenticationServer">LEG-FS1.gnb.ca</Data>
    <Data Name="AuthenticationType">Unauthenticated </Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">323732393137363738</Data>
    <Data Name="QuarantineState">Quarantined </Data>
    <Data Name="ExtendedQuarantineState">-</Data>
    <Data Name="QuarantineSessionID">-</Data>
    <Data Name="QuarantineHelpURL">-</Data>
    <Data Name="QuarantineSystemHealthResult">-</Data>
</EventData>
</Event>

Contact the Network Policy Server administrator for more information.

User:
Security ID:   NULL SID
Account Name:   -
Account Domain:   -
Fully Qualified Account Name: -

Client Machine:
Security ID:   NULL SID
Account Name:   leg-co489486
Fully Qualified Account Name: -
OS-Version:   -
Called Station Identifier:  142.139.19.0
Calling Station Identifier:  001422EDA6CC

NAS:
NAS IPv4 Address:  142.139.19.161
NAS IPv6 Address:  -
NAS Identifier:   LEG-FS1
NAS Port-Type:   Ethernet
NAS Port:   -

RADIUS Client:
Client Friendly Name: -
Client IP Address: -

Quarantine Information:
Result:    Quarantined
Extended-Result:   -
Session Identifier:   -
Help URL:   -
System Health Validator Result(s): -

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>6276</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2009-06-25T10:47:43.855Z" />
    <EventRecordID>149025</EventRecordID>
    <Correlation />
    <Execution ProcessID="712" ThreadID="6220" />
    <Channel>Security</Channel>
    <Computer>LEG-FS1.gnb.ca</Computer>
    <Security />
</System>
<EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="FullyQualifiedSubjectUserName">-</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">leg-co489486</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">142.139.19.0</Data>
    <Data Name="CallingStationID">001422EDA6CC</Data>
    <Data Name="NASIPv4Address">142.139.19.161</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">LEG-FS1</Data>
    <Data Name="NASPortType">Ethernet </Data>
    <Data Name="NASPort">-</Data>
    <Data Name="ClientName">-</Data>
    <Data Name="ClientIPAddress">-</Data>
    <Data Name="ProxyPolicyName">NAP DHCP</Data>
    <Data Name="NetworkPolicyName">NAP DHCP Non NAP-Capable</Data>
    <Data Name="AuthenticationProvider">Windows </Data>
    <Data Name="AuthenticationServer">LEG-FS1.gnb.ca</Data>
    <Data Name="AuthenticationType">Unauthenticated </Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">323732393137363738</Data>
    <Data Name="QuarantineState">Quarantined </Data>
    <Data Name="ExtendedQuarantineState">-</Data>
    <Data Name="QuarantineSessionID">-</Data>
    <Data Name="QuarantineHelpURL">-</Data>
    <Data Name="QuarantineSystemHealthResult">-</Data>
</EventData>
</Event>

Non-NAP Capable computers receiving full network access using DHCP enforcement

Fri, 26 Jun 2009 06:16:05 Z

Hi,
Yes, This behaviour has been noticed at my set up too. Client Getting 50% of times Full access despite client being Quarantined. This is only on XP S3 Clients

Non-NAP Capable computers receiving full network access using DHCP enforcement

Sun, 28 Jun 2009 22:39:29 Z

Lefty777,

Thanks for posting the event logs. The events all say that the policy that was matched is the Non-NAP capable policy:

Network Policy Name: NAP DHCP Non NAP-Capable

None of the events evaluate a client as compliant or non-compliant. In order to match one of these health states, the client must be NAP-capable. When it is non-NAP capable (because NAP agent is not running) it is quarantined because you have configured the non-NAP capable policy's "NAP enforcement" setting to provide limited network access. This is expected.

The problem you are seeing is due to a recently reported bug that only affects XP SP3 non-NAP capable clients using DHCP enforcement. We are investigating the cause. It may be a client side problem or an issue on the DHCP server. I'll update this thread if additional details or fixes become available. The only solution available at this time is to allow the client to renew its DHCP lease.

-Greg

Non-NAP Capable computers receiving full network access using DHCP enforcement

Mon, 29 Jun 2009 18:56:00 Z

I am also seeing the same pattern on XP SP3
I'm working with very basic DHCP based rules based on the article "Geek of all Trades Control network Access Using DHCP Enforcement"

If you run napstat.exe on the client...it thinks everything is good, and its not.

Is there better logging on the server side? Does anyone have details on how to read the accounting logs?

Non-NAP Capable computers receiving full network access using DHCP enforcement

Fri, 21 Aug 2009 19:40:54 Z

Is there a fix for XP SP3 clients or is this fixed in 2008 R2 DHCP servers?

Non-NAP Capable computers receiving full network access using DHCP enforcement

Fri, 21 Aug 2009 21:31:34 Z

Hi,

To answer tklose's question about logging, the best way to interpret client status is with SQL logging. We are working on making this simpler to implement, but for now you must create a SQL database, table, and stored procedure. I provided some example commands for this in this thread, and I've reproduced it below for you also.

USE [master]

CREATE DATABASE [NPSXML] ON PRIMARY

(NAME = N'NPSXML', FILENAME = N'D:\NPSSQL\NPSXML.mdf’)

LOG ON (NAME = N'NPSXML_log', FILENAME = N'D:\NPSSQL\NPSXML_log.LDF')

USE [NPSXML]

CREATE TABLE [dbo].[NPS_Packets] ([PacketTime] [datetime] NOT NULL DEFAULT (getutcdate()),

[NPS_Attributes] [xml] NOT NULL) ON [PRIMARY]

CREATE PROCEDURE [dbo].[Report_Event]

(@doc nvarchar(max))

INSERT INTO NPS_Packets (PacketTime, NPS_Attributes)

VALUES (GETUTCDATE(), @doc)

To answer MyGposts, question, there isn't a fix yet. I've just updated the bug with more information. Please add any information you can about how this problem is affecting your NAP deployment. This will help to expedite a hotfix.

-Greg

Non-NAP Capable computers receiving full network access using DHCP enforcement

Thu, 27 Aug 2009 13:22:16 Z

I would think the fact that there are known bugs in NAP would be enough to expedite a hotfix.

Non-NAP Capable computers receiving full network access using DHCP enforcement

Thu, 27 Aug 2009 13:37:13 Z

We were planning to upgrade our domain from 2003 to 2008 and DHCP enforcement was one of the most important reasons why. The majority of clients will be XPSP3, so this is a complete show stopper. We are not going forward with the domain upgrade at all until this is resolved.

Non-NAP Capable computers receiving full network access using DHCP enforcement

Mon, 31 Aug 2009 10:35:02 Z

I have the same problems when i test with ws08-R2...
Anyone solved this problem?

Marcos Vinícios Wasem Ferreira da Costa [ MCP / MCSA / MCSA+S / MCSE / MCSE+S ]

Non-NAP Capable computers receiving full network access using DHCP enforcement

Tue, 20 Oct 2009 03:16:43 Z

Hi all,

Read through all of yours message and got the answer that NAP with XP SP3 have know bug issue.
May i know where can i see the update infromation/hotfix, for this problem . Our company also want to control user network access by antivirus.

Regard,
Vincent

Non-NAP Capable computers receiving full network access using DHCP enforcement

Tue, 20 Oct 2009 04:56:23 Z

Hi,

There is not a hotfix available for this yet. A workaround would be to use ipconfig/renew in the logon script for XP computers only, but I know this is not ideal.

I believe the problem is still under investigation, but I have notified the product group that handles this of your request.

-Greg

Non-NAP Capable computers receiving full network access using DHCP enforcement

Tue, 27 Oct 2009 03:21:29 Z

Finally, i've got a test with those NAP supported client platform Window XP SP3,Window Vista, Winodw 7 and One Non supported platform Winodw XP SP2...

My enviroment is as follow...

Window 2003        Role: DC + DNS
Window 2008        Role: NAP Server + DHCP Server
Window XP SP3      Role: Client without AntiVirus Client
Window Vista         Role:Client with AntiVirus Symantec Endpoint 11 Client
Window 7              Role:Client with AntiVirus AVG Free Edition 9.0

Such that the result i've got is

Window XP SP2 ....match the expected result that it does not have NAP agent , and it never got a Health IP *Even do ipconfig /release + renew

Window XP SP3 ....match the expected result that this version have known bug issue , no matter disable the NAP agent , client status is match or no match of the SHVs , client can get the Health/Limited IP after they do ipconfig /release + renew

Window Vista ....match the expected result and it support with Symantec Endpoint 11 Client

Window 7 .....match the expected result and it support with AVG Free Edition 9.0

It's a great technology but just very hope that to fix XP SP3 issue ....otherwise i will thinks that NAP is NOT support in XP!!!!

P.S If the situation like that , i think it is better to make XP SP3 Client same as XP SP2 result....that...make me feel normal....

P.S.2 Thanks Greg answer !

P.S.3 Did anybody know a list for antivirus support client in NAP, or i need to test one by one?

Regards and thanks,
Vincent