DHCP NAP STATUS OFF
-
Monday, August 6, 2012 10:19
Hi,
I have configured DHCP and NPS on the same server. I have enabled NPS on the DHCP scope. But whenever I go to:
Scope -->> Address Leases and check the column named Network Access Protection, the status is OFF. The NPS service is working fine on the server. I've tried restarting the service / server. But all in vain.
My second question is: is it possible to configure DHCP on one server and NPS on another server?
I'll be using SCCM NAP feature after implementation.
All replies
-
Tuesday, August 7, 2012 7:32 (Owner)
Hi,
I will check the column you are talking about, but if my memory is correct I think this has to do with client-side. In other words, you must make sure that NAP agent and the DHCP enforcement client is running on the client.
You can configure NPS on one computer and DHCP on another, but you must install NPS on the DHCP server and forward connection requests to the main NPS server. In other words, the DHCP server can be a RADIUS proxy. Although you must install NPS you don't have to configure network policies there.
-Greg
- Marked as answer by ArnavSharma, Tuesday, August 28, 2012 11:29
-
Wednesday, August 8, 2012 4:27
The required settings on the client side are pushed by GPO. And the same GP is being used in another OU and is working fine.
Any other reason for this?
- Marked as answer by ArnavSharma, Tuesday, August 28, 2012 11:29
-
Wednesday, August 8, 2012 20:47 (Owner)
Hi,
I can only add two graphics to a single reply so I'll just create two replies so I can get three graphics inserted.
Pushing the GPO doesn't necessarily mean that it is working on the client side. Issue "netsh nap client show state" to verify that the client is NAP-enabled.
See the first image below. There is a non domain-joined client that is not NAP-enabled (NAP is Off).
The reason this client is not NAP-enabled is because the DHCP enforcement client is not initialized. When I initialize it, this happens:
- Edited by Greg Lindsay (Microsoft Employee, Owner), Wednesday, August 8, 2012 20:50
- Marked as answer by Tiger Li (Moderator), Monday, August 13, 2012 0:46
-
Wednesday, August 8, 2012 20:49 (Owner)
Of course this wasn't done via GPO, because the client is non domain-joined. I could also have just joined it to the domain and made sure that everything was enabled. By the way, this computer is noncompliant because there is no AV installed.
After turning on the DHCP enforcement client, the DHCP scope shows NAP is "On" - see below.
-Greg
- Marked as answer by Tiger Li (Moderator), Monday, August 13, 2012 0:46
-
Tuesday, August 28, 2012 11:03
Thanks Greg. Everything seems to be in place, GP and NPS.
How long does it take for the DHCP status to change? I have around 200 systems in one scope, and whenever I enable NAP on the DHCP scope the status remains OFF; also the clients are unable to receive an IP (after enabling NAP on DHCP), even if I add an exception on NPS.
-
Tuesday, August 28, 2012 11:30
And, approximately how much time does the NPS server take to generate Event ID 4400, for proper DC-NPS communication?
-
Tuesday, August 28, 2012 15:31 (Owner)
Hi,
There is no delay. As soon as the lease is renewed for a NAP-capable computer, the DHCP console should show that NAP is On. In the screenshots above I viewed them immediately. The answer is the same for event 4400; this should happen immediately.
Please understand that NAP = Off does not mean you have enabled NAP on the scope. It is referring to the client. If the client does not have NAP configured correctly, then NAP = Off. The client also might not get an IP address (depending on your configuration). Even if the client does get an IP address because of an exception, NAP is still Off on the client.
-Greg
- Marked as answer by ArnavSharma, Friday, August 31, 2012 14:57
-
Wednesday, August 29, 2012 4:10
PFB the config I have set: now I have made a machine group (that contains the machines that should respond to NAP) on which I have applied a GP for enabling DHCP NAP (tested the same using the command line). The required machines are working fine and getting the required IP whenever I start the NPS and DHCP servers. But other machines (machines not in the NAP testing group, but in the same scope) are not renewing their IP address.
What could be the reason, as I have enabled the NPS group only?
-
Wednesday, August 29, 2012 8:30 (Owner)
Hi,
On your NPS server, open Event Viewer and look at Custom Views\Server Roles\Network Policy and Access Services. There will be events there that tell you what policy was matched by computers in the NAP testing group and also the policy matched by other computers (not in this group). It will probably show that the other computers are matching the NAP DHCP Non NAP-Capable policy, and this policy is probably configured to deny network access. This is why they do not get an IP address. You can change the policy to allow restricted access. They will still appear in the DHCP console as NAP = Off, but they will get an IP address.
-Greg
P.S. You can also configure the non NAP-capable policy to grant full access, but this sort of defeats the purpose of enabling NAP.
- Edited by Greg Lindsay (Microsoft Employee, Owner), Wednesday, August 29, 2012 8:31
- Marked as answer by ArnavSharma, Friday, August 31, 2012 14:57
-
Thursday, August 30, 2012 9:56
Thanks Greg. I somehow figured this out by configuring a policy for non-capable clients. Now it's working fine. :)
But I'm having some issues with the Win XP SP3 OS. On the NAP agent, the error is "SHA Not Present", error 79745, Event ID 17.
This is mentioned in your thread http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/0736846f-60c3-4871-8902-d5b00ffe58ef
but there are no solutions on this. Can you please let me know how we can correct this?
Regards,
Arnav Sharma
- Marked as answer by ArnavSharma, Friday, August 31, 2012 14:57
-
Thursday, August 30, 2012 10:47 (Owner)
Hi Arnav,
The other issue you bring up is from a long time ago. It's hard to recall when this was discussed, but there was a lot of email about it 3 1/2 years ago. This is a separate issue and we should probably not fork this forum thread into a new problem, but I will provide the information that I have:
Explanation of why "SHA Not Present" is being shown: "SHA Not Present" is displayed when an SoH Response is received from the server for an SHA that is not bound to the NAP Agent.
This can happen for three reasons:
- The SHA is not installed on the client.
- The SHA has not initialized.
- The health state reference (cached SoH) is stale.
For #1 the client computers will always have this problem and the only way to correct it is to install the SHA.
For #2 the client computers will have this problem when they reboot, but it will often resolve after a few minutes.
For #3 the client computers will have this problem sometimes when they reboot, but not always. It coincides with updates from Microsoft being released. If the computer is left on overnight then the problem doesn't usually happen.
You can check the state of the SHA by issuing a "netsh nap client show state" on the client. This will tell you if the SCCM SHA is installed and initialized.
-Greg
- Marked as answer by ArnavSharma, Friday, August 31, 2012 14:56
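Both of Greg's client-side checks above (the DHCP enforcement client being initialized, and the SHA being installed and initialized) come from the same "netsh nap client show state" output. The script below is an added example, not code from the thread or from Microsoft: it parses that output and reports the two conditions discussed here. The sample text is constructed to resemble the real "Key = Value" layout of netsh; the enforcement client ID 79617 and the SHA name are assumptions, and 79745 is the SHA ID quoted in the thread. Verify the field names against your own client's output.

```powershell
# Added example: summarise "netsh nap client show state" for the two
# failure modes in this thread. Sample output below is constructed.
function Get-NapClientEntries {
    param([string[]]$Lines)
    $entries = New-Object System.Collections.ArrayList
    $section = $null; $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^(?<name>[^=]+?):\s*$') {
            # Section heading such as "Enforcement client state:"
            $section = $Matches.name; $entry = $null
        } elseif ($line -match '^\s*(?<k>[^=]+?)\s*=\s*(?<v>.*)$') {
            $k = $Matches.k; $v = $Matches.v.Trim()
            # Each "Id = ..." opens a new block under the current heading
            if ($null -eq $entry -or ($k -eq 'Id' -and $entry.Contains('Id'))) {
                $entry = [ordered]@{ Section = $section }
                [void]$entries.Add($entry)
            }
            $entry[$k] = $v
        }
    }
    return $entries
}

function Test-NapDhcpReadiness {
    param([string[]]$Lines)
    $entries = Get-NapClientEntries -Lines $Lines
    $findings = @()
    $dhcpEc = $entries | Where-Object { $_.Section -like 'Enforcement client*' -and $_.Name -like 'DHCP*' }
    if (-not $dhcpEc) {
        $findings += 'DHCP enforcement client not listed on this client'
    } elseif ($dhcpEc.Initialized -ne 'Yes') {
        $findings += 'DHCP enforcement client not initialized: DHCP console will show NAP = Off'
    }
    foreach ($sha in ($entries | Where-Object { $_.Section -like 'System health agent*' })) {
        if ($sha.Initialized -ne 'Yes') {
            $findings += "SHA $($sha.Id) ($($sha.Name)) not initialized: expect 'SHA Not Present' until it starts"
        }
    }
    if (-not $findings) { $findings += 'Client looks NAP-ready for DHCP enforcement' }
    return $findings
}

# Constructed sample; on a real client use: Test-NapDhcpReadiness -Lines (netsh nap client show state)
$sample = @'
Client state:
----------------------------------------------------
Name                   = Network Access Protection Client
Status                 = Enabled

Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Initialized            = No

System health agent (SHA) state:
----------------------------------------------------
Id                     = 79745
Name                   = ConfigMgr System Health Agent (assumed name)
Initialized            = No
'@ -split "`r?`n"
Test-NapDhcpReadiness -Lines $sample
```

Run it on a client that shows NAP = Off in the DHCP console before looking at the scope or NPS policies; the thread's examples show the cause is usually on the client side.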
-
Friday, August 31, 2012 14:57
Thanks a lot Greg. Finally everything seems to be in place. :)

