Problem with DHCP NAP with separated Server

  • Question

  • Trying to set up DHCP NAP with two servers; here is the setup:

    DC1 - ADDS, DHCP Server, NPS role added, configured a Remote RADIUS Server Group to WS1, only one scope on DHCP, NAP Enabled. (10.10.1.1)

    WS1 - NPS role with DHCP NAP configured, DC1 as a RADIUS client (10.5.0.1)
    WS2 - DNS server hosting the restricted zone: restricted.domain.com (10.5.0.2)
    KV1 - Client computer trying to connect

    Aiming to distribute 10.5.0.2 as DNS server and restricted.systematic.com as the scope option if client is non-compliant.


    When I configured everything, the client computer simply can't obtain an IP address when NAP is enabled on the scope. When I disabled NAP on the scope, the client computer can obtain an IP immediately.

    I've tried the Step By Step before and was successful.

    I'd like to get through this as well

    Thank you
    Thursday, May 29, 2008 10:27 AM

Answers

  • Hi,

     

    Generally when a NAP-enabled DHCP client can't obtain a DHCP address from a NAP-enabled scope, this is a problem with a network policy setting - usually because the client doesn't match one or more of the conditions. When the client can't match a policy, it isn't allowed access to the network.

     

    One way to troubleshoot this is to configure a "failover" policy that will always match the client request. Use a condition such as time of day and allow all times. Have this policy last in the processing order so it will only be matched if all other policies do not match. If the client matches this policy, you know the DHCP request is reaching the correct place and you can begin troubleshooting the conditions in your other policies.

     

    I hope this helps.

    -Greg

     

    Thursday, May 29, 2008 6:31 PM
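
An added example, not part of the answer above: one way to see which policy a DHCP NAP request actually matched while using the catch-all policy approach. It assumes NPS auditing is enabled so that NPS writes its decisions to the Security log, PowerShell 3.0 or later, and an elevated session on the NPS server being checked; the one-hour window is an arbitrary choice.

```powershell
# Added example (not from the thread). Lists recent NPS decisions from the
# Security log with the policy names that matched each request.
# Assumption: NPS success/failure auditing is enabled on this server.
$npsEventNames = @{
    6272 = 'Access granted'
    6273 = 'Access denied'
    6274 = 'Request discarded'
    6276 = 'Client quarantined'
    6278 = 'Full access (health policy met)'
}

$filter = @{
    LogName   = 'Security'
    Id        = 6272, 6273, 6274, 6276, 6278
    StartTime = (Get-Date).AddHours(-1)   # arbitrary look-back window
}

$results = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named <Data> fields of the event into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }

        # Fields missing from a given event type simply come back empty.
        [pscustomobject]@{
            Time                    = $_.TimeCreated
            Decision                = $npsEventNames[[int]$_.Id]
            Client                  = $data['FullyQualifiedSubjectMachineName']
            RadiusClient            = $data['ClientName']
            ConnectionRequestPolicy = $data['ProxyPolicyName']
            NetworkPolicy           = $data['NetworkPolicyName']
            AuthenticationServer    = $data['AuthenticationServer']
            ReasonCode              = $data['ReasonCode']
            Reason                  = $data['Reason']
        }
    }

if (-not $results) {
    # Either nothing reached this server in the window or auditing is off.
    Write-Warning 'No NPS events found in the last hour on this server.'
} else {
    $results | Sort-Object Time | Format-Table -AutoSize -Wrap
}
```

If the only network policy that ever appears is the catch-all one, the request is reaching that server and the conditions in the earlier policies are what to examine next.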

All replies

  • Thank you very much Greg

    I forgot to forward the authentication from DC1

    Also, would you suggest a modification in the NAP_DHCP_StepbyStep guide?

    Adding a few remarks for people who want to use a separate server (like forwarding the authentication).


    Thanks .

    Regards
    Andrew.

    MCSE CCNP
    Friday, May 30, 2008 4:12 AM
  • Hi,

    I can add this the next time the step by step guide is updated - thanks for the suggestion. The next document that I'm trying to get published asap is the design and deployment guide, which will cover this scenario.

    -Greg
    Sunday, June 22, 2008 12:16 AM
  • Hello everyone,

    Could you please refer me to a link or a step by step guide on how to deploy NAP DHCP Enforcement on a separate DHCP server and NPS server? All I’m seeing are guides implementing NAP on the same box as DHCP. I hope you would still have the time for this. Thank you in advance!
    Monday, November 17, 2014 11:50 PM
  • Hi,

    NPS and DHCP must be installed on the same computer for NAP with DHCP enforcement to work.

    However, the instance of NPS that you install on the DHCP server can be a proxy. You just need to configure the proxy NPS (on the DHCP server) to forward all authentication requests to your other NPS server.

    http://technet.microsoft.com/en-us/library/cc772591.aspx

    Thanks,

    -Greg

    Tuesday, November 18, 2014 12:39 AM