Non-NAP Capable computers not being processed by Exceptions policy

  • Question

  • OK, next problem I am having. I have a policy set up for exceptions for non-NAP-capable computers, but this policy is not being processed. I add the computer to the domain (I created an Org Unit called Non Nap-capable Computers) and add it to my exception group (called NAP Computer Exceptions, set up as Global/Security). This group is added as one of the Machine Groups on the Conditions tab under Network Policies, yet when I check the logs the computer is always processed as non-NAP-capable. I even have the Exceptions policy set as the first one to be processed, but the non-NAP-capable policy is the one that gets processed; it is 4th in the list. This happens with both Vista SP2 and XP SP3 computers.
    • Edited by Lefty777 Monday, June 29, 2009 12:57 PM
    Monday, June 29, 2009 12:53 PM

Answers

  • Hi,

    The latest information is that the DHCP packet sent when the client is non NAP-capable doesn't contain the FQDN, which it needs to be recognized in a domain security group. Only the machine name is sent. One way of working around this would be to use the MAC address instead, but I know this isn't really an acceptable solution. We are still looking into it and perhaps there is another workaround such as a registry key that can be set to enable sending the FQDN. If not, this may require a patch.

    -Greg
    Wednesday, July 22, 2009 10:12 PM

All replies

  • Hi,

    Add the group as a condition to your non-NAP capable policy and see if these computers continue to match that policy. If not, then the condition isn't configured right.

    I imagine you've done this, but after adding a computer to a new security group you must reboot the computer in order to apply the membership. Run gpresult and make sure you see this group membership.

    -Greg
    Friday, July 3, 2009 7:23 AM
  • I did a gpresult and found the computer was not in the group, so I added the computer through My Computer/Properties/Computer Name (using XP SP3) to get it into the domain and then added it to the NAP Computer Exceptions group; when I then run gpresult it shows up in the group. I am still not having the NAP Computer Exception policy processed. I have this policy set up as simply as one can be set up, and it is first in the processing list. In the Overview tab I have the policy Enabled; under Access permission I have Grant Access; and under Type of Network Access Server I have DHCP server. Under the Conditions tab I have only one condition, with a Condition of Machine Groups and a Value of GNB\NAP Computer Exceptions. I have verified that this computer is part of that group through gpresult. Not sure what else I can check or do to remedy this.
    Monday, July 6, 2009 1:23 PM
  • Hi,

    Add the computer group condition to the non-NAP capable policy and see if it still matches. Let me know what happens.

    Also please post the output of "netsh nps show config" from your NPS server to help troubleshoot.

    -Greg
    Tuesday, July 7, 2009 4:22 AM
  • When I add that condition to the non-NAP-capable policy it now tells me this connection request does not match any of the network policies. I know you earlier said this means it is not set up correctly, but I do not know where I could have gone wrong. This tells me it thinks this computer is not part of the NAP Computer Exceptions group, but it is. Anyway, I am also attaching the information you requested; hope you see something I am not.

    C:\Windows\system32>netsh nps show config

    Connection request policy configuration:
    ---------------------------------------------------------
    Name             = Use Windows authentication for all users
    State            = Enabled
    Processing order = 2
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Auth-Provider-Type                      0x1025      "0x1"

    Connection request policy configuration:
    ---------------------------------------------------------
    Name             = NAP DHCP
    State            = Enabled
    Processing order = 1
    Policy source    = 3

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Auth-Provider-Type                      0x1025      "0x1"
    Override-RAP-Auth                       0x1fb0      "FALSE"

    Event log configuration:
    ---------------------------------------------------------
    Accepted authentication requests = Enabled
    Rejected authentication requests = Enabled

    File log configuration:
    ---------------------------------------------------------
    Accounting                     = Enabled
    Authentication                 = Enabled
    Periodic accounting status     = Enabled
    Periodic authentication status = Enabled
    Directory                      = C:\Windows\system32\LogFiles
    Format                         = ODBC formatting
    Delete old logs                = Enabled
    Frequency                      = Monthly logs
    Max size                       = 10 MB

    Ports configuration:
    ---------------------------------------------------------
    Accounting ports     = 1813,1646
    Authentication ports = 1812,1645

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Connections to other access servers
    State            = Enabled
    Processing order = 6
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "FALSE"
    NP-Authentication-Type                  0x1009      "0x3" "0x4" "0x9" "0xa"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Connections to Microsoft Routing and Remote Access server
    State            = Enabled
    Processing order = 5
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1033      "^311$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "FALSE"
    NP-Allowed-EAP-Type                     0x100a      "0D000000000000000000000000000000"
    NP-Authentication-Type                  0x1009      "0x5" "0x4" "0xa" "0x3" "0x9"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    MS-Filter                               0x102f

            ===============================================================
            IPFILTER_IPV4INFILTER   Action: DENY
            ---------------------------------------------------------------
            Address . . . . . : 0.0.0.0
            Mask. . . . . . . : 0.0.0.0
            Protocol. . . . . : 0
            Source Port . . . : 0
            Destination Port. : 0
            ---------------------------------------------------------------

    MS-MPPE-Encryption-Policy               0xffffffa7  "0x2"
    MS-MPPE-Encryption-Types                0xffffffa6  "0xe"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = NAP DHCP Compliant
    State            = Enabled
    Processing order = 2
    Policy source    = 3

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbd      "NAP DHCP Compliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    MS-Extended-Quarantine-State            0x1fd9      "0x0"
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x7"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "FALSE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    Saved-Machine-HealthCheck-Only          0x1fdc      "0x1"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = NAP DHCP Noncompliant
    State            = Enabled
    Processing order = 3
    Policy source    = 3

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbd      "NAP DHCP Noncompliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    MS-Extended-Quarantine-State            0x1fd9      "0x0"
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x7"
    Quarantine-Fixup-Servers-Configuration  0x1fc2      "NAP Client Services"
    MS-Quarantine-State                     0x1faf      "0x1"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    Saved-Machine-HealthCheck-Only          0x1fdc      "0x1"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = NAP DHCP Non NAP-Capable Exceptions
    State            = Enabled
    Processing order = 1
    Policy source    = 3

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fb4      "S-1-5-21-4191016595-1503350669-2086681662-145014"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    MS-Extended-Quarantine-State            0x1fd9      "0x0"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x7"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "FALSE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    Saved-Machine-HealthCheck-Only          0x1fdc      "0x1"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = NAP DHCP Non NAP-Capable
    State            = Enabled
    Processing order = 4
    Policy source    = 3

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbb      "^1$"
    Condition1                              0x1fb4      "S-1-5-21-4191016595-1503350669-2086681662-145014"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x7"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "FALSE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    Saved-Machine-HealthCheck-Only          0x1fdc      "0x1"

    Remediation server configuration:
    ---------------------------------------------------------
    Group   = NAP Client Services
    Address = 142.139.11.25
    Name    = Domain Controller

    Remediation server configuration:
    ---------------------------------------------------------
    Group   = NAP Client Services
    Address = 142.139.17.130
    Name    = EPO Server

    Remediation server configuration:
    ---------------------------------------------------------
    Group   = NAP Client Services
    Address = 142.139.19.166
    Name    = WSUS Server

    SHV configuration:
    ---------------------------------------------------------
    Id                             = 79744
    Name                           = Windows Security Health Validator

    Vendor                         = Microsoft Corporation

    Description                    = The Windows Security Health Validator defines the policy that client computers must be compliant with.

    Version                        = 1.0

    Policy server unreachable      = Noncompliant
    Remediation server unreachable = Noncompliant
    System Health Agent failure    = Noncompliant
    NAP server failure             = Noncompliant
    Other errors                   = Noncompliant

    Health policy configuration:
    ---------------------------------------------------------
    Name          = NAP DHCP Compliant
    Configuration = All must pass
    Id            = 79744

    Health policy configuration:
    ---------------------------------------------------------
    Name          = NAP DHCP Noncompliant
    Configuration = One or more must fail
    Id            = 79744

    SQL log configuration:
    ---------------------------------------------------------
    Connection                     =
    Description                    =
    Accounting                     = Enabled
    Authentication                 = Enabled
    Periodic accounting status     = Enabled
    Periodic authentication status = Enabled
    Max sessions                   = 2

    Ok.


    C:\Windows\system32>

    Tuesday, July 7, 2009 11:03 AM
  • Good morning, I have not heard anything back since last Tuesday. Is there a solution to this problem, or is it still being investigated?
    Thursday, July 16, 2009 1:19 PM
  • Hi,

    Sorry for the delay in answering.

    I've reproduced your scenario and this may be a bug. I'll need to have others reproduce it and see if they have an explanation or if it is truly a bug.

    I noticed the following behavior:

    --> A policy configured with *only* a computer group condition that is placed at the top of the processing order will match a DHCP NAP client access request, but only if the computer is NAP-capable and is a member of the security group used in the condition.

    Essentially, this verifies that the computer group condition is working as expected with NAP-capable systems.

    I set the policy to quarantine (provide limited access) for any computer that matched the condition. Immediately I see this policy works because a NAP-capable compliant computer that is a member of the security group will be provided with a restricted IP address (255.255.255.255 netmask). If I stop napagent and release/renew the IP address the computer will immediately fail to match this policy even though there is no other condition than the computer group.

    I'll send this on to the product team right away for investigation and let you know what they find out.

    Thanks for noticing this! I'll keep you apprised here of anything we find out. For now, it appears that a group condition isn't working with DHCP enforcement when the client is non NAP-capable.

    -Greg
    Thursday, July 16, 2009 8:51 PM
  • Good morning. Yes, just to confirm a few things you seem to have tried already, this might be the problem. I added a condition to the NAP Compliant policy that all computers must also belong to the group NAP Enforced Computers; this is the group I use to apply the policies needed by NAP clients. This policy was still processed, so I was able to eliminate the idea that maybe NAP was not processing conditions with computer groups in them.
    With my Exceptions policy I removed the condition that they needed to belong to the NAP Computer Exceptions group and created the condition that they needed to be non-NAP-capable, and that condition began to be processed. I removed the non-NAP-capable condition, put back the condition that they belong to the NAP Computer Exceptions group, and then made that computer NAP-capable, and it began processing the Exceptions policy.

    From all this it seems you are bang on that, for some reason, when a computer is non-NAP-capable it will not process conditions that contain computer groups. Hope you find an explanation or workaround.

    Monday, July 20, 2009 10:50 AM
  • Hi,

    I marked this as answered for now. If there is a workaround I will provide it. Currently this is under investigation and there is no available solution.

    -Greg
    Sunday, July 26, 2009 5:19 AM
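To make the matching behaviour discussed in this thread concrete, the following is an added example (not code from the thread, from Microsoft, or from NPS itself). It replays the experiments described above against a first-match model of the four NAP network policies in the posted `netsh nps show config` output: policies are tried in processing order, and the first one whose conditions all match wins. The condition attribute IDs (0x1fb4, 0x1fbb, 0x1fbd), policy names and the group SID are taken from the posted output. Assumptions: that value "1" for attribute 0x1fbb means "not NAP-capable", that the Machine Groups condition can only resolve a computer account from an FQDN (the cause Greg reports, so a bare host name matches no group), the domain suffix gnb.local (only the NetBIOS name GNB appears in the thread) and the host names. The two built-in RRAS and "other access servers" policies are left out of the model.

```python
"""Added example: first-match evaluation of the DHCP NAP network policies posted in this thread.

Model: policies are tried in processing order and the first one whose conditions ALL match wins.
The Machine Groups condition is modelled as needing an FQDN to resolve the computer account;
a bare host name (what a non-NAP-capable DHCP client sends, per the thread) resolves to nothing.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Condition attribute IDs exactly as they appear in the posted `netsh nps show config` output.
MACHINE_GROUPS = 0x1FB4  # value is a group SID (the "Machine Groups" condition)
NAP_CAPABLE = 0x1FBB     # value "^1$" on the "Non NAP-Capable" policy; ASSUMED: "1" = not NAP-capable
HEALTH_POLICY = 0x1FBD   # value is the name of a health policy

EXCEPTIONS_SID = "S-1-5-21-4191016595-1503350669-2086681662-145014"  # SID from the posted config


@dataclass(frozen=True)
class Policy:
    name: str
    order: int
    conditions: dict  # attribute id -> condition value string


@dataclass(frozen=True)
class Request:
    identity: str          # FQDN for NAP-capable clients; bare host name otherwise (per the thread)
    nap_capable: bool
    health: Optional[str]  # health policy the SoH evaluated to; None when no SoH was sent


# Constructed directory: computer accounts keyed by FQDN -> SIDs of the groups they belong to.
# The suffix "gnb.local" and the host names are assumptions for the example.
DIRECTORY = {
    "xpclient.gnb.local": {EXCEPTIONS_SID},  # member of "NAP Computer Exceptions"
    "vistaclient.gnb.local": set(),          # not a member
}


def condition_matches(attr: int, value: str, req: Request) -> bool:
    """Evaluate one condition attribute against the request (assumed semantics, see above)."""
    if attr == MACHINE_GROUPS:
        account = DIRECTORY.get(req.identity)  # a bare host name is not a key -> no account -> False
        return account is not None and value in account
    if attr == NAP_CAPABLE:
        return re.search(value, "0" if req.nap_capable else "1") is not None
    if attr == HEALTH_POLICY:
        return req.health == value
    raise ValueError(f"unknown condition attribute 0x{attr:x}")


def evaluate(policies, req: Request) -> Optional[str]:
    """Return the name of the first policy (by processing order) whose conditions all match."""
    for pol in sorted(policies, key=lambda p: p.order):
        if all(condition_matches(a, v, req) for a, v in pol.conditions.items()):
            return pol.name
    return None  # what NPS logs as "does not match any of the network policies"


# The four NAP policies from the posted config, before the group SID was added to policy 4.
POLICIES = [
    Policy("NAP DHCP Non NAP-Capable Exceptions", 1, {MACHINE_GROUPS: EXCEPTIONS_SID}),
    Policy("NAP DHCP Compliant", 2, {HEALTH_POLICY: "NAP DHCP Compliant"}),
    Policy("NAP DHCP Noncompliant", 3, {HEALTH_POLICY: "NAP DHCP Noncompliant"}),
    Policy("NAP DHCP Non NAP-Capable", 4, {NAP_CAPABLE: "^1$"}),
]

# Variant with Greg's diagnostic applied: the group SID also required on policy 4 (as in the posted output).
POLICIES_WITH_GROUP_ON_4 = POLICIES[:3] + [
    Policy("NAP DHCP Non NAP-Capable", 4, {NAP_CAPABLE: "^1$", MACHINE_GROUPS: EXCEPTIONS_SID}),
]


def scenarios() -> dict:
    """Replay the thread's experiments; keys describe the client, values are the matched policy."""
    member_nap = Request("xpclient.gnb.local", nap_capable=True, health="NAP DHCP Compliant")
    member_no_nap = Request("xpclient", nap_capable=False, health=None)  # napagent stopped: host name only
    other_nap = Request("vistaclient.gnb.local", nap_capable=True, health="NAP DHCP Noncompliant")
    return {
        "member, NAP-capable": evaluate(POLICIES, member_nap),
        "member, non-NAP-capable": evaluate(POLICIES, member_no_nap),
        "member, non-NAP-capable, group also on #4": evaluate(POLICIES_WITH_GROUP_ON_4, member_no_nap),
        "non-member, NAP-capable, noncompliant": evaluate(POLICIES, other_nap),
    }


if __name__ == "__main__":
    for label, hit in scenarios().items():
        print(f"{label:45} -> {hit}")
```

Run as a script, the first scenario lands on the Exceptions policy (the NAP-capable case that worked), the second falls through to "NAP DHCP Non NAP-Capable" as in the original report, the third returns None, which is the "does not match any of the network policies" result seen once the group condition was added to policy 4, and the fourth shows an ordinary noncompliant NAP-capable client still reaching the Noncompliant policy. The point the model makes is that a group condition is not a safe exception mechanism for clients whose request does not carry a resolvable identity: a condition that cannot be evaluated is simply a non-match, and processing moves on to the next policy.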