Non-NAP Capable computers not being processed by Exceptions policy

Question
OK, next problem I am having. I have a policy set up for exceptions for non NAP-capable computers, but this policy is not being processed. I add the computer to the domain (I created an Org Unit called Non Nap-capable Computers), then add it to my exception group (called NAP Computer Exceptions, set up as Global/Security). This group is added as one of the Machine Groups on the Conditions tab under Network Policies, yet when I check the logs the computer is always processed as non NAP-capable. I even have the Exceptions policy set as the first one to be processed, but the non NAP-capable policy is the one that gets processed; it is 4th in the list. This happens with both Vista SP2 and XP SP3 computers.
- Edited by Lefty777 Monday, June 29, 2009 12:57 PM
Monday, June 29, 2009 12:53 PM
Answers
Hi,
The latest information is that the DHCP packet sent when the client is non NAP-capable doesn't contain the FQDN, which it needs to be recognized in a domain security group. Only the machine name is sent. One way of working around this would be to use the MAC address instead, but I know this isn't really an acceptable solution. We are still looking into it and perhaps there is another workaround such as a registry key that can be set to enable sending the FQDN. If not, this may require a patch.
-Greg-
Marked as answer by Greg Lindsay (Microsoft employee) Sunday, July 26, 2009 5:18 AM
Wednesday, July 22, 2009 10:12 PM
All replies
Hi,
Add the group as a condition to your non-NAP capable policy and see if these computers continue to match that policy. If not, then the condition isn't configured right.
I imagine you've done this, but after adding a computer to a new security group you must reboot the computer in order to apply the membership. Run gpresult and make sure you see this group membership.
-Greg-
Proposed as answer by Greg Lindsay (Microsoft employee) Friday, July 3, 2009 7:23 AM
Friday, July 3, 2009 7:23 AM
I did a gpresult and found the computer was not in the group, so I added the computer through My Computer/Properties/Computer Name (using XP SP3) to get it into the domain, and then added it to the NAP Computer Exceptions group. When I then run gpresult it is showing up in the group. I am still not having the NAP Computer Exceptions policy processed. I have this policy set up as simply as one can be set up; it is 1st in the processing list. In the Overview tab, I have the policy Enabled, under Access permission I have Grant Access, and under Type of Network Access Server I have DHCP server. Under the Conditions tab I only have one condition, with a Condition of Machine Groups and a Value of GNB\NAP Computer Exceptions. I have verified that this computer is part of that group through gpresult. Not sure what else I can check or do to remedy this.
Monday, July 6, 2009 1:23 PM
-
Hi,
Add the computer group condition to the non-NAP capable policy and see if it still matches. Let me know what happens.
Also please post the output of "netsh nps show config" from your NPS server to help troubleshoot.
-Greg-
Tuesday, July 7, 2009 4:22 AM
When I add that condition to the non NAP-capable policy it now tells me this connection request does not match any of the network policies. I know you earlier said this means it is not set up correctly, but I do not know where I could have gone wrong. This tells me it thinks this computer is not part of the NAP Computer Exceptions group, but it is. Anyway, I am also attaching the information you requested; hope you see something I am not.
C:\Windows\system32>netsh nps show config
Connection request policy configuration:
---------------------------------------------------------
Name = Use Windows authentication for all users
State = Enabled
Processing order = 2
Policy source = 0
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1006 "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"
Profile attributes:
Name Id Value
---------------------------------------------------------
Auth-Provider-Type 0x1025 "0x1"
Connection request policy configuration:
---------------------------------------------------------
Name = NAP DHCP
State = Enabled
Processing order = 1
Policy source = 3
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1006 "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"
Profile attributes:
Name Id Value
---------------------------------------------------------
Auth-Provider-Type 0x1025 "0x1"
Override-RAP-Auth 0x1fb0 "FALSE"
Event log configuration:
---------------------------------------------------------
Accepted authentication requests = Enabled
Rejected authentication requests = Enabled
File log configuration:
---------------------------------------------------------
Accounting = Enabled
Authentication = Enabled
Periodic accounting status = Enabled
Periodic authentication status = Enabled
Directory = C:\Windows\system32\LogFiles
Format = ODBC formatting
Delete old logs = Enabled
Frequency = Monthly logs
Max size = 10 MB
Ports configuration:
---------------------------------------------------------
Accounting ports = 1813,1646
Authentication ports = 1812,1645
Network policy configuration:
---------------------------------------------------------
Name = Connections to other access servers
State = Enabled
Processing order = 6
Policy source = 0
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1006 "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"
Profile attributes:
Name Id Value
---------------------------------------------------------
NP-Allow-Dial-in 0x100f "FALSE"
NP-Authentication-Type 0x1009 "0x3" "0x4" "0x9" "0xa"
Quarantine-Update-Non-Compliant 0x1fc8 "TRUE"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"
Network policy configuration:
---------------------------------------------------------
Name = Connections to Microsoft Routing and Remote Access server
State = Enabled
Processing order = 5
Policy source = 0
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1033 "^311$"
Profile attributes:
Name Id Value
---------------------------------------------------------
NP-Allow-Dial-in 0x100f "FALSE"
NP-Allowed-EAP-Type 0x100a "0D000000000000000000000000000000"
NP-Authentication-Type 0x1009 "0x5" "0x4" "0xa" "0x3" "0x9"
Quarantine-Update-Non-Compliant 0x1fc8 "TRUE"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"
MS-Filter 0x102f
===============================================================
IPFILTER_IPV4INFILTER Action: DENY
---------------------------------------------------------------
Address . . . . . : 0.0.0.0
Mask. . . . . . . : 0.0.0.0
Protocol. . . . . : 0
Source Port . . . : 0
Destination Port. : 0
---------------------------------------------------------------
MS-MPPE-Encryption-Policy 0xffffffa7 "0x2"
MS-MPPE-Encryption-Types 0xffffffa6 "0xe"
Network policy configuration:
---------------------------------------------------------
Name = NAP DHCP Compliant
State = Enabled
Processing order = 2
Policy source = 3
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1fbd "NAP DHCP Compliant"
Profile attributes:
Name Id Value
---------------------------------------------------------
MS-Extended-Quarantine-State 0x1fd9 "0x0"
Ignore-User-Dialin-Properties 0x1005 "TRUE"
NP-Allow-Dial-in 0x100f "TRUE"
NP-Authentication-Type 0x1009 "0x7"
MS-Quarantine-State 0x1faf "0x0"
Quarantine-Update-Non-Compliant 0x1fc8 "FALSE"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"
Saved-Machine-HealthCheck-Only 0x1fdc "0x1"
Network policy configuration:
---------------------------------------------------------
Name = NAP DHCP Noncompliant
State = Enabled
Processing order = 3
Policy source = 3
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1fbd "NAP DHCP Noncompliant"
Profile attributes:
Name Id Value
---------------------------------------------------------
MS-Extended-Quarantine-State 0x1fd9 "0x0"
Ignore-User-Dialin-Properties 0x1005 "TRUE"
NP-Allow-Dial-in 0x100f "TRUE"
NP-Authentication-Type 0x1009 "0x7"
Quarantine-Fixup-Servers-Configuration 0x1fc2 "NAP Client Services"
MS-Quarantine-State 0x1faf "0x1"
Quarantine-Update-Non-Compliant 0x1fc8 "TRUE"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"
Saved-Machine-HealthCheck-Only 0x1fdc "0x1"
Network policy configuration:
---------------------------------------------------------
Name = NAP DHCP Non NAP-Capable Exceptions
State = Enabled
Processing order = 1
Policy source = 3
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1fb4 "S-1-5-21-4191016595-1503350669-2086681662-145014"
Profile attributes:
Name Id Value
---------------------------------------------------------
MS-Extended-Quarantine-State 0x1fd9 "0x0"
NP-Allow-Dial-in 0x100f "TRUE"
NP-Authentication-Type 0x1009 "0x7"
MS-Quarantine-State 0x1faf "0x0"
Quarantine-Update-Non-Compliant 0x1fc8 "FALSE"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"
Saved-Machine-HealthCheck-Only 0x1fdc "0x1"
Network policy configuration:
---------------------------------------------------------
Name = NAP DHCP Non NAP-Capable
State = Enabled
Processing order = 4
Policy source = 3
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1fbb "^1$"
Condition1 0x1fb4 "S-1-5-21-4191016595-1503350669-2086681662-145014"
Profile attributes:
Name Id Value
---------------------------------------------------------
NP-Allow-Dial-in 0x100f "TRUE"
NP-Authentication-Type 0x1009 "0x7"
MS-Quarantine-State 0x1faf "0x0"
Quarantine-Update-Non-Compliant 0x1fc8 "FALSE"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"
Saved-Machine-HealthCheck-Only 0x1fdc "0x1"
Remediation server configuration:
---------------------------------------------------------
Group = NAP Client Services
Address = 142.139.11.25
Name = Domain Controller
Remediation server configuration:
---------------------------------------------------------
Group = NAP Client Services
Address = 142.139.17.130
Name = EPO Server
Remediation server configuration:
---------------------------------------------------------
Group = NAP Client Services
Address = 142.139.19.166
Name = WSUS Server
SHV configuration:
---------------------------------------------------------
Id = 79744
Name = Windows Security Health Validator
Vendor = Microsoft Corporation
Description = The Windows Security Health Validator defines the policy that client computers must be compliant with.
Version = 1.0
Policy server unreachable = Noncompliant
Remediation server unreachable = Noncompliant
System Health Agent failure = Noncompliant
NAP server failure = Noncompliant
Other errors = Noncompliant
Health policy configuration:
---------------------------------------------------------
Name = NAP DHCP Compliant
Configuration = All must pass
Id = 79744
Health policy configuration:
---------------------------------------------------------
Name = NAP DHCP Noncompliant
Configuration = One or more must fail
Id = 79744
SQL log configuration:
---------------------------------------------------------
Connection =
Description =
Accounting = Enabled
Authentication = Enabled
Periodic accounting status = Enabled
Periodic authentication status = Enabled
Max sessions = 2
Ok.
C:\Windows\system32>
Tuesday, July 7, 2009 11:03 AM
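A small parser, added here and not part of the thread or of NPS itself, that reads the network-policy section of a `netsh nps show config` dump like the one above into processing order and condition ids, so the ordering and conditions Greg asked about can be checked directly rather than by eye; it assumes the row layout shown in the dump and that attribute id 0x1fb4 is the one carrying the group SID (inferred from this dump, where it is the Exceptions policy's only condition).

```python
import re

# Constructed excerpt in the layout of the dump above; names, ids and SID copied from it.
SAMPLE = """Network policy configuration:
---------------------------------------------------------
Name = NAP DHCP Non NAP-Capable Exceptions
Processing order = 1
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1fb4 "S-1-5-21-4191016595-1503350669-2086681662-145014"
Network policy configuration:
---------------------------------------------------------
Name = NAP DHCP Non NAP-Capable
Processing order = 4
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1fbb "^1$"
Condition1 0x1fb4 "S-1-5-21-4191016595-1503350669-2086681662-145014"
Remediation server configuration:
"""

# Condition rows are named ConditionN; profile attribute rows (NP-Allow-Dial-in, ...) are not.
COND_RE = re.compile(r'^Condition\d+\s+(0x[0-9a-fA-F]+)\s+(.*)$')

def parse_network_policies(text):
    """Network policies sorted by processing order; conditions map attribute id -> quoted values."""
    policies, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Network policy configuration:":
            cur = {"name": None, "order": None, "conditions": {}}
            policies.append(cur)
        elif line.endswith("configuration:"):
            cur = None  # any other section (remediation servers, SHV, ...) ends the policy list
        elif cur is None:
            continue
        elif line.startswith("Name = "):
            cur["name"] = line[len("Name = "):]
        elif line.startswith("Processing order = "):
            cur["order"] = int(line.split("=")[1])
        elif m := COND_RE.match(line):
            cur["conditions"][m.group(1)] = re.findall(r'"([^"]*)"', m.group(2))
    return sorted(policies, key=lambda p: p["order"])

MACHINE_GROUPS = "0x1fb4"  # id carrying the group SID in this thread's dump (Machine Groups)

def machine_group_only(policies):
    """Policies whose sole condition is a machine group, the case this thread found never matches."""
    return [p["name"] for p in policies if set(p["conditions"]) == {MACHINE_GROUPS}]
```

Run against a full dump, the list it returns is the order NPS evaluates the policies in, and the policies it flags are the ones to test first when a non NAP-capable client falls through.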
Good morning, I have not heard anything back since last Tuesday. Is there a solution to this problem or is it still being investigated???
Thursday, July 16, 2009 1:19 PM
Hi,
Sorry for the delay in answering.
I've reproduced your scenario and this may be a bug. I'll need to have others reproduce it and see if they have an explanation or if it is truly a bug.
I noticed the following behavior:
--> A policy configured with *only* a computer group condition that is placed at the top of the processing order will match a DHCP NAP client access request, but only if the computer is NAP-capable and is a member of the security group used in the condition.
Essentially, this verifies that the computer group condition is working as expected with NAP-capable systems.
I set the policy to quarantine (provide limited access) for any computer that matched the condition. Immediately I see this policy works because a NAP-capable compliant computer that is a member of the security group will be provided with a restricted IP address (255.255.255.255 netmask). If I stop napagent and release/renew the IP address the computer will immediately fail to match this policy even though there is no other condition than the computer group.
I'll send this on to the product team right away for investigation and let you know what they find out.
Thanks for noticing this! I'll keep you apprised here of anything we find out. For now, it appears that a group condition isn't working with DHCP enforcement when the client is non NAP-capable.
-Greg-
Edited by Greg Lindsay (Microsoft employee) Thursday, July 16, 2009 8:55 PM (detail)
Thursday, July 16, 2009 8:51 PM
Good morning. Yes, just to confirm a few things you seemed to have tried already, this might be the problem. I added a condition to the NAP Compliant policy that all computers must also belong to the group NAP Enforced Computers; this is the group I use to apply the policies needed by NAP clients. This policy was still processed, so I was able to eliminate the idea that maybe NAP was not processing conditions with computer groups in them.
With my Exceptions policy I removed the condition that they needed to belong to the NAP Computer Exceptions group and created the condition that they needed to be non NAP-capable, and that condition began to be processed. I removed the non NAP-capable condition, put back the condition that they belong to the NAP Computer Exceptions group, and then made that computer NAP capable, and it began processing the Exceptions policy.
From all this it seems you are bang on that for some reason, when a computer is non NAP-capable, it will not process conditions that contain Computer groups. Hope you find an explanation or work around.
Monday, July 20, 2009 10:50 AM
Hi,
I marked this as answered for now. If there is a workaround I will provide it. Currently this is under investigation and there is no available solution.
-Greg-
Sunday, July 26, 2009 5:19 AM