NAP DHCP Deployment - Different Subnet

  • Question

  • Dear All,

    I've tried to deploy DHCP Enforcement NAP following the provided DHCP NAP Deployment Guide. The NAP environment is on a different subnet, i.e. the DHCP+NPS server and the remediation (DC) server are located on 192.168.1.0/24 and the clients are located on 192.168.2.0/24 and 192.168.3.0/24. I allocated "restricted.mydomain.com" to the subnets 192.168.253.0/24 and 192.168.254.0/24. Before that, the existing DHCP server and VLAN settings were provided by a Cisco server for the whole 192.168.0.0/16 network, and a WINS server also exists and is required.

    First, I installed the DHCP + NPS roles on the NAP server (Windows Server 2008 x64 Enterprise). I used the existing DC as the remediation server (Windows Server 2008 x64 Enterprise). I allocated 2 scopes, 192.168.253.0/24 and 192.168.254.0/24, as the DHCP scopes managed by the NAP server for restricted clients. My locale settings for those two servers are non-English.

    Then I configured it according to DHCP NAP Deployment Guide.doc, which included adding the client to the NAP Client Computer Group and adding the Router option on the Default User Class and the Default NAP Class in dhcpmgmt. For trial reasons, I still set DHCP Non-NAP Eligible clients to have full network access.

    After the group policy was applied to the client (XP SP3, updated to March 2011), the NAP Agent started automatically, and here is the "netsh nap client show state" result:

    Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Not restricted
    Troubleshooting URL    =
    Restriction start time =
    Extended state         =

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes

    Id                     = 79618
    Name                   = Remote Access Quarantine Enforcement Client
    Description            = Provides the quarantine enforcement for RAS Client
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79619
    Name                   = IPSec Relying Party
    Description            = Provides IPSec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79620
    Name                   = Wireless Eapol Quarantine Enforcement Client
    Description            = Provides wireless Eapol based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79621
    Name                   = TS Gateway Quarantine Enforcement Client
    Description            = Provides TS Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides EAP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent
    Description            = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 0
    Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating its security state.
    Compliance results     =
    Remediation results    =

    Ok.

    And here is "netsh nap client show grouppolicy" result:

    NAP client configuration (group policy):
    ----------------------------------------------------

    NAP client configuration:
    ----------------------------------------------------

    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048

    Hash algorithm = sha1RSA (1.3.14.3.2.29)

    Enforcement clients:
    ----------------------------------------------------
    Name            = DHCP Quarantine Enforcement Client
    ID              = 79617
    Admin           = Enabled

    Name            = Remote Access Quarantine Enforcement Client
    ID              = 79618
    Admin           = Disabled

    Name            = IPSec Relying Party
    ID              = 79619
    Admin           = Disabled

    Name            = Wireless Eapol Quarantine Enforcement Client
    ID              = 79620
    Admin           = Disabled

    Name            = TS Gateway Quarantine Enforcement Client
    ID              = 79621
    Admin           = Disabled

    Name            = EAP Quarantine Enforcement Client
    ID              = 79623
    Admin           = Disabled

    Client tracing:
    ----------------------------------------------------
    State = Disabled
    Level = Disabled

    Ok.

    I tried disabling the firewall and the automatic updates service on one client, as the SHV health settings are set to those two. After that, its network suffix still has not changed to "restricted.mydomain.com". Its IP is still 192.168.2.X. And also I didn't find any events (zero events) for the NPS role in the NPS server event viewer.

    Please kindly help me find a solution to my problem.

    Big thanks.

    Tuesday, March 22, 2011 7:56 AM

Answers

All replies

  • Hi Customer,


    Have you configured the DHCP 003 Router option in the Default NAP Class? It needs to be set up when the non-compliant client is in a different subnet.


    Network Access Is Not Restored After Remediation

    http://technet.microsoft.com/en-us/library/dd363563(WS.10).aspx 


    Just changing the SHV health setting on the NPS server does not trigger the client to take effect. The client needs a change in its security center status (firewall/update/antivirus setting), or a restart of the NAP Agent service/server, to activate the client NAP status check with the NPS server.


    There is a step-by-step NAP DHCP guide (same subnet) you could take as a reference.


    Step-by-Step Guide: Demonstrate NAP DHCP Enforcement in a Test Lab

    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=ac38e5bb-18ce-40cb-8e59-188f7a198897&displaylang=en


    Regards, Rick Tan
    • Marked as answer by Rick Tan Tuesday, March 29, 2011 2:01 AM
    Wednesday, March 23, 2011 9:51 AM
  • Thanks for your immediate reply. I took a break from my work for awhile.

    I have set the DHCP 003 Router option for my Default NAP Class, and it is still not working: no DHCP event and also no NAP event is seen on my NAP server. One thing that I still do not understand: is it possible to use an existing DHCP provider (Cisco router, Linux server, etc.) to work with the Windows Server NAP / NPS server, without transferring the DHCP role for the whole network to the NPS server?

    Thursday, March 31, 2011 9:45 PM
  • Hi Customer,

    DHCP NAP needs the Windows DHCP role, because Windows 2008 can set up the NAP function on a specific DHCP scope. When the DHCP server receives a NAP-enabled client's DHCP request or health state request, it forwards the message to NPS for analysis. If a router or a Linux server works as the DHCP provider, it cannot be configured as a NAP-enabled DHCP server.

    DHCP Enforcement Example

    http://technet.microsoft.com/en-us/library/dd125379(WS.10).aspx



    Regards, Rick Tan
    Friday, April 1, 2011 2:49 AM
  • Hi,

    If DHCP option 003 is already configured, then configure option 121 (Classless Static Route) for all the scopes.

    The issue will get resolved.

    Regards,

    Arnav Sharma

    • Proposed as answer by arnavsharma Monday, October 1, 2012 8:23 AM
    Monday, October 1, 2012 8:23 AM
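    As an added illustration of what the two replies above rely on (option 003 Router in the Default NAP Class and option 121 Classless Static Route), here is an encoder/decoder for the RFC 3442 wire format of option 121 that a restricted client on another subnet would receive. This is example code, not code from the thread or from Microsoft; the restricted scope 192.168.253.0/24 and the remediation network 192.168.1.0/24 come from the question, while the router address 192.168.253.1 is an assumed placeholder.

```python
"""Encode/decode DHCP option 121 (Classless Static Route, RFC 3442).

Worked example added to this thread, not Microsoft's code. It shows the
bytes a DHCP server hands a restricted NAP client so that the client can
still reach the remediation network on a different subnet.
"""
import ipaddress

# Constructed sample values: the restricted scope and remediation network
# are from the question; the router address is an assumed placeholder.
RESTRICTED_ROUTER = "192.168.253.1"
REMEDIATION_NET = "192.168.1.0/24"


def encode_option_121(routes):
    """routes: list of (destination CIDR, router IP) tuples.

    RFC 3442 encodes each route as: 1 byte prefix length, then only the
    significant octets of the destination (ceil(prefix/8) of them), then
    the 4-byte router. A /0 default route carries no destination octets.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option_121(data):
    """Inverse of encode_option_121; rejects truncated or malformed input."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError("prefix length %d out of range" % plen)
        sig = (plen + 7) // 8
        if i + sig + 4 > len(data):
            raise ValueError("truncated route descriptor at offset %d" % i)
        dest = bytes(data[i:i + sig]) + b"\x00" * (4 - sig)  # restore host octets
        router = ipaddress.IPv4Address(bytes(data[i + sig:i + sig + 4]))
        i += sig + 4
        routes.append((str(ipaddress.IPv4Network((dest, plen))), str(router)))
    return routes


def restricted_client_routes():
    """Routes a restricted client needs: the remediation network plus a default
    route via the restricted scope's router. RFC 3442 says a client that
    understands option 121 ignores option 3 when both are present, so the
    default route must be listed here rather than left to option 003."""
    return [(REMEDIATION_NET, RESTRICTED_ROUTER), ("0.0.0.0/0", RESTRICTED_ROUTER)]
```

    The decoder is the check a defender wants when verifying what a scope actually hands out: feed it the raw option bytes captured from a lease and compare the result with the intended route list.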