DHCP health check re-evaluation after quarantine

  • Question

  • When a client has been quarantined using DHCP health checking it seems that the only way that they can be re-evaluated (the health check run again on the client) is by calling "ipconfig /release" and then "ipconfig /renew". This seems a bit of a shame given that the client has a try again button on it that surely could perform this operation for the user.

    Have I got this right? Also, why has it been done this way and not made easier for the user for this type of health checking?

    Thanks
    Marc
    Monday, June 11, 2007 1:45 PM

Answers

  • Yes, you should see the client re-checking and being brought back to 'normal'.

    When a DHCP renew is performed, it is performed via unicast, not broadcast.

    This is different than what happens when you do a manual release/renew; a manual release/renew causes the client to move back to base state, which dictates that it use broadcast.

    I'm assuming you have provided a DHCP relay on your subnet, otherwise you would not be getting an address at all on that subnet.

    Have you added a 'router' option value to your DHCP Scope under the NAP user class? This value is what the DHCP Server uses to calculate the Classless Static Routes to pass to the client in order to give the client connectivity to the DHCP Server.

    You also need to provide a router at that IP that knows how to communicate between the subnets.

    -Chris

    Chris.Edson@online.microsoft.com *

    SDET, Network Access Protection

    * Remove the "online" to make the address valid.

    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, June 12, 2007 7:01 PM
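Chris's answer hinges on the 'router' value under the NAP user class being turned into Classless Static Routes (DHCP option 121, RFC 3442) that give the quarantined /32 client a path to the NPS/DHCP server. The following is an added example, not code from this thread or from Microsoft: it encodes and decodes the option 121 payload and does a longest-prefix lookup to check whether a given server address is covered by any route the quarantined client received. The addresses are constructed placeholders.

```python
import ipaddress

# Constructed addresses (not from the thread): the NPS/DHCP server is on another
# subnet; the client subnet's router 192.0.2.1 is the NAP-class 'router' value.
NPS_SERVER = "198.51.100.10"
NAP_ROUTER_OPTION = "192.0.2.1"

def encode_option_121(routes):
    """Encode (destination, router) pairs as a DHCP option 121 payload (RFC 3442):
    one byte prefix length, the significant destination octets, 4-byte router."""
    payload = bytearray()
    for dest, router in routes:
        net = ipaddress.ip_network(dest)
        significant = (net.prefixlen + 7) // 8
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:significant]
        payload += ipaddress.ip_address(router).packed
    return bytes(payload)

def decode_option_121(payload):
    """Decode an option 121 payload into a list of (network, router) pairs."""
    routes, i = [], 0
    while i < len(payload):
        prefixlen = payload[i]
        if prefixlen > 32:
            raise ValueError("bad prefix length %d at offset %d" % (prefixlen, i))
        significant = (prefixlen + 7) // 8
        dest = payload[i + 1:i + 1 + significant]
        router = payload[i + 1 + significant:i + 5 + significant]
        if len(dest) != significant or len(router) != 4:
            raise ValueError("truncated route at offset %d" % i)
        # Pad the significant octets back out to a full 4-byte network address.
        net = ipaddress.ip_network((dest.ljust(4, b"\x00"), prefixlen))
        routes.append((net, ipaddress.ip_address(router)))
        i += 5 + significant
    return routes

def next_hop(payload, target):
    """Longest-prefix match of target against the option 121 routes, or None.
    A quarantined client has a /32 mask and no default gateway, so None means
    it has no path to target (the 'cannot ping the NPS server' symptom)."""
    target = ipaddress.ip_address(target)
    matches = [(net.prefixlen, router)
               for net, router in decode_option_121(payload) if target in net]
    return str(max(matches)[1]) if matches else None
```

An empty payload (no 'router' value configured under the NAP class, so no static routes handed out) yields None for the NPS server, which matches the lack of connectivity described in the question.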

All replies

  • When the client's health state is changed (something that is monitored by an SHA is changed), the SHA can re-trigger a health check by calling the NotifySoHChange API. This is independent of enforcement method.

    IPConfig /release - IPConfig /renew will work to indirectly manually re-trigger in the DHCP enforcement case, but it should not be required if the SHA is notifying the NAP Agent process correctly when health state changes.

    -Chris

    Chris.Edson@online.microsoft.com *

    SDET, Network Access Protection

    * Remove the "online" to make the address valid.

    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, June 12, 2007 12:22 AM
  • Hi,

    I have been following the guide from the MS site for DHCP health checking, using just the firewall check in the policy. When the PC is compliant I disable the firewall and the client is quarantined using the NAP DHCP response. The PC has no default gateway and a subnet mask of 255.255.255.255 (it was 255.255.255.224 when the PC was compliant). I have noticed that I cannot ping the NPS / DHCP server, which is on a different subnet, whereas I could when the client was compliant.

    When I then re-enable the firewall I am still quarantined because nothing seems to be happening. Is it due to the lack of connectivity to the NPS/DHCP server? If so, how should this be resolved?

    Are you saying that when the client PC is non-compliant and it then sees that the firewall has been re-enabled, it should run another check and, when it verifies that it is compliant, obtain an IP address again and everything should be back to normal? I am not seeing this.

    Thanks
    Marc
    Tuesday, June 12, 2007 9:15 AM