An issue about NAP with DHCP enforcement

  • Question

  • I've already started NAP with DHCP Enforcement in our network. But there are some wireless clients that can't get the right IP address sometimes because they were recognized as "NAP DHCP Non NAP-Capable".

    We verify our wireless clients with WPA.
    I checked the clients and found that if a client can't get the right IP address, there is a warning in the system log. These are the details:

    Event Type: Warning
    Event Source: Dhcp
    Event Category: None
    Event ID: 1003
    Date:  2009-12-08
    Time:  9:08:13
    User:  N/A
    Computer: BMHKBJ00340
    Description:
    Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0019D2445BD0.  The following error occurred:
    The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: c7 04 00 00               Ç...   


    This warning is before the log of napagent ID 26 (The NAP service has started.). Sometimes these clients can get an IP address correctly.

    Can anybody give me some advice?

    Thursday, December 10, 2009 1:57 AM

All replies

  • Hi,

    If the computer is trying to obtain an IP address before NAP agent has started, this would explain why the computer is evaluated as non NAP-capable. I assume this only happens when the computer starts for the first time. You could change DHCP client to delayed start or make it dependent on NAP agent. I think you can also just repair the network connection and it should then work. Others may have a better solution for you.

    -Greg
    Thursday, December 10, 2009 6:04 AM
  • En, repairing the network cannot repair this issue.

    I need to restart NAPAGENT service to get the right IP address.

    Thursday, December 10, 2009 7:39 AM
  • On the client computer, please issue a "netsh nap client show state" and provide the results. This sounds like a SHA has not properly initialized, but I'm not sure.

    Thanks,
    -Greg
    Sunday, January 17, 2010 8:11 AM
  • Hi,

    Please let me know if the issue is resolved or if we need to continue troubleshooting. If it isn't resolved, the information from "netsh nap client show state" should help to indicate the problem.

    Thanks,
    -Greg
    Saturday, January 23, 2010 7:26 AM
  • netsh nap client show state

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes


    It's the right state, isn't it? I give a batch file to users who meet this issue frequently so they can restart the NAP service themselves. So I seldom see this issue, about once or twice per week.

    Sunday, January 24, 2010 11:52 PM
  • Yes, that is the correct state, but you didn't include the entire output. There is a section at the bottom with the header: System health agent (SHA) state that should provide information about whether or not the problem is with a SHA, or if (as you suggested) NAP agent is starting after the DHCP client service.

    It is possible to make the DHCP client service dependent on NAP agent, but I've never tried this so I can't recommend it. There have been others that tried something similar with the 802.1X enforcement method (sc config dot3svc depend= napagent) and had some success. As I mentioned, I don't recommend this but you could try sc config dhcp depend= napagent.

    -Greg



    • Marked as answer by BIGFAINT Monday, February 1, 2010 6:22 AM
    Wednesday, January 27, 2010 11:53 PM
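
An added example (not part of the thread, and not the poster's or Microsoft's code): `sc config ... depend=` overwrites the service's existing dependency list rather than adding to it, so this PowerShell script reads the current `DependOnService` value and appends `napagent` to it. It assumes the short service names `Dhcp` and `napagent` used in the reply above, an elevated prompt, and that PowerShell is installed on the client.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# "sc config <service> depend=" REPLACES the service's whole dependency list,
# so read the existing entries first and append the new one.

$service = 'Dhcp'       # DHCP Client short name, as used in the thread
$newDep  = 'napagent'   # NAP agent short name, as used in the thread
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$service"

$config = Get-ItemProperty -Path $regPath

# DependOnService / DependOnGroup are REG_MULTI_SZ values; either may be absent.
$services = @($config.DependOnService | Where-Object { $_ })
$groups   = @($config.DependOnGroup   | Where-Object { $_ })

if ($groups.Count -gt 0) {
    # Group dependencies are not handled here; stop rather than drop them.
    Write-Warning "$service depends on group(s): $($groups -join ', '). No change made."
}
elseif ($services -contains $newDep) {
    Write-Output "$service already depends on $newDep. No change made."
}
else {
    $merged = ($services + $newDep) -join '/'
    Write-Output "Old dependencies: $($services -join '/')"
    Write-Output "New dependencies: $merged"

    # Call sc.exe explicitly: in PowerShell, 'sc' is an alias for Set-Content.
    & sc.exe config $service depend= $merged
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "sc.exe config failed with exit code $LASTEXITCODE."
    }
    # Show the resulting configuration, including the DEPENDENCIES lines.
    & sc.exe qc $service
}
```

The old list is printed so it can be restored with the same `sc.exe config ... depend=` form if the new start order causes problems.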
  • Thanks for your help.

    A computer has had this problem every day this week. Each time I need to restart the napagent service to fix it. I ran "sc config dhcp depend= napagent" just now.

    This is the full output of the state (after I restarted the napagent service):
    C:\WINDOWS\system32>netsh nap client show state

    Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Not restricted
    Troubleshooting URL    =
    Restriction start time =
    Extended state         =

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes

    Id                     = 79618
    Name                   = Remote Access Quarantine Enforcement Client
    Description            = Provides the quarantine enforcement for RAS Client
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79619
    Name                   = IPSec Relying Party
    Description            = Provides IPSec based enforcement for Network Access Pro
    tection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79620
    Name                   = Wireless Eapol Quarantine Enforcement Client
    Description            = Provides wireless Eapol based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79621
    Name                   = TS Gateway Quarantine Enforcement Client
    Description            = Provides TS Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides EAP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent

    Description            = The Windows Security Health Agent checks the compliance
     of a computer with an administrator-defined policy.

    Version                = 1.0

    Vendor name            = Microsoft Corporation

    Registration date      =
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 0
    Fixup Message          = (3237937214) - The Windows Security Health Agent has fi
    nished updating its security state.

    Compliance results     = (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -

    Remediation results    =

     

    Thursday, January 28, 2010 6:27 AM
  • Hi,

    There are no errors in the output, but that is probably because NAP agent was restarted. Please let me know if the command to create a dependency helps.

    Thanks,
    -Greg
    • Marked as answer by BIGFAINT Monday, February 1, 2010 6:22 AM
    • Unmarked as answer by BIGFAINT Monday, February 1, 2010 6:22 AM
    Thursday, January 28, 2010 9:23 AM
  • Thanks! The issue is solved.

    Monday, February 1, 2010 6:24 AM
  • Not able to view reporting on the client machines after creating the policies for DHCP enforcement. Please, any help? Users for the scope are all getting blocked regardless of compliant or non-compliant.

    Monday, July 26, 2010 8:03 AM