DHCP NAP not working as it should

  • Hello,

    I'm trying to get NAP DHCP to work in a test environment. Everything appears to be OK, but it's not.

    The health policy checks whether Windows Firewall is turned on. The Remediation Group consists of only one server.

    When I turn off the firewall on my test machine, I can see 2 entries in the event viewer on my NPS server:

    1) 6272 - Network Policy Server granted access to a user.

    2) 6278 - Network Policy Server quarantined a user.

    Authentication Details:
     Connection Request Policy Name: NAP DHCP
     Network Policy Name:  NAP DHCP Noncompliant
     Authentication Provider:  Windows
     Authentication Server:  WAWRADIUS01.contoso.com
     Authentication Type:  Unauthenticated
     EAP Type:   -
     Account Session Identifier:  3633373838343133

    Despite the client being quarantined, it still has full access to the network.

    One thing to note is that the DHCP server is not on the NPS server, although the DHCP server seems to be properly configured to forward the requests to the NPS server, and the NPS and DHCP servers are both on the same subnet.

    Please advise where I should look for the source of the problem.

    Kind regards,

    Wojciech

    Saturday, November 22, 2014 6:17 PM

All replies

  • Hi Wojciech,

    Event ID 6272: Network Policy Server granted access to a user. This event occurs when a NAP client computer is successfully authenticated and, depending on its health state, obtains full or restricted access to the network.

    Event ID 6278: Network Policy Server granted full access to a user because the host met the defined health policy. This event occurs when the client access request matches a network policy that is configured with a NAP enforcement setting of Allow full network access.

    Based on my understanding, the two events above show that the NAP client was granted full access because it did meet a certain policy. Please double-check which policy is being matched.

    Event ID 6276: Network Policy Server quarantined a user. This event occurs when the client access request matches a network policy that is configured with a NAP enforcement setting of Allow limited access. It can also occur if you have configured a setting of Allow full network access for a limited time and specified date is in the past.

    If it is event 6276, you need to check either the NAP client configuration or the health policies.

    Check whether you have configured a setting similar to Allow full network access for a limited time.

    Review the health policy you have created for the NAP client. Configure the client according to the restrictions of the health policy.

    Also, please refer to the checklist below to check whether the policies and other settings were configured properly.

    Event ID 6276 — NAP Client Health Status

    http://technet.microsoft.com/en-us/library/dd316174(v=WS.10).aspx

    Checklist: Configure NAP Enforcement for DHCP

    http://technet.microsoft.com/en-us/library/cc772356(v=WS.10).aspx

    Best Regards,

    Tina

    Monday, November 24, 2014 8:21 AM
  • Hi Wojciech,

    What do you mean that the client still has full access to the network? How are you determining this?

    Check that you have not enabled automatic remediation. If it is enabled, the computer will just turn the firewall back on and become compliant. This would explain why the computer has full access.

    Thanks,

    -Greg

    Saturday, November 29, 2014 7:34 PM
  • Hello,

    I made a mistake in the first post. Of course, the event ID I am getting is 6276.

    I had automatic remediation turned on. However, even after turning it off I'm still struggling to get this working.

    My understanding is that when a client is identified as non-compliant, and the NAP Enforcement Type is set to Limited Access, the only resources that client will be able to reach are those specified in the Remediation Groups. In my case, the client is able to reach all servers and the Internet.

    I've double checked what happens with the client with the firewall turned on and off:

    1) Firewall turned on - event 6272 followed by 6278. Full access is granted.

    2) Firewall turned off - event 6272 followed by 6276. Client is quarantined, but it is still able to access every resource and is not limited to the only server in the Remediation Group.

    So it would seem that the policies are properly configured, but the quarantine is not working as it should.

    Kind regards,

    Wojciech


    Sunday, November 30, 2014 6:02 PM
  • Please post the output of ipconfig /all on the client.

    Thanks,

    -Greg

    Sunday, November 30, 2014 11:33 PM
  • Hi Greg,

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : WAWLAP01
       Primary Dns Suffix  . . . . . . . : contoso.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : contoso.com
       System Quarantine State . . . . . : Not Restricted


    Ethernet adapter Ethernet:

       Connection-specific DNS Suffix  . : contoso.com
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter
       Physical Address. . . . . . . . . : 08-00-27-87-46-69
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::1004:5b5b:7371:a93a%3(Preferred)
       IPv4 Address. . . . . . . . . . . : 172.17.1.50(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : 6 grudnia 2014 14:33:06
       Lease Expires . . . . . . . . . . : 14 grudnia 2014 14:33:05
       Default Gateway . . . . . . . . . : 172.17.1.1
       DHCP Server . . . . . . . . . . . : 172.17.1.2
       DHCPv6 IAID . . . . . . . . . . . : 50855975
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-F6-AF-CA-08-00-27-87-46-69

       DNS Servers . . . . . . . . . . . : 172.17.1.2
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.contoso.com:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : contoso.com
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Kind regards,

    Wojciech

    Saturday, December 6, 2014 1:36 PM
  • Hi,

    This client is not quarantined. It does not have a NAP rule applied to it to restrict access. See this line from the ipconfig:

    System Quarantine State . . . . . : Not Restricted

    This is working correctly from the client side. You might not have your NAP policies configured correctly.

    -Greg



    Saturday, December 6, 2014 3:28 PM
  • Hi Greg,

    Can you tell me why the client shows that it's not quarantined, while the NPS server logs show otherwise?

    Also, is this normal?

    (0xc0ff0001 - A system health component is not enabled. ..)

    Can this be the reason the system is not becoming restricted?

    Kind regards,

    Wojciech

    Saturday, December 6, 2014 10:00 PM
  • Hi,

    If the client is compliant it should not have a system health component that is not enabled; it should only report health components that are required in your WSHV.

    Do you have policies or failover configured on the scope? From what I've seen, NAP is disabled if you enable failover, and it does not work with policies.

    Also, please make sure that you've disabled automatic remediation in your noncompliant policy (not the compliant one, where this setting doesn't matter). Actually, make sure that the client is matching the correct policy. Did it match the noncompliant policy? This information will be in event 6276. See below.

    -Greg


    Monday, December 8, 2014 3:04 AM
  • Hi Greg,

    I don't have any policies or DHCP Failover configured for the scope.

    Automatic Remediation is disabled.

    When a client without the firewall enabled connects, the following 2 NPS events occur:

    Kind regards,

    Wojciech

    Friday, December 12, 2014 6:55 PM
  • Here is a screenshot from the event viewer on the NPS server

    Kind regards,

    Wojciech

    Friday, December 12, 2014 7:01 PM
  • Greg,

    Finally solved it. Thanks to you anyway :)

    I found your post in this thread:

    https://social.technet.microsoft.com/forums/windowsserver/en-US/d122f796-c7c4-4aaf-a13c-905a4b92db02/nap-dhcp-does-not-work-via-radius-proxy-event-id-6273

    Specifically: on the Advanced tab, the checkbox "RADIUS client is NAP-capable" is enabled.

    I had this unchecked. After checking it, everything works like a charm :)

    Kind regards,

    Wojciech

    • Marked as answer by rozanw Friday, December 12, 2014 7:16 PM
    Friday, December 12, 2014 7:14 PM
  • Hi,

    Please look at the client-side logs. The location is documented on this forum in one of the sticky posts at the top, NAP troubleshooting basics (https://social.technet.microsoft.com/Forums/windowsserver/en-US/41e753f4-c350-4153-91a3-c1dc7e6f864a/nap-troubleshooting-basics?forum=winserverNAP), and I have pasted the location below.

    Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational

    The client-side events are listed here:

    http://technet.microsoft.com/en-us/library/dd348461(v=ws.10).aspx#napinfrastructureeventsanderrors

    These events should tell us what is going on with the client.

    -Greg

    Friday, December 12, 2014 7:15 PM
  • That's interesting. You should have a policy for non-NAP-capable computers that catches those kinds of computers. The result of not checking that box is that your client will appear non-NAP-capable.

    Glad the problem is solved! :)

    Friday, December 12, 2014 7:21 PM
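The check Greg walked through above (NPS logs 6276 while the client's own state is "Not Restricted"), plus the RADIUS-client setting that turned out to be the cause, as one triage script. This is an added example written for this page, not code from the thread or from Microsoft; it assumes administrator rights, remote event-log and WinRM access to the NPS server, the NPS PowerShell module on that server, and that the "Restriction state" wording of `netsh nap client show state` and the `Address`/`NapCompatible` property names of `Get-NpsRadiusClient` are as assumed here.

```powershell
# Added example, not from the thread. Correlates the NPS decision with the
# client's own state to catch the failure mode above: NPS logs 6276
# (quarantined) while the client reports "Not Restricted".
# Assumptions: run as administrator on the DHCP client; $NpsServer accepts
# remote event-log queries and WinRM; the NPS module is installed there;
# the exact netsh "Restriction state" wording is assumed.
param(
    [string]$NpsServer  = 'WAWRADIUS01.contoso.com',  # names from the thread
    [string]$ClientHost = 'WAWLAP01',
    [string]$DhcpServer = '172.17.1.2',               # DHCP server = RADIUS client on NPS
    [int]$Hours = 1
)

# 1. Server side: 6272 granted, 6276 quarantined, 6278 full access (compliant).
#    The event text carries "Network Policy Name:", as in the original post.
$events = Get-WinEvent -ComputerName $NpsServer -FilterHashtable @{
    LogName = 'Security'; Id = 6272, 6276, 6278; StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match [regex]::Escape($ClientHost) }

$last   = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
$policy = if ($last) { [regex]::Match($last.Message, 'Network Policy Name:\s*(.+)').Groups[1].Value.Trim() }

# 2. Client side: the state ipconfig /all shows as "System Quarantine State".
$napState   = (netsh nap client show state) -join "`n"
$restricted = $napState -match 'Restriction state\s*=\s*Restricted'

# 3. Client NAP operational log (the location Greg points to), newest first.
$clientLog = 'Microsoft-Windows-NetworkAccessProtection/Operational'
Get-WinEvent -LogName $clientLog -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, @{n='Message'; e={ $_.Message.Split("`n")[0] }} -AutoSize

# 4. Verdict. A 6276 on NPS with an unrestricted client means enforcement never
#    reached the client: inspect the DHCP server's RADIUS client entry on NPS.
if ($last -and $last.Id -eq 6276 -and -not $restricted) {
    Write-Warning "NPS quarantined $ClientHost under '$policy' but the client is Not Restricted."
    $rc = Invoke-Command -ComputerName $NpsServer -ScriptBlock {
        Get-NpsRadiusClient | Where-Object { $_.Address -eq $using:DhcpServer }
    }
    if ($rc -and -not $rc.NapCompatible) {
        Write-Warning "RADIUS client '$($rc.Name)' is not marked NAP-capable on $NpsServer; enable it (the fix in this thread)."
    }
} elseif ($last) {
    "Last NPS decision for ${ClientHost}: $($last.Id) ('$policy'); client restricted: $restricted"
}
```

If no NPS events match the client host name, widen the `-match` on the message text: for DHCP enforcement the account name and machine name fields in 6272/6276 depend on how the DHCP server identifies the lease.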