Question of DHCP Network Access Protection with IP reservation for non-compliant machine behaviour

    Dear Sir,

    In the customer's existing network, they are using a Microsoft Windows 2008 R2 DHCP server to assign IPs to clients. Each machine/device has a MAC address configured in the DHCP server for reservation of the same IP address.

    The customer would like to apply DHCP NAP to their network. I found that if the "Enable for this scope" option on the DHCP NAP tab is selected, all printers will not obtain an IP, as printers don't have NAP client software.

    Q1. Does it mean all printers/network devices must use a manually configured static IP if the customer needs to implement DHCP NAP?

    Q2. I would like to confirm the DHCP NAP feature:

    If a machine has the NAP client installed: it can obtain an IP based on the policy server (restricted/full access, etc.).

    If a machine does not have the NAP client installed (e.g. a printer): it will not be allowed to obtain an IP from the DHCP server.

    Q3. Is it possible to configure DHCP with 2 scopes, 1 NAP-enabled and 1 not NAP-enabled, for MAC address reservations?

    Regards,

    Joe

    Monday, July 9, 2012 9:21 AM

All replies

  • Hi Joe,

    If a device is not NAP capable, it will not receive a default gateway, but it will get an IP address (it can communicate within the subnet).

    You can configure several scopes and enable DHCP NAP at the scope level. You probably want to create a scope for non-NAP-capable devices with NAP turned off. Another solution is to exclude a range from the scope and configure static IP addresses for the devices, but this has a lot of configuration overhead.


    Csaba

    Monday, July 9, 2012 2:21 PM
  • Dear Csaba,

        But I found that:

    If DHCP NAP is disabled on the client and enabled on the DHCP server: in this scenario, the DHCP server will not lease the IP address. Thus a non-NAP-capable device will not even receive an IP either.

    For the DHCP scope, how do I create several scopes (if the network is 192.168.1.0/24)? I found that it only allows multiple scopes if the subnet is not using the class C mask of 255.255.255.0 (such as configured as 255.255.255.128), but such a configuration will not allow clients to obtain an IP from DHCP.

    So I cannot get either of the suggestions working in my environment. Can you give me the steps for it?

    Joe

    Monday, July 9, 2012 2:35 PM
  • Hi Joe,

    When I tested the configuration in our environment, I found that non-NAP-capable devices receive an IP, but not a gateway. Also, you can configure NPS to grant full network access to non-NAP-capable devices (obviously this is much less secure).

    If you have a /24 scope you can split it into 2 /25 scopes: one from 192.168.1.0 (let's say this one is NAP enabled), the other one from 192.168.1.128 (non-NAP enabled).


    Csaba

    Monday, July 9, 2012 2:46 PM
  • Dear Csaba,

    How can you get an IP without a gateway for non-NAP-capable devices? For example, if it is Windows XP with SP1, will it show as quarantined to the restricted zone?

    For DHCP, I tried creating the scope as 192.168.1.0 with mask 255.255.255.128, and clients are not able to obtain DHCP even with only 1 scope configured. Do you think it will obtain an IP address such as 192.168.1.1 with mask 255.255.255.128, or can it obtain IP 192.168.1.1 with mask 255.255.255.0?

    Regards,

    Joe

    Tuesday, July 10, 2012 12:41 AM
  • Hi Joe,

    Thanks for posting here.

    For the devices that don't support NAP, we can set a NAP exemption for them, which will allow them to access the network while obtaining an address from NAP-enabled DHCP scopes. Since we have already collected the MAC addresses of the devices, I believe the workaround in the blog article should work for you and should also answer the questions you mentioned:

    NAP Enforcement Exemption for Printers and other Network Appliances

    http://blogs.technet.com/b/teamdhcp/archive/2008/06/15/nap-enforrcement-exemption-for-printers-and-other-network-appliances.aspx

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact  tnmff@microsoft.com.


    Tiger Li

    TechNet Community Support


    Tuesday, July 10, 2012 2:02 AM
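The two approaches discussed above (Csaba's split of the /24 into a NAP-enforced /25 and a non-NAP /25, and Tiger's MAC-based exemption for printers) both depend on knowing which existing reservations land in which scope. The following is an added planning example, not code from the thread or from Microsoft: it splits the scope with Python's `ipaddress` module, flags every reserved MAC whose current IP sits in the wrong half, proposes the lowest free host in the target half for those, and prints the corresponding `netsh dhcp` commands. The reservation data is constructed, and the `netsh` syntax is written from memory (an assumption to verify against `netsh dhcp server /?` on the actual server before running anything).

```python
"""Plan the split of a /24 DHCP scope into a NAP-enabled /25 and a non-NAP /25
and check which MAC reservations must move. Added example: sample data is
constructed and the netsh syntax is from memory (assumption, verify first)."""
from ipaddress import IPv4Address, IPv4Network

# Constructed sample reservations (MAC -> reserved IP) in the existing /24.
RESERVATIONS = {
    "00-11-22-33-44-01": "192.168.1.10",   # NAP-capable workstation
    "00-11-22-33-44-02": "192.168.1.20",   # NAP-capable workstation
    "00-11-22-33-44-10": "192.168.1.50",   # printer, currently in the low half
    "00-11-22-33-44-11": "192.168.1.200",  # printer, already in the high half
}
# Constructed list of MACs that cannot run a NAP client (printers, appliances).
NON_NAP_MACS = {"00-11-22-33-44-10", "00-11-22-33-44-11"}


def split_scope(network="192.168.1.0/24"):
    """Return (nap_scope, non_nap_scope): the low half keeps NAP enforcement,
    the high half becomes the non-NAP scope, as suggested in the thread."""
    low, high = IPv4Network(network).subnets(prefixlen_diff=1)
    return low, high


def plan_reservations(reservations, non_nap_macs, nap_scope, non_nap_scope):
    """Decide for every reservation which scope it belongs to and whether its
    current IP already lies there. A device in the wrong half gets the lowest
    unused host address of its target scope proposed as the new reservation."""
    used = {IPv4Address(ip) for ip in reservations.values()}
    plan = []
    for mac, ip in sorted(reservations.items(), key=lambda kv: IPv4Address(kv[1])):
        addr = IPv4Address(ip)
        target = non_nap_scope if mac in non_nap_macs else nap_scope
        if addr in target:
            plan.append({"mac": mac, "ip": ip, "scope": target, "action": "keep"})
            continue
        # hosts() skips the network and broadcast addresses of the /25
        new_ip = next(h for h in target.hosts() if h not in used)
        used.add(new_ip)
        plan.append({"mac": mac, "ip": str(new_ip), "scope": target,
                     "action": "move", "old_ip": ip})
    return plan


def netsh_commands(plan, nap_scope, non_nap_scope):
    """Emit netsh dhcp lines creating both scopes, setting their NAP state and
    adding the reservations. Command syntax is an assumption from memory."""
    lines = []
    for scope, name, state in ((nap_scope, "NAP-enforced", "Enable"),
                               (non_nap_scope, "Non-NAP", "Disable")):
        lines.append(f'netsh dhcp server add scope {scope.network_address} '
                     f'{scope.netmask} "{name}"')
        lines.append(f'netsh dhcp server scope {scope.network_address} '
                     f'set napstate {state}')
    for entry in plan:
        mac = entry["mac"].replace("-", "")
        lines.append(f'netsh dhcp server scope {entry["scope"].network_address} '
                     f'add reservedip {entry["ip"]} {mac}')
    return lines


if __name__ == "__main__":
    nap, non_nap = split_scope()
    # Clients leased from a /25 scope receive mask 255.255.255.128, not .0
    print(f"NAP scope {nap} and non-NAP scope {non_nap}, lease mask {nap.netmask}")
    plan = plan_reservations(RESERVATIONS, NON_NAP_MACS, nap, non_nap)
    for e in plan:
        note = f" (was {e['old_ip']})" if e["action"] == "move" else ""
        print(f"{e['mac']} -> {e['ip']} in {e['scope']}: {e['action']}{note}")
    print("\n".join(netsh_commands(plan, nap, non_nap)))
```

With the constructed data, the printer reserved at 192.168.1.50 is the only device that has to move (to 192.168.1.129, the lowest free host of the non-NAP half); everything else keeps its reservation. Note that a device with a NAP exemption on the NPS side, as in the linked article, could instead stay in the NAP-enabled scope, so the "move" list is also the list of MACs you would have to exempt if you choose that route.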
  • Dear Tiger,

          Yes. It is the information I needed.

    I will test it.

    Thanks,

    Joe

    Tuesday, July 10, 2012 2:21 AM
  • Hi Joe,

    OK, if there is any update on this issue, please feel free to let us know.

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact  tnmff@microsoft.com.


    Wednesday, July 11, 2012 1:52 AM