DHCP enforcement: issue special IP addresses for noncompliant clients?

  • Question

  • Is it possible to issue special IP addresses from a dedicated subnet to noncompliant NAP clients using DHCP enforcement?
    Tuesday, July 24, 2007 11:36 AM

Answers

  • No, this is not possible with NAP DHCP Enforcement.

    If you wish to isolate clients onto different subnets, you might try 802.1x enforcement instead - with 802.1x enforcement, one can isolate clients onto different vLANs depending on health state.

    Please look to http://www.microsoft.com/nap for more information about various NAP enforcement methods.

    -Chris

    Chris.Edson@online.microsoft.com *

    SDET, Network Access Protection

    * Remove the "online" to make the address valid.

    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, July 25, 2007 9:37 PM

All replies

  • I have not tested what I am going to suggest to you, but you could try it yourself...

    You can create two scopes (with different start and end IP addresses, whatever you like) in your DHCP server (let's say Scope A and Scope B),

    now enable the NAP on scope A and disable the NAP on scope B.

    I guess the noncompliant NAP clients will get the IP address from Scope B.

    Try to play with this setting.

    Brijesh Shukla

    Wednesday, July 25, 2007 5:58 AM
  • This was also my first idea. But all machines get their IP addresses from the first scope, no matter whether they are compliant or noncompliant clients. This would only work if NAP allowed you to issue IP addresses from a certain scope when a client doesn't meet the health requirements.
    Wednesday, July 25, 2007 7:19 AM
  • Not sure about my idea, yet I would like to confirm: have you enabled the "auto remediation" policy under the NAS server for noncompliant clients? If yes, try to execute your test case after clearing the check box for "auto remediation".

    Brijesh Shukla

    Wednesday, July 25, 2007 7:59 AM
  • Chris, thanks for making it clear that DHCP will not work...

    But I have a doubt: in 802.1x enforcement a client can be assigned to a different VLAN using the switch, and a VLAN is distinguished by port on the switch.

    Then how will a client get a special IP address from DHCP, because in this scenario the controller is only the NAP server and, to some extent, the switch that reassigns the client's port on the switch?

    My issue is this: suppose I want to give only "192.168.1.0 -----192.168.1.250" dynamic IP addresses to noncompliant clients; how could I teach this to DHCP?

    Regards

    Brijesh Shukla

    Thursday, July 26, 2007 3:58 AM
  • Brijesh, I suppose the trick is to just place another DHCP server in the VLAN of the noncompliant machines.
    Thursday, July 26, 2007 1:36 PM
  • Usually, you have different subnets assigned to different vLANs - in practice, the terms vLAN and subnet are often interchangeable.

    In a NAP deployment for 802.1x enforcement, you would assign healthy clients to vLAN X, and provide addresses from DHCP scope x (typically via a DHCP Relay Agent that resides on the specified vLAN). Unhealthy clients would be assigned to vLAN Y, and addresses provided from DHCP scope y.

    While ports can be assigned to vLANs statically at the switch level, NAP requires further support from the switch: the switch must allow the NAP Server (NPS doing RADIUS, and providing EAP-based authentication support) to assign ports dynamically to specified vLANs. If this support is provided, a client can then be moved from vLAN to vLAN based on health state, and will thus have different IPs depending on health state as well.

    -Chris

    Chris.Edson@online.microsoft.com *

    SDET, Network Access Protection

    * Remove the "online" make the address valid.

    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, July 26, 2007 6:33 PM
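Chris's two-VLAN design, reduced to code as an added example (this is not code from the thread, from Microsoft, or from NPS): the RADIUS server answers a healthy client's 802.1x authentication with tunnel attributes naming VLAN X and an unhealthy client's with VLAN Y, using the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes from RFC 2868/3580 that dynamic VLAN assignment relies on, and each VLAN carries its own DHCP scope. The VLAN ids, scope ranges, MAC addresses, lease lines and health records are all constructed for the example; the 192.168.1.0/24 scope stands in for the range Brijesh asked about. The audit at the end is the check an operator would want in this design: a client whose lease does not fall inside the scope that matches its health state, which is exactly the misplacement Brijesh observed with two scopes on one subnet.

```python
"""Health state -> VLAN via RADIUS reply attributes, VLAN -> DHCP scope, plus an audit.

Everything below is a constructed illustration of the 802.1x/VLAN design discussed
in the thread; the VLAN ids and scopes are assumptions, not values from the post.
"""
import ipaddress
import struct

# Assumed topology: healthy clients land on VLAN 10, unhealthy ones on VLAN 20.
VLAN_BY_HEALTH = {"compliant": 10, "noncompliant": 20}
SCOPE_BY_VLAN = {
    10: ipaddress.ip_network("10.0.10.0/24"),     # "scope x" for vLAN X
    20: ipaddress.ip_network("192.168.1.0/24"),   # "scope y" for vLAN Y
}

# RADIUS attribute numbers and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6      # Tunnel-Medium-Type = IEEE-802


def vlan_reply_attributes(health, tag=1):
    """Tagged tunnel attributes the RADIUS server puts in Access-Accept for this health state."""
    vlan = VLAN_BY_HEALTH[health]
    return [
        (TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN),
        (TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802),
        (TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)),
    ]


def encode_avp(attr_type, tag, value):
    """Encode one tagged AVP: Type, Length, Tag, then a 3-byte integer or a string value."""
    if isinstance(value, int):
        body = bytes([tag]) + value.to_bytes(3, "big")
    else:
        body = bytes([tag]) + value.encode("ascii")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def parse_leases(lines):
    """Parse constructed 'ip mac' lease lines (comments and blanks skipped) into (ip, mac)."""
    leases = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac = line.split()[:2]
        leases.append((ipaddress.ip_address(ip), mac.lower()))
    return leases


def audit_leases(leases, health_by_mac):
    """Return (mac, ip, reason) for every client whose lease is not in the scope for its health state."""
    findings = []
    for ip, mac in leases:
        health = health_by_mac.get(mac)
        if health is None:
            findings.append((mac, str(ip), "no health record"))
            continue
        expected = SCOPE_BY_VLAN[VLAN_BY_HEALTH[health]]
        if ip not in expected:
            findings.append((mac, str(ip), f"{health} client outside {expected}"))
    return findings


# Constructed sample data: three leases and the health state NPS recorded per MAC.
SAMPLE_LEASES = """\
# ip               mac                (constructed sample leases)
10.0.10.23         00:11:22:33:44:01
192.168.1.77       00:11:22:33:44:02
10.0.10.99         00:11:22:33:44:03
"""
SAMPLE_HEALTH = {
    "00:11:22:33:44:01": "compliant",
    "00:11:22:33:44:02": "noncompliant",
    "00:11:22:33:44:03": "noncompliant",  # holds a healthy-scope address: misplaced
}

if __name__ == "__main__":
    for attr in vlan_reply_attributes("noncompliant"):
        print(encode_avp(*attr).hex())
    for finding in audit_leases(parse_leases(SAMPLE_LEASES.splitlines()), SAMPLE_HEALTH):
        print(finding)
```

The attribute encoding is what the switch parses to move the port; in a real deployment the lease and health records would come from the DHCP server and NPS logs rather than from the constructed strings above, and the audit would be run periodically so that a client that was re-evaluated as unhealthy but kept its old address shows up.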
  • No, it's not possible
    • Proposed as answer by arnavsharma Monday, October 1, 2012 8:24 AM
    Monday, October 1, 2012 8:24 AM