DHCP NAP Problem (Remediation)

  • Question

  • Hi All

    We are having a problem in production with a DHCP NAP implementation (worked in LAB?).

    The Infrastructure is as follows:

    Server 2008 DHCP Cluster (Also running NPS as RADIUS Proxy)

    2 x NPS Servers

    We have configured the DHCP cluster as a RADIUS Client and supplied a shared secret. NPS has been installed on each Node and been configured to Proxy all requests (DHCP) to the remote RADIUS group.

    What we see in the NPS logs is that the requests are received from the RADIUS client, the DHCP request is matched to the NAP Non-Compliant policy, but the client is not remediated?

    It appears as if the request gets to the DHCP, is forwarded onto NPS and processed with the SoH, NPS replies with the client's status, but DHCP never gets a reply... and therefore gives a non-compliant client an IP. If we set the DHCP to restrict clients if NPS validation fails, clients are restricted, confirming our suspicion.

    We thought that the DHCP cluster may possibly not support NAP, so we installed DHCP locally on the NPS server with the same results?

    Clients do not receive any pop-ups...

    Any thoughts/help?

    Thanks
    Gavin 


    Thursday, July 31, 2008 9:49 AM

Answers

  • Hi Gavin,

    I think you are headed in the right direction troubleshooting by looking at the event log on the proxy, but you should also examine events on the other server. Look for event 6274 I believe. It should say that NPS discarded the request and provide a reason. Do you see this event? If so, what is the reason?

    If you don't see any events on the NPS that is providing authorization, then there is a communication problem between the proxy and NPS or the RADIUS client and remote RADIUS server group configurations are not quite right.

    -Greg

    Tuesday, August 12, 2008 9:16 AM

All replies

  • Hi Gavin,

    Do you see an event on NPS that access was granted and the client matched the non-compliant policy? If so, then you have set NAP enforcement in your non-compliant policy to grant full access. This type of configuration is called reporting mode, and there are no NAP notifications. Notifications will occur if you set non-compliant policy to restrict access at a specified time, or to restrict access immediately.

    To enable remediation, confirm that you have checked this option in your non-compliant policy. If you have further questions, please provide the output of "netsh nps show config" so we can examine the NPS policy configuration.

    Thanks,
    -Greg
    Monday, August 4, 2008 4:28 AM
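    As an added example (not code from this thread or from Microsoft), a small parser for the network policy sections of `netsh nps show config` output that flags the reporting-mode case Greg describes: a non-compliant policy whose MS-Quarantine-State is 0x0 (full access), which yields no restriction and no client notification. The sample text is constructed in the netsh layout, and the "non-compliant policy" test is a name-based heuristic.

```python
import re

# Constructed sample in the layout of "netsh nps show config"; values are illustrative,
# not the thread's real configuration. The second policy is deliberately misconfigured.
SAMPLE_CONFIG = """\
Connection request policy configuration:
---------------------------------------------------------
Name             = NAP DHCP
State            = Enabled

Network policy configuration:
---------------------------------------------------------
Name             = NAP DHCP Compliant
State            = Enabled
Processing order = 1

Profile attributes:

Name                                    Id          Value
---------------------------------------------------------
NP-Allow-Dial-in                        0x100f      "TRUE"
MS-Quarantine-State                     0x1faf      "0x0"

Network policy configuration:
---------------------------------------------------------
Name             = NAP DHCP Noncompliant
State            = Enabled
Processing order = 2

Profile attributes:

Name                                    Id          Value
---------------------------------------------------------
NP-Allow-Dial-in                        0x100f      "TRUE"
MS-Quarantine-State                     0x1faf      "0x0"
"""

# MS-Quarantine-State: 0 = full access, 1 = quarantine (restricted),
# 2 = probation (restrict access at a specified time).
QUARANTINE_STATE = {0: "full access", 1: "restricted", 2: "probation"}

SECTION = "Network policy configuration:"

def parse_network_policies(config_text):
    """Map each network policy name to its MS-Quarantine-State (None if not set)."""
    policies = {}
    for chunk in config_text.split(SECTION)[1:]:
        name_m = re.search(r"^\s*Name\s*=\s*(.+?)\s*$", chunk, re.M)
        if not name_m:
            continue
        state_m = re.search(r'MS-Quarantine-State\s+0x1faf\s+"(0x[0-9a-fA-F]+)"', chunk)
        policies[name_m.group(1)] = int(state_m.group(1), 16) if state_m else None
    return policies

def reporting_mode_policies(policies):
    """Non-compliant / non-capable policies (heuristic: by name) that grant full
    access (state 0) or set no quarantine state: these run in reporting mode."""
    return sorted(name for name, state in policies.items()
                  if re.search(r"non.?compliant|non.?nap", name, re.I) and not state)

if __name__ == "__main__":
    found = parse_network_policies(SAMPLE_CONFIG)
    for name, state in found.items():
        print(f"{name}: {QUARANTINE_STATE.get(state, 'not set')}")
    for name in reporting_mode_policies(found):
        print(f"WARNING: '{name}' grants full access -> reporting mode, no remediation")
```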
  • Hi Greg

    Sorry for only replying now, was at Tech-Ed :)

    Both the non-compliant and non-capable policies are set to restrict. I do not see any events for NAP, what is the event ID I should be looking for?

    Here is the netsh output:

    Client configuration:
    ---------------------------------------------------------
    Name                = DHCP
    Address             = 155.x.x.144
    State               = Enabled
    Shared secret       = 1234
    Require auth attrib = No
    NAP capable         = Yes
    Vendor              = RADIUS Standard

    Client configuration:
    ---------------------------------------------------------
    Name                = DHCP Clust
    Address             = 155.x.x.146
    State               = Enabled
    Shared secret       = 1234
    Require auth attrib = No
    NAP capable         = Yes
    Vendor              = RADIUS Standard

    Connection request policy configuration:
    ---------------------------------------------------------
    Name             = NAP DHCP
    State            = Enabled
    Processing order = 1
    Policy source    = 3

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:0
    0; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Auth-Provider-Type                      0x1025      "0x1"
    Override-RAP-Auth                       0x1fb0      "FALSE"

    Event log configuration:
    ---------------------------------------------------------
    Accepted authentication requests = Enabled
    Rejected authentication requests = Enabled

    File log configuration:
    ---------------------------------------------------------
    Accounting                     = Enabled
    Authentication                 = Enabled
    Periodic accounting status     = Enabled
    Periodic authentication status = Enabled
    Directory                      = C:\Windows\system32\LogFiles
    Format                         = ODBC formatting
    Delete old logs                = Enabled
    Frequency                      = Daily logs
    Max size                       = 10 MB

    Ports configuration:
    ---------------------------------------------------------
    Accounting ports     = 1813,1646
    Authentication ports = 1812,1645

    Network policy configuration:
    ---------------------------------------------------------
    Name             = NAP DHCP Compliant
    State            = Enabled
    Processing order = 1
    Policy source    = 3

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbd      "NAP DHCP Compliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x7"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    Saved-Machine-HealthCheck-Only          0x1fdc      "0x2"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = NAP DHCP Noncompliant
    State            = Enabled
    Processing order = 2
    Policy source    = 3

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbd      "NAP DHCP Noncompliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x7"
    Quarantine-Fixup-Servers-Configuration  0x1fc2      "NAP"
    MS-Quarantine-State                     0x1faf      "0x1"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = NAP DHCP Non NAP-Capable
    State            = Enabled
    Processing order = 3
    Policy source    = 3

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbb      "^1$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x7"
    Quarantine-Fixup-Servers-Configuration  0x1fc2      "NAP"
    MS-Quarantine-State                     0x1faf      "0x1"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Server registration:
    ---------------------------------------------------------
    Status = Registered

    Remediation server configuration:
    ---------------------------------------------------------
    Group   = NAP
    Address = 155.x.x.82
    Name    = DNS 01

    SHV configuration:
    ---------------------------------------------------------
    Id                             = 79744
    Name                           = Windows Security Health Validator

    Vendor                         = Microsoft Corporation

    Description                    = The Windows Security Health Validator defines t
    he policy that client computers must be compliant with.

    Version                        = 1.0

    Policy server unreachable      = Noncompliant
    Remediation server unreachable = Noncompliant
    System Health Agent failure    = Noncompliant
    NAP server failure             = Noncompliant
    Other errors                   = Noncompliant

    Health policy configuration:
    ---------------------------------------------------------
    Name          = NAP DHCP Compliant
    Configuration = All must pass
    Id            = 79744

    Health policy configuration:
    ---------------------------------------------------------
    Name          = NAP DHCP Noncompliant
    Configuration = One or more must fail
    Id            = 79744

    SQL log configuration:
    ---------------------------------------------------------
    Connection                     = Provider=SQLOLEDB;Persist Security Info=False;U
    ser ID=sa;Initial Catalog=NAPDB;Data Source=SQL001\SQL001;Use Procedure fo
    r Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=NAP001;Use
     Encryption for Data=False;Tag with column collation when possible=False
    Description                    = SQL001\SQL001
    Accounting                     = Enabled
    Authentication                 = Enabled
    Periodic accounting status     = Enabled
    Periodic authentication status = Enabled
    Max sessions                   = 2

    Ok.

    Thx
    Gavin

    Thursday, August 7, 2008 8:14 AM
  • Hi Greg

    Here is the output from the DHCP server, configured as a NPS proxy:

    Connection request policy configuration:
    ---------------------------------------------------------
    Name             = NAP DHCP
    State            = Enabled
    Processing order = 1
    Policy source    = 3

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:0
    0; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Acct-Provider-Name                      0x102b      "NAP"
    Acct-Provider-Type                      0x102a      "0x2"
    Auth-Provider-Name                      0x1029      "NAP"
    Auth-Provider-Type                      0x1025      "0x2"

    Connection request policy configuration:
    ---------------------------------------------------------
    Name             = Windows Auth
    State            = Enabled
    Processing order = 2
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:0
    0; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Acct-Provider-Name                      0x102b      "NAP"
    Acct-Provider-Type                      0x102a      "0x2"
    Auth-Provider-Name                      0x1029      "NAP"
    Auth-Provider-Type                      0x1025      "0x2"

    Event log configuration:
    ---------------------------------------------------------
    Accepted authentication requests = Enabled
    Rejected authentication requests = Enabled

    File log configuration:
    ---------------------------------------------------------
    Accounting                     = Enabled
    Authentication                 = Enabled
    Periodic accounting status     = Enabled
    Periodic authentication status = Enabled
    Directory                      = C:\Windows\system32\LogFiles
    Format                         = ODBC formatting
    Delete old logs                = Enabled
    Frequency                      = Daily logs
    Max size                       = 10 MB

    Ports configuration:
    ---------------------------------------------------------
    Accounting ports     = 1813,1646
    Authentication ports = 1812,1645

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Connections to other access servers
    State            = Enabled
    Processing order = 2
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:0
    0; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "FALSE"
    NP-Authentication-Type                  0x1009      "0x3" "0x4" "0x9" "0xa"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Connections to Microsoft Routing and Remote Access server
    State            = Enabled
    Processing order = 1
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1033      "^311$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "FALSE"
    NP-Allowed-EAP-Type                     0x100a      "0D0000000000000000000000000
    00000"
    NP-Authentication-Type                  0x1009      "0x5" "0x4" "0xa" "0x3" "0x9
    "
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    MS-Filter                               0x102f

            ===============================================================
            IPFILTER_IPV4INFILTER   Action: DENY
            ---------------------------------------------------------------
            Address . . . . . : 0.0.0.0
            Mask. . . . . . . : 0.0.0.0
            Protocol. . . . . : 0
            Source Port . . . : 0
            Destination Port. : 0
            ---------------------------------------------------------------

    MS-MPPE-Encryption-Policy               0xffffffa7  "0x2"
    MS-MPPE-Encryption-Types                0xffffffa6  "0xe"

    Server registration:
    ---------------------------------------------------------
    Status = Un-registered

    Remote server configuration:
    ---------------------------------------------------------
    Group                        = NAP
    Address                      = 155.x.x.82
    Accounting port              = 1813
    Authentication port          = 1812
    Accounting shared secret     =
    Authentication shared secret = 1234
    Require auth attrib          = No
    Priority                     = 1
    Weight                       = 50
    Timeout                      = 3 seconds
    Max dropped                  = 20
    Blackout                     = 30 seconds
    Notifications                = Yes

    Remote server configuration:
    ---------------------------------------------------------
    Group                        = NAP
    Address                      = 155.x.x.83
    Accounting port              = 1813
    Authentication port          = 1812
    Accounting shared secret     =
    Authentication shared secret = 1234
    Require auth attrib          = No
    Priority                     = 1
    Weight                       = 50
    Timeout                      = 3 seconds
    Max dropped                  = 5
    Blackout                     = 30 seconds
    Notifications                = Yes

    SHV configuration:
    ---------------------------------------------------------
    Id                             = 79744
    Name                           = Windows Security Health Validator

    Vendor                         = Microsoft Corporation

    Description                    = The Windows Security Health Validator defines t
    he policy that client computers must be compliant with.

    Version                        = 1.0

    Policy server unreachable      = Noncompliant
    Remediation server unreachable = Noncompliant
    System Health Agent failure    = Noncompliant
    NAP server failure             = Noncompliant
    Other errors                   = Noncompliant

    SQL log configuration:
    ---------------------------------------------------------
    Connection                     =
    Description                    =
    Accounting                     = Enabled
    Authentication                 = Enabled
    Periodic accounting status     = Enabled
    Periodic authentication status = Enabled
    Max sessions                   = 2

    Ok.


    Thx
    Gavin

    Thursday, August 7, 2008 11:52 AM
  • Hi Greg

    This is what I picked up on the NPS Proxy:

    Event ID: 36
    The remote RADIUS server 155.x.x.82 has not responded to 3 consecutive requests. The server has been marked as unavailable.

    I ran netmon and captured RADIUS packets being passed between the two servers? So it doesn't appear to be a network problem.

    Thx
    Gavin
    Thursday, August 7, 2008 1:06 PM
  • Hi Gavin,

    Please let me know if you are still having problems with the setup.

    -Greg
    Sunday, August 17, 2008 2:39 AM
  • Hi Greg

    I have moved the NAP role onto the DHCP cluster and NAP now works.

    There are two DHCP helpers that are configured on the LAN switches that I suspect are interfering somehow with the traffic between the NAP and DHCP servers?

    This implementation is a pilot deployment in the live environment, so when the client decides to cut over to the new infrastructure we will remove the DHCP helpers and see if that solves it.

    Thx for your help
    Gavin
    Wednesday, August 20, 2008 11:29 AM