DHCP NAP Problem (Remediation)

Question
-
Hi All
We are having a problem in production with a DHCP NAP implementation (worked in LAB?).
The Infrastructure is as follows:
Server 2008 DHCP Cluster (Also running NPS as RADIUS Proxy)
2 x NPS Servers
We have configured the DHCP cluster as a RADIUS Client and supplied a shared secret. NPS has been installed on each Node and been configured to Proxy all requests (DHCP) to the remote RADIUS group.
What we see in the NPS logs is that the requests are received from the RADIUS client, the DHCP request is matched to the NAP Non-Compliant policy, but the client is not remediated?
It appears as if the request gets to the DHCP, is forwarded onto NPS, processed with the SoH, NPS replies with the client's status, but DHCP never gets a reply... and therefore gives a non-compliant client an IP. If we set the DHCP to restrict clients if NPS validation fails, clients are restricted, confirming our suspicion.
We thought that the DHCP cluster may possibly not support NAP, so we installed DHCP locally on the NPS server with the same results?
Clients do not receive any pop-ups...
Any thoughts/help?
Thanks
Gavin
- Changed type by Greg Lindsay (Microsoft employee) Monday, August 4, 2008 7:10 PM: This is a question
Thursday, July 31, 2008 9:49 AM
Answers
-
Hi Gavin,
I think you are headed in the right direction troubleshooting by looking at the event log on the proxy, but you should also examine events on the other server. Look for event 6274 I believe. It should say that NPS discarded the request and provide a reason. Do you see this event? If so, what is the reason?
If you don't see any events on the NPS that is providing authorization, then there is a communication problem between the proxy and NPS or the RADIUS client and remote RADIUS server group configurations are not quite right.
-Greg
- Proposed as answer by Greg Lindsay (Microsoft employee) Tuesday, August 12, 2008 9:17 AM
- Marked as answer by Greg Lindsay (Microsoft employee) Sunday, August 17, 2008 2:39 AM
Tuesday, August 12, 2008 9:16 AM
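Greg's answer separates two cases: the authorizing NPS discards the request (event 6274 with a reason), or the proxy never receives a reply it will accept. Gavin's later post shows the second symptom (Event ID 36 on the proxy while netmon sees RADIUS packets in both directions). The Python program below is an added example, not code from the thread or from Microsoft, that models the proxy-to-remote-server leg as RFC 2865 defines it: the remote server computes the Response Authenticator with the secret in its RADIUS client entry, and the proxy recomputes it with the secret in its remote RADIUS server group entry and silently discards any reply that does not verify. A reply the proxy discards looks exactly like no reply to its availability logic. The attributes, the secrets, the NAS address 10.0.0.144 and the three-consecutive-failures threshold (taken from the Event 36 text quoted in the thread) are constructed for the example; a secret mismatch is one configuration error that fits the symptom, not the thread's finding, which Gavin later attributed to the DHCP helpers on the switches.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and a few standard attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 4, 6


def encode_attrs(attrs):
    """Encode a list of (type, value_bytes) pairs as RADIUS TLV attributes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for one RADIUS attribute")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def build_access_request(identifier, attrs, request_authenticator=None):
    """Access-Request: code, id, length, 16-byte random Request Authenticator, attributes."""
    auth = request_authenticator or os.urandom(16)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + auth + body


def build_response(code, request, attrs, secret):
    """Answer `request` as the remote server does. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    response_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + response_auth + body


def response_is_valid(response, request, secret):
    """The proxy's check before it counts a reply as received: same identifier,
    consistent length, and a Response Authenticator that verifies under the
    secret the proxy holds for that remote server. Anything else is silently
    discarded, as RFC 2865 section 3 requires."""
    if len(response) < 20:
        return False
    header, response_auth, body = response[:4], response[4:20], response[20:]
    (length,) = struct.unpack("!H", header[2:4])
    if length != len(response) or header[1] != request[1]:
        return False
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def simulate_proxy_exchange(group_secret, remote_secret, rounds=3, threshold=3):
    """Constructed simulation of the proxy <-> remote NPS leg.
    group_secret:  secret in the proxy's remote RADIUS server group entry.
    remote_secret: secret in the remote server's RADIUS client entry for the proxy.
    Returns (replies_accepted, replies_discarded, remote_marked_unavailable)."""
    accepted = discarded = consecutive_misses = 0
    unavailable = False
    for identifier in range(rounds):
        # Constructed attributes; 10.0.0.144 is a placeholder NAS address, not the thread's.
        request = build_access_request(identifier, [
            (USER_NAME, b"host/client01.corp.example"),
            (NAS_IP_ADDRESS, socket.inet_aton("10.0.0.144")),
        ])
        # The remote NPS signs its reply with the secret it holds for this client.
        reply = build_response(ACCESS_ACCEPT, request,
                               [(SERVICE_TYPE, struct.pack("!I", 2))], remote_secret)
        # The proxy verifies the reply with the secret from its remote server group.
        if response_is_valid(reply, request, group_secret):
            accepted += 1
            consecutive_misses = 0
        else:
            discarded += 1
            consecutive_misses += 1
            # Mirrors the "has not responded to 3 consecutive requests" condition
            # in the Event ID 36 text quoted in the thread.
            if consecutive_misses >= threshold:
                unavailable = True
    return accepted, discarded, unavailable


if __name__ == "__main__":
    print("matching secrets:  ", simulate_proxy_exchange(b"s3cret-A", b"s3cret-A"))
    print("mismatched secrets:", simulate_proxy_exchange(b"s3cret-A", b"s3cret-B"))
```

With matching secrets every reply verifies; with mismatched secrets every reply is discarded and the remote server is marked unavailable after three requests even though a packet capture shows the Access-Accept arriving. Run against a real capture, the same `response_is_valid` check (with the request's authenticator and the group secret) tells a secret mismatch apart from a genuinely missing reply, which is what distinguishes Greg's "communication problem" from his "configurations are not quite right".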
All replies
-
Hi Gavin,
Do you see an event on NPS that access was granted and the client matched the non-compliant policy? If so, then you have set NAP enforcement in your non-compliant policy to grant full access. This type of configuration is called reporting mode, and there are no NAP notifications. Notifications will occur if you set non-compliant policy to restrict access at a specified time, or to restrict access immediately.
To enable remediation, confirm that you have checked this option in your non-compliant policy. If you have further questions, please provide the output of "netsh nps show config" so we can examine the NPS policy configuration.
Thanks,
-Greg
- Edited by Greg Lindsay (Microsoft employee) Monday, August 4, 2008 4:29 AM: detail
- Proposed as answer by Greg Lindsay (Microsoft employee) Monday, August 4, 2008 7:11 PM
- Unproposed as answer by Gvniekerk Thursday, August 7, 2008 11:53 AM
Monday, August 4, 2008 4:28 AM
-
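Greg's reply asks for `netsh nps show config` output so the enforcement setting of the non-compliant policy can be checked. The Python script below is an added example, not code from the thread or from Microsoft, that parses the `Network policy configuration` and `Health policy configuration` sections of that output and flags a network policy that matches a "must fail" health policy yet still grants full access, which is the reporting-mode condition Greg describes (no restriction, no client notifications). It reads the MS-Quarantine-State profile attribute, whose values 0x0, 0x1 and 0x2 mean full access, quarantine and probation as defined for the MS-RNAP attribute, and the Quarantine-Fixup-Servers-Configuration attribute for the remediation server group. The sample input is constructed in the netsh layout for the example, not copied from Gavin's servers.

```python
import re

# Constructed sample in the layout of `netsh nps show config`. The rule lines and
# "Name Id Value" headers are shown once; the parser skips them wherever they occur.
SAMPLE_NETSH = """\
Network policy configuration:
---------------------------------------------------------
Name = NAP DHCP Compliant
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1fbd "NAP DHCP Compliant"
Profile attributes:
Name Id Value
---------------------------------------------------------
MS-Quarantine-State 0x1faf "0x0"
Network policy configuration:
Name = NAP DHCP Noncompliant
Condition attributes:
Condition0 0x1fbd "NAP DHCP Noncompliant"
Profile attributes:
Quarantine-Fixup-Servers-Configuration 0x1fc2 "NAP"
MS-Quarantine-State 0x1faf "0x1"
Network policy configuration:
Name = NAP DHCP Noncompliant (pilot)
Condition attributes:
Condition0 0x1fbd "NAP DHCP Noncompliant"
Profile attributes:
MS-Quarantine-State 0x1faf "0x0"
Health policy configuration:
Name = NAP DHCP Compliant
Configuration = All must pass
Health policy configuration:
Name = NAP DHCP Noncompliant
Configuration = One or more must fail
"""

ATTR_TABLES = ("Condition attributes:", "Profile attributes:")
ATTR_RE = re.compile(r'^(\S+)\s+(0x[0-9a-fA-F]+)\s+"(.*)"$')   # Name Id "Value"
# MS-Quarantine-State values as defined for the MS-RNAP vendor attribute.
QUARANTINE_STATE = {"0x0": "full access", "0x1": "quarantine", "0x2": "probation"}


def parse_sections(text):
    """Split netsh nps output into sections: {'title', 'fields', 'Condition', 'Profile'}."""
    sections, current, table = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-", "="}:
            continue                                   # blank or rule line
        if line.endswith(":") and line not in ATTR_TABLES:
            title = line[:-1]                          # e.g. "Network policy configuration"
            if title.endswith(" configuration"):
                title = title[: -len(" configuration")]
            current = {"title": title, "fields": {}, "Condition": {}, "Profile": {}}
            sections.append(current)
            table = None
            continue
        if current is None or line == "Name Id Value":
            continue
        if line in ATTR_TABLES:
            table = line.split()[0]                    # switch to Condition/Profile table
            continue
        match = ATTR_RE.match(line) if table else None
        if match:
            current[table][match.group(1)] = match.group(3)
        elif " = " in line:
            key, value = line.split(" = ", 1)
            current["fields"][key.strip()] = value.strip()
    return sections


def nap_enforcement_report(text):
    """One row per network policy: enforcement mode, matched health policy,
    remediation server group, and a warning when a policy that matches a
    'must fail' health policy still grants full access (reporting mode)."""
    sections = parse_sections(text)
    health = {s["fields"].get("Name"): s["fields"].get("Configuration", "")
              for s in sections if s["title"] == "Health policy"}
    report = []
    for s in sections:
        if s["title"] != "Network policy":
            continue
        mode = QUARANTINE_STATE.get(s["Profile"].get("MS-Quarantine-State"), "not set")
        health_policy = s["Condition"].get("Condition0")
        matches_noncompliant = "fail" in health.get(health_policy, "").lower()
        report.append({
            "policy": s["fields"].get("Name"),
            "enforcement": mode,
            "health_policy": health_policy,
            "remediation_group": s["Profile"].get("Quarantine-Fixup-Servers-Configuration"),
            "reporting_mode_warning": matches_noncompliant and mode == "full access",
        })
    return report


if __name__ == "__main__":
    for row in nap_enforcement_report(SAMPLE_NETSH):
        print(row)
```

On the constructed sample the third policy is flagged: it matches the "One or more must fail" health policy but carries MS-Quarantine-State 0x0, so a non-compliant client would be granted full access and never see a remediation notification. The Condition0 lookup only keys on the health-policy name, so a policy whose condition is a NAP-capable match (id 0x1fbb) is reported without a warning.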
Hi Greg
Sorry for only replying now, was at Tech-Ed :)
Both the non-compliant and non-capable policies are set to restrict. I do not see any events for NAP, what is the event ID I should be looking for?
Here is the netsh output:
Client configuration:
---------------------------------------------------------
Name = DHCP
Address = 155.x.x.144
State = Enabled
Shared secret = 1234
Require auth attrib = No
NAP capable = Yes
Vendor = RADIUS Standard

Client configuration:
---------------------------------------------------------
Name = DHCP Clust
Address = 155.x.x.146
State = Enabled
Shared secret = 1234
Require auth attrib = No
NAP capable = Yes
Vendor = RADIUS Standard

Connection request policy configuration:
---------------------------------------------------------
Name = NAP DHCP
State = Enabled
Processing order = 1
Policy source = 3
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1006 "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"
Profile attributes:
Name Id Value
---------------------------------------------------------
Auth-Provider-Type 0x1025 "0x1"
Override-RAP-Auth 0x1fb0 "FALSE"

Event log configuration:
---------------------------------------------------------
Accepted authentication requests = Enabled
Rejected authentication requests = Enabled

File log configuration:
---------------------------------------------------------
Accounting = Enabled
Authentication = Enabled
Periodic accounting status = Enabled
Periodic authentication status = Enabled
Directory = C:\Windows\system32\LogFiles
Format = ODBC formatting
Delete old logs = Enabled
Frequency = Daily logs
Max size = 10 MB

Ports configuration:
---------------------------------------------------------
Accounting ports = 1813,1646
Authentication ports = 1812,1645

Network policy configuration:
---------------------------------------------------------
Name = NAP DHCP Compliant
State = Enabled
Processing order = 1
Policy source = 3
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1fbd "NAP DHCP Compliant"
Profile attributes:
Name Id Value
---------------------------------------------------------
Ignore-User-Dialin-Properties 0x1005 "TRUE"
NP-Allow-Dial-in 0x100f "TRUE"
NP-Authentication-Type 0x1009 "0x7"
MS-Quarantine-State 0x1faf "0x0"
Quarantine-Update-Non-Compliant 0x1fc8 "TRUE"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"
Saved-Machine-HealthCheck-Only 0x1fdc "0x2"

Network policy configuration:
---------------------------------------------------------
Name = NAP DHCP Noncompliant
State = Enabled
Processing order = 2
Policy source = 3
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1fbd "NAP DHCP Noncompliant"
Profile attributes:
Name Id Value
---------------------------------------------------------
Ignore-User-Dialin-Properties 0x1005 "TRUE"
NP-Allow-Dial-in 0x100f "TRUE"
NP-Authentication-Type 0x1009 "0x7"
Quarantine-Fixup-Servers-Configuration 0x1fc2 "NAP"
MS-Quarantine-State 0x1faf "0x1"
Quarantine-Update-Non-Compliant 0x1fc8 "TRUE"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"

Network policy configuration:
---------------------------------------------------------
Name = NAP DHCP Non NAP-Capable
State = Enabled
Processing order = 3
Policy source = 3
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1fbb "^1$"
Profile attributes:
Name Id Value
---------------------------------------------------------
Ignore-User-Dialin-Properties 0x1005 "TRUE"
NP-Allow-Dial-in 0x100f "TRUE"
NP-Authentication-Type 0x1009 "0x7"
Quarantine-Fixup-Servers-Configuration 0x1fc2 "NAP"
MS-Quarantine-State 0x1faf "0x1"
Quarantine-Update-Non-Compliant 0x1fc8 "TRUE"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"

Server registration:
---------------------------------------------------------
Status = Registered

Remediation server configuration:
---------------------------------------------------------
Group = NAP
Address = 155.x.x.82
Name = DNS 01

SHV configuration:
---------------------------------------------------------
Id = 79744
Name = Windows Security Health Validator
Vendor = Microsoft Corporation
Description = The Windows Security Health Validator defines the policy that client computers must be compliant with.
Version = 1.0
Policy server unreachable = Noncompliant
Remediation server unreachable = Noncompliant
System Health Agent failure = Noncompliant
NAP server failure = Noncompliant
Other errors = Noncompliant

Health policy configuration:
---------------------------------------------------------
Name = NAP DHCP Compliant
Configuration = All must pass
Id = 79744

Health policy configuration:
---------------------------------------------------------
Name = NAP DHCP Noncompliant
Configuration = One or more must fail
Id = 79744

SQL log configuration:
---------------------------------------------------------
Connection = Provider=SQLOLEDB;Persist Security Info=False;User ID=sa;Initial Catalog=NAPDB;Data Source=SQL001\SQL001;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=NAP001;Use Encryption for Data=False;Tag with column collation when possible=False
Description = SQL001\SQL001
Accounting = Enabled
Authentication = Enabled
Periodic accounting status = Enabled
Periodic authentication status = Enabled
Max sessions = 2
Ok.
Thx
Gavin
Thursday, August 7, 2008 8:14 AM
-
Hi Greg
Here is the output from the DHCP server, configured as a NPS proxy:
Connection request policy configuration:
---------------------------------------------------------
Name = NAP DHCP
State = Enabled
Processing order = 1
Policy source = 3
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1006 "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"
Profile attributes:
Name Id Value
---------------------------------------------------------
Acct-Provider-Name 0x102b "NAP"
Acct-Provider-Type 0x102a "0x2"
Auth-Provider-Name 0x1029 "NAP"
Auth-Provider-Type 0x1025 "0x2"

Connection request policy configuration:
---------------------------------------------------------
Name = Windows Auth
State = Enabled
Processing order = 2
Policy source = 0
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1006 "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"
Profile attributes:
Name Id Value
---------------------------------------------------------
Acct-Provider-Name 0x102b "NAP"
Acct-Provider-Type 0x102a "0x2"
Auth-Provider-Name 0x1029 "NAP"
Auth-Provider-Type 0x1025 "0x2"

Event log configuration:
---------------------------------------------------------
Accepted authentication requests = Enabled
Rejected authentication requests = Enabled

File log configuration:
---------------------------------------------------------
Accounting = Enabled
Authentication = Enabled
Periodic accounting status = Enabled
Periodic authentication status = Enabled
Directory = C:\Windows\system32\LogFiles
Format = ODBC formatting
Delete old logs = Enabled
Frequency = Daily logs
Max size = 10 MB

Ports configuration:
---------------------------------------------------------
Accounting ports = 1813,1646
Authentication ports = 1812,1645

Network policy configuration:
---------------------------------------------------------
Name = Connections to other access servers
State = Enabled
Processing order = 2
Policy source = 0
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1006 "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"
Profile attributes:
Name Id Value
---------------------------------------------------------
NP-Allow-Dial-in 0x100f "FALSE"
NP-Authentication-Type 0x1009 "0x3" "0x4" "0x9" "0xa"
Quarantine-Update-Non-Compliant 0x1fc8 "TRUE"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"

Network policy configuration:
---------------------------------------------------------
Name = Connections to Microsoft Routing and Remote Access server
State = Enabled
Processing order = 1
Policy source = 0
Condition attributes:
Name Id Value
---------------------------------------------------------
Condition0 0x1033 "^311$"
Profile attributes:
Name Id Value
---------------------------------------------------------
NP-Allow-Dial-in 0x100f "FALSE"
NP-Allowed-EAP-Type 0x100a "0D000000000000000000000000000000"
NP-Authentication-Type 0x1009 "0x5" "0x4" "0xa" "0x3" "0x9"
Quarantine-Update-Non-Compliant 0x1fc8 "TRUE"
Framed-Protocol 0x7 "0x1"
Service-Type 0x6 "0x2"
MS-Filter 0x102f
===============================================================
IPFILTER_IPV4INFILTER Action: DENY
---------------------------------------------------------------
Address . . . . . : 0.0.0.0
Mask. . . . . . . : 0.0.0.0
Protocol. . . . . : 0
Source Port . . . : 0
Destination Port. : 0
---------------------------------------------------------------
MS-MPPE-Encryption-Policy 0xffffffa7 "0x2"
MS-MPPE-Encryption-Types 0xffffffa6 "0xe"

Server registration:
---------------------------------------------------------
Status = Un-registered

Remote server configuration:
---------------------------------------------------------
Group = NAP
Address = 155.x.x.82
Accounting port = 1813
Authentication port = 1812
Accounting shared secret =
Authentication shared secret = 1234
Require auth attrib = No
Priority = 1
Weight = 50
Timeout = 3 seconds
Max dropped = 20
Blackout = 30 seconds
Notifications = Yes

Remote server configuration:
---------------------------------------------------------
Group = NAP
Address = 155.x.x.83
Accounting port = 1813
Authentication port = 1812
Accounting shared secret =
Authentication shared secret = 1234
Require auth attrib = No
Priority = 1
Weight = 50
Timeout = 3 seconds
Max dropped = 5
Blackout = 30 seconds
Notifications = Yes

SHV configuration:
---------------------------------------------------------
Id = 79744
Name = Windows Security Health Validator
Vendor = Microsoft Corporation
Description = The Windows Security Health Validator defines the policy that client computers must be compliant with.
Version = 1.0
Policy server unreachable = Noncompliant
Remediation server unreachable = Noncompliant
System Health Agent failure = Noncompliant
NAP server failure = Noncompliant
Other errors = Noncompliant

SQL log configuration:
---------------------------------------------------------
Connection =
Description =
Accounting = Enabled
Authentication = Enabled
Periodic accounting status = Enabled
Periodic authentication status = Enabled
Max sessions = 2
Ok.
Thx
Gavin
Thursday, August 7, 2008 11:52 AM
-
Hi Greg
This is what I picked up on the NPS Proxy:
Event ID: 36
The remote RADIUS server 155.x.x.82 has not responded to 3 consecutive requests. The server has been marked as unavailable.
I ran netmon and captured RADIUS packets being passed between the two servers? So it doesn't appear to be a network problem.
Thx
Gavin
Thursday, August 7, 2008 1:06 PM
-
Hi Gavin,
Please let me know if you are still having problems with the setup.
-Greg
Sunday, August 17, 2008 2:39 AM
-
Hi Greg
I have moved the NAP role onto the DHCP cluster and NAP now works.
There are two DHCP helpers that are configured on the LAN switches that I suspect are interfering somehow with the traffic between the NAP and DHCP servers?
This implementation is a pilot deployment in the live environment, so when the client decides to cut over to the new infrastructure we will remove the DHCP helpers and see if that solves it.
Thx for your help
Gavin
Wednesday, August 20, 2008 11:29 AM