Unknown Machines and NAP

  • Question

  • Hi all,

    The company I work for is having a major network upgrade including the replacement of all edge and core switches.  Part of this upgrade will be the introduction of NAP.  We have just had two new 2012 r2 servers installed running NAP.

    During our last meeting it was mentioned that only computers with an AD computer account will be allowed onto the network.  I'm not a network engineer, but look after the SCCM solution we have.

    We would like to pay our hardware vendor to bring new PCs to site and install them on the users' desks.  They can provide us with a text file containing the computer's name in our company format and the machine's MAC address (eg PC123562*43:f3:00:e1:f3).  The local hard disks are blank and the BIOS is set to 1st boot PXE.

    Currently on the old network, when a brand new machine connects to the network we press F12 to PXE boot.  SCCM has a task sequence deployed to the unknown machines collection and with a combination of UDI, VBS scripts and TS variables is able to determine where the machine is physically, what model it is, and deploys the WIM file, drivers, packages and updates.  This is working fantastically for us.

    So, my question...

    Once we have the new network in place and NAP, unknown machines won't be allowed onto the network as NAP won't have a record of it in AD.  How then do we go about being able to PXE boot machines and deploy images to them?

    Has anyone else been able to successfully deploy images to the unknown machines collection in a NAP environment?

    Can the NAP server have a rule against SCCM objects?  We could import the new machines into the SCCM database which the NAP server could reference?

    I'm still waiting for the new engineer to come back to me with models of switches and how they are using those in conjunction with the new 2012 NAP servers.  My feeling is they are using an NPS profile set to "if machine object does not exist in AD, do not obtain an IP from DHCP".

    Thanks,

    Glen.


    Tuesday, November 4, 2014 3:05 PM


All replies

  • Create an OSD Collection and deploy your task sequences to it. Import the new computers using their MAC addresses and add them to this collection. Then your F12 deployments will work as normal.

    (To get around any DHCP addressing restrictions imposed by NAP you could add a static IP address for the duration of the build. Once the computer joins the domain you could run a netsh command to change this back to dynamic).



    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson



    Tuesday, November 4, 2014 3:13 PM
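    As an added illustration of the "static IP for the duration of the build, then netsh back to dynamic" idea above (example code written for this page, not Gerry's own): a small script meant to run as a task sequence step after the domain join. It assumes the build-time address is passed in as -StaticAddress (the value below is constructed), that the adapter to revert is the one currently holding that address, and that the full OS (not WinPE) is running, so Get-NetIPAddress is available.

    ```powershell
    # Added example (not from the thread): revert a build-time static address to DHCP
    # after the domain join, using the netsh commands the post refers to.
    # Assumption: the adapter to revert is the one that currently holds the build
    # address passed in -StaticAddress (constructed sample value below).

    param(
        [string]$StaticAddress = "10.0.50.25",   # constructed build-time address, not from the thread
        [string]$LogPath = "$env:SystemRoot\Temp\RevertToDhcp.log"
    )

    function Get-AdapterAliasByAddress {
        param([string]$Address)
        # Find the interface whose IPv4 address matches the static build address.
        $match = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress -eq $Address }
        if (-not $match) { return $null }
        return $match.InterfaceAlias
    }

    function Set-AdapterToDhcp {
        param([string]$Alias)
        # netsh reverts both the address and the DNS server list to DHCP-assigned;
        # reverting only the address would leave the build-time DNS servers in place.
        & netsh.exe interface ipv4 set address name="$Alias" source=dhcp | Out-Null
        $rc = $LASTEXITCODE
        & netsh.exe interface ipv4 set dnsservers name="$Alias" source=dhcp | Out-Null
        if ($LASTEXITCODE -ne 0) { $rc = $LASTEXITCODE }
        return $rc
    }

    $alias = Get-AdapterAliasByAddress -Address $StaticAddress
    if (-not $alias) {
        "$(Get-Date -Format s) no adapter holds $StaticAddress; nothing to revert" | Out-File -Append $LogPath
        exit 0
    }
    $rc = Set-AdapterToDhcp -Alias $alias
    "$(Get-Date -Format s) adapter '$alias' reverted to DHCP (netsh rc=$rc)" | Out-File -Append $LogPath
    exit $rc
    ```

    The script looks the adapter up by the address it was given rather than by a fixed alias such as "Ethernet", because the alias differs between models. The build-time addresses need to be excluded from the DHCP scope (or reserved) so that a machine still mid-build cannot collide with a lease handed out to another client.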
  • Thanks, but I'm not sure your solution would work

    As soon as the machine boots to PXE, it needs to find a DHCP server in order to then find the SCCM task sequence.  The machine is unable to get an IP as it is rejected by the NPS policy (machine not in AD).

    I did think about having an NPS policy for unknown machines putting them on a separate VLAN but thought maybe NPS and SCCM could work together a bit better.

    Tuesday, November 4, 2014 3:25 PM
  • I understand that. I already added a possible solution above.

    To get around any DHCP addressing restrictions imposed by NAP you could add a static IP address for the duration of the build. Once the computer joins the domain you could run a netsh command to change this back to dynamic. You would configure IP Helpers so that the computer can find the ConfigMgr server.

    "Configure Network Settings" to add static IP address



    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson


    Tuesday, November 4, 2014 3:36 PM
  • Forgive my ignorance, how am I able to set an IP address?

    The hardware vendor will be dropping the machines on to users' desks, pressing the power button and walking away.

    I have seen options in SCCM for 802.1x wired authentication, so there must be a 'best practice' way.
    Tuesday, November 4, 2014 3:39 PM
  • Screenshot above


    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

    Tuesday, November 4, 2014 3:40 PM
  • Screenshot above


    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

    Sorry, I must be sounding really stupid.  How will the task sequence run if PXE can't get an IP address?
    Tuesday, November 4, 2014 3:43 PM
  • Create boot media rather than use PXE

    Cheers

    Paul | sccmentor.wordpress.com

    Tuesday, November 4, 2014 3:51 PM
  • Create boot media rather than use PXE

    Cheers

    Paul | sccmentor.wordpress.com

    Sorry, that's not really what we want

    The hardware vendor is going to press the power button and walk away.  They have no IT skills, and we don't want them having any knowledge about our environment.  Think of them like delivery men.  If we have 100 new machines to deploy, in your solution someone would have to have 100 USB disks, boot each machine up and configure 100 network settings.  Then we would have to scope off 100 IP addresses to avoid IP conflicts.

    This has to be PXE.

    If NPS doesn't have the ability to reference SCCM, what about the VLAN option I mentioned?

    Don't really want the headache of AMT if I can help it.  Someone must have done this before :-)

    Tuesday, November 4, 2014 3:54 PM
  • Add the PXE enabled DP to the NPS Remediation Server Group. I've never had to do this but in theory it should work. NPS should not allow the computer to get an IP address but it should redirect it to contact the DP (in the same way that you would re-direct to an AV server for example). You'd have to test this.



    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson


    • Edited by Gerry Hampson MVP Tuesday, November 4, 2014 4:11 PM
    • Proposed as answer by Joyce L Tuesday, November 11, 2014 8:52 AM
    • Marked as answer by Garth Jones MVP Friday, February 5, 2016 5:19 PM
    Tuesday, November 4, 2014 4:09 PM
  • Also note that with Server 2012 R2 NAP is deprecated.

    http://windowsitpro.com/blog/what-s-happening-network-access-protection


    Cheers

    Paul | sccmentor.wordpress.com

    Tuesday, November 4, 2014 4:14 PM
  • Add the PXE enabled DP to the NPS Remediation Server Group. I've never had to do this but in theory it should work. NPS should not allow the computer to get an IP address but it should redirect it to contact the DP.


    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

    Thanks Gerry, I shall look into that, but I think it's gonna need an IP.

    I'm starting to think I basically have two options (unless I'm missing something).  Create a new VLAN for un-authenticated machines and stick them in there whilst they are imaged, or go down the Intel AMT route.

    Neither option is ideal to be honest.  There are times where we have to image quite old machines (no AMT technology onboard) which will be unknown to both SCCM and NPS.  The VLAN option isn't great either as we are opening ourselves up and having to mess around bringing new servers online for this "safe area".

    The best way would be to create an NPS policy saying something like "if machine exists in SCCM All Systems collection, allow LAN access".


    Tuesday, November 4, 2014 4:16 PM
  • Also note that with Server 2012 R2 NAP is deprecated.

    http://windowsitpro.com/blog/what-s-happening-network-access-protection


    Cheers

    Paul | sccmentor.wordpress.com

    Thanks Paul.

    I think it is NPS we are using.

    Tuesday, November 4, 2014 4:19 PM
  • First note that NAP = NPS (two different names for the same solution set in Windows). It's a deprecated solution as pointed out and will most likely not exist in future versions of Windows Server.

    Next, what method of enforcement is being used? DHCP, 802.1x, or IPSEC?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Proposed as answer by Joyce L Friday, November 7, 2014 1:14 AM
    • Marked as answer by Garth Jones MVP Friday, February 5, 2016 5:19 PM
    Tuesday, November 4, 2014 5:01 PM
  • 802.1x is currently being used.

    I've spent today thinking about ways around this, and may have come up with a simple yet effective solution, so I am posting it here in case anyone runs into a similar issue.

    For unknown computers coming into our network, we may use the wdsutil.exe command to prestage their computer object into AD, before they even boot up for the first time.

    NPS should then allow them access to DHCP in order to PXE.

    Obviously I will have to make sure they are assigned to a collection in SCCM, and move our task sequence from the unknown computer collection to the new one.

    If anyone has prestaged an object into AD for SCCM before, is it best to use the MAC or GUID?

    Hopefully this 'should' all work (theory sounds good to me anyway lol).


    Friday, November 7, 2014 3:50 PM
  • If you are using 802.1x, then it has nothing to do with DHCP or AD. 802.1x controls the actual switch port the device is connected to. If the device is not authenticated after initially connecting to the switch itself (and in the case of NAP, passing the health check since it's really the NAP/RADIUS server telling the switch whether to enable or disable the port), then the switch port is disabled.

    WinPE 5.0 does support 802.1x but I can't find any definitive articles (in some limited web searching) on configuring it. You may be able to find something with more extensive web searching.

    Also note that I doubt that WinPE has a NAP client built into it so you will have to exclude it from your health policies.

    What many folks end up doing with 802.1x in place is having a build network where 802.1x is not enforced.

    The use of MAC or SMBIOS GUID is irrelevant technically (for the most part); however, finding the MAC address is usually a lot easier and they are much shorter to type in and are thus generally preferred.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Friday, November 7, 2014 3:59 PM
  • Thanks Jason,

    I'm really not sure what the network team has put in place (still waiting for documents to come through), but I know it all ends up being controlled via a policy on our NPS server which checks if the machine is a member of the "domain computers" group.

    If I take a brand new laptop (straight out of the box) and plug it into an outlet on the new network it doesn't get an IP address.  If I then move it back to the old network, join it to the domain, then move it back to the new network again, it does.


    Friday, November 7, 2014 4:04 PM
  • OK, then your 802.1x enforcement sounds like it is entirely based on AD membership of the system.

    WinPE is not and cannot be a member of the domain so that won't work for OSD. You'll need to find some way of excluding WinPE from that health policy or creating a new one that only applies to WinPE systems. It's been a while since I've implemented NAP so I don't know what all of the possibilities are though. You'll probably have to get with them and discuss what can be done as ultimately this is a NAP issue. You should try posting on a Win security forum and ask them how to exclude and create a WinPE specific health policy.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Proposed as answer by Joyce L Monday, November 10, 2014 8:13 AM
    • Marked as answer by Garth Jones MVP Friday, February 5, 2016 5:19 PM
    Friday, November 7, 2014 4:19 PM
  • Thanks,

    Getting hold of those guys is easier said than done.

    Would my method of prestaging them in AD not work?  At least that way, only known computers we trust can PXE boot.  It wouldn't be any extra work for us to do either, as the vendor is supplying us with all the info.

    Friday, November 7, 2014 4:22 PM
  • I doubt NAP would respect that because pre-staging is simply a record in AD connected to nothing. There is no way to associate the target system booted into WinPE to that record.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Friday, November 7, 2014 4:24 PM
  • You can assign the MAC to the computer record though, using wdsutil.

    I know SCCM will work with pre-staged objects, but not sure about NPS allowing it through in the first instance.

    http://www.windows-noob.com/forums/index.php?/topic/506-how-can-i-prestage-a-computer-for-wds/

    Friday, November 7, 2014 4:32 PM
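    To make the prestaging idea from the two posts above concrete (added example, not the poster's own script and not from the linked article): a script that reads the vendor's text file in the "<name>*<mac>" format described in the original question and creates one pre-staged computer object per line with wdsutil /Add-Device, which records the MAC in the object's netbootGUID attribute. Assumed, and not from the thread: the company naming pattern PC followed by six digits, the placeholder domain and OU, the constructed sample MAC in the comment (the thread's own sample is truncated), and that the WDS tools are installed where this runs. As Jason notes further down, the pre-staged record alone does not let a WinPE session authenticate on an 802.1x port, so this only covers the AD side of the problem.

    ```powershell
    # Added example, not from the thread: pre-stage vendor-supplied machines in AD with
    # wdsutil /Add-Device before they ever touch the network. Input format assumed is the
    # one the question describes, one "<name>*<mac>" per line, e.g.
    #   PC123562*43:f3:00:e1:f3:ab      (constructed MAC; the thread's sample is truncated)
    # Assumptions: wdsutil.exe is available, the running account may create computer
    # objects in the target OU, and the Domain/OU values below are placeholders.

    param(
        [string]$InputFile = ".\vendor-machines.txt",
        [string]$Domain    = "corp.example",                     # placeholder
        [string]$TargetOU  = "OU=Staging,DC=corp,DC=example",    # placeholder
        [switch]$WhatIf
    )

    # Assumed company naming format (PC + six digits), inferred from the question's example.
    $NamePattern = '^PC\d{6}$'

    function ConvertTo-WdsMac {
        param([string]$Mac)
        # Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; emit AA-BB-CC-DD-EE-FF.
        $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
        if ($hex.Length -ne 12) { throw "Malformed MAC address: '$Mac'" }
        return ($hex -replace '(..)(?!$)', '$1-')
    }

    function Read-VendorList {
        param([string]$Path)
        # Parse "<name>*<mac>" lines, skipping blanks and '#' comments. Anything outside the
        # naming format is rejected so a stray line in the vendor file cannot create an
        # arbitrarily named AD object.
        $entries = @()
        foreach ($raw in Get-Content -Path $Path) {
            $line = $raw.Trim()
            if ($line -eq '' -or $line.StartsWith('#')) { continue }
            $parts = $line -split '\*', 2
            if ($parts.Count -ne 2) { Write-Warning "Skipping unparseable line: $line"; continue }
            $name = $parts[0].Trim().ToUpper()
            if ($name -notmatch $NamePattern) { Write-Warning "Skipping '$name': not in naming format"; continue }
            try { $mac = ConvertTo-WdsMac $parts[1] } catch { Write-Warning $_.Exception.Message; continue }
            $entries += [pscustomobject]@{ Name = $name; Mac = $mac }
        }
        return $entries
    }

    $machines = Read-VendorList -Path $InputFile

    # Refuse the whole batch if one MAC appears twice: two objects sharing a MAC would make
    # the PXE identity ambiguous, and it is cheaper to fix the file than to clean up AD.
    $dupes = $machines | Group-Object Mac | Where-Object Count -gt 1
    if ($dupes) { throw "Duplicate MAC addresses in ${InputFile}: $($dupes.Name -join ', ')" }

    foreach ($m in $machines) {
        if ($WhatIf) {
            Write-Host "WHATIF: wdsutil.exe /Add-Device /Device:$($m.Name) /ID:$($m.Mac) /Domain:$Domain /OU:$TargetOU"
            continue
        }
        & wdsutil.exe /Add-Device /Device:$($m.Name) /ID:$($m.Mac) /Domain:$Domain /OU:"$TargetOU"
        if ($LASTEXITCODE -ne 0) { Write-Warning "wdsutil failed for $($m.Name) (rc=$LASTEXITCODE)" }
    }
    ```

    Run it once with -WhatIf to see exactly which objects would be created from the vendor file before anything is written to AD. Putting the pre-staged objects in a dedicated staging OU keeps them separate from machines that have actually completed a build, which also makes it easy to spot any that never turned up.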
  • There's a big misunderstanding somewhere here.

    In order for your NPS scenario to work the computer has to at least boot into a remediation group.  It's simply impossible to get an IP _after_ it's validated as belonging to domain computers.  There's either a VLAN or ACL rule in place when it's in remediation so it can at least find a DHCP server and domain controller.

    With this knowledge, all you are really asking is "why can't PXE be in this remediation group?"

    Saturday, November 8, 2014 1:39 AM