NAP with DHCP Enforcement - client didn't Authenticate

  • Question

  • I have a DHCP server that forwards the connections to the NPS server. In the NPS server I have 3 default network rules for DHCP:

    DHCP State OK
    DHCP State Non OK
    DHCP NAP Non capable

    In the first two rules I have 3 conditions:
    - NAP compliant / non compliant
    - DHCP Scope (Scope Test)
    - Machine group: Test

    On one of the machines in the test group I can connect to the LAN.

    In event viewer I get the following error:

    Nome do Log:   Security
    Fonte:         Microsoft-Windows-Security-Auditing
    Data:          17/08/2010 16:51:16
    Identificação do Evento:6273
    Categoria da Tarefa:Servidor de Diretiva de Rede
    Nível:         Informações
    Palavras-chave:Falha de Auditoria
    Usuário:       N/D
    Computador:    LAB-NAP.mylab.com
    Descrição:
    O Servidor de Diretiva de Rede negou acesso a um usuário.

    Entre em contato com o administrador do Servidor de Diretiva de Rede para obter mais informações.

    Usuário:
     ID de Segurança:   NULL SID
     Nome da Conta:   -
     Domínio da Conta:   -
     Nome de Conta Totalmente Qualificado: -

    Máquina Cliente:
     ID de Segurança:   MYLAB\NB-TEST$
     Nome da Conta:   nb-test.mylab.com
     Nome da Conta Totalmente Qualificado: MYLAB\NB-TEST$
     Versão do SO:   6.1.7600 0.0 x64 Estação de Trabalho
     Identificação de Estação Chamada:  10.3.0.0
     Identificação de Estação Chamadora:  001D095C6556

    NAS:
     Endereço NAS IPv4:  10.1.0.203
     Endereço NAS IPv6:  -
     Identificador NAS:   LAB-AD01
     Tipo da Porta NAS:   Ethernet
     Porta NAS:   -

    Cliente RADIUS:
     Nome Amigável do Cliente:  DHCP
     Endereço IP do Cliente:   10.1.0.203

    Detalhes da Autenticação:
     Nome Diretiva de Proxy:  NAP DHCP
     Nome de Diretiva de Rede:  -
     Provedor de Autenticação:  Windows
     Servidor de Autenticação:  LAB-NAP.mylab.com
     Tipo de Autenticação:  Não Autenticado
     Tipo de EAP:   -
     Identificador da Sessão da Conta:  32393133323536343231
     Código de Razão:   48
     Razão:    Tentativa de conexão não correspondente a uma diretiva de rede.

    XML de Evento:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>6273</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2010-08-17T19:51:16.870Z" />
        <EventRecordID>5367</EventRecordID>
        <Correlation />
        <Execution ProcessID="628" ThreadID="3732" />
        <Channel>Security</Channel>
        <Computer>LAB-NAP.mylab.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="FullyQualifiedSubjectUserName">-</Data>
        <Data Name="SubjectMachineSID">S-1-5-21-1078081533-1004336348-839522115-10723</Data>
        <Data Name="SubjectMachineName">nb-test.mylab.com</Data>
        <Data Name="FullyQualifiedSubjectMachineName">MYLAB\NB-TEST$</Data>
        <Data Name="MachineInventory">6.1.7600 0.0 x64 Estação de Trabalho </Data>
        <Data Name="CalledStationID">10.3.0.0</Data>
        <Data Name="CallingStationID">001D095C6556</Data>
        <Data Name="NASIPv4Address">10.1.0.203</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">LAB-AD01</Data>
        <Data Name="NASPortType">Ethernet </Data>
        <Data Name="NASPort">-</Data>
        <Data Name="ClientName">DHCP</Data>
        <Data Name="ClientIPAddress">10.1.0.203</Data>
        <Data Name="ProxyPolicyName">NAP DHCP</Data>
        <Data Name="NetworkPolicyName">-</Data>
        <Data Name="AuthenticationProvider">Windows </Data>
        <Data Name="AuthenticationServer">LAB-NAP.mylab.com</Data>
        <Data Name="AuthenticationType">Não Autenticado </Data>
        <Data Name="EAPType">-</Data>
        <Data Name="AccountSessionIdentifier">32393133323536343231</Data>
        <Data Name="ReasonCode">48</Data>
        <Data Name="Reason">Tentativa de conexão não correspondente a uma diretiva de rede. </Data>
      </EventData>
    </Event>

    Tuesday, August 17, 2010 8:12 PM


All replies

  • Hi,

    See http://technet.microsoft.com/en-us/library/dd348513(WS.10).aspx and make sure that you have configured a profile name. You can also try removing the second condition (DHCP Scope (Scope Test)).

    Thanks,

    -Greg

    • Marked as answer by Eduardo M Leal Thursday, August 19, 2010 5:21 PM
    Wednesday, August 18, 2010 1:25 AM
  • Hi Greg,

    Thanks for your reply,

    I left the profile name field in the DHCP server with the Default option enabled, but I have created a test rule with the following conditions:

    - NAP compliant / non compliant
    - ID of the machine (MAC address)

    And I still get the error message in Event Viewer. Other information that might be relevant is that other machines can authenticate in the NPS server.

    The fact that I really don't understand is that generally this error happens when the machine doesn't match any network rule in the NPS server.

    Another fact that may be important is that this machine has a DHCP reservation.

    Can this be a problem?

    Obs: The machine runs Win 7 and my NPS and DHCP servers are Windows 2008 (non-R2).

    Obs²: My DHCP server forwards all "connections" to my NPS server.

    • Edited by Eduardo M Leal Wednesday, August 18, 2010 4:12 AM Bad English
    Wednesday, August 18, 2010 4:09 AM
  • Hi,

    The first thing to do is remove all conditions except time of day and make sure that you match a policy.

    Then, replace this with NAP compliant or NAP noncompliant conditions and see if it still matches.

    Then, add the MAC address and see if it still matches.

    I don't think the reservation should affect things as long as it is within the correct NAP-enabled scope.

    The error message is expected when you do not match any policies. So, we need to figure out which condition is causing the client not to match the policy.

    -Greg

    • Marked as answer by Eduardo M Leal Thursday, August 19, 2010 5:21 PM
    Wednesday, August 18, 2010 6:53 AM
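    As an added triage helper (not code from the thread or from Microsoft), the script below parses the 6273 record Eduardo pasted and applies Greg's point: reason code 48 with a matched proxy policy but no network policy means the request reached NPS and one of the network policy's conditions failed, so it pulls out the fields those conditions are evaluated against. The sample XML is trimmed from the question's event; the field names are the event's own.

```python
import xml.etree.ElementTree as ET

NS = {"ev": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Trimmed from the 6273 XML pasted in the question (constructed sample).
SAMPLE_6273 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6273</EventID><Computer>LAB-NAP.mylab.com</Computer></System>
  <EventData>
    <Data Name="FullyQualifiedSubjectMachineName">MYLAB\\NB-TEST$</Data>
    <Data Name="CalledStationID">10.3.0.0</Data>
    <Data Name="CallingStationID">001D095C6556</Data>
    <Data Name="NASIdentifier">LAB-AD01</Data>
    <Data Name="ProxyPolicyName">NAP DHCP</Data>
    <Data Name="NetworkPolicyName">-</Data>
    <Data Name="ReasonCode">48</Data>
  </EventData>
</Event>"""

def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from a Windows event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("ev:System/ev:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("ev:EventData/ev:Data", NS)}
    return event_id, data

def triage_6273(xml_text):
    """Explain a 6273 (NPS denied access) and list the fields the policy
    conditions are evaluated against, so each condition can be checked."""
    event_id, data = parse_event(xml_text)
    if event_id != 6273:
        return None
    code = int(data.get("ReasonCode", "-1"))
    proxy = data.get("ProxyPolicyName", "-")
    network = data.get("NetworkPolicyName", "-")
    # Reason 48 = "connection attempt did not match a network policy".
    # A named proxy policy plus an empty network policy means the RADIUS
    # request reached NPS correctly; one of the network policy's
    # conditions (scope, machine group, MAC, NAP health) failed to match.
    return {
        "reason_code": code,
        "no_policy_matched": code == 48 and network == "-" and proxy != "-",
        "proxy_policy": proxy,
        "machine": data.get("FullyQualifiedSubjectMachineName"),  # group condition
        "mac": data.get("CallingStationID"),                        # MAC condition
        "called_station": data.get("CalledStationID"),              # DHCP scope
        "nas": data.get("NASIdentifier"),                            # RADIUS client
    }
```

    Running it against every 6273 exported from the Security log shows which field differs between the machine that fails and the ones that match, which is the comparison Greg's condition-by-condition elimination is driving at.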
  • Today I got into the office to run some tests, but my NPS server hasn't logged anything since 21:00 yesterday.

    I have tried restarting the NPS service and later the server, but I get no results.

    In this case, what is the better method to troubleshoot errors?

    Obs: Is there a way to guarantee that my DHCP server is communicating with my NPS server?

    Thanks

    Best Regards,

    Wednesday, August 18, 2010 4:11 PM
  • I have rebooted the DHCP server and the communication was established, but after 2 - 5 minutes the communication stops again.

    Microsoft-Windows-DHCP-Server
          [ Guid] {6D64F02C-A125-4DAC-9A01-F0555B41CA84}
          [ EventSourceName] DhcpServer

    - EventID 1070
          [ Qualifiers] 0

      Version 0

      Level 2

    Iashlpr initialization failed: 16389, so DHCP server cannot talk to NPS server. It could be that IAS service is not started.

    Wednesday, August 18, 2010 7:21 PM
  • Hi Eduardo,

    I think you are talking about the connection from the proxy to the main NPS, correct? This is likely to be a network problem of some kind. Have you been able to troubleshoot this?

    -Greg

    Thursday, August 19, 2010 5:51 PM
  • Hi Greg,

    Thanks for your reply,

    A few hours ago I found a "solution" to this problem.

    My DHCP server is also my AD server, so my security log is very large. In the properties pane of the security log I saw that my log was enabled to replace old logs. So the log keeps its size, and when my DHCP server rebooted (because of my backup) it wasn't restoring the communication with the NPS role.

    So I ran a test and cleared all security logs and restarted the DHCP services, and the services work fine. If I don't clear the security log, my DHCP server shows the error that I've sent to you when the first log is saved on the server.

    I guess that in my case I need to use a SQL server to improve my log services.

    Anyway, it is working now, but does this make any sense to you?

    Thanks for your support.

    []s

    Thursday, August 19, 2010 7:45 PM