NAP DHCP Enforcement with CISCO 4400

  • Question

  • Hi,

    I am sorry, my English is not so good; I am still learning.

    Computers connected by wireless are being blocked by NAP. The problem is that not all laptops are blocked; it has been happening on 60% of my mobile computers, and because of that I don't know if it is related to some wrong configuration. When I turn on the laptop with the network cable disconnected and using only the wireless adapter, access to the network is limited because NAP cuts the access ("NAP DHCP Non NAP-Capable"). To restore full access, I just disable and enable the wireless adapter, and the connection becomes full again. This issue also happens when I connect to my domain with my local network adapter enabled together with the wireless adapter, and after that I disconnect the network cable from the local adapter.


    I don't use any VLANs or any configuration related to Cisco NAC.

    Until now, we haven't discovered a root cause for this problem. I think it could be related to:
    a) The NAP agent has not yet started when the client first requests a DHCP address. In this case, the service may be starting later, but the client is unable to acquire a new (unrestricted) IP address because my DHCP server is on a different subnet.
    b) The DHCP enforcement client is not initialized when the client first requests a DHCP address. Again, the same problem might be happening as described in #1. The enforcement client might initialize late and then the client cannot renew its IP address because it is restricted.


    Actions until now.

    I have installed the CISCO EAP-FAST on my laptops. After I installed it on 10 laptops, 4 laptops had the problem completely solved, 3 were solved at first but continue showing problems sometimes, and 3 didn't have any success.

    Has anyone had problems using NAP and CISCO?


    MCP, MCDST, MCTS(Forefront, Windows7, Windows2008), MCSA, MCSE, MCT, ITIL, Winner of Winthe7.com.br 2009, fourth place in Copa de Talentos Microsoft 2010
    Thursday, February 24, 2011 7:07 PM

All replies

  • When I turn on the laptop with the network cable disconnected and using only the wireless adapter, access to the network is limited because NAP cuts the access ("NAP DHCP Non NAP-Capable"). To restore full access, I just disable and enable the wireless adapter, and the connection becomes full again.

    Hi Adriano,

     

    Thanks for posting here.

     

    What's the OS running on these clients?

    Could you verify the authentication settings on the wireless adapter and compare them with the wired adapter's? Why did you install the CISCO EAP-FAST on the laptops?

    Have you also deployed 802.1x authentication on the Cisco device?

    And could you also check the NAP server and client events in Event Viewer and post them here for further investigation?

     

    NAP-Capable Computers Are Evaluated as Non-NAP-Capable

    http://technet.microsoft.com/en-us/library/dd348450(WS.10).aspx

     

    DHCP NAP Clients Do Not Obtain an IP Address

    http://technet.microsoft.com/en-us/library/dd348513(WS.10).aspx

     

    Wireless EAP Enforcement Client Is Not Enabled

    http://technet.microsoft.com/en-us/library/dd348439(WS.10).aspx

     

    Quick Fixes for NAP

    http://technet.microsoft.com/en-us/library/dd348494(WS.10).aspx

     

    Thanks.

     

    Tiger Li

     

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, February 25, 2011 5:25 AM
  • Hi Adriano,

    If there is any update on this issue, please feel free to let us know.

    We are looking forward to your reply.

    Tiger Li

    Monday, February 28, 2011 11:55 AM
  •  

    Hi Tiger,

    First of all, thank you very much for the reply.

    What's the OS running on these clients?

    Windows 7 32b/64b Enterprise

     

    Could you verify the authentication settings on the wireless adapter and compare them with the wired adapter's?

    Both are using EAP-MSCHAPv2

     

    Why did you install the CISCO EAP-FAST on the laptops?

    Because a Cisco/Microsoft interoperability paper suggests it:

    http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns466/ns617/net_implementation_white_paper0900aecd8051fc24.pdf

     

    Have you also deployed 802.1x authentication on the Cisco device?

    Yes, there is an interoperable RADIUS auth feature on the Cisco 4400 device. It works when NAP is disabled.

     

    And could you also check the NAP server and client events in Event Viewer and post them here for further investigation?

    I will take at least two laptops that continue to have this issue, and I will use Network Monitor or Wireshark to capture the packets when it is blocked and when it is enabled by NAP, and I will post them here.

     

     


    MCP, MCDST, MCTS(Forefront, Windows7, Windows2008), MCSA, MCSE, MCT, ITIL, Winner of Winthe7.com.br 2009, fourth place in Copa de Talentos Microsoft 2010
    Tuesday, March 1, 2011 5:39 PM
  • Hi Adriano,

     

    Thanks for the update.

     

    One method you may try is to configure the WLAN AutoConfig service to depend on the NAP Agent service, so that wireless authentication does not start until after the NAP Agent service.

     

    According to the description "NAP DHCP Non NAP-Capable", the client is sometimes recognized as non-NAP-capable, and we can make it work by disabling and then enabling the wireless adapter. It looks like wireless EAP authentication occurs before the NAP Agent service is started. As a result, the client is recognized as non-NAP-capable.

     

    To do so, you may use the Services.msc snap-in or run the following command line in an elevated Command Prompt window:

     

            sc config wlansvc depend= napagent

     

    In addition, please also refer to the following TechNet article to check it:

     

    NAP client computers are evaluated as non-NAP-capable

    http://technet.microsoft.com/en-us/library/dd348494(WS.10).aspx#napclientcomputersareevaluatedasnonnapcapable

     

    Meanwhile, it seems you are using CISCO EAP-FAST for authentication; however, I am not sure whether this software also uses the WLAN AutoConfig service to do wireless authentication. If it uses its own service, you may also configure that service to depend on the NAP Agent service and test again.

     

    Thanks.

     

    Tiger Li

     

    Friday, March 4, 2011 6:08 AM
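
Added example, not part of the original thread or of Microsoft's guidance: `sc config <service> depend=` replaces the service's entire dependency list, so running it with only `napagent` drops whatever `wlansvc` already depended on. The PowerShell script below reads the existing `DependOnService` value and appends `napagent` to it; the parameter names and the `-Apply` switch are choices made for this example.

```powershell
# Added example: append a dependency to a service without losing existing ones.
# Run from an elevated PowerShell prompt. Without -Apply it only reports.
param(
    [string]$ServiceName = 'wlansvc',   # WLAN AutoConfig, as named in the reply
    [string]$Dependency  = 'napagent',  # NAP Agent, as named in the reply
    [switch]$Apply
)

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $key)) { throw "Service '$ServiceName' not found in the registry" }

$props = Get-ItemProperty -Path $key

# This example handles service dependencies only. Group dependencies would be
# dropped by the rewrite below, so stop if any are configured.
$groups = @($props.DependOnGroup | Where-Object { $_ })
if ($groups.Count -gt 0) {
    throw "Group dependencies present ($($groups -join ', ')); not handled here"
}

# DependOnService is a REG_MULTI_SZ and is absent when nothing is configured.
$current = @($props.DependOnService | Where-Object { $_ })
"Current dependencies : $($current -join '/')"

if ($current -contains $Dependency) {      # -contains is case-insensitive
    "$ServiceName already depends on $Dependency; nothing to change."
    return
}

$dependArg = ($current + $Dependency) -join '/'
"Proposed dependencies: $dependArg"

if ($Apply) {
    # Use sc.exe explicitly: in Windows PowerShell, 'sc' is an alias for Set-Content.
    & sc.exe config $ServiceName depend= $dependArg
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
    & sc.exe qc $ServiceName               # show the resulting configuration
} else {
    "Dry run only. Re-run with -Apply to write the change."
}
```

Keep the "Current dependencies" line from the dry run; passing that string back to `sc.exe config <service> depend=` restores the original list.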
  • I was on vacation during this period; thanks a lot, Tiger, for your update.

    I will test and I will post the result here.

     

     


    MCP, MCDST, MCTS(Forefront, Windows7, Windows2008), MCSA, MCSE, MCT, ITIL, Winner of Winthe7.com.br 2009, fourth place in Copa de Talentos Microsoft 2010
    Thursday, March 17, 2011 5:02 PM