DHCP client enforcement not working

  • Question

  • Hi,

    I have been struggling with this for a few days and need your help. I configured DHCP enforcement according to the step-by-step guide available from Microsoft. I am doing everything exactly as it says in the tutorial, but whenever I apply NAP to the scope or on the server, the client loses connection and is not able to obtain an IP address, neither restricted nor full.

    Going through all the troubleshooting steps, this is what I got:

    Netsh nap client show state - enabled (Group Policy - configured, Initialized - yes)

    netsh nap client show group - it shows as applied (enforcement client enabled)

    Netsh nap client show configuration - (enforcement client is Disabled!!!!)

    Also I noticed the DHCP quarantine client enforcement feature on the client (NAPCLCFG.MSC) would control the configuration state; as far as I understand, this feature is supposed to be managed by Group Policy, but it's not.

    Nothing was working unless I enabled the enforcement client via the "Netsh nap client set enforcement ID = 79617 ADMIN = "ENABLED"" command. After that the client started doing everything the way it was supposed to: if I disabled the firewall, it was placed in the restricted network, remediation would enable the firewall automatically, and after that ipconfig /renew would obtain an IP address with full access.

    I would really appreciate someone pointing out what I did wrong.

    thanks


    Monday, April 1, 2013 6:58 PM

Answers

  • Hi,

    Please look on the DHCP server in Event Viewer under Custom Views\Server Roles\Network Policy and Access Services and see what policy is being matched on the server.

    I'll see if I can update the step by step guide. I no longer own this, but I did write the original guide so I might have a copy of it that can be used to fix this one.

    -Greg


    Tuesday, April 2, 2013 4:07 PM
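    To act on the suggestion above of checking which policy the server matched, here is an added PowerShell example (not from the thread or the guide) that summarises the NPS audit events behind that custom view on the DHCP/NPS server. It assumes NPS auditing writes to the Security log with the event IDs and message labels shown in the comments; verify those against your own server.

    ```powershell
    # Added example (not from the thread): list recent NPS access events on the
    # DHCP/NPS server to see which network policy each NAP client request matched.
    # Assumptions: NPS auditing logs to the Security log via the provider
    # Microsoft-Windows-Security-Auditing with IDs 6272 (granted), 6273 (denied),
    # 6276 (quarantined) and 6278 (full access), and the message text carries
    # "Network Policy Name:", "Account Name:", "Result:" and "Reason:" lines.
    param(
        [int]$Hours = 24,
        [string]$ClientName = ''   # optional substring filter on the account name
    )

    $outcomeMap = @{
        6272 = 'Access granted'
        6273 = 'Access denied'
        6276 = 'Quarantined (restricted)'
        6278 = 'Full access granted'
    }

    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = 6272, 6273, 6276, 6278
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    function Get-Field([string]$Message, [string]$Label) {
        # Pull the first "Label: value" line out of the multi-line message; '' if absent.
        $m = [regex]::Match($Message, "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$")
        if ($m.Success) { $m.Groups[1].Value } else { '' }
    }

    $rows = foreach ($e in $events) {
        [pscustomobject]@{
            Time          = $e.TimeCreated
            Outcome       = $outcomeMap[$e.Id]
            Account       = Get-Field $e.Message 'Account Name'
            NetworkPolicy = Get-Field $e.Message 'Network Policy Name'
            Quarantine    = Get-Field $e.Message 'Result'   # e.g. Full Access / Quarantined
            Reason        = Get-Field $e.Message 'Reason'   # populated on 6273 denials
        }
    }

    if ($ClientName) { $rows = $rows | Where-Object { $_.Account -like "*$ClientName*" } }

    # No rows at all means NPS never evaluated the DHCP request: check that NAP is
    # enabled on the scope or server and that the DHCP server is registered with NPS.
    $rows | Sort-Object Time -Descending |
        Format-Table Time, Outcome, Account, NetworkPolicy, Quarantine, Reason -AutoSize
    ```

    Run it in an elevated PowerShell session on the NPS server; a client that lands in the restricted network should show a 6276 event naming the noncompliant network policy, followed by a 6278 once remediation completes.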

All replies

  • Hi,

    Thank you for the post.

    Please be aware of the following two scenarios:

    1. DHCP NAP is enabled on the client and Disabled on the DHCP server: In this scenario, the DHCP server can lease the IP address.

    2. DHCP NAP is disabled on the client and enabled on the DHCP server: In this scenario, the DHCP server will not lease the IP address.

    Regards,


    Nick Gu - MSFT

    Tuesday, April 2, 2013 3:57 AM
  • Hi,

    Netsh nap client show group will display the domain Group Policy settings. These settings must be configured in Group Policy Editor in a GPO that is applied to the client, such as the default domain policy. You can also use a different GPO but it must apply to the client.

    Netsh nap client show configuration will display the local Group Policy settings. These can be configured using netsh nap client set enforcement ID, or they can be configured with the nap client console, napclcfg.msc. Both of these only affect local settings, not domain Group Policy.

    If domain Group Policy settings exist, all the settings in local Group Policy are ignored. It doesn't matter if the DHCP enforcement client is disabled in local Group Policy as long as it is enabled in domain Group Policy.

    You appear to have the NAP client settings configured correctly since netsh nap client show state displays that the DHCP enforcement client is initialized. Therefore, the problem is with your server settings.

    Is the DHCP server on the same subnet as the client computer? If it is not and you haven't configured the 003 Router option in the default NAP class then the client will be unable to contact the DHCP server if it becomes noncompliant.

    What OS is the client and server running? If the server is running Server 2012 and you need to configure the default NAP class, this is done differently than it was in 2008 or 2008 R2.

    -Greg

    Tuesday, April 2, 2013 6:52 AM
  • Thanks Nick and Greg,

    I think Nick is referring to the scenario where there's no Group Policy configured on the domain; however, I have one.

    Greg, I sure did not configure the router option for the NAP class, because it did not say so in the guide; it only mentions the 006 and 015 options for the NAP class. DHCP is on the same subnet and it is serving IP addresses (both restricted and full) when I enable the local DHCP enforcement client. Do I still need to configure the 003 option for the NAP class?

    I will give it a try anyway and will post results later. BTW, the server OS is 2008 R2 with the client running Win7. At first I tried it on Server 2012, but then I switched to 2008 R2 due to the difference you mentioned above. Could you explain how it is done (classes) in 2012?

    thanks

    Tuesday, April 2, 2013 3:20 PM
  • Hi,

    You don't need the 003 router option if the DHCP server is on the same subnet.

    I re-read your original post and it doesn't make sense. If the DHCP enforcement client is initialized already (netsh nap client show state) then it would not make any difference if you configured it locally with netsh nap client set enforcement id.

    Can you verify that the problem occurs when netsh nap client show state shows that the DHCP enforcement client is enabled?

    Also, do you see there are no graphics in the DHCP NAP step by step guide? I just downloaded it again and it appears the graphics (screen shots) are missing.

    Thanks,

    -Greg

    Tuesday, April 2, 2013 3:41 PM
    I agree absolutely that it does not make sense, since Group Policy should be taking over the local policy, but it seems that it's not. Here are the steps I've been taking:

    1. Configure the Group Policy (security, NAP service, enforcement client) + set filtering for the security group created earlier with the target computer inside, and assign the policy to the domain.

    2. Configure the NPS: configure NAP for DHCP and disable all the settings in the health policy except the firewall; create the remediation group, network policy, etc.

    3. Apply NAP on the server or on the scope.

    I would do gpupdate /force several times on both the server and the client to make sure all the settings were applied. But again it would not work until I enabled DHCP quarantine from the client's local settings, i.e. napclcfg.msc.

    Yes, there are no graphics in the guide, just some combination of symbols which is supposed to be linking to graphics.

    P.S. I also ran gpresult /scope computer to make sure that the NAP Group Policy is applied on the client (to make sure that GP is working and applying).
    • Edited by Luksharp Tuesday, April 2, 2013 4:04 PM
    Tuesday, April 2, 2013 4:01 PM