Non-Domain Computers and Devices Restricted Access

  • Question

  • hello, we have a windows 2k8 R2 server and so far with DHCP have implemented NAP successfully for all domain computers only. now i want to set up another scope that is an isolated subnet that all non-domain computers/devices automatically get an address from; then, when they are manually approved/checked out by an admin, they are allowed to connect to the main subnet/scope. the main reason i want to do this is to control the ipod/ipad/android devices and contractors that connect into our network and have free access.

    Is this something that can be accomplished via NAP and if so how?

    thanks

    James

    Friday, April 13, 2012 5:24 PM

Answers

  • Hi James,

    Using only DHCP NAP you cannot provide a separate range of IP addresses to different groups of computers. You can do this using VLANs with 802.1X by providing different scopes to separate VLANs and moving computers between these VLANs based on a computer group condition, or a MAC based rule.

    DHCP NAP restricts computers to the same address range, but removes the default route and provides a classless (netmask 255.255.255.255) address so they cannot connect to other computers in the same address range. This can work for you with the Windows computers, but they must be running NAP agent in order to be correctly evaluated because the computer FQDN is included with the NAP packets. If a computer is non-domain joined or is not running Windows it won't send the FQDN in the DHCP request packet, so you can't use this to evaluate the device by name.

    Alternatively with DHCP in Windows 8 you can use policy based assignment and provide different address ranges based on device type or windows group.

    -Greg

    Saturday, April 14, 2012 5:16 AM

All replies

  • Greg, thanks i was afraid of that..

    Monday, April 16, 2012 4:14 PM
  • i have the same scenario but i just want only the domain computers to get IPs from dhcp

    i have installed nap server on my dhcp server which is windows 2008 and i want to configure the nap to check if the device is in our domain or not

    and i have 4 access points that are already connected to my switch using radius authentication for wireless access

    how can i do that ?


    Best Regards

    Tuesday, July 10, 2012 7:01 AM
  • Hi,

    Run the wizard for NAP with DHCP enforcement to create policies. If you don't care about the health (firewall status, etc.) of computers then simply remove the health policy condition from the network policy and replace it with the windows group condition that computers must be a member of the domain computers security group.

    When you run the wizard, choose that non NAP-capable computers are denied access (don't choose to grant them restricted access) if you don't want them to get an IP address at all.

    Typically most of the non domain computers won't have NAP agent started and/or the DHCP enforcement client active. This will cause them to be evaluated as non NAP capable. Even if a computer is joined to the domain and it isn't running NAP agent it will be non NAP capable and denied access.

    However, be careful here because when a computer first boots up the NAP agent service might not be started before a DHCP request is sent. This means even though the computer is OK it might have trouble connecting. The "restricted access" setting is actually more friendly for this type of situation.

    You will also have a noncompliant policy. If you don't care about computer health you can delete this policy or just change it to deny access. By default this is set to restricted access (using a 255.255.255.255 netmask and no default route).

    -Greg

    Tuesday, July 10, 2012 7:50 AM
  • thanks a lot for your post, however i have wireless access points that users use to get access to my network and if i run through the wizard then the network access points will not work. i have added them to the NAP server as radius clients, what do you recommend me to do in such case ?


    Friday, August 17, 2012 7:09 AM
  • i have applied the same configuration as the wizard and have the option set to deny the non-eligible NAP clients, but still all clients can get an IP when they connect their machine, even some of the machines i have eliminated from the workgroup that is allowed

    so with or without the NAP server applied on the dhcp scope it is not working

    Monday, October 1, 2012 1:22 PM
  • Hi,

    Let me see if I understand your setup correctly. You have a switch and several wireless access points connected to the switch, and also a DHCP server connected to the switch, correct? Clients are wireless and they authenticate to the wireless access points, then receive an IP address from the DHCP server. You want clients to authenticate to the switch and based on the results they get an IP address if the computer is a domain computer but no IP address if the computer is not joined to a domain or is a member of a different domain.

    Assuming this is the correct scenario, I think it might be necessary to use restricted access instead of denied access, so that computers that have restricted access can still authenticate to the wireless access points. Have you tried configuring non-domain computers to be granted restricted access and then adding the wireless access points into a remediation servers group?

    -Greg

    Monday, October 1, 2012 7:12 PM
  • the setup is exactly the same as you understood, but i wanted to have the machines conditioned on group, like the machines in group x: i wanted only them to have an IP

    i have applied the setup wizard and deleted the health check, as my constraints should be on a computer group, but even so the computers that are connected to the switch are still getting an IP even though i removed them from the group that i have my constraints on


    Tuesday, October 2, 2012 8:22 AM
  • Hi,

    Please check the event logs under Custom Views\Server Roles\Network Policy and Access Services. Verify that the clients are matching the correct policies that you created.

    If the policy has a condition to be in a computer group, and the settings are to apply restricted access, but the computer is getting a full access IP address (the netmask is not 255.255.255.255) then the client is probably not matching this policy.

    -Greg

    Tuesday, October 2, 2012 3:53 PM
  • i have checked and i was amazed that the client didn't match the policy as i wanted but even though it got an IP :(

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:

    Security ID: S-1-0-0

    Account Name: -

    Account Domain: -

    Fully Qualified Account Name: -

    Client Machine:

    Security ID: S-1-0-0

    Account Name: VGA7

    Fully Qualified Account Name: -

    OS-Version: -

    Called Station Identifier: 172.16.145.0

    Calling Station Identifier: 5C260A7F3ABF

    Wednesday, October 3, 2012 7:16 AM
  • and one more thing: my policy should be applied so as not to give an IP to clients who don't match the policy

    Wednesday, October 3, 2012 7:21 AM
  • Hi,

    I can't tell much from the policy that you posted above since I don't know the reason the computer was denied. This is shown down further in the event text.

    Are you saying that the client matched the policy but was denied, or that it didn't match the correct policy? Matching a policy just means that the client met the conditions of the policy (i.e. computer group). We need to see the reason to know why it was denied. I don't know why it would still get an IP address.

    You should issue a netsh nap client show state on the client computer to see if everything is OK there. Also check ipconfig /all to see that it is getting an IP address from the correct DHCP server.

    -Greg

    Wednesday, October 3, 2012 3:41 PM
  • well, the policy condition is based on workgroup and even though the computer is not in the workgroup, and the event viewer logs show it was denied access, it is still having an IP and getting the IP from the DHCP that has the NAP configured on

    Thursday, October 4, 2012 7:53 AM

  • Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Not restricted
    Troubleshooting URL    = 
    Restriction start time = 
    Extended state         = 
    GroupPolicy            = Not Configured

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79619
    Name                   = IPsec Relying Party
    Description            = Provides IPsec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79621
    Name                   = RD Gateway Quarantine Enforcement Client
    Description            = Provides RD Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent
    Description            = The Windows Security Health Agent monitors security settings on your computer.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 0
    Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating the security state of this computer.
    Compliance results     =
    Remediation results    =

    Id                     = 79745
    Name                   = Configuration Manager 2012 System Health Agent
    Description            = Configuration Manager 2012 System Health Agent facilitates enforcement of software update compliance using Network Access Protection.
    Version                = 2012
    Vendor name            = Microsoft Corporation
    Registration date      = 10/09/2012 11:08:34
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 100
    Fixup Message          = (90507) - Configuration Manager 2012 NAP Client Agent is not enabled, Client will be deemed compliant.
    Compliance results     =
    Remediation results    = (0x00000000) - (null)
    Id                     = 88048
    Name                   = Intel(R) AMT SHA
    Description            = Intel(R) AMT SHA Application
    Version                = VER_PRODUCTVERSION_STR
    Vendor name            = Intel(R)
    Registration date      = 22/09/2011 18:25:44
    Initialized            = No
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 0
    Fixup Message          = (0) - 

    Ok.

    Thursday, October 4, 2012 11:16 AM
  • Hi,

    None of the enforcement clients on the client computer are initialized. Even though you don't have a health condition, you must still have at least one enforcement client working on the client or NAP will have no way to communicate with the DHCP server. From your output:

    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    The DHCP enforcement client isn't turned on.

    Communication is: NAP agent<-->DHCP enforcement client<-->DHCP server<-->NPS

    I still don't know why the computer was denied access or why it ended up getting an IP address anyway. I would guess maybe that the reason in the event is that the computer was non NAP-capable because the enforcement client is not turned on.

    -Greg

    Thursday, October 4, 2012 9:41 PM
  • that's correct, since i didn't turn on the auto network detection in services, as well as i didn't enable the dhcp client enforcement on the client. so if a computer is non capable, will it get an IP from dhcp ?

    Friday, October 5, 2012 7:12 AM
  • Hi,

    If you don't turn on NAP on the client, then the DHCP server is just a typical DHCP server and can't do things like grant restricted access and provide a remediation server group. The policy wizard can create a policy called non NAP-capable that adds a condition of non NAP-capable and typically you will deny access for these computers. The wizard asks you what you want to do with them.

    The client FQDN is also carried in the NAP packet, so the DHCP server uses this to determine whether or not the client meets a domain group condition.

    It isn't necessary that you have a health state condition (compliant or noncompliant) to use NAP but you do have to turn on NAP agent and use the DHCP enforcement client to do most things.

    -Greg



    Friday, October 5, 2012 3:22 PM
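As an added example (not code from this thread, nor Microsoft's own), the checks Greg walks through in the last few replies, scripted in PowerShell: whether the NAP Agent service and the DHCP Quarantine Enforcement Client (ID 79617) are initialized on the client, whether the lease the client currently holds is a restricted one (255.255.255.255 mask and no default gateway), and what reason NPS recorded in its "denied access" audit (Security event 6273, the event whose header abusa3da pasted above). It assumes a Windows 7 / Server 2008 R2-era NAP client and an NPS server with the default audit settings; the function names are this example's own.

```powershell
# Added example, not from the thread. Assumes a Windows 7 / Server 2008 R2-era NAP
# client and an NPS server logging audits to the Security log. Run elevated.
# All function names below are this example's own.

# --- Client side ----------------------------------------------------------------

# Parse 'netsh nap client show state' into one object per enforcement client
# (the "Enforcement client state:" section shown in the thread).
function Get-NapEnforcementClients {
    $output    = netsh nap client show state
    $clients   = @()
    $inSection = $false
    $current   = $null
    foreach ($line in $output) {
        if ($line -match '^\s*Enforcement client state:') { $inSection = $true;  continue }
        if ($line -match '^\s*System health agent')       { $inSection = $false }
        if (-not $inSection) { continue }
        if ($line -match '^\s*Id\s*=\s*(\d+)') {
            $current  = New-Object PSObject -Property @{ Id = [int]$Matches[1]; Name = ''; Initialized = $false }
            $clients += $current
            continue
        }
        if ($current -and $line -match '^\s*Name\s*=\s*(.+)$')           { $current.Name = $Matches[1].Trim() }
        if ($current -and $line -match '^\s*Initialized\s*=\s*(Yes|No)') { $current.Initialized = ($Matches[1] -eq 'Yes') }
    }
    return $clients
}

# Both the NAP Agent service and the DHCP enforcement client must be up; otherwise the
# client is evaluated as non NAP-capable and no FQDN reaches NPS in the DHCP request.
function Test-NapDhcpReady {
    $ok  = $true
    $svc = Get-Service -Name napagent -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        Write-Warning 'NAP Agent service (napagent) is not running.'
        $ok = $false
    }
    $dhcpEc = Get-NapEnforcementClients | Where-Object { $_.Id -eq 79617 }
    if (-not $dhcpEc -or -not $dhcpEc.Initialized) {
        Write-Warning 'DHCP Quarantine Enforcement Client (79617) is not initialized.'
        $ok = $false
    }
    return $ok
}

# Remediation for the two warnings above (documented netsh syntax for enforcement ID 79617).
function Enable-NapDhcpEnforcement {
    Set-Service   -Name napagent -StartupType Automatic
    Start-Service -Name napagent
    netsh nap client set enforcement id = 79617 admin = "enable"
}

# A restricted-access lease is recognisable by its 255.255.255.255 mask and missing gateway.
function Get-NapLeaseState {
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE AND DHCPEnabled=TRUE' |
        ForEach-Object {
            $mask = @($_.IPSubnet)[0]
            New-Object PSObject -Property @{
                Adapter    = $_.Description
                IPAddress  = @($_.IPAddress)[0]
                SubnetMask = $mask
                Gateway    = @($_.DefaultIPGateway)[0]
                DhcpServer = $_.DHCPServer
                Restricted = ($mask -eq '255.255.255.255')
            }
        }
}

# --- Server side (NPS) ----------------------------------------------------------

# NPS writes "denied access" audits as Security event 6273. The "Reason Code" / "Reason"
# lines further down the message say why (non NAP-capable, no matching policy, ...).
function Get-NpsDenyReasons {
    param([int]$Newest = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents $Newest |
        ForEach-Object {
            $msg = $_.Message
            $machine = '-'; $policy = '-'; $reason = '-'
            if ($msg -match 'Client Machine:[\s\S]*?Account Name:\s*(\S+)')  { $machine = $Matches[1] }
            if ($msg -match 'Network Policy Name:\s*(.+)')                   { $policy  = $Matches[1].Trim() }
            if ($msg -match 'Reason Code:\s*(\d+)[\s\S]*?Reason:\s*(.+)')     { $reason  = "$($Matches[1]): $($Matches[2].Trim())" }
            New-Object PSObject -Property @{ Time = $_.TimeCreated; Machine = $machine; Policy = $policy; Reason = $reason }
        }
}

# Usage (client):  Test-NapDhcpReady ; Get-NapLeaseState | Format-Table -AutoSize
# Usage (NPS):     Get-NpsDenyReasons -Newest 20 | Format-Table Time, Machine, Policy, Reason -AutoSize
```

On the client from the thread, `Test-NapDhcpReady` would return `$false` and warn about ID 79617, which is exactly the "Initialized = No" line Greg points at; `Get-NapLeaseState` then shows whether the lease is a full one (normal mask and gateway) or a quarantine one. On the NPS server, `Get-NpsDenyReasons` surfaces the reason text that was cut off in the pasted event, which is what distinguishes "non NAP-capable" from a genuine policy mismatch.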