Non-compliant clients assigned IP by NAP-enabled DHCP as if NPS was unavailable

  • Question

  • I have a DHCP+NPS setup on one 2008R2 SP1 server and a set of policies mandating the grant/deny of IPs from the DHCP.

    I have identified a proper set of policies and I have clients evaluated as they should, by enabling the NPS log I can see all RADIUS requests being evaluated properly by the NPS.

    However, what happens sometimes, randomly (40% of the time), is that the DHCP seems not to receive the (proper) RADIUS reply from the NPS, which I can see logged, and assumes the NPS is unreachable, thus DHCP acts according to the DHCP NAP fragility settings (restrict access/drop packet).

    Has anyone faced this issue before? I could not find any similar issue reported.

    I'd appreciate any advice.

    Luigi

    Thursday, April 19, 2012 8:57 PM
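One way to check the claim in the post above that the NPS log shows every DHCP-originated RADIUS request being answered, added here as an example and not part of the original thread: parse the NPS log in IAS format and pair each Access-Request with the first Access-Accept/Reject/Challenge for the same client that arrives inside the DHCP server's RADIUS timeout. The column order (computer, service, date, time, packet type, user name, FQDN, called-station, calling-station) is the assumed IAS-format layout, the log lines are constructed sample data, and the 5-second window is an assumed timeout, not a value from the thread.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# RADIUS Packet-Type codes (RFC 2865) as written in the IAS-format packet-type column.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
REPLY_TYPES = {ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE}

# Assumed IAS-format column positions (0-based). Only the leading columns are used;
# real log lines carry many more fields after these.
COL_DATE, COL_TIME, COL_TYPE, COL_USER, COL_CALLING = 2, 3, 4, 5, 8

# Constructed sample, truncated to the leading IAS-format fields:
# computer, service, date, time, packet type, user name, FQDN, called-station, calling-station.
# WS03's first Access-Request gets no reply; the DHCP server re-sends and the retry is answered.
SAMPLE_LOG = """\
SRV01,IAS,04/19/2012,20:40:01,1,host/WS01.corp.example,CORP\\WS01$,,00-11-22-33-44-55
SRV01,IAS,04/19/2012,20:40:01,2,host/WS01.corp.example,CORP\\WS01$,,00-11-22-33-44-55
SRV01,IAS,04/19/2012,20:40:07,1,host/WS02.corp.example,CORP\\WS02$,,00-11-22-33-44-66
SRV01,IAS,04/19/2012,20:40:07,3,host/WS02.corp.example,CORP\\WS02$,,00-11-22-33-44-66
SRV01,IAS,04/19/2012,20:40:12,1,host/WS03.corp.example,CORP\\WS03$,,00-11-22-33-44-77
SRV01,IAS,04/19/2012,20:40:30,1,host/WS03.corp.example,CORP\\WS03$,,00-11-22-33-44-77
SRV01,IAS,04/19/2012,20:40:30,2,host/WS03.corp.example,CORP\\WS03$,,00-11-22-33-44-77
"""


def parse_ias(text):
    """Parse IAS-format log text into a list of records sorted by timestamp."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) <= COL_CALLING:
            continue  # blank or malformed line
        ts = datetime.strptime(f"{row[COL_DATE]} {row[COL_TIME]}", "%m/%d/%Y %H:%M:%S")
        records.append({
            "ts": ts,
            "ptype": int(row[COL_TYPE]),
            "user": row[COL_USER],
            "calling_station": row[COL_CALLING],
        })
    records.sort(key=lambda r: r["ts"])
    return records


def correlate(records, window_seconds=5):
    """Pair each Access-Request with the first reply for the same client inside the window.

    A request still unmatched when a later reply for that client arrives, or when the log
    ends, is reported as unanswered; a reply with no pending request is reported as orphan.
    """
    window = timedelta(seconds=window_seconds)
    pending = defaultdict(deque)
    answered, unanswered, orphan_replies = [], [], []
    for rec in records:
        key = (rec["user"], rec["calling_station"])
        if rec["ptype"] == ACCESS_REQUEST:
            pending[key].append(rec)
        elif rec["ptype"] in REPLY_TYPES:
            queue = pending[key]
            # Requests older than the window can no longer be satisfied by this reply.
            while queue and rec["ts"] - queue[0]["ts"] > window:
                unanswered.append(queue.popleft())
            if queue:
                answered.append((queue.popleft(), rec))
            else:
                orphan_replies.append(rec)
    # Anything still pending at end of log never saw a reply.
    for queue in pending.values():
        unanswered.extend(queue)
    unanswered.sort(key=lambda r: r["ts"])
    return {"answered": answered, "unanswered": unanswered, "orphan_replies": orphan_replies}


def report(text, window_seconds=5):
    """Human-readable summary of the correlation for one log file's contents."""
    result = correlate(parse_ias(text), window_seconds)
    lines = [f"answered={len(result['answered'])} "
             f"unanswered={len(result['unanswered'])} "
             f"orphans={len(result['orphan_replies'])}"]
    for rec in result["unanswered"]:
        lines.append(f"no reply within {window_seconds}s: "
                     f"{rec['ts']:%Y-%m-%d %H:%M:%S} {rec['calling_station']} {rec['user']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The NPS log records what NPS processed and sent, not what the DHCP service received, so this check bounds the problem rather than proving delivery: unanswered or late requests point at NPS itself, while a log with no gaps, as described in the post, narrows the fault to the reply path between the two services on that host.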

All replies

  • Hi Luigi,

    Thanks for posting here.

    > However, what happens sometimes, randomly (40% of the time), is that the DHCP seems not to receive the (proper) RADIUS reply from the NPS, which I can see logged, and assumes the NPS is unreachable, thus DHCP acts according to the DHCP NAP fragility settings (restrict access/drop packet).

    So could we verify any connectivity issue on both sides (DHCP server and RADIUS/NPS server) from the event log? Can we first test the connectivity between these two servers by pinging the hostname and IP address and see how it goes?

    Try to recheck all these NAP DHCP enforcement settings by following the items in this checklist:

    Checklist: Implementing a DHCP Enforcement Design

    http://technet.microsoft.com/en-us/library/dd314186(WS.10).aspx

    Thanks.

    Tiger Li


    TechNet Community Support

    Monday, April 23, 2012 1:37 AM
  • Hi Tiger,

    the issue here is that this happens with DHCP and NPS running on the same server, hence we can rule out connectivity issues.

    NPS service is up and running, and from the log I can see that it always provides the proper response to the RADIUS query from DHCP, but sometimes DHCP reacts as if the reply does not get through.

    Thanks for any reply.

    Luigi

    Monday, April 23, 2012 7:51 AM
  • Hi Luigi,

    Thanks for update.

    So could you show us the events captured from this host? Please include the event IDs and descriptions, which will help us narrow down the root cause more effectively.

    Tools for Troubleshooting NAP

    http://technet.microsoft.com/en-us/library/dd348461(WS.10).aspx

    Thanks.

    Tiger Li


    TechNet Community Support

    Tuesday, April 24, 2012 8:03 AM
  • Hi,

    The issue you describe sounds suspiciously like you have not configured the 003 router option in the default NAP class. If this is not configured, then noncompliant clients will find NPS is unreachable if they are on a different subnet. Can you please check this?

    See this topic for more information.

    I hope this helps,

    -Greg

    Sunday, May 13, 2012 4:57 PM
  • Hi Greg,

    Thanks for your response.

    The issue here lies within the DHCP-NPS conversation, well before the client gets an IP, even if it is not compliant. The DHCP acts as if the NPS is not responding, given that it observes what is set in the NAP settings "DHCP server behaviour when NPS is unreachable".

    The NPS is actually running on the same machine and the NPS log confirms the DHCP query is received and taken care of by the NPS, but DHCP seems not to receive the NPS reply.

    Luigi


    Monday, May 14, 2012 7:02 AM