Use NAP to enable DHCP only to listed PCs

  • Question

  • Hi,

    How can I configure NAP to allow DHCP only to users/computer groups that I create? Is it possible? In other words, I want to prevent users who are not part of my AD domain from getting an IP address.

    Thanks

    Thursday, October 20, 2011 5:34 PM

Answers

  • Hi,

    You just need to add a condition to the compliant computer policy on NPS that requires domain computers. You cannot filter based on users - only a computer condition is possible with DHCP enforcement. If you want to deny an IP address completely to non-domain computers, then configure your noncompliant policy to deny access (rather than allow restricted access). Also configure the non-NAP-capable computer policy to deny access.

    Allow full access = computer will get a normal IP address and subnet mask.

    Allow restricted access = computer will get an IP address with a 32-bit subnet mask and static routes to the DHCP server and remediation servers if these are configured.

    Deny access = computer will get an APIPA address (169.x.x.x) if configured to use APIPA.

    -Greg


    Friday, October 21, 2011 6:00 AM
  • Hi,

    By default, computers that can't get a DHCP address will get a 169.x.x.x address. You can disable that on the client side. If you disable it, they will get a 0.0.0.0 address.

    You do not need a health policy condition (requirement) in the network policy if you don't wish to configure one. Just add the domain computer condition. Client computers will need to be running the NAP agent and the DHCP enforcement client for this to work, however, since the FQDN is carried in the statement of health (the NAP packet).

    -Greg

    Friday, October 21, 2011 1:31 PM
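    The client-side pieces Greg's reply depends on (NAP agent running, DHCP enforcement client enabled, APIPA optionally turned off) can be set from PowerShell. This is an added example, not code from the thread; the connection name "Local Area Connection" is an assumption, and the script must run elevated on the client.

```powershell
# Added example (not part of the original thread). Run elevated on the NAP client.

# 1. The NAP agent service must be running for the client to send a statement of health.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Enable the DHCP Quarantine Enforcement Client (enforcement client ID 79617).
#    Without it the client sends no statement of health, so NPS cannot see its FQDN
#    and the "non NAP-capable" policy (set to deny) applies instead.
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

# 3. Optional: disable APIPA on one adapter so a denied client ends up with 0.0.0.0
#    rather than a 169.254.x.x address. The connection name is an assumption.
$adapter = Get-WmiObject -Class Win32_NetworkAdapter -Filter "NetConnectionID='Local Area Connection'"
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$($adapter.GUID)"
Set-ItemProperty -Path $key -Name IPAutoconfigurationEnabled -Value 0 -Type DWord

# 4. Verify: the DHCP enforcement client should now be listed as enabled.
netsh nap client show state
```

    Step 3 is a registry change per adapter GUID; to disable APIPA for all adapters, set the same value directly under the Tcpip\Parameters key instead.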

All replies

  • Hi, thanks for your reply. I will configure denying IP addresses to non-domain computers. But can I do that even if I don't configure health policies? When I configure deny access, will the computers receive a 169.x.x.x IP address by default, or do I need to configure that also? Or do I need to configure APIPA?

    Thanks

    Friday, October 21, 2011 10:31 AM