DHCP NAP Windows 7 Client SCCM 2012 SP1 Windows 2012

Question
We have the following config:
- Windows 2012 DHCP with NPS and HRA services installed (192.168.5.11)
- Windows 2008 R2 with SCCM 2012 SP1 - no NAP settings (192.168.5.125)
- Windows 7 Clients obtaining IP from DHCP and client to SCCM install (192.168.8.0/24)
We have configured the following policies on the NPS Server:
- Connection Request: DHCP: Called Station ID: 192.168.8.0
- Network Policies with appropriate MS-Service Class for DHCP scope, with compliant and non-compliant Health Policies (very simple, the only thing that isn't being checked is Win Updates)
The DHCP is happy to dish out IP addresses to compliant machines no problem at all. When a machine goes non-compliant it registers the non-compliant machine with event ID 6276 - Network Policy Server quarantined a user.
It then proceeds to send the limited access DHCP options which the client then happily ignores.
I've run Wireshark on the clients to capture the DHCP response and I can see the different options being returned to the client, specifically option 121 with the classless static routes.
When I run napstat it says full network access - no issues raised.
Output from netsh nap client show config:
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled
Name = IPsec Relying Party
ID = 79619
Admin = Disabled
Name = RD Gateway Quarantine Enforcement Client
ID = 79621
Admin = Disabled
Name = Microsoft Forefront UAG Quarantine Enforcement Client
ID = 79622
Admin = Enabled
Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled
Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled
Ok.
Output from netsh nap client show state:
Client state:
----------------------------------------------------
Name = Network Access Protection Client
Description = Microsoft Network Access Protection Client
Protocol version = 1.0
Status = Enabled
Restriction state = Not restricted
Troubleshooting URL =
Restriction start time =
Extended state =
GroupPolicy = Configured
Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Description = Provides DHCP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Id = 79619
Name = IPsec Relying Party
Description = Provides IPsec based enforcement for Network Access Protection
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79621
Name = RD Gateway Quarantine Enforcement Client
Description = Provides RD Gateway enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79622
Name = Microsoft Forefront UAG Quarantine Enforcement Client
Description = Reports client health status.
Version = 4.0.2095.10000
Vendor name = Microsoft Corporation
Registration date = 11/01/2013 09:04:05
Initialized = No
Id = 79623
Name = EAP Quarantine Enforcement Client
Description = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
System health agent (SHA) state:
----------------------------------------------------
Id = 7467776
Name = ESET SHA
Description = ESET System Health Agent (SHA) checks compliance of ESET products policy defined by system administrator.
Version = 5.0.2126.0
Vendor name = ESET
Registration date = 23/08/2012 16:12:42
Initialized = No
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (0) -
Id = 79744
Name = Windows Security Health Agent
Description = The Windows Security Health Agent monitors security settings on your computer.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (3237937214) - The Windows Security Health Agent has finished updating the security state of this computer.
Compliance results =
Remediation results =
Id = 79745
Name = Configuration Manager 2012 System Health Agent
Description = Configuration Manager 2012 System Health Agent facilitates enforcement of software update compliance using Network Access Protection.
Version = 2012
Vendor name = Microsoft Corporation
Registration date = 23/01/2013 17:54:04
Initialized = No
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (0) -
Ok.
Output from netsh nap client show grouppolicy:
NAP client configuration (group policy):
----------------------------------------------------
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Enabled
Name = IPsec Relying Party
ID = 79619
Admin = Disabled
Name = RD Gateway Quarantine Enforcement Client
ID = 79621
Admin = Disabled
Name = Microsoft Forefront UAG Quarantine Enforcement Client
ID = 79622
Admin = Disabled
Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled
Client tracing:
----------------------------------------------------
State = Enabled
Level = Advanced
Trusted server group configuration:
----------------------------------------------------
Group = HRA Servers
Require Https = Enabled
URL = https://<FQDN>/domainhra/hcsrvext.dll
Processing order = 1
Group = HRA Servers
Require Https = Enabled
URL = https://<FQDN>/nondomainhra/hcsrvext.dll
Processing order = 2
User interface settings:
----------------------------------------------------
Title = Network Access Protection
Description = Your machine does not meet the security requirements defined by the company. If your machine does remediate automatically please contact IT
Image =
Ok.
I've tried running: netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE" and restarting the NAP agent on client machines - same thing.
Any ideas what is going wrong?
Wednesday, March 6, 2013 2:28 PM
All replies
Hi,
Thank you for your question.
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Thank you for your understanding and support.
Best Regards,
Aiden
Aiden Cao
TechNet Community Support
Friday, March 8, 2013 1:55 AM
Hi,
A couple of things to keep in mind are: netsh nap client set enforcement ID is a command that configures the local policy, not group policy. Netsh nap client show config also shows local policy, not group policy settings. Netsh nap client show group shows the GP settings, which appear to be correct because the DHCP enforcement client is enabled, and the output from netsh nap client show state says that the DHCP enforcement client is initialized. So, there doesn't appear to be a problem here.
Also: MS Service Class can be removed from both the DHCP scope and the network policy. Use the default NAP class in the DHCP scope instead, and the MS Service Class condition can be entirely removed. The only reason to use this is if you have more than one NAP-enabled scope on the same subnet.
Also I'm not sure why you have HRA installed as this is not needed for DHCP enforcement.
The output of IPconfig would be helpful here. Can you provide this?
What do you mean by "Windows 7 Clients obtaining IP from DHCP and client to SCCM install (192.168.8.0/24)"?
I noticed that you have the DHCP server on the 192.168.5.x subnet but you mention the 192.168.8.x subnet. Does this mean that the DHCP server and clients are on a different subnet? If so, then you must configure the 003 Router option in the default NAP class. See http://technet.microsoft.com/en-us/library/dd363563(v=ws.10).aspx.
I believe that in Server 2012 this option (the default NAP class) is configured differently. You must configure it using policy based assignment (PBA) which is a new feature in Server 2012. I will have to test this myself to provide specific instructions on how to configure it as I haven't done this yet in Server 2012.
Can you confirm that the DHCP server and client computers are on a different subnet? If so, this is likely to be the problem.
Thanks,
-Greg
Tuesday, March 12, 2013 5:28 AM
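Two points in this thread come down to what is actually inside the DHCP reply: the question's Wireshark capture of option 121 (classless static routes) on the limited-access lease, and Greg's remark above that a client on a different subnet from the DHCP server needs a usable router option. The decoder below is an added example for this thread, not code from Microsoft or from either poster. It parses the option area of a DHCP reply, decodes option 121 per RFC 3442, applies the RFC 3442 rule that option 121 takes precedence over option 3, and answers the practical question "with this lease, which gateway would the client use to reach host X?". The two option blobs are constructed: the restricted one is shaped the way a NAP limited-access lease is commonly described (a /32 mask and routes only to remediation hosts), which is an assumption, and the addresses reuse the thread's 192.168.5.11 server, 192.168.5.125 SCCM server and 192.168.8.254 gateway.

```python
"""Decode a DHCP reply's option area and work out the routes a client would
install from it.  Added example for this thread, not Microsoft code."""
from ipaddress import IPv4Address, IPv4Network

OPT_SUBNET_MASK, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID = 1, 3, 53, 54
OPT_CLASSLESS_ROUTES = 121   # RFC 3442
DHCPACK = 5


def parse_dhcp_options(data: bytes) -> dict:
    """Return {code: value} for a DHCP option area (the bytes after the magic
    cookie).  Pad (0) is skipped, End (255) stops parsing, and a repeated code
    is concatenated as RFC 3396 requires."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def decode_classless_routes(value: bytes) -> list:
    """Decode option 121: each entry is <prefix width><significant destination
    octets><4-octet gateway>; the destination takes ceil(width/8) octets."""
    routes, i = [], 0
    while i < len(value):
        width = value[i]
        if width > 32:
            raise ValueError(f"bad prefix width {width}")
        n = (width + 7) // 8
        raw_dest = value[i + 1:i + 1 + n]
        gw = value[i + 1 + n:i + 5 + n]
        if len(raw_dest) != n or len(gw) != 4:
            raise ValueError("truncated route entry")
        dest = raw_dest.ljust(4, b"\x00")
        routes.append((IPv4Network((dest, width), strict=False), IPv4Address(gw)))
        i += 5 + n
    return routes


def effective_routes(opts: dict) -> list:
    """Routes the client should install.  RFC 3442: a client that understands
    option 121 ignores option 3 when 121 is present; otherwise every router in
    option 3 becomes a default route."""
    if OPT_CLASSLESS_ROUTES in opts:
        return decode_classless_routes(opts[OPT_CLASSLESS_ROUTES])
    raw = opts.get(OPT_ROUTER, b"")
    return [(IPv4Network("0.0.0.0/0"), IPv4Address(raw[k:k + 4]))
            for k in range(0, len(raw) - len(raw) % 4, 4)]


def gateway_for(routes: list, ip: str):
    """Longest-prefix match: the gateway the client would use to reach ip, or
    None when the lease gives it no path there at all."""
    target, best = IPv4Address(ip), None
    for net, gw in routes:
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def lease_summary(data: bytes) -> dict:
    opts = parse_dhcp_options(data)
    mask = str(IPv4Address(opts[OPT_SUBNET_MASK])) if OPT_SUBNET_MASK in opts else None
    return {
        "msg_type": opts[OPT_MSG_TYPE][0] if OPT_MSG_TYPE in opts else None,
        "server_id": str(IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else None,
        "mask": mask,
        "routes": [(str(n), str(g)) for n, g in effective_routes(opts)],
        # Heuristic (assumption): a NAP limited-access lease carries a /32 mask,
        # no router option, and reaches only the hosts listed in option 121.
        "looks_restricted": (mask == "255.255.255.255" and OPT_ROUTER not in opts
                             and OPT_CLASSLESS_ROUTES in opts),
    }


# Constructed: a limited-access ACK from 192.168.5.11 that only routes to the
# DHCP/NPS server and the SCCM server, both via the clients' 192.168.8.254 gateway.
RESTRICTED_LEASE = bytes([
    OPT_MSG_TYPE, 1, DHCPACK,
    OPT_SERVER_ID, 4, 192, 168, 5, 11,
    OPT_SUBNET_MASK, 4, 255, 255, 255, 255,
    OPT_CLASSLESS_ROUTES, 18,
    32, 192, 168, 5, 11, 192, 168, 8, 254,     # 192.168.5.11/32  via 192.168.8.254
    32, 192, 168, 5, 125, 192, 168, 8, 254,    # 192.168.5.125/32 via 192.168.8.254
    255,
])

# Constructed: the normal full-access ACK, /24 mask and a router option.
FULL_LEASE = bytes([
    OPT_MSG_TYPE, 1, DHCPACK,
    OPT_SERVER_ID, 4, 192, 168, 5, 11,
    OPT_SUBNET_MASK, 4, 255, 255, 255, 0,
    OPT_ROUTER, 4, 192, 168, 8, 254,
    255,
])

if __name__ == "__main__":
    for name, blob in (("restricted", RESTRICTED_LEASE), ("full", FULL_LEASE)):
        routes = effective_routes(parse_dhcp_options(blob))
        print(name, lease_summary(blob))
        print("  gateway to SCCM 192.168.5.125:", gateway_for(routes, "192.168.5.125"))
        print("  gateway to 8.8.8.8:", gateway_for(routes, "8.8.8.8"))
```

To use it on a real capture, copy the option bytes of the DHCP ACK out of Wireshark (everything after the magic cookie) into a bytes literal in place of the constructed blobs; `gateway_for` then tells you whether the quarantined client has any route back to the remediation servers, which is the thing a client silently ignoring the limited-access options would otherwise hide.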
Hi,
Please try configuring a policy on your scope as follows. The next page will have a range to apply the policy where you should choose the entire range. When you get to the next page "Configure settings for the policy" select 003 Router and input the IP address of your router.
This should accomplish the same thing as the old way, which was configured like this:
-Greg
Edited by Greg Lindsay (Microsoft employee) Tuesday, March 12, 2013 10:42 PM
Tuesday, March 12, 2013 10:37 PM
Hi
Thanks for coming back to me and apologies for not coming back sooner - been on training all week.
Just to confirm a couple of things:
DHCP/NPS Server IP: 192.168.5.11
Client IP subnet: 192.168.8.0/24
The MS-Service-Class is in there as I will be adding another NAP'd subnet shortly. When I look at the NPS event logs it can see the service class and the associated policies are all being processed correctly.
Windows 7 Clients obtaining IP from DHCP and client to SCCM install (192.168.8.0/24)
This means all the Windows 7 clients get their IPs from DHCP (no static assignments but there are reservations) AND they are also SCCM 2012 SP1 clients
The image below shows the current scope options for the DHCP scope:
The DHCP database was imported from the original Windows 2008 R2 SP1 server, this is what is created from the import.
IP CONFIG PRE DISABLING OF ANTI-VIRUS:
Windows IP Configuration
Host Name . . . . . . . . . . . . : LO-WK363
Primary Dns Suffix . . . . . . . : <DOMAIN>.org
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : <DOMAIN>.org
System Quarantine State . . . . . : Not Restricted
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : <DOMAIN>.org
Description . . . . . . . . . . . : Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
Physical Address. . . . . . . . . : 00-19-99-7C-CA-D9
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.8.87(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 07 March 2013 18:30:37
Lease Expires . . . . . . . . . . : 20 March 2013 16:33:26
Default Gateway . . . . . . . . . : 192.168.8.254
DHCP Server . . . . . . . . . . . : 192.168.5.11
DNS Servers . . . . . . . . . . . : 192.168.5.1
192.168.5.2
192.168.5.3
192.168.5.4
Quarantine State. . . . . . . . . : Not Restricted
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.<DOMAIN>.org:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : <DOMAIN>.org
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IP CONFIG AFTER DISABLING OF ANTI-VIRUS:
Windows IP Configuration
Host Name . . . . . . . . . . . . : LO-WK363
Primary Dns Suffix . . . . . . . : <DOMAIN>.org
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : <DOMAIN>.org
System Quarantine State . . . . . : Not Restricted
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : <DOMAIN>.org
Description . . . . . . . . . . . : Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
Physical Address. . . . . . . . . : 00-19-99-7C-CA-D9
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.8.87(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 07 March 2013 18:30:37
Lease Expires . . . . . . . . . . : 22 March 2013 17:49:15
Default Gateway . . . . . . . . . : 192.168.8.254
DHCP Server . . . . . . . . . . . : 192.168.5.11
DNS Servers . . . . . . . . . . . : 192.168.5.1
192.168.5.2
192.168.5.3
192.168.5.4
Quarantine State. . . . . . . . . : Not Restricted
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.<DOMAIN>.org:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : <DOMAIN>.org
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
THIS IS WHAT WAS CAPTURED WITH WIRESHARK:
Thursday, March 14, 2013 5:55 PM
Hi,
Is this a hardened client by any chance? I see it is indeed getting the CSRs.
It is probably worth looking at the client logs also. What events do you see on the client under Applications and Services Logs\Microsoft\Windows\Dhcp-Nap-Enforcement-Client and also Applications and Services Logs\Microsoft\Windows\Network Access Protection?
-Greg
Edited by Greg Lindsay (Microsoft employee) Monday, March 18, 2013 6:30 AM
Monday, March 18, 2013 6:30 AM
It's not very hardened but it depends what you mean?
Looking at the logs I can see the following errors:
NAP - Operational Log:
EVENT ID 30: The System Health Agent 79745 has returned an error code 1.
(this is the SCCM NAP SHA - but in SCCM NAP is not enabled)
Dhcp-Nap-Enforcement-Client Log (Microsoft-Windows-DHCPNap/Operational)
EVENT ID 52004: An error occurred in processing the SOH Response. Error code is 0x800706C6
I've searched for the above errors and there's no real information available...
Ideas are welcome!
Monday, March 18, 2013 11:57 AM
Hi,
For such an issue, working in this community is not an efficient way forward, since we may need more resources, for example a memory (application) dump or an ETL trace, which are not appropriate to handle in the community. I'd like to suggest that you submit a service request to MS Professional tech support service so that a dedicated Support Professional can further assist with this request.
Please visit the below link to see the various paid support options that are available to better meet your needs. http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone
Wednesday, April 3, 2013 10:07 AM
So after several weeks of assistance from MS we have an answer.
It turns out WatchGuard firewall DHCP relay is rubbish.
The relay agent on the firewall was causing the reply from the server to the client to be changed in some way that Windows was rather unhappy about. So I've multi-homed the DHCP server to get round the problem - not ideal but problem solved until we can change our core switches. Stupid WatchGuard.
Wednesday, June 5, 2013 9:26 AM