DHCP NAP Windows 7 Client SCCM 2012 SP1 Windows 2012

  • Question

  • We have the following config:

    • Windows 2012 DHCP with NPS and HRA services installed (192.168.5.11)
    • Windows 2008 R2 with SCCM 2012 SP1 - no NAP settings (192.168.5.125)
    • Windows 7 Clients obtaining IP from DHCP and client to SCCM install (192.168.8.0/24)

    We have configured the following policies on the NPS Server:

    • Connection Request: DHCP: Called Station ID: 192.168.8.0
    • Network Policies with appropriate MS-Service Class for DHCP scope, with compliant and non-compliant Health Polices (very simple, the only thing that isn't being checked is Win Updates)

    The DHCP is happy to dish out IP addresses to compliant machines no problem at all. When a machine goes non-compliant it registers the non-compliant machine with event ID 6276 - Network Policy Server quarantined a user.

    It then proceeds to send the limited access DHCP options which the client then happily ignores.

    I've run WireShark on the clients to capture the DHCP response and I can see the different options being returned to the client, specifically option 121 with the classless static routes.

    When I run napstat it says full network access - no issues raised.

    Output from netsh nap client show config


    NAP client configuration: 
    ---------------------------------------------------- 

    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048 

    Hash algorithm = sha1RSA (1.3.14.3.2.29) 

    Enforcement clients: 
    ---------------------------------------------------- 
    Name            = DHCP Quarantine Enforcement Client 
    ID              = 79617 
    Admin           = Disabled 

    Name            = IPsec Relying Party 
    ID              = 79619 
    Admin           = Disabled 

    Name            = RD Gateway Quarantine Enforcement Client 
    ID              = 79621 
    Admin           = Disabled 

    Name            = Microsoft Forefront UAG Quarantine Enforcement Client 
    ID              = 79622 
    Admin           = Enabled 

    Name            = EAP Quarantine Enforcement Client 
    ID              = 79623 
    Admin           = Disabled 

    Client tracing: 
    ---------------------------------------------------- 
    State = Disabled 
    Level = Disabled 

    Ok.

    Output from netsh nap client show state:

    Client state: 
    ---------------------------------------------------- 
    Name                   = Network Access Protection Client 
    Description            = Microsoft Network Access Protection Client 
    Protocol version       = 1.0 
    Status                 = Enabled 
    Restriction state      = Not restricted 
    Troubleshooting URL    =  
    Restriction start time =  
    Extended state         =  
    GroupPolicy            = Configured 

    Enforcement client state: 
    ---------------------------------------------------- 
    Id                     = 79617 
    Name                   = DHCP Quarantine Enforcement Client 
    Description            = Provides DHCP based enforcement for NAP 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = Yes 

    Id                     = 79619 
    Name                   = IPsec Relying Party 
    Description            = Provides IPsec based enforcement for Network Access Protection 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 

    Id                     = 79621 
    Name                   = RD Gateway Quarantine Enforcement Client 
    Description            = Provides RD Gateway enforcement for NAP 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 

    Id                     = 79622 
    Name                   = Microsoft Forefront UAG Quarantine Enforcement Client 
    Description            = Reports client health status. 
    Version                = 4.0.2095.10000 
    Vendor name            = Microsoft Corporation 
    Registration date      = 11/01/2013 09:04:05 
    Initialized            = No 

    Id                     = 79623 
    Name                   = EAP Quarantine Enforcement Client 
    Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies. 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 

    System health agent (SHA) state: 
    ---------------------------------------------------- 
    Id                     = 7467776 
    Name                   = ESET SHA 
    Description            = ESET System Health Agent (SHA) checks compliance of ESET products policy defined by system administrator. 
    Version                = 5.0.2126.0  
    Vendor name            = ESET 
    Registration date      = 23/08/2012 16:12:42 
    Initialized            = No 
    Failure category       = None 
    Remediation state      = Success 
    Remediation percentage = 0 
    Fixup Message          = (0) -  

    Id                     = 79744 
    Name                   = Windows Security Health Agent 
    Description            = The Windows Security Health Agent monitors security settings on your computer. 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = Yes 
    Failure category       = None 
    Remediation state      = Success 
    Remediation percentage = 0 
    Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating the security state of this computer. 
    Compliance results     = 
    Remediation results    = 

    Id                     = 79745 
    Name                   = Configuration Manager 2012 System Health Agent 
    Description            = Configuration Manager 2012 System Health Agent facilitates enforcement of software update compliance using Network Access Protection. 
    Version                = 2012 
    Vendor name            = Microsoft Corporation 
    Registration date      = 23/01/2013 17:54:04 
    Initialized            = No 
    Failure category       = None 
    Remediation state      = Success 
    Remediation percentage = 0 
    Fixup Message          = (0) -  

    Ok.

    Output from netsh nap client show grouppolicy:


    NAP client configuration (group policy): 
    ---------------------------------------------------- 

    NAP client configuration: 
    ---------------------------------------------------- 

    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048 

    Hash algorithm = sha1RSA (1.3.14.3.2.29) 

    Enforcement clients: 
    ---------------------------------------------------- 
    Name            = DHCP Quarantine Enforcement Client 
    ID              = 79617 
    Admin           = Enabled 

    Name            = IPsec Relying Party 
    ID              = 79619 
    Admin           = Disabled 

    Name            = RD Gateway Quarantine Enforcement Client 
    ID              = 79621 
    Admin           = Disabled 

    Name            = Microsoft Forefront UAG Quarantine Enforcement Client 
    ID              = 79622 
    Admin           = Disabled 

    Name            = EAP Quarantine Enforcement Client 
    ID              = 79623 
    Admin           = Disabled 

    Client tracing: 
    ---------------------------------------------------- 
    State = Enabled 
    Level = Advanced 

    Trusted server group configuration: 
    ---------------------------------------------------- 
    Group            = HRA Servers 
    Require Https    = Enabled 
    URL              = https://<FQDN>/domainhra/hcsrvext.dll 
    Processing order = 1 
    Group            = HRA Servers 
    Require Https    = Enabled 
    URL              = https://<FQDN>/nondomainhra/hcsrvext.dll 
    Processing order = 2 

    User interface settings: 
    ---------------------------------------------------- 
    Title       = Network Access Protection 
    Description = Your machine does not meet the security requirements defined by the company. If your machine does remediate automatically please contact IT 
    Image       =  

    Ok.

    I've tried running: netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE" and restarting the NAP agent on client machines - same thing.

    Any ideas what is going wrong?

    Wednesday, March 6, 2013 2:28 PM
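Since the client is ignoring the limited-access options that Wireshark shows the server sending, the first thing worth checking is what the option 121 bytes actually decode to on each side of the path (server-side capture versus client-side capture). This is an added example, not code from the thread: a small Python decoder/encoder for RFC 3442 classless static routes, with a constructed sample payload (a /32 for the DHCP/NPS host and a /24 for a remediation subnet, both via the 192.168.8.254 router from the ipconfig output).

```python
"""Decode/encode DHCP option 121 (Classless Static Route, RFC 3442).

Added example, not from the original thread. The sample payload below is
constructed: the routes a NAP-restricted client on 192.168.8.0/24 might be
handed so it can reach only the DHCP/NPS host and a remediation subnet.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def decode_option121(payload: bytes) -> List[Route]:
    """Parse the option value (without the 0x79 tag and length octet).

    Each entry is: 1 byte prefix length, ceil(prefix/8) significant
    destination octets, then a 4-byte router address.
    """
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        prefix_len = payload[i]
        if prefix_len > 32:
            raise ValueError(f"bad prefix length {prefix_len} at offset {i}")
        n_sig = (prefix_len + 7) // 8           # significant destination octets
        end = i + 1 + n_sig + 4
        if end > len(payload):
            raise ValueError(f"truncated route entry at offset {i}")
        dest = payload[i + 1:i + 1 + n_sig] + b"\x00" * (4 - n_sig)
        router = payload[i + 1 + n_sig:end]
        # strict=False: report what was sent even if host bits are set
        net = ipaddress.IPv4Network((dest, prefix_len), strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
        i = end
    return routes


def encode_option121(routes: List[Route]) -> bytes:
    """Inverse of decode_option121; builds a reference payload to diff
    against the bytes the client actually received."""
    out = bytearray()
    for net, router in routes:
        n_sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:n_sig]
        out += router.packed
    return bytes(out)


def is_well_formed(payload: bytes) -> bool:
    """True if the payload decodes cleanly (a mangled relay reply would not)."""
    try:
        decode_option121(payload)
        return True
    except ValueError:
        return False


def describe(payload: bytes) -> List[str]:
    """One 'destination via router' line per decoded entry."""
    return [f"{net} via {gw}" for net, gw in decode_option121(payload)]


# Constructed sample payload (see module docstring).
SAMPLE_ROUTES: List[Route] = [
    (ipaddress.IPv4Network("192.168.5.11/32"), ipaddress.IPv4Address("192.168.8.254")),
    (ipaddress.IPv4Network("192.168.5.0/24"), ipaddress.IPv4Address("192.168.8.254")),
]
SAMPLE_OPTION121 = encode_option121(SAMPLE_ROUTES)

if __name__ == "__main__":
    print(SAMPLE_OPTION121.hex())
    for line in describe(SAMPLE_OPTION121):
        print(line)
```

Paste the option 121 value from Wireshark (Copy as Hex Stream, minus the tag and length octets) into `bytes.fromhex(...)` and compare the server-side and client-side decodes; a difference points at whatever sits in between, such as a DHCP relay.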

All replies

  • Hi,

    Thank you for your question.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best Regards,

    Aiden


    Aiden Cao
    TechNet Community Support

    Friday, March 8, 2013 1:55 AM
  • Hi,

    A couple things to keep in mind are: netsh nap client set enforcement ID is a command that configures the local policy, not group policy. Netsh nap client show config also shows local policy, not group policy settings. Netsh nap client show group shows the GP settings which appear to be correct because the DHCP enforcement client is enabled and the output from netsh nap client show state says that the DHCP enforcement client is initialized. So, there doesn't appear to be a problem here.

    Also: MS Service Class can be removed from both the DHCP scope and the network policy. Use the default NAP class in the DHCP scope instead, and the MS Service Class condition can be entirely removed. The only reason to use this is if you have more than one NAP-enabled scope on the same subnet.

    Also I'm not sure why you have HRA installed as this is not needed for DHCP enforcement.

    The output of IPconfig would be helpful here. Can you provide this?

    What do you mean by "Windows 7 Clients obtaining IP from DHCP and client to SCCM install (192.168.8.0/24)"?

    I noticed that you have the DHCP server on the 192.168.5.x subnet but you mention the 192.168.8.x subnet. Does this mean that the DHCP server and clients are on a different subnet? If so, then you must configure the 003 Router option in the default NAP class. See http://technet.microsoft.com/en-us/library/dd363563(v=ws.10).aspx.

    I believe that in Server 2012 this option (the default NAP class) is configured differently. You must configure it using policy based assignment (PBA) which is a new feature in Server 2012. I will have to test this myself to provide specific instructions on how to configure it as I haven't done this yet in Server 2012.

    Can you confirm that the DHCP server and client computers are on a different subnet? If so, this is likely to be the problem.

    Thanks,

    -Greg

    Tuesday, March 12, 2013 5:28 AM
  • Hi,

    Please try configuring a policy on your scope as follows. The next page will have a range to apply the policy where you should choose the entire range. When you get to the next page "Configure settings for the policy" select 003 Router and input the IP address of your router.

    This should accomplish the same thing as the old way, which was configured like this:

    -Greg



    Tuesday, March 12, 2013 10:37 PM
  • Hi

    Thanks for coming back to me and apologies for not coming back sooner - been on training all week.

    Just to confirm a couple of things:

    DHCP/NPS Server IP: 192.168.5.11

    Client IP subnet: 192.168.8.0/24

    The MS-Service-Class is in there as I will be adding another NAP'd subnet shortly. When I look at the NPS event logs it can see the service class and the associated policies are all being processed correctly.

    Windows 7 Clients obtaining IP from DHCP and client to SCCM install (192.168.8.0/24)

    This means all the Windows 7 clients get their IPs from DHCP (no static assignments, but there are reservations) AND they are also SCCM 2012 SP1 clients.

    The image below shows the current scope options for the DHCP scope:

    The DHCP database was imported from the original Windows 2008 R2 SP1 server, this is what is created from the import.

    IP CONFIG PRE DISABLING OF ANTI-VIRUS:


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : LO-WK363
       Primary Dns Suffix  . . . . . . . : <DOMAIN>.org
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : <DOMAIN>.org
       System Quarantine State . . . . . : Not Restricted


    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : <DOMAIN>.org
       Description . . . . . . . . . . . : Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
       Physical Address. . . . . . . . . : 00-19-99-7C-CA-D9
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.8.87(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : 07 March 2013 18:30:37
       Lease Expires . . . . . . . . . . : 20 March 2013 16:33:26
       Default Gateway . . . . . . . . . : 192.168.8.254
       DHCP Server . . . . . . . . . . . : 192.168.5.11
       DNS Servers . . . . . . . . . . . : 192.168.5.1
                                           192.168.5.2
                                           192.168.5.3
                                           192.168.5.4
       Quarantine State. . . . . . . . . : Not Restricted

       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.investmentuk.org:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : <DOMAIN>.org
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    IP CONFIG AFTER DISABLING OF ANTI-VIRUS:


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : LO-WK363
       Primary Dns Suffix  . . . . . . . : <DOMAIN>.org
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : <DOMAIN>.org
       System Quarantine State . . . . . : Not Restricted


    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : <DOMAIN>.org
       Description . . . . . . . . . . . : Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
       Physical Address. . . . . . . . . : 00-19-99-7C-CA-D9
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.8.87(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : 07 March 2013 18:30:37
       Lease Expires . . . . . . . . . . : 22 March 2013 17:49:15
       Default Gateway . . . . . . . . . : 192.168.8.254
       DHCP Server . . . . . . . . . . . : 192.168.5.11
       DNS Servers . . . . . . . . . . . : 192.168.5.1
                                           192.168.5.2
                                           192.168.5.3
                                           192.168.5.4
       Quarantine State. . . . . . . . . : Not Restricted

       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.<DOMAIN>.org:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : <DOMAIN>.org
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    THIS IS WHAT WAS CAPTURED WITH WIRESHARK:

    Thursday, March 14, 2013 5:55 PM
  • Hi,

    Is this a hardened client by any chance? I see it is indeed getting the CSRs.

    It is probably worth looking at the client logs also. What events do you see on the client under Applications and Services Logs\Microsoft\Windows\Dhcp-Nap-Enforcement-Client and also Applications and Services Logs\Microsoft\Windows\Network Access Protection?

    -Greg


    Monday, March 18, 2013 6:30 AM
  • It's not very hardened but it depends what you mean?

    Looking at the logs I can see the following errors:

    NAP - Operational Log:

    EVENT ID 30: The System Health Agent 79745 has returned an error code 1.

    (this is the SCCM NAP SHA - but in SCCM NAP is not enabled)

    Dhcp-Nap-Enforcement-Client Log (Microsoft-Windows-DHCPNap/Operational)

    EVENT ID 52004: An error occurred in processing the SOH Response. Error code is 0x800706C6

    I've searched for the above errors and there's no real information available...

    Ideas are welcome!

    Monday, March 18, 2013 11:57 AM
  • Hi,

    For such an issue, it is not efficient to work in this community since we may need more resources, for example a memory (application) dump or ETL trace, which is not appropriate to handle in the community. I’d like to suggest that you submit a service request to MS Professional tech support service so that a dedicated Support Professional can further assist with this request.
    Please visit the link below to see the various paid support options that are available to better meet your needs. http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone


    Wednesday, April 3, 2013 10:07 AM
  • So after several weeks of assistance from MS we have an answer.

    It turns out WatchGuard firewall DHCP relay is rubbish.

    The relay agent on the firewall was causing the reply from server to the client to be changed in some way that Windows was rather unhappy about. So I've multi homed the DHCP server to get round the problem - not ideal but problem solved until we can change our core switches. Stupid WatchGuard.

    Wednesday, June 5, 2013 9:26 AM