locked
DHCP Enforcement assign address fails RRS feed

  • Question

  • We are testing DHCP NAP in the lab.

    We set WSHV just to check if the Windows Firewall is turned on.

    Also we create a DHCP Policy to configure non-compliance client to get a specified DNS name(015) and DNS server option.

    The parameters of policy are as below:

    Conditions:User Class

    Operator:Equals

    Value:Default Network Access Protection Class

    Everything is ok so client will get the dns name and dns server option which we specified in the policy if the windows firewall is turned off.

    But as long as we add an ip range to the policy,non-compliance client could get neither IP nor DHCP Options from DHCP server.

    Client will configure itself to use APIPA.

    We got the EVENT:50015 Nack is received on interface %interface_indexnumber% from client event log.

    What's the case?



    • Edited by Nodium Monday, May 20, 2013 5:45 AM
    Monday, May 20, 2013 4:48 AM

All replies

  • Hi Nodium,


    Based on my research, we cannot use DHCP Enforcement to assign IP address from a dedicated subnet for noncompliant clients. Instead, we might try 802.1x Enforcement, with 802.1x Enforcement, we can isolate clients onto different vLANs depending on health state.


    Choose an Enforcement Method

    http://technet.microsoft.com/en-us/library/dd125350(v=ws.10).aspx


    Combining NAP enforcement methods

    http://blogs.technet.com/b/nap/archive/2008/07/31/combining-nap-enforcement-methods.aspx


    Hope this helps.


    Jeremy Wu
    TechNet Community Support

    Tuesday, May 21, 2013 6:12 AM
  • Hi Wu,

    Thanks for your reply.

    Why this scenario is not supported?

    I think it is just something new in Windows Server 2012 DHCP Role:Configure DHCP Using Policy-based Assignment

    Additional:the ip range we assign to the non-compliant clients is inside same DHCP scope,not a dedicated subnet/vlan.

    For example:

    DHCP Scope:10.0.0.0/24

    Compliant clients:10.0.0.1-10.0.0.200

    Non-compliant clients:10.0.0.201-10.0.0.250(it was the ip range we added to the DHCP policy).

    We want to sort the clients by compliant status.



    • Edited by Nodium Friday, May 24, 2013 2:27 AM
    Wednesday, May 22, 2013 12:52 PM