degraded functionality

  • Question

  • Hi,

    I have a question about the availability of an NPS server.

    If there is no NPS server available for processing the access request / SoH, what happens?
    Will the message be discarded and the computer granted full access, or restricted access? Or does the client computer's level of network access stay the same as it was before it sent the request/SoH?

    With NAP DHCP you can specify what the behaviour of the DHCP server must be if there's no NPS server available. How about VPN, 802.1x and IPsec?

    Thanks in advance

    Thursday, December 11, 2008 8:23 AM

All replies

  • Hi Roel,

    In IPSec the computer state will not change from the previous. If the computer is unhealthy, it will remain unhealthy. If it is healthy, it will remain healthy.

    Thanks
    -RamaSubbu SK
    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    • Proposed as answer by RamaSubbu SK Thursday, December 11, 2008 6:49 PM
    • Marked as answer by Roel_85 Monday, January 5, 2009 7:45 PM
    Thursday, December 11, 2008 6:49 PM
  • So it's very important that NPS is redundant with NAP IPsec.

    How about VPN and 802.1x? Does the client also stay in its state until an NPS is available?

    With DHCP you can choose what must occur (full access IP, restricted access IP, or APIPA) if there is no NPS available.
    Friday, December 12, 2008 10:25 AM
  • Hi,

    I believe that VPN and 802.1X behave the same - the client will remain in the previous state if connection to NPS is lost. However, keep in mind that if the client needs to re-authenticate then it would need to contact NPS and the connection would drop in this case. This might occur if the VPN session timed out or in the case of 802.1X there is often a re-authentication timer configured on the switch that forces periodic connections to NPS.

    -Greg
    • Marked as answer by Roel_85 Monday, January 5, 2009 7:45 PM
    Monday, January 5, 2009 6:58 PM
  • 802.1x...

    If you are authenticated to the switch and then NPS goes down, no issues.

    If you are using reauthentication and NPS was down, RADIUS fails, and then the switch would unauthorize you (fail-safe).

    However, in later versions of IOS, Cisco has released the commands "dot1x critical" and "dot1x critical vlan" so that if RADIUS has failed, you can put them somewhere.

    Note that there are default timeouts associated with the RADIUS attempts, so if RADIUS fails, it will have to time out; if you have two RADIUS boxes, it will try both of these and then time out. DHCP only waits for I think it was 90s before it gives up and then retries some 5 minutes later, so if both of your NPS boxes are down and you use default timeouts on RADIUS, it would seem like the port doesn't authenticate and they would need to renew the IP. We are going to be testing the RADIUS timeouts soon to get this working better, but someone else may have best practice RADIUS timeouts and dead criteria they are using and can post.

    Derek
    Wednesday, January 7, 2009 11:54 PM
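The 802.1X fail-over behaviour Derek describes (RADIUS dead detection, then parking ports in a critical VLAN instead of deauthorizing them at the next reauthentication) written out as a Cisco IOS configuration. This is an added example, not configuration from any poster; it assumes the 12.2(25)SEE-era `dot1x critical` syntax mentioned above, two NPS servers at the constructed addresses 192.0.2.10 and 192.0.2.11, and that VLAN 999 already exists as a restricted (quarantine) VLAN with no route to production services.

```cisco
! Constructed example, not from the thread. Two NPS servers as RADIUS hosts.
! "test username" makes the switch probe each server, so a dead server is
! noticed before a client authentication has to time out against it.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 test username nps-probe idle-time 5 key REPLACE_WITH_SHARED_SECRET
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 test username nps-probe idle-time 5 key REPLACE_WITH_SHARED_SECRET
! Per-request timeout and retries. Worst case for one new authentication with
! both servers unresponsive but not yet marked dead: 5 s x 3 attempts x 2 = 30 s.
radius-server timeout 5
radius-server retransmit 2
! Mark a server dead once it has gone at least 15 s and 3 consecutive requests
! without answering, then skip it for 5 minutes so later authentications do
! not each wait out the full 30 s.
radius-server dead-criteria time 15 tries 3
radius-server deadtime 5
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 ! Periodic reauthentication is what turns an NPS outage into lost access;
 ! the period comes from the Session-Timeout attribute NPS returns.
 dot1x reauthentication
 dot1x timeout reauth-period server
 ! Fail-open into the restricted VLAN only while every RADIUS server is dead.
 ! Without "dot1x critical" the port is deauthorized at the next reauth
 ! (fail-closed), which is the behaviour Derek calls fail-safe.
 dot1x critical
 dot1x critical vlan 999
 ! When a server comes back, force reinitialization so hosts do not keep
 ! whatever access they had in the critical VLAN without a health check.
 dot1x critical recovery action reinitialize
```

Whether VLAN 999 should carry only remediation resources or nothing at all is the same policy decision the thread raises for NAP DHCP (restricted access versus no address), made explicit per port rather than left to the RADIUS timeouts.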