NAP 2008 R2 + DHCP

  • Question

  • Hello, how is it going?

    I'm implementing a NAP 2008 R2 + DHCP solution, with the following distribution of servers and services:

    • SRV01: ADDS + DHCP + CA
    • SRV02: NPS

    I have been guided by the following links:

    http://www.pedro-brandao.info/ManuaisRedes/WindowsServer2008R2/Sams_Windows_Server_2008_R2_Unleashed.pdf

    https://technet.microsoft.com/en-us/library/cc772356(v=ws.10).aspx

    https://www.microsoft.com/en-us/download/details.aspx?id=2409

    In short, I did the following:

    1. Created an OU in the ADDS with the name Test.
    2. In this OU I put the two client computers for testing (CLIENT01 and CLIENT02, both with Windows 7 Pro).
    3. I configured the NPS.
    4. I created a System Health Validator.
    5. I created a health policy for compliant and noncompliant clients.
    6. I created a network policy for compliant and noncompliant clients.
    7. First question: As the DHCP server is separate, I had to install and configure the NPS role as a RADIUS proxy; is this correct? When configuring the RADIUS client (proxy), the IP address of the DHCP server was placed in the IP address field; is that correct, or should it be the IP address of the NPS server?
    8. I created and configured a GPO to configure the client computers.
    9. I assigned the policy to the OU Test.
    10. I validated that the policy is applied to the client computers.
    11. I configured the scope options for the Default User Class (compliant clients) and the Default Network Access Protection Class (noncompliant clients). Second question: Is it correct to set the two classes under the same scope, or must you create a separate VLAN for noncompliant computers?
    12. I configured the test DHCP scope (192.168.10.0) with NAP.

    Then I started testing the client computers and the result was as follows:

    1. Client01 (compliant client): Gets an IP address / No notice that the client has met the requirements is displayed, although it is set in the GPO.
    2. Client02 (noncompliant client): Gets an APIPA address / No notice that the client has not met the requirements is displayed, although it is set in the GPO.

    Third question: It is assumed that a noncompliant client should receive an IP address with mask 255.255.255.255, which does not have network access. Then why does it receive an APIPA address? Or do I need some additional configuration?

    Fourth question: On the same server, can NAP DHCP and 802.1X enforcement be configured? Are there any rules that must be followed?

    Thanks very much!

    Best regards.


    • Edited by Fed Yunis Wednesday, November 11, 2015 4:52 AM
    Wednesday, November 11, 2015 3:50 AM

Answers

  • Hi Fed Yunis,

    >First question: As the DHCP server is separate, I had to install and configure the NPS role as a RADIUS proxy; is this correct? When configuring the RADIUS client (proxy), the IP address of the DHCP server was placed in the IP address field; is that correct, or should it be the IP address of the NPS server?

    When the DHCP role and the NPS server aren't on the same machine, we need to install the NPS role on the DHCP server too, working as an NPS proxy. In the NPS proxy, we add the RADIUS client using the DHCP server's IP address, and add the RADIUS server in the Remote RADIUS Server Group using the remote NPS server's IP address.

    >Second question: Is it correct to set the two classes under the same scope, or must you create a separate VLAN for noncompliant computers?

    >I configured the test DHCP scope (192.168.10.0) with NAP.

    As far as I know, scope options are configured at the scope level. If compliant clients and noncompliant clients use the same scope, it seems that we could only use the same scope options. If you want the two classes of clients to be configured with different scope options, we need to use two scopes, and then it seems that we need to separate them into different subnets for different scopes.

    >Third question: It is assumed that a noncompliant client should receive an IP address with mask 255.255.255.255, which does not have network access. Then why does it receive an APIPA address? Or do I need some additional configuration?

    APIPA is an automatic private address. Clients will get an APIPA address when they couldn't get an IP configuration from the DHCP server.

    >Fourth question: On the same server, can NAP DHCP and 802.1X enforcement be configured? Are there any rules that must be followed?

    As far as I'm concerned, it could.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Thursday, November 12, 2015 6:47 AM
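The third question and its answer turn on telling two client states apart: a NAP restricted-access lease (an address with mask 255.255.255.255 and no default gateway, which is the intended result for a noncompliant client) and an APIPA 169.254.x.x address (no lease at all, meaning the DHCP server, or the NPS proxy chain in front of it, never answered). The script below is an added example, not code from the thread or from Microsoft; it parses adapter sections in the shape `ipconfig /all` prints on an English-locale Windows 7 client and classifies each one. The sample text is constructed for the example and is not output captured from CLIENT01 or CLIENT02.

```python
"""Triage NAP DHCP enforcement results from "ipconfig /all" text.

States reported per adapter:
  full        normal lease (routable mask, default gateway present)
  restricted  NAP restricted access: /32 lease, no default gateway
  apipa       169.254.0.0/16 autoconfiguration address: no DHCP lease,
              so check the DHCP service and the NPS proxy / RADIUS client
              configuration rather than the health or network policies
  no-ipv4     adapter has no IPv4 address at all
"""
import ipaddress
import re

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")
RESTRICTED_MASK = "255.255.255.255"

# Constructed sample (not real client output): one adapter in each of the
# three states a NAP DHCP client can end up in.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : lab.example
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.10.25(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DHCP Server . . . . . . . . . . . : 192.168.10.10

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : restricted.lab.example
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.10.60(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 192.168.10.10

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . :
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.23.77(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

# Adapter headers start in column 0 and end with a colon; field lines are
# indented, padded with " . " and separated from their value by ": ".
_ADAPTER_RE = re.compile(r"^(\S[^:]*):\s*$")
_FIELD_RE = re.compile(r"^\s+(.*?)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field name: value}} for every adapter section."""
    adapters = {}
    current = None
    for line in text.splitlines():
        m = _ADAPTER_RE.match(line)
        if m:
            # "Ethernet adapter Local Area Connection" -> "Local Area Connection"
            name = m.group(1).split(" adapter ", 1)[-1]
            current = adapters[name] = {}
            continue
        m = _FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2)
            # Drop lifetime tags such as "(Preferred)" that follow the address.
            current[key] = re.sub(r"\(.*?\)", "", value).strip()
    return adapters


def classify(ip, mask, gateway):
    """Name the access state of one IPv4 configuration."""
    if ipaddress.ip_address(ip) in APIPA_NET:
        return "apipa"
    if mask == RESTRICTED_MASK and not gateway:
        return "restricted"
    return "full"


def triage(ipconfig_text):
    """Map each adapter in an ipconfig dump to its NAP access state."""
    result = {}
    for name, fields in parse_ipconfig(ipconfig_text).items():
        ip = fields.get("IPv4 Address") or fields.get("Autoconfiguration IPv4 Address")
        if not ip:
            result[name] = "no-ipv4"
            continue
        result[name] = classify(ip, fields.get("Subnet Mask", ""),
                                fields.get("Default Gateway", ""))
    return result


if __name__ == "__main__":
    for name, state in triage(SAMPLE_IPCONFIG).items():
        print(f"{name}: {state}")
```

Run it against a real dump with `ipconfig /all > out.txt` on the client and `triage(open("out.txt").read())`. An adapter reported as `apipa` means the client never completed a DHCP exchange, which points at the DHCP service or the NPS proxy and RADIUS client settings discussed in the first answer; only an adapter reported as `restricted` shows that NAP enforcement itself acted on the client.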

All replies

  • All clear now, and the RADIUS proxy was successful.

    Thanks very much, Anne He!

    Thursday, November 19, 2015 4:53 PM