VPN client compliance reevaluated but not applied

  • Question

  • Hi,

    I have a VPN lab set up to work as explained in the doc.
    All is working as expected, and when the client changes
    its health state from compliant to non-compliant, a popup
    appears to alert me that the client is no longer compliant and
    has limited access to the network. However, the VPN
    connection remains, and the address is the same as before,
    even if I configure the policy server to assign a different
    address to non-compliant clients (i.e. via NPS settings).

    The reverse does not work either: when I connect a non-compliant
    client to the VPN, I get the restricted address
    as configured in NPS, but when the client becomes compliant,
    the address remains the restricted one.

    I am doing my tests with the Windows SH{A,V}, as well
    as the one I am developing for our product.

    Should I expect such a behaviour, i.e. the RAS QEC not
    updating the client configuration after the first connection to
    the VPN server?

    I tested the DHCP enforcement lab and the client address
    is updated.

    Thanks for helping,

    Wednesday, March 5, 2008 1:55 PM

Answers

  • Hi,
    When a client becomes noncompliant, the VPN connection is not supposed to be terminated and the IP address will remain unchanged, so this is behaving as expected. For VPN enforcement, packet filters are applied to the connection such that access is only allowed to IP addresses that you specify as remediation servers, or addresses that are otherwise allowed on the settings tab of noncompliant network policy using IP Filters.
    Are you combining DHCP enforcement with VPN enforcement? If so, please note that your client can only match one connection request policy and one network policy. If you have both DHCP and VPN policies, the client will match either the DHCP or the VPN policy, depending on their processing order.
    Please provide details on what you mean by "the address remains the restricted one."
    Thanks,

    -Greg

    Wednesday, March 5, 2008 5:54 PM
  • Hi,

    Thanks for your reply.
    Application of IP filters works well actually, and it solves
    the issues regarding client remediation.

    I am not combining DHCP and VPN enforcement; I am testing
    them separately, and the VPN server does not use DHCP
    relay agent mode.
    The restricted address is the one I have set in the NPS
    settings for a client matching the Non-Compliant policy.

    BTW, all is working as expected, and I will use IP filters
    to implement non client access restrictions.

    Thanks for your answer,

    Thursday, March 6, 2008 7:53 AM

All replies
  • I spoke a bit too fast: application of the IP filtering
    does not work. That is, if the client becomes non-compliant
    after it has connected to the VPN as a compliant client,
    the settings mentioned in the network policies are not applied
    (but the client matches this policy, as seen in eventvwr).

    Any suggestion?
    Thursday, March 6, 2008 8:49 AM
  • Hi,
    This can happen if the RADIUS client is not marked as "NAP-capable." In this case, health is evaluated the first time the client connects, but not ongoing. The RADIUS client in NPS must be NAP-capable to dynamically apply IP Filters as health changes during the session. Remediation server groups will also not be used if the RADIUS client is not "NAP-capable."
    -Greg

    Thursday, March 6, 2008 5:41 PM
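The check behind Greg's last reply, as an added example that is not part of the thread: an audit script that lists every enabled RADIUS client in NPS that is not marked "NAP-capable" (the setting that, per the reply, makes NPS re-evaluate health during the session and apply the noncompliant policy's IP filters dynamically), and optionally turns the flag on. It assumes the NPS PowerShell module (`Get-NpsRadiusClient` / `Set-NpsRadiusClient`, shipped with Windows Server 2012 and later, so not the Server 2008 lab in the thread) and the `Enabled` and `NapCompatible` property names that module exposes; the VPN server is the RADIUS client being audited.

```powershell
# Added example, not from the thread. Audits NPS RADIUS clients for the
# "NAP-capable" flag; without it, health is evaluated only at connect
# time and the noncompliant policy's IP filters are never applied to a
# session that turns noncompliant later. Run on the NPS server as admin.
# Assumption: NPS PowerShell module (Windows Server 2012+) is available.
param(
    # Without -Apply the script only reports; with it, the flag is set.
    [switch]$Apply
)

Import-Module NPS -ErrorAction Stop

function Get-NonNapCapableRadiusClient {
    # Enabled RADIUS clients (e.g. the RRAS VPN server) whose
    # NapCompatible flag is off. Property names assumed from the module.
    Get-NpsRadiusClient |
        Where-Object { $_.Enabled -and -not $_.NapCompatible } |
        Select-Object Name, Address, Enabled, NapCompatible
}

$offenders = @(Get-NonNapCapableRadiusClient)

if ($offenders.Count -eq 0) {
    Write-Output "All enabled RADIUS clients are marked NAP-capable."
    return
}

Write-Output "RADIUS clients that will NOT re-evaluate health during a session:"
$offenders | Format-Table -AutoSize

if ($Apply) {
    foreach ($client in $offenders) {
        # Mark the client NAP-capable so IP filters and remediation
        # server groups follow health changes mid-session.
        Set-NpsRadiusClient -Name $client.Name -NapCompatible $true
        Write-Output "Marked '$($client.Name)' as NAP-capable."
    }
}
```

Run it once without `-Apply` to see which clients are affected, then with `-Apply` after confirming the list; the flag also has to be on for remediation server groups to be used, as the reply notes, so the same audit covers both symptoms.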