NAP/DHCP testing

  • Question

  • We have Windows NAP setup as per the June 2006 Microsoft document "Setting Up Dynamic Host Configuration Protocol Enforcement for Network Access Protection in a Test Lab". I have the systems configured as per that document, except without ActiveDirectory.

    We are using the Longhorn CTP (build 5600) and Vista RC2 (build 5744).

    It works generally but I've noticed the following issues.

    1. NAP agent off by default

    The Vista NAP agent is off by default, and turning it on requires two or three very complex steps for the user. Can this be simplified or automated? Although it may be possible to set this automatically for domain users, it won't be possible for guest users connecting to the network who don't belong to the domain. I'm concerned that this will be a deployment issue.

    2. NAP agent not prompting user

    I've seen the Microsoft demo where the NAP agent prompts the user about NAP status onscreen.

    If I switch off the firewall and AV and force NAP to fail, the Vista NAP agent never prompts the user to do anything. Likewise, if the NAP check passes, nothing is displayed to the user. Is this expected behavior?

    3. Reliability

    The Vista PC sometimes sends a number of DHCP requests without the NAP payload. I'm not sure if this is part of the design or some sort of timing issue with the NAP agent/Vista security center not starting quickly enough.

    4. DHCP server not reflecting NAP status

    This is a minor issue on Longhorn. In the DHCP Server, the Address Leases always show "Off" in the Network Access Protection column for all leases, even if a machine connected successfully and Network Policy Server logs an event showing full access was granted.


    Thanks
    Monday, October 23, 2006 11:11 PM

Answers

  • Greetings!

    1. Deploy the service as "auto" within Group Policy, which requires an AD and machine membership in the domain. You could also write a very simple command line script which needs to be run once to set it to auto. Example: "reg add HKLM\SYSTEM\CurrentControlSet\Services\napagent /v Start /t REG_DWORD /d 2 /f"
    2. This sounds like you have auto-remediation enabled on the back-end (NPS) policy, and the firewall is getting flipped back to ON so fast the user isn't even notified OR you have a configuration problem and the client is never told to go in to "quarantine".
      • What does the event log say on the NPS server?
      • Does it show requests coming in from DHCP on behalf of your Vista client?
      • Does it show that it is "quarantining" the machine?
      • On the client, do you see the firewall auto-fix-itself?
      • What about if you disable auto-remediation on the server-side?
    3. Is this only on boot-up? If so, it is as intended. NAPAgent, as well as the Security Center service (which is needed by the Windows Security Health Agent), starts AFTER the DHCP client service. DHCP starts very early in the boot cycle.
    4. Can you file this bug through the Beta program? I would love this feedback to make it to the DHCP Server team, which will happen when you file the bug.

    Have you seen my recent webcast on configuring end-to-end NAP with DHCP? I also briefly discuss NAP + IPsec. Check it out:

     

    Jeff Sigman [MSFT]
    NAP Release Manager
    Jeff.Sigman@online.microsoft.com *
    http://blogs.technet.com/nap
     
    * Remove the "online" to actually email me.
    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, October 24, 2006 3:51 PM
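The answer's first point suggests a one-off script that sets the NAP agent service to start automatically. The PowerShell below is an added example written for this page, not Jeff Sigman's script and not part of any Microsoft document; it does the same thing the quoted "reg add" command does (Start = 2 means Automatic) but through the service control cmdlets, then starts the service and reports whether NAP Agent and Security Center are running, which is the state the answer's third point says a successful check depends on. It assumes the service names "napagent" and "wscsvc" and that it is run in an elevated prompt on the Vista client.

```powershell
# Added example (not from the original thread): make the NAP Agent service
# start automatically and confirm the services NAP depends on are running.
# Assumes an elevated PowerShell prompt on the client machine.

$napService  = 'napagent'   # Network Access Protection Agent (assumed service name)
$wscService  = 'wscsvc'     # Security Center, needed by the Windows Security Health Agent

function Set-NapAgentAutomatic {
    param([string]$Name = $napService)

    $svc = Get-Service -Name $Name -ErrorAction Stop
    # Equivalent to: reg add HKLM\SYSTEM\CurrentControlSet\Services\napagent
    #                /v Start /t REG_DWORD /d 2 /f   (2 = Automatic)
    Set-Service -Name $Name -StartupType Automatic

    if ($svc.Status -ne 'Running') {
        Start-Service -Name $Name
    }

    # Read back the registry value so the change is verified, not just requested.
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    return (Get-ItemProperty -Path $regPath -Name Start).Start   # expect 2
}

function Get-NapClientStatus {
    # Report the two services the NAP client needs; both should be Running
    # before a DHCP request can carry a NAP statement of health.
    foreach ($name in @($napService, $wscService)) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Present   = [bool]$svc
            Status    = if ($svc) { $svc.Status } else { 'NotFound' }
            StartType = if ($svc) { $svc.StartType } else { 'n/a' }
        }
    }
}

$startValue = Set-NapAgentAutomatic
Write-Host "napagent Start registry value is now $startValue (2 = Automatic)"
Get-NapClientStatus | Format-Table -AutoSize
```

Run it once per client; if Security Center shows as not running, the NAP check cannot evaluate firewall or antivirus state, which matches the answer's explanation of why early-boot DHCP requests carry no NAP payload.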