NAP DHCP Problem

  • Question

  •  

    I'm having a problem getting NAP DHCP enforcement to work with the final build of Vista.  I had DHCP NAP working for previous builds.

    I was using an older build of Longhorn but recently upgraded to build (6001.16406).  The behavior I'm getting is that the DHCP server is not returning an ACK when the client (Vista client) is non-compliant.  If the machine is compliant then it gets an IP address correctly.  All I'm using to verify compliance is Auto Updates turned on.  I double checked my configuration of my non-compliant policy and it looks fine.

     

    The client event log message is:

     

    Log Name:      System
    Source:        Microsoft-Windows-Dhcp-Client
    Date:          1/10/2007 11:04:58 AM
    Event ID:      1001
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      napuser-PC.naplab.endforce.org
    Description:
    Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00123F7421B9.  The following error occurred: 
    The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Dhcp-Client" Guid="{15A7A4F8-0072-4EAB-ABAD-F98A4D666AED}" EventSourceName="Dhcp" />
        <EventID Qualifiers="0">1001</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2007-01-10T16:04:58.000Z" />
        <EventRecordID>560</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>napuser-PC.naplab.endforce.org</Computer>
        <Security />
      </System>
      <EventData>
        <Data>00123F7421B9</Data>
        <Data>%%121</Data>
      </EventData>
    </Event>

     

    Thanks!

    --Daryl

    ddonley@endforce.com

    Wednesday, January 10, 2007 6:10 PM

Answers

  • Thanks for sending us the files.

     

    In the NPS configuration I suggest a few changes to the NPS policies; can you incorporate them and tell me the findings?

    In policy “non-compliantDED”

    - In the Overview tab
      - Available Source: DHCPServer
      - Policy Type: Grant Access
    - In the Settings tab
      - Network Access Protection -> NAP Enforcement -> check "Computer Updates" [if auto-remediation is needed]

    In policy “compliant-Full-Access”

    - In the Overview tab
      - Available Source: DHCPServer

     

    Thursday, January 11, 2007 4:18 PM

All replies

  •  

    I'm getting this in the NPS server event log. 

     

    Log Name:      System
    Source:        NPS
    Date:          1/10/2007 12:02:23 PM
    Event ID:      2
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      nps1.naplab.endforce.org
    Description:
    User <not present> was denied access.
     Fully-Qualified-User-Name = <undetermined>
     Machine-Name = napuser-PC.naplab.endforce.org
     OS-Version = 6.0.6000 0.0 x86 Workstation
     NAS-IP-Address = 192.168.1.2
     NAS-IPv6-Address = <not present>
     NAS-Identifier = NPS1
     Called-Station-Identifier = 192.168.1.0
     Calling-Station-Identifier = 00123F7421B9
     Client-Friendly-Name = <not present>
     Client-IP-Address = <not present>
     Client-IPv6-Address = <not present>
     NAS-Port-Type = Ethernet
     NAS-Port = <not present>
     Proxy-Policy-Name = Use Windows authentication for all users
     Policy-Name = non-compliantDED
     Authentication-Provider = Windows
     Authentication-Server = nps1.naplab.endforce.org
     Authentication-Type = Unauthenticated
     EAP-Type = <undetermined>
     Account-Session-Identifier=383237393034383237
     Reason-Code = 65
     Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="NPS" />
        <EventID Qualifiers="32768">2</EventID>
        <Level>3</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2007-01-10T20:02:23.000Z" />
        <EventRecordID>8425</EventRecordID>
        <Channel>System</Channel>
        <Computer>nps1.naplab.endforce.org</Computer>
        <Security />
      </System>
      <EventData>
        <Data>%%2147483686</Data>
        <Data>%%2147483685</Data>
        <Data>napuser-PC.naplab.endforce.org</Data>
        <Data>6.0.6000 0.0 x86 Workstation</Data>
        <Data>192.168.1.2</Data>
        <Data>%%2147483686</Data>
        <Data>NPS1</Data>
        <Data>192.168.1.0</Data>
        <Data>00123F7421B9</Data>
        <Data>%%2147483686</Data>
        <Data>%%2147483686</Data>
        <Data>%%2147483686</Data>
        <Data>Ethernet</Data>
        <Data>%%2147483686</Data>
        <Data>Use Windows authentication for all users</Data>
        <Data>non-compliantDED</Data>
        <Data>%%2147483688</Data>
        <Data>nps1.naplab.endforce.org</Data>
        <Data>Unauthenticated</Data>
        <Data>%%2147483685</Data>
        <Data>383237393034383237</Data>
        <Data>65</Data>
        <Data>%%3221229633</Data>
        <Binary>00000000</Binary>
      </EventData>
    </Event>
     
    It looks like a RAP permissions issue but I still get this after giving both the user and the machine RAP permissions.
     
    -- Daryl
    ddonley@endforce.com
    Wednesday, January 10, 2007 9:21 PM
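The two events quoted above (Dhcp-Client 1001 on the client, NPS event 2 on the server) carry the whole diagnosis in their EventData: the NPS event names the policy that matched and a Reason-Code of 65, which means the matched policy itself denied access, and the accepted answer's fix is exactly to set that non-compliant policy to Grant Access. The following is an added example, not code from the thread or from Microsoft: a small Python parser that pulls the positional fields out of both event XML bodies, resolves the `%%NNN` placeholders, correlates the client MAC with the NPS Calling-Station-Identifier, and states what NPS decided. The sample XML is constructed from the events posted above (trimmed to the elements used), the field order is the positional order seen in this NPS event, and the placeholder mapping is derived from the rendered descriptions in the same posts.

```python
"""Parse the Dhcp-Client 1001 and NPS 2 events from this thread and diagnose them.
Added example; sample XML below is constructed from the posted events."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Positional layout of <EventData> in NPS event 2, as rendered in the post above.
NPS_EVENT2_FIELDS = [
    "User", "Fully-Qualified-User-Name", "Machine-Name", "OS-Version",
    "NAS-IP-Address", "NAS-IPv6-Address", "NAS-Identifier",
    "Called-Station-Identifier", "Calling-Station-Identifier",
    "Client-Friendly-Name", "Client-IP-Address", "Client-IPv6-Address",
    "NAS-Port-Type", "NAS-Port", "Proxy-Policy-Name", "Policy-Name",
    "Authentication-Provider", "Authentication-Server", "Authentication-Type",
    "EAP-Type", "Account-Session-Identifier", "Reason-Code", "Reason",
]

# %%NNN message placeholders, resolved from the rendered descriptions in the posts.
PLACEHOLDERS = {
    "2147483685": "<undetermined>",
    "2147483686": "<not present>",
    "2147483688": "Windows",
    "3221229633": "The connection attempt failed because remote access permission "
                  "for the user account was denied.",
    "121": "The semaphore timeout period has expired.",  # Win32 ERROR_SEM_TIMEOUT
}

# Constructed sample input: the client-side event from the first post, trimmed.
DHCP_CLIENT_1001 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Dhcp-Client" EventSourceName="Dhcp"/>
    <EventID Qualifiers="0">1001</EventID><Level>2</Level><Channel>System</Channel>
    <Computer>napuser-PC.naplab.endforce.org</Computer></System>
  <EventData><Data>00123F7421B9</Data><Data>%%121</Data></EventData>
</Event>"""

# Constructed sample input: the NPS event from the reply above, trimmed.
NPS_2 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="NPS"/><EventID Qualifiers="32768">2</EventID><Level>3</Level>
    <Channel>System</Channel><Computer>nps1.naplab.endforce.org</Computer></System>
  <EventData>
    <Data>%%2147483686</Data><Data>%%2147483685</Data>
    <Data>napuser-PC.naplab.endforce.org</Data><Data>6.0.6000 0.0 x86 Workstation</Data>
    <Data>192.168.1.2</Data><Data>%%2147483686</Data><Data>NPS1</Data>
    <Data>192.168.1.0</Data><Data>00123F7421B9</Data>
    <Data>%%2147483686</Data><Data>%%2147483686</Data><Data>%%2147483686</Data>
    <Data>Ethernet</Data><Data>%%2147483686</Data>
    <Data>Use Windows authentication for all users</Data><Data>non-compliantDED</Data>
    <Data>%%2147483688</Data><Data>nps1.naplab.endforce.org</Data><Data>Unauthenticated</Data>
    <Data>%%2147483685</Data><Data>383237393034383237</Data><Data>65</Data>
    <Data>%%3221229633</Data><Binary>00000000</Binary>
  </EventData>
</Event>"""


def resolve(value):
    """Replace a %%NNN placeholder with its message text when we know it."""
    m = re.fullmatch(r"%%(\d+)", value.strip())
    if not m:
        return value.strip()
    return PLACEHOLDERS.get(m.group(1), value.strip())


def parse_event(xml_text):
    """Return a dict of named fields for the two event types used in this thread."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    provider = sysnode.find("e:Provider", NS).get("Name")
    event_id = int(sysnode.find("e:EventID", NS).text)
    data = [d.text or "" for d in root.find("e:EventData", NS).findall("e:Data", NS)]
    rec = {"provider": provider, "event_id": event_id}
    if provider == "Microsoft-Windows-Dhcp-Client" and event_id == 1001:
        rec["mac"] = data[0]            # NIC address the lease failed for
        rec["error"] = resolve(data[1])  # Win32 error code placeholder
    elif provider == "NPS" and event_id == 2:
        rec.update(zip(NPS_EVENT2_FIELDS, map(resolve, data)))
        rec["Reason-Code"] = int(rec["Reason-Code"])
    return rec


def diagnose(dhcp_rec, nps_rec):
    """Correlate the client and server events and state what NPS decided."""
    findings = []
    if dhcp_rec.get("mac") and dhcp_rec["mac"] == nps_rec.get("Calling-Station-Identifier"):
        findings.append("same client: NPS Calling-Station-Identifier matches DHCP client MAC %s"
                        % dhcp_rec["mac"])
    if nps_rec.get("Authentication-Type") == "Unauthenticated":
        findings.append("DHCP NAP request carries no user credential; policy was chosen on "
                        "health state only, so user RAP permissions are not the lever here")
    if nps_rec.get("Reason-Code") == 65:
        findings.append("policy %r matched but is set to deny (reason 65); a NAP non-compliant "
                        "policy must still Grant Access so the DHCP server can issue a "
                        "restricted lease instead of withholding the ACK" % nps_rec["Policy-Name"])
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_event(DHCP_CLIENT_1001), parse_event(NPS_2)):
        print("-", line)
```

Run it as-is and it prints the three findings for the posted events; point `parse_event` at XML copied from Event Viewer's XML view to check a different machine. The positional field table only applies to NPS event 2 in this form; other NPS event IDs lay their EventData out differently.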
  • I assume you meant the DHCP server was upgraded, not the client, right? And not both?

    Can you send the relevant event or dhcp server logs from the DHCP Server side so we can see why the DHCP Server isn't responding?

    Wednesday, January 10, 2007 10:33 PM
  • Can you send your ias.xml file?
    Wednesday, January 10, 2007 10:34 PM
  • Most likely this is a configuration mistake. Try to ping the DHCP server when the machine is in quarantine. If you can't, then the gateway for the Default NAP user class is not configured properly. Assign the DHCP server IP address as the default gateway [003 Router] to the Default NAP user class.

    You can send us the DHCP server configuration [NETSH DHCP SERVER DUMP], %WINDIR%\System32\IAS.xml and the server event logs [Windows -> System] to ftdhcp@microsoft.com.

    Thanks

    Thursday, January 11, 2007 4:03 AM
  •  

    I sent you the information.

    Let me know if you need any more data.

    Thanks!

    ddonley (ddonley@endforce.com)

    Thursday, January 11, 2007 3:07 PM
  • Just to update this thread and inform the reader that the above changes have solved the problem. Thanks all for deploying & supporting us.
    Friday, January 12, 2007 5:16 AM
  • Hello,

     

    I have the same error on Windows XP Pro with SP2 and all updates on a Sony laptop SZ381P. There is no NAP configuration in the environment, and the DHCP, DNS and domain controller (all in one) is Windows 2003 R2.

    Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0013A98AE888.  The following error occurred:
    The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

     

    Any idea or advice would be greatly appreciated.

     

    Oscar

    Thursday, August 16, 2007 2:36 AM
  •  

    Hi,

    Thanks for reporting your issue. Can you send us the netmon captures of the DHCP packets from the client and the server at the same time?

    Capture the netmon traces while doing ipconfig /release & ipconfig /renew.

     

    Thanks

    Thursday, August 16, 2007 5:16 AM