Is wireless NIC working on DHCP Enforcement NAP Client?

  • Question

  • Hi all

    There is my environment:

    DHCP Server: Windows 2010(NAP on)

    NAP Server: Windows2010

    DHCP NAP Enforcement Client: Windows 7(a note PC with both lan NIC and wireless NIC)

    Wireless AP(no routing)

    Now.

    It works well when I use the client LAN NIC for requesting an IP.

    But it does not work when I use the client wireless NIC for requesting an IP through the AP.

    From my examination, the SoH info (option 43) was not sent in the DHCP request packet from the wireless NIC, which was different from the LAN NIC (SoH info in DHCP request packet).

    My question:

    Is there any way to make a wireless NIC work on a DHCP NAP Enforcement Client? I think it's necessary for clients which only have a wireless NIC, such as Surface.


    • Edited by David 吕 Wednesday, December 4, 2013 3:54 AM
    Wednesday, December 4, 2013 3:49 AM


All replies

  • Link 1

    Link 2

    Link 3

    Hope all the links help you


    DushYant'

    • Proposed as answer by DushYant P Wednesday, December 4, 2013 4:14 AM
    Wednesday, December 4, 2013 4:05 AM
  • Thank you for your reply.

    I have read the links, but they just tell how to configure DHCP NAP or 802.1X NAP.

    There is no explanation about the wireless DHCP NAP Enforcement Client.

    I want to know how a wireless NIC gets a normal IP from the DHCP NAP server.

    David

    Wednesday, December 4, 2013 6:40 AM
  • Hi,

    Have you received any related error message in the event log?

    In addition, I recommend you make sure the configuration for RADIUS in switch is correct.

    Best regards,

    Susie

    Thursday, December 5, 2013 6:46 AM
  • Hi,

    Thank you for your reply.

    I didn't use any switch; it's just a simple testing environment like the following figures.

    Figure 1 works well but Figure 2 does not. So I think the problem is in the client (both XP and Win7).

    And I can't find any DHCP NAP example using the links of Figure 2 on the web.

    So I doubt whether it is possible for a wireless NIC to work on DHCP NAP.

    David

    Thursday, December 5, 2013 8:40 AM
  • Hi,

    The first thing to confirm is that the client is getting an IP address from the NPS/DHCP server and not the AP.

    Second, make sure the scope on the DHCP server that is used by the wireless AP is NAP enabled. Most people use a different scope for wired and wireless connections.

    Thanks,

    -Greg

    Thursday, December 5, 2013 4:59 PM
  • Hi,

    Thank you for your reply.

    I am sure the client is getting an IP address from the NPS/DHCP and the scope on the DHCP is NAP enabled.

    I use the same scope for both wired and wireless connections but I think it's not a problem.

    I checked and compared the DHCP REQUEST packets from both the LAN NIC and the wireless NIC. They are almost the same, but there is no option 43 (SoH info) in the DHCP REQUEST packet from the wireless NIC. I think that is the reason why the wireless NIC can't pass the NAP quarantine.

    I don't know why there is a difference in the DHCP REQUEST packet between the LAN NIC and the wireless NIC from the same DHCP NAP enforcement client. And I am not sure DHCP NAP quarantine works on wireless NICs (I have tried XP, Win7, WinRT).

    Have you used DHCP NAP on a wireless Windows Device before?

    David

    Friday, December 6, 2013 2:58 AM
  • Hi David,

    Thanks for checking this - there is no difference between wired and wireless for DHCP NAP. As long as the request arrives at the DHCP/NPS server and matches the correct policy, it will issue an IP address - assuming the policy is set to grant access. There is a possibility that the wireless AP is stripping the SoH from the DHCP request, but I sort of doubt it.

    When you say wireless isn't working, do you mean the client gets no IP address at all, or does it get a restricted IP address?

    NPS will record an event in Event Viewer every time a client request arrives. Can you check this? We want to see which network policy is being matched. If it is the non-NAP capable policy, this would confirm your suspicion that the wireless interface isn't sending an SoH.

    Look in Event Viewer at Custom Views\Server Roles\Network Policy and Access Services.

    There is also a client log that will have NAP events, but on XP SP3 this is in the System log instead of a custom services log.

    Thanks,

    -Greg

    Friday, December 6, 2013 4:23 AM
  • Hi Greg,

    Thanks for reply.

    >>There is a possibility that the wireless AP is stripping the SoH from the DHCP request,

    I got the DHCP REQUEST packet (no SoH) with Wireshark installed on the client, so the SoH was not stripped by the AP.

    >>When you say wireless isn't working, do you mean the client gets no IP address at all, or does it get a restricted IP address?

    The client wireless NIC always got a restricted IP address.

    Here is the log from Event Viewer

    Thanks,

    /David

    Friday, December 6, 2013 6:19 AM
  • Hi David,

    I see that the wireless client is matching a different policy. I can't read the text here. What are the conditions in the policy that is matched by the wireless client? Is this the non NAP-capable policy?

    If you disable and then enable the wireless adapter, do you match a different policy and get a full access IP address?

    Usually if a client is not sending the SoH it is because the NAP agent and/or the enforcement client has not finished starting before the client sends a DHCP request.

    I have not seen a case where a client is compliant on one interface and non-NAP capable on another interface.

    -Greg

    Friday, December 6, 2013 7:57 PM
  • Hi Greg

    >I see that the wireless client is matching a different policy. I can't read the text here. What are the conditions in the policy that is matched by the wireless client? Is this the non NAP-capable policy?

    Yes it means no NAP-capable policy.

    >If you disable and then enable the wireless adapter, do you match a different policy and get a full access IP address?

    When I disabled and enabled the wireless adapter, it matched the same policy (no NAP-capable policy) and got a restricted IP address.

    >I have not seen a case where a client is compliant on one interface and non-NAP capable on another interface.

    I also think it's abnormal, but I tried on Windows XP (SP3), Windows 7 as well as Surface (no LAN port). They matched the no NAP-capable policy by wireless NIC but matched the NAP DHCP standard policy by LAN.

    /David

    Monday, December 9, 2013 2:41 AM
  • Hi,

    Did you select the RADIUS client is NAP-capable check box when you created the RADIUS client? You can modify the RADIUS client configuration from the RADIUS Clients node of the Network Policy Server snap-in.

    In addition, if the NAP Agent service is not started or Quarantine checks are not enabled on the client or server, a NAP-Capable Computer will be Evaluated as Non-NAP-Capable. For full enforcement mode, limited access is granted for noncompliant computers.

    Best regards,

    Wednesday, December 11, 2013 2:32 AM
  • Hi Susie,

    The RADIUS client is NAP-capable setting does not apply to wired or wireless access points. This setting only applies to Microsoft devices.

    There is a client-side setting on the wireless interface that enables and disables NAP checks, but this is for 802.1X authentication and should not affect the DHCP packet.

    The NAP agent and DHCP enforcement client appear to be running because the wired interface is being evaluated as compliant - this is what David indicates.

    Other people have configured NAP for wireless devices, so it is not a bug in NAP. The only thing I can think of that seems to be common here is the wireless AP.

    David: what type of wireless AP is this, and what kind of authentication is it using?

    Thanks,

    -Greg

    Wednesday, December 11, 2013 3:10 AM
  • Hi Greg

    My AP is PCI:BLW-54CW3 working without any authentication (like a wireless hub used for testing).

    And my wireless devices get a no-restricted IP address when the DHCP scope property is configured as no-NAP.

    Thanks

    /David

    Wednesday, December 11, 2013 3:51 AM
  • Hi David,

    I checked a wireless connection myself at home. This is a computer that has only a wireless connection.

    The wireless AP is 192.168.1.1. The computer's wireless interface is 192.168.1.9.

    Below is a screen capture from Network Monitor. I enabled the DHCP enforcement client, then issued this command from an elevated command prompt:

    net stop napagent && net start napagent

    This will restart the NAP agent which automatically sends a new SoH. As you can see, option 43 is present here on the wireless interface in the DHCP request.

    The full netmon screen is also shown below.

    Wednesday, December 11, 2013 7:05 AM
  • If you can't see the full netmon screen, save the image locally and then open it.

    You should check again on your computer to verify that option 43 is not present. I think it might be present and perhaps the wireless AP is filtering it out before it gets to NPS.

    -Greg


    Wednesday, December 11, 2013 7:10 AM
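
Added example (not part of the original thread): a Python sketch of the check discussed above, deciding whether a captured DHCPREQUEST carries option 43, which the thread identifies as the SoH carrier. The sample packets, MAC address and option 43 bytes are constructed, and the function names are hypothetical.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 marker that precedes the options
BOOTP_HEADER_LEN = 236              # fixed BOOTP fields before the cookie
OPT_PAD, OPT_END = 0, 255
OPT_VENDOR_SPECIFIC = 43            # option the thread reports as carrying the SoH
OPT_MESSAGE_TYPE, DHCPREQUEST = 53, 3

def parse_dhcp_options(payload):
    """Return {option code: data} for a DHCP message (the UDP payload)."""
    start = BOOTP_HEADER_LEN + len(MAGIC_COOKIE)
    if payload[BOOTP_HEADER_LEN:start] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, start
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:             # pad is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError(f"option {code} is truncated")
        length = payload[i + 1]
        # RFC 3396: repeated instances of one option are concatenated
        options[code] = options.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return options

def classify_request(payload):
    """Say whether a DHCPREQUEST carries a non-empty option 43."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MESSAGE_TYPE) != bytes([DHCPREQUEST]):
        return "not-a-request"
    return "option43-present" if opts.get(OPT_VENDOR_SPECIFIC) else "option43-missing"

def constructed_message(msg_type, extra_options=b""):
    """Build a minimal DHCP message; every field value here is made up."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0)
    header += bytes(16)                                   # ciaddr..giaddr
    header += bytes.fromhex("020000000001") + bytes(10)   # chaddr (constructed MAC)
    header += bytes(64 + 128)                             # sname, file
    return (header + MAGIC_COOKIE + bytes([OPT_MESSAGE_TYPE, 1, msg_type])
            + extra_options + bytes([OPT_END]))

# Constructed samples: option 43 split into two instances vs. absent.
WITH_SOH = constructed_message(DHCPREQUEST, bytes([43, 2, 0xAA, 0xBB, 43, 2, 0xCC, 0xDD]))
WITHOUT_SOH = constructed_message(DHCPREQUEST)

if __name__ == "__main__":
    print("wired-like sample:   ", classify_request(WITH_SOH))
    print("wireless-like sample:", classify_request(WITHOUT_SOH))
```

The input is the UDP payload of one frame (ports 67/68) exported from the capture tool; running it on captures taken at the client and at the DHCP server shows on which side of the AP the option disappears.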
  • Hi Greg

    Thanks. Your data is very useful for me.

    I checked the DHCP request packet again with Microsoft Network Monitor 3.4, which is installed on the client (XP SP3 ThinkPad X200).

    But in the result there is no option 43. Did I do it the wrong way?

    I ran "net stop napagent && net start napagent" several times but it did not work.

    Would you mind telling me your client OS version and your AP model?

    Thanks

    /David


    • Edited by David 吕 Wednesday, December 11, 2013 10:38 AM
    Wednesday, December 11, 2013 10:33 AM
  • Hi David,

    It looks like you have done this correctly. I'm not sure why the DHCP vendor specific information is not included on your wireless interface.

    The OS on this client is Win 8.0. My AP is a Netgear Nighthawk, but this probably has no effect since I do not even have an NPS server here at home. I was just showing that indeed the SoH is present on the wireless interface.

    Thanks,

    -Greg

    Wednesday, December 11, 2013 5:30 PM
  • Hi David,

    You might try enabling authentication for the wireless connection. I have this on my interface, and so far this seems to be the only difference. I am using WPA but you could choose something else if you wish.

    -Greg

    • Marked as answer by Susie Long Friday, December 13, 2013 1:18 AM
    Wednesday, December 11, 2013 6:54 PM
  • Hi Greg

    It succeeded when I enabled the authentication option on the AP.

    The client could send option 43 and got a no-restricted IP. (I confirmed on XP (SP3) & Windows RT)

    I am very happy. It puzzled me for nearly one year.

    Thank you.

    /David

    • Marked as answer by Susie Long Friday, December 13, 2013 1:17 AM
    Thursday, December 12, 2013 7:56 AM
  • Hi David,

    That's great, and interesting to know. Congratulations on getting this working!

    -Greg

    Thursday, December 12, 2013 8:04 AM