NAP DHCP not getting IP and "netsh nap client show group" shows no results

  • Question

  • Hey guys, 

    I have just set up DHCP-based NPS and I get no IP address on my machine, which should be compliant (just the firewall is being checked). I have the enforcement client up on both. Logs on NPS show that the connection request did not match any configured network policy, but I have configured 3 of them - compliant, non-compliant and non-NAP-capable. It should serve all of the cases. Authentication Type is Unauthenticated, maybe this is the case?

    Thanks for any feedback

    Cheers

    Aggie

    Wednesday, August 27, 2014 3:48 PM

Answers

  • Hey guys,

    the case that we mentioned above is already resolved - the TCP/IP configuration was not proper - now it is and internet access is granted.

    my question of concern is - I have chosen NAP to protect us from a wave of unprotected computers connecting to our network. And I would like to be able to assign an IP address and network connection to each computer that passes health checks. But what if a computer has its IP address manually assigned (not by DHCP)? Also, is it possible to give different IP addresses to compliant and non-compliant computers, like from different scopes?

    Cheers

    Aggie

    • Proposed as answer by Steven_Lee0510 Monday, September 8, 2014 6:39 AM
    • Marked as answer by Steven_Lee0510 Monday, September 8, 2014 6:43 AM
    Thursday, September 4, 2014 3:46 PM
  • Hi Aggie,

    If you assign a static IP address, this prevents DHCP NAP from working. You can still use NAP, but you would have to use a different NAP enforcement method.

    -Greg

    • Proposed as answer by Steven_Lee0510 Monday, September 8, 2014 6:38 AM
    • Marked as answer by Steven_Lee0510 Monday, September 8, 2014 6:43 AM
    Thursday, September 4, 2014 3:52 PM

All replies

  • Hi,

    Have you created a proper policy in Network Policies? What's the type of these three policies?

    If these policies are health policies, please try to create a proper network policy with the condition of Health Policies in Network Policies.

    Besides, make sure that your NAS is NAP Capable.

    If the issue persists, please post your policy configuration and NPS logs. It's useful for further troubleshooting.

    Here is a guide about configuring NAP, it may be helpful,

    Configuring NAP on the Network Policy Server (NPS)

    http://technet.microsoft.com/en-us/library/dd182017.aspx

    Best Regards.



    Steven Lee

    TechNet Community Support

    Thursday, August 28, 2014 5:38 AM
  • in Network policies I have as follows:

    DHCPv2 Compliant 

    DHCPv2 Noncompliant 

    DHCPv2 Non NAP-Capable

    and my NAS?

    I am testing it not based on NAS access, but on IP address it is given and logs from Event viewer.

    "
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.

    User:
        Security ID: NULL SID
        Account Name: -
        Account Domain: -
        Fully Qualified Account Name: -
    Client Machine:
        Security ID: SANDBOXG\TESTCLIENTG1$
        Account Name: TestClientG1.sandboxG.com
        Fully Qualified Account Name: SANDBOXG\TESTCLIENTG1$
        OS-Version: 6.1.7601 1.0 x64 Workstation
        Called Station Identifier: 192.168.50.0
        Calling Station Identifier: 00155DFD0520
    NAS:
        NAS IPv4 Address: 192.168.50.1
        NAS IPv6 Address: -
        NAS Identifier: TESTGDANSKDC2
        NAS Port-Type: Ethernet
        NAS Port: -
    RADIUS Client:
        Client Friendly Name: -
        Client IP Address: -
    Authentication Details:
        Connection Request Policy Name: DHCPv2
        Network Policy Name: -
        Authentication Provider: Windows
        Authentication Server: testGdanskdc2.sandboxG.com
        Authentication Type: Unauthenticated
        EAP Type: -
        Account Session Identifier: 31373339373131393039
        Logging Results: Accounting information was written to the local log file.
        Reason Code: 48
        Reason: The connection request did not match any configured network policy."


    And the health policy is just to check whether the Firewall is enabled (and it is).


    • Edited by agat90 Thursday, August 28, 2014 3:55 PM
    Thursday, August 28, 2014 3:54 PM
  • Ok, so now these network policies are working fine, but I cannot access the internet on my clients.

    The test DC gets internet normally and the clients don't, so I assume there is a problem in the NAP settings.

    Have you seen such a problem before?

    Agnieszka

    Monday, September 1, 2014 1:33 PM
  • Hi Agnieszka,

    Please check the event of the NPS authentication. If the clients don't meet the health policy, they will be restricted.

    If the event shows that the clients are granted full access, please make sure that the clients have got the right TCP/IP configuration.

    Best Regards. 



    Steven Lee

    TechNet Community Support

    Monday, September 1, 2014 3:13 PM
  • Hi,

    You said the network policies are working fine? Which policy is matched? In the Event Viewer output above, it shows that no Network Policy was matched. You might be matching a policy now but not the correct one.

    Also please provide the output of ipconfig /all from a client computer.

    FYI, if you see no output from netsh nap client show group (which was in the title of the post) this means the client is not getting NAP settings from Group Policy. It might still be getting them from local group policy. The command to tell if the client is getting NAP settings is netsh nap client show state.

    Thanks,

    -Greg

    Tuesday, September 2, 2014 7:44 PM
  • Is there a workaround maybe? Can I enforce in GPO that the IP address is automatically obtained from DHCP and a manually assigned one is just omitted? - Aggie

    Thursday, September 4, 2014 4:02 PM
  • Hi,

    You can try using a startup script that configures the interface for DHCP, but if the user has privileges, they can reconfigure TCP/IP to use a static address after the computer is running.

    http://minasi.com/forum/topic.asp?TOPIC_ID=36632

    Thanks,

    -Greg

    Thursday, September 4, 2014 4:13 PM
  • Greg, you are great help.

    What would you advise if the main problem in my organization is this static IP address security issue? If a user knows in which DHCP scope or subnetwork the compliant IP addresses are, he can access the network freely.

    I just need to restrain that access from the user and make him unable to access the network manually (by putting in an IP address, for example).

    Right now we have to put each MAC address into a DHCP whitelist and we are already going crazy with that (company with 500+ employees).

    Thursday, September 4, 2014 4:46 PM
  • Hi,

    You should be able to reset the interfaces to DHCP remotely, so if someone configures a static IP address you can just change it again later back to DHCP. You could do this periodically if you wish on the entire network, or you could target specific computers.

    However, I would not be too concerned about people doing this. Not only do they need to know an IP address that is not in use (- they could use the one they were issued with a 255.255.255.255 subnet mask temporarily, but as soon as the lease expires it would be issued to another computer and cause a conflict -), but they also need to know the correct subnet mask and default router. A person would need to have more networking expertise than most to do this.

    You can also ping sweep the network looking for IP addresses that are not issued by DHCP and then block the MAC address manually if necessary. Typically just sending a message that circumventing the network policy will result in your computer being banned from the network is enough to prevent the issue.

    -Greg


    Thursday, September 4, 2014 5:18 PM
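As an added example, not code from the thread or from Microsoft: a PowerShell script in the spirit of Greg's suggestion above, which audits a list of computers for adapters with a manually set IPv4 address and, only when asked, switches them back to DHCP. The computer names and the managed subnet prefix are constructed placeholders; Win32_NetworkAdapterConfiguration and its EnableDHCP method are standard WMI/CIM, and the script assumes WinRM/CIM access to the targets.

```powershell
# Audit (and optionally remediate) static IPv4 configuration on domain computers.
# Usage: .\Find-StaticIPv4.ps1 -ComputerName pc1,pc2            (report only)
#        .\Find-StaticIPv4.ps1 -ComputerName pc1,pc2 -Remediate  (reset to DHCP)
param(
    [string[]] $ComputerName = @('TestClientG1', 'TestClientG2'),  # constructed names
    [string]   $ManagedSubnetPrefix = '192.168.50.',               # constructed prefix
    [switch]   $Remediate
)

$report = foreach ($computer in $ComputerName) {
    try {
        $session = New-CimSession -ComputerName $computer -ErrorAction Stop
    } catch {
        Write-Warning "Cannot reach ${computer}: $($_.Exception.Message)"
        continue
    }

    # IPEnabled narrows to adapters with IP bound; DHCPEnabled = FALSE is a static config.
    $static = Get-CimInstance -CimSession $session `
        -ClassName Win32_NetworkAdapterConfiguration `
        -Filter 'IPEnabled = TRUE AND DHCPEnabled = FALSE'

    foreach ($nic in $static) {
        $v4 = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
        $inManaged = @($v4 | Where-Object { $_.StartsWith($ManagedSubnetPrefix) })

        $action = 'reported'
        if ($Remediate -and $inManaged.Count -gt 0) {
            # EnableDHCP returns 0 on success, 1 when a reboot is required.
            $rc = (Invoke-CimMethod -CimSession $session -InputObject $nic `
                       -MethodName EnableDHCP).ReturnValue
            $action = "EnableDHCP rc=$rc"
        }

        [pscustomobject]@{
            Computer  = $computer
            Adapter   = $nic.Description
            MAC       = $nic.MACAddress
            IPv4      = ($v4 -join ',')
            InManaged = ($inManaged.Count -gt 0)
            Action    = $action
        }
    }
    Remove-CimSession $session
}

$report | Format-Table -AutoSize
```

Run it in report-only mode first on a schedule; the MAC column gives you the value to cross-check against DHCP leases before deciding whether to remediate or block.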
  • I had another thought while driving home today.

    You could consider deploying IPsec enforcement in reporting mode. This would tell you what computers were noncompliant without having to do any sort of ping sweep and comparison with DHCP leases.

    Friday, September 5, 2014 1:29 AM
  • IPsec enforcement is not known to me by now. But it is good to have another solution.

    I was wondering if there is maybe a solution, not NAP but any other Microsoft security app, that will disable static IP assignment or ban users from the network while doing that.

    Wednesday, September 10, 2014 9:17 AM
  • Hi,

    There are Group Policy settings under User Configuration > Administrative Templates > Network > Network Connections that can restrict access to TCP/IP for non-admins. For example, 'Prohibit access to properties of a LAN connection' is available.

    There appears to be an interaction of this setting with the 'Enable Windows 2000 Network Connections settings for Administrators' setting but I haven't tested these myself.

    -Greg

    Wednesday, September 10, 2014 5:53 PM