NAP, DHCP and XPSP3 client

  • Question

    I followed the step-by-step guide: DHCP Enforcement in test lab.

    Everything works properly on a Vista client.

    My Vista client is, as indicated in the guide, a domain-joined computer.

    My purpose is to simulate a furnisher PC connected to my network.

    I'd like it to be able to access only the internet via my gateway (even if it is not up to date ..., that's not my problem in fact).

    On XPsp2 or XPsp3 (furnisher PC model), I'd like to grant access to my gateway but not my servers.

    On XPsp2, it is not able to receive an IP from DHCP; the lease appears on 2008 but is not running.

    Well, excellent, because SP2 is not NAP compliant.

    On XPsp3, it is not able to receive an IP from DHCP; the lease appears on 2008 but is not running.

    netsh nap client show state doesn't indicate any problems.

    1) I'd like to understand why it can receive restricted network parameters.

    The NAP service is of course activated on XPsp3 before testing.

    I obtain the following event 1001: the semaphore timeout period has expired.

    2) In the SHV settings, even if I select compliant in all lists, the PC doesn't receive an IP address.

    Of course, I don't want to join the furnisher PC to my domain.

    Can anyone explain to me what's wrong or if I misunderstand something?

    It could be like the bug corrected in the Vista build 6000 (cf. post Greg Lindsay 02/01/2008 - another NAP DHCP question).

    In that case, what do I have to do with my XPSP3?

    Thanks

    Luc

    Wednesday, January 23, 2008 4:42 PM

Answers

  • Hi Luc,

     

    This looks like a network connection problem on your XP client. The semaphore timeout problem means that it didn't locate a DHCP server, and this explains why it is not getting an IP address and there are no references to this machine in events 6272 and 6278.

     

    Please check the network connection between DHCP and the XP machine. You can try assigning a static IP address to the XP client and then see if you can ping from the server to the XP machine. To ping in the other direction, I believe you will need to open the firewall on the server to ICMPv4. There are instructions on how to do this in the IPsec step by step guide.

     

    -Greg

    Thursday, February 7, 2008 7:39 PM

All replies

  • Hi Luc,

     

    When you say it does not receive an IP, do you mean it is assigned a 169.x.x.x address, or is it assigned a restricted IP address with a 255.255.255.255 subnet and no gateway?

     

    On the NPS server, what network policy is matched when the XP SP3 computer attempts to access the network? Also, can you confirm that you configured the requirements of the Windows System Health Validator, Windows XP tab?

     

    -Greg

     

    P.S. Look for NAP logs in Event Viewer, custom views, server roles, network policy and access services. The events you are looking for are 6272, 6276, 6278. 

    Friday, January 25, 2008 5:42 AM
  • Hi Greg,

    In fact, the ipconfig /all of the XPsp3 client gives this:

    DHCP enabled :yes

    autoconfiguration enabled: yes

    IP address 0.0.0.0

    subnet 0.0.0.0

    gateway : - - - -

    DHCP server : 255.255.255.255

     

    On the NPS,

    I grant access for compliant and for non compliant (like the example in the step-by-step guide).

    I confirm I checked only, in the SHV option, in the XP tab, "a firewall is enabled on all the connections".

    I have 6272 and 6278 events but not 6276. They concern only my Vista client, not XPsp3.

    Thanks

    Monday, January 28, 2008 2:03 PM
  • I agree with Greg - it looks to me that perhaps there is a missing DHCP relay-agent configuration, or other such infrastructure piece.

     

    -Chris

    Chris.Edson@online.microsoft.com *

    SDET, Network Access Protection

    * Remove the "online" to make the address valid.

    ** This posting is provided "AS IS" with no warranties, and confers no rights.

     

    Thursday, February 21, 2008 9:50 PM
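
Greg's first reply separates a 169.x.x.x address from a restricted lease (255.255.255.255 mask, no gateway), while Luc's client shows neither. The following Python sketch is an added example, not part of the original thread, that sorts `ipconfig /all` output into those states. The function names, the triage labels and the exact label layout of the constructed sample are assumptions.

```python
import ipaddress
import re

# Constructed sample: the values Luc reports, laid out in the usual
# "label . . . : value" ipconfig /all format (exact labels are an assumption).
SAMPLE_XPSP3 = """\
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 0.0.0.0
   Subnet Mask . . . . . . . . . . . : 0.0.0.0
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 255.255.255.255
"""


def parse_ipconfig(text):
    """Return {normalised label: value} for one adapter block."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            key = re.sub(r"[\s.]+", " ", label).strip().lower()
            fields[key] = value.strip()
    return fields


def classify_lease(fields):
    """Map an adapter's addressing to a hypothetical triage label."""
    # Accept XP ("IP Address") and Vista ("IPv4 Address") style labels,
    # including the "Autoconfiguration ..." variants.
    raw = next((v for k, v in fields.items()
                if k.endswith(("ip address", "ipv4 address")) and v), "0.0.0.0")
    ip = ipaddress.ip_address(raw.split("(")[0].strip())
    if ip.is_unspecified:
        # No lease bound at all: the state Luc's ipconfig output shows.
        return "no-dhcp-answer"
    if ip.is_link_local:
        # 169.254.0.0/16 self-assigned address: DHCP did not answer either.
        return "apipa"
    if fields.get("subnet mask") == "255.255.255.255" and not fields.get("default gateway"):
        # Host mask and no gateway: the restricted lease Greg asks about.
        return "nap-restricted"
    return "full-lease"


if __name__ == "__main__":
    print(classify_lease(parse_ipconfig(SAMPLE_XPSP3)))
```

Only the `nap-restricted` and `full-lease` outcomes mean the client actually reached the DHCP server; the other two point at connectivity between client and server, which is where the replies in this thread end up.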