Not getting NAP DHCP to work RRS feed

  • Question

  • Hi!


    We are two IT security students that are doing an evaluation project on NAP for a major IT consulting corporation. Unfortunately we have found it impossible for us to get NAP to work as intended.


    We followed the "DHCP with NAP" step-by-step guide with the difference that we use Longhorn Beta 3 (we’ve tried both Vista Enterprise (full release) and Vista Business (full release) on the client and the DC uses Windows 2003 Server R2). Everything works fine when the client is in compliance.


    If we turn off the Vista client's firewall and do an ipconfig we see that the default gateway has been removed but the connection-specific DNS Suffix is also empty (was nac.local when in compliance and should be restricted.nac.local now(?) in quarantined mode) and the most important part is that the firewall isn't automaticly turned on again by Windows Security Center (auto-remediate is checked in the set policy). And neither do we get a message in the tray that tells us if we fulfill all the network requirements or not.


    By looking at the event logs we got a feeling that it seems like the communication between the nps-server and the nap-client is somehow not complete when we force the client to go noncompliant.


    We have gone through the guide a couple of times, checked every setting in the NPS and DHCP services and we still can't get it to work correctly. We’ve tried to look at the other posts in the forum and found some similar posts but still no solution to our problem.


    I have made a zip-file of our NPS config file and some logfiles that hopefully can be helpful. The zip-file can be downloaded here.


    The company we are doing this evaluation for is also very interested in knowing how NAP actually works with Windows XP and we wonder if it is possible to get access to the Windows XP NAP Agent Beta 3 to test it.


    We are most grateful for any help we can get.



    Niklas Persson

    Sunday, April 22, 2007 11:08 PM


  • Found issue on private chat. On beta3 build Default Gateway [003 Router] for "Default NAP User class" was configured. This need not be configured if the DHCPServer is on the same subnet of the client.

    Monday, April 23, 2007 1:08 PM

All replies

  • Thanks a lot for very well detailed description of your problem. But still (sorry) we do require few more info to corner the issue and help you. The server eventlog has only one entry, we like to have the event log for both compliant and non-compliant. NPS Configuration looks fine. Netmon capture would also help us a lot. You can download the netmon from http://www.microsoft.com/downloads.

    Take netmon captures when the machine goes into quarantine from healthy state and the eventlog of the server too.


    Send us the DHCPServer debug trace file [%WINDIR%\Debug\dhcpssvc.log] also to us. Also send us the OS Build version of the client & LornHorn Server, you get this information from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion!BuildLabEx.


    Regarding restricted.nac.local, util restricted.nac.local is configured on option 15 for Default NAP User class, this will not be sent on  to the client by DHCPServer.


    For more information on Windows XP NAP Agent Beta 3 is available @ http://blogs.technet.com/nap/archive/2007/02/09/network-access-protection-client-for-windows-xp-sp2-beta-3-release.aspx



    Monday, April 23, 2007 5:33 AM
  • Thank you for your help!


    We have made a new zip file containing the requested information; a full event log from the nap server, netmon captures, the DHCP server log and finally a textfile with the detailed OS-versions. It can be downloaded here



    Niklas Persson

    Monday, April 23, 2007 7:38 AM
  • Thanks for quicker reply. The latest eventlog entry shows that 4/22/2007 10:50:41 PM is "Machine Client1.nac.local was quarantined." But the DHCP Debug trace file doesn't have any entry on the date 4/22/2007. Is the machine DHCPServer & NPS are hosted on the same machine or in different machine ?

    Can you check the DHCPServer eventlog also to ensure that the DHCPServer doesn't lose the connection with IAS?

    The Netmon capture shows that the machine is health.


    SO this is little bit confusing for me. I would need the netmon capture like...


    Make the machine health.

    Start the NETMON

    Make the machine unhealthy [Stop the firewall]

    Wait for few secs.

    Do IPCONFIG and make sure the default gateway is deleted,

    Then Stop the NETMON Trace and save it.





    Monday, April 23, 2007 11:40 AM
  • I think it may be because we copied the DHCP debug trace file before we did the NETMON-capture and then copied the NAP server eventlog. We have included an updated DHCP debug trace file.


    Yes, the DHCP and NPS server are hosted on the same machine.


    The new zip file with updated DHCP debug trace file, DHCP log and NETMON captures are here.


    Thanks for your help!


    Monday, April 23, 2007 12:37 PM
  • Found issue on private chat. On beta3 build Default Gateway [003 Router] for "Default NAP User class" was configured. This need not be configured if the DHCPServer is on the same subnet of the client.

    Monday, April 23, 2007 1:08 PM
  • We want to thank RamaSubbu for the time and help. Excellent support!!
    Monday, April 23, 2007 3:04 PM