DHCP Option 121 is ignored if NPS IP Filtering is enabled

  • Question

  • Hi All

    I have the following setup:-

    Server 2016 with RRAS, DHCP and NPS roles providing VPN access for remote users.

    Two scenarios:-

    1. Users with no NPS IP filtering policies will get a DHCP address and DHCP option 121 for classless routes.

    2. Users with NPS IP filtering Policies (policy to allow only certain destination IPs and ports) will NOT get the classless routes.

    Removing the IP filters from the users who would typically get them results in the routes being applied.

    Why would simply enabling IP filtering on NPS stop DHCP from applying only option 121? - other DHCP options are applied.

    Thanks!

    Monday, June 3, 2019 12:26 AM

Answers

  • Hi,

    Did you check "Use clients assigned IP" when you configured option 121?

    Meanwhile, it is a good idea to analyze DHCP packets on the client.

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, June 3, 2019 9:22 AM
    Moderator

All replies

  • Hi,

    How did you configure the filter? Please try to use network address and network mask as destination.

    Best regards,

    Travis



    Monday, June 3, 2019 2:19 AM
    Moderator
  • Hi Travis

    The filters are set up for specific destination addresses, protocols and ports.
    e.g. web server IP, 255.255.255.255 TCP ANY 443

    There are no network wide definitions, e.g. 192.168.10.0 255.255.255.0


    • Edited by gaz27 Monday, June 3, 2019 2:32 AM
    Monday, June 3, 2019 2:30 AM
  • Hi,

    Did you check "Use clients assigned IP" when you configured option 121?

    Meanwhile, it is a good idea to analyze DHCP packets on the client.

    Best regards,

    Travis


    Monday, June 3, 2019 9:22 AM
    Moderator
  • 'Use clients assigned IP' option was not ticked for static routes.

    I'll check the DHCP packets...

    Thanks

    Monday, June 3, 2019 11:28 PM
  • Hi,

    If you didn't check the option, I would suggest you configure the filter with network address as a test.

    In my opinion, the IP filter with specific destination addresses will block the option with network address.

    Best regards,

    Travis



    Tuesday, June 4, 2019 7:42 AM
    Moderator
  • Tried a few things:-

    1. Enabling the 'Use clients assigned IP' option for the route option made no difference - the option was not applying when the NPS IP filter (specific dest addr) was in place.

    2. Tried setting the NPS IP filter to a network address. Set the DHCP route with and without the 'Use clients assigned IP' option. Same result, routes are published at the client when the NPS IP filter is not applied - specific dest and/or network addr.

    Still need to review the DHCP packets...

    Workaround is to run a client-based script to add the routes.

    Thanks.

    Monday, June 10, 2019 11:56 PM
  • Hi,

    Thanks for sharing your current progress.

    We can check the DHCP packets on DHCP server and clients.

    The DHCP packets should include option 121.

    We need to figure out if the NPS IP filter will block the DHCP option 121.

    Best regards,

    Travis



    Tuesday, June 11, 2019 8:33 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Travis



    Monday, June 17, 2019 8:33 AM
    Moderator
  • Using Wireshark on server and client:-

    No NPS IP filter enabled, on the client I can see a DHCP Inform and Ack.
    The Ack has option 121 and the specific routes.

    With NPS IP filter enabled, on the client I can only see DHCP Inform packets, no Ack.
    From the server, I only see the Inform packets too.

    The client does receive an address but no static routes.

    Tuesday, June 18, 2019 12:56 AM
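
The capture check discussed in this thread (was the client's DHCP Inform answered by an Ack, and does that Ack carry option 121?), as an added Python example that is not part of any post. It works on raw DHCP payloads exported from a capture and decodes option 121 per RFC 3442; the sample payloads, transaction ids and the 10.0.0.1 gateway are constructed for illustration.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header

def parse_options(payload):
    """Return (xid, {option code: value bytes}) for one DHCP (UDP 67/68) payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                              # 0 = pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = opts.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return int.from_bytes(payload[4:8], "big"), opts

def decode_option_121(data):
    """RFC 3442: repeated (prefix length, significant prefix octets, 4-byte router)."""
    routes, i = [], 0
    while i < len(data):
        plen, n = data[i], (data[i] + 7) // 8
        if plen > 32 or i + 5 + n > len(data):
            raise ValueError("malformed option 121")
        dest = ipaddress.ip_address(data[i + 1:i + 1 + n].ljust(4, b"\x00"))
        gw = ipaddress.ip_address(data[i + 1 + n:i + 5 + n])
        routes.append((f"{dest}/{plen}", str(gw)))
        i += 5 + n
    return routes

def summarize(payloads):
    """Per transaction id: was an INFORM seen, was it ACKed, which routes came back."""
    result = {}
    for p in payloads:
        xid, opts = parse_options(p)
        entry = result.setdefault(xid, {"inform": False, "ack": False, "routes": []})
        kind = (opts.get(53) or b"\x00")[0]   # option 53: 8 = DHCPINFORM, 5 = DHCPACK
        entry["inform"] |= kind == 8
        if kind == 5:
            entry.update(ack=True, routes=decode_option_121(opts.get(121, b"")))
    return result

def sample(op, xid, opts_hex):   # builds constructed test payloads, not real captures
    return (bytes([op, 1, 6, 0]) + xid.to_bytes(4, "big") + bytes(228)
            + MAGIC + bytes.fromhex(opts_hex) + b"\xff")
SAMPLES = [sample(1, 0x1111, "350108"),   # INFORM, answered below
           sample(2, 0x1111, "350105790f18c0a80a0a0000010cac100a000001"),   # ACK
           sample(1, 0x2222, "350108")]   # INFORM with no ACK
```

A transaction id that shows `inform` but not `ack` in the output of `summarize(SAMPLES)` matches the filtered case described in the post above.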
  • Hi,

    It is so strange.

    Does the DHCP offer packet contain DHCP option 121 when IP Filter is enabled?

    Best regards,

    Travis



    Tuesday, June 18, 2019 9:57 AM
    Moderator