DHCP enforcement problem
hello world,
i'm facing strange behaviour of nps. evaluate compliance of clients memberships in particular computer group. everything's ok if pc compliant , member of group, full access. non-compliant granted restricted access of servers. problem non-compliant pcs tcp/ip configuration without restrictions. logs pc granted access, quarantined (according policy settings), tcp/ip settings of compliant ones.
in dhcp have 1 scope. scope nap enabled , set drop packets in case nps not available.
there 2 groups of scope option class: default user class (for compliant) , default network access protection class (for non-compliant.
could please give me an idea on how rid of odd problem?
i'm facing strange behaviour of nps. evaluate compliance of clients memberships in particular computer group. everything's ok if pc compliant , member of group, full access. non-compliant granted restricted access of servers. problem non-compliant pcs tcp/ip configuration without restrictions. logs pc granted access, quarantined (according policy settings), tcp/ip settings of compliant ones.
in dhcp have 1 scope. scope nap enabled , set drop packets in case nps not available.
there 2 groups of scope option class: default user class (for compliant) , default network access protection class (for non-compliant.
could please give me an idea on how rid of odd problem?
hi,
when manually issue ipconfig/release , /renew, please verify client computer evaluated nps each time. if incorrectly unrestricted ip address, client may not have been evaluated. please try testing short dhcp lease instead of manual /release , /renew , think won't see problem.
you said non-nap-capable clients meeting noncompliant policy. if happening, noncompliant policy not configured correctly, or non-nap-capable clients have nap agent running , dhcp enforcement client enabled.
dhcp enforcement not difficult circumvent, you've discovered. method full access configure static ip address. if want more secure method, recommend ipsec enforcement. if have 802.1x enabled switches, use 802.1x enforcement.
the logs checking should tell policy matched , whether or not client evaluated correctly. there other tools troubleshooting described here.
i hope helps,
-greg
when manually issue ipconfig/release , /renew, please verify client computer evaluated nps each time. if incorrectly unrestricted ip address, client may not have been evaluated. please try testing short dhcp lease instead of manual /release , /renew , think won't see problem.
you said non-nap-capable clients meeting noncompliant policy. if happening, noncompliant policy not configured correctly, or non-nap-capable clients have nap agent running , dhcp enforcement client enabled.
dhcp enforcement not difficult circumvent, you've discovered. method full access configure static ip address. if want more secure method, recommend ipsec enforcement. if have 802.1x enabled switches, use 802.1x enforcement.
the logs checking should tell policy matched , whether or not client evaluated correctly. there other tools troubleshooting described here.
i hope helps,
-greg
Windows Server > Network Access Protection
Comments
Post a Comment