DHCP server administrators deploying DHCP NAP have often asked about provisioning clients on different subnets with separate network policies. Here is a step-by-step walkthrough for configuring such policies from the NPS management console, along with the required settings in the DHCP management console.
Kevin is a network administrator of an organization with two subnets managed by a Windows Server 2008 machine running the DHCP Server and NPS roles:
192.168.1.xxx - for permanent employees sitting inside the secured facility
10.10.10.xxx - for temporary vendors placed in the unsecured facilities who carry their laptops to customer sites.
The admin would like to assign addresses to clients on these two subnets through two different network access policies, enforcing different levels of restriction on unhealthy clients. To do this, each scope must pass a specific "MS-Service Class" value to the NPS, so that NPS can match the corresponding policy when granting network access. We will call these scopes Scope192 and Scope10 respectively and create the DHCP scopes and NPS policies. We start by creating the DHCP scopes:
1. Launch the DHCP server management console either from Computer Management or directly by running the command dhcpmgmt.msc. In the DHCP MMC: Server -> IPv4 -> right click -> New Scope
2. Now set the name of the scope ('Scope192' for the first subnet) and add a description
3. Create the address pool for the subnet and set the subnet mask
4. Set the other scope options and activate the scope
5. To complete, finish the wizard
6. Now open the properties page of the scope by right-clicking the scope.
7. Open the 'Network Access Protection' tab in the properties page and set the custom profile name to the scope name itself. We will use the name of the scope here and again while creating the NPS policy, for consistency.
8. Click OK to finish.
Repeat steps 1 through 8 to create another scope for 10.10.10.xxx and name it 'Scope10'.
Now that we have the required scopes created, let's create the NPS policies for the corresponding scopes. Open the NPS MMC snap-in from the Computer Management console or directly type 'nps' at the command prompt. Follow these steps to create and configure the network access policies for DHCP:
1. Click the NPS icon on the left pane of the NPS MMC and click "Configure NAP" from the "Getting Started" pane.
2. In the ensuing wizard page, select DHCP for 'Network Connection Method' and set the policy name to the name of the scope for which you are creating the policy, 'Scope192' in our case.
3. Add any remote RADIUS servers, if you have them. Click Next.
4. Now specify the DHCP scope this policy will be used for. Note that this name must be exactly the same as what we specified in steps 2 and 7 while creating the DHCP scope. For us, it is "Scope192". Click Next and set the other properties.
5. Finish the wizard to complete creating the policy.
Repeat steps 1 through 5 to create the policy for Scope10.
Verifying the NPS Profiles
Now that we have created the scopes and the policies, we need to verify that the appropriate NPS policies are indeed governing network access on each subnet. Open Windows Event Viewer and clear or save the events logged in the Security channel under Windows Logs. Release the IP of a client on the 192.168.1.xxx subnet and renew it. You should see the appropriate policy being matched for any request on that subnet in the logs for the NPS server role:
You can verify the same for Scope10 by generating a DHCP request on that subnet and looking at the event logs. If you find that a request from a subnet is being matched against the wrong policy, look carefully at the event logs. Most such issues can be attributed to even slight errors in creating the policy.
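The same per-scope setup (steps 1 through 8 of the DHCP walkthrough) and the event-log check from the verification section, scripted as an added example that is not part of the original article. It assumes the DhcpServer PowerShell module (Windows Server 2012/2012 R2, not the 2008 GUI the article uses), runs on the server holding both roles, and uses address ranges constructed for the article's two subnets:

```powershell
# Added example, not the article's own procedure. Assumes the DhcpServer module
# (Windows Server 2012/2012 R2); ranges below are constructed for the scenario.
Import-Module DhcpServer

$scopes = @(
    @{ Name = 'Scope192'; ScopeId = '192.168.1.0'; Start = '192.168.1.10'; End = '192.168.1.200' },
    @{ Name = 'Scope10';  ScopeId = '10.10.10.0';  Start = '10.10.10.10';  End = '10.10.10.200' }
)

foreach ($s in $scopes) {
    # Steps 1-5: create and activate the scope if it does not exist yet.
    if (-not (Get-DhcpServerv4Scope -ScopeId $s.ScopeId -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Scope -Name $s.Name -StartRange $s.Start -EndRange $s.End `
            -SubnetMask '255.255.255.0' -State Active
    }
    # Steps 6-7: enable NAP on the scope and set the custom profile name to the
    # scope name. This string is what NPS matches against the 'DHCP Scope'
    # value in the policy, so it must be identical on both sides.
    Set-DhcpServerv4Scope -ScopeId $s.ScopeId -NapEnable $true -NapProfile $s.Name
}

# Verification: after ipconfig /release and /renew on a client, list the NPS
# audit events from the last 10 minutes and extract the matched policy name.
# 6272 = access granted, 6273 = access denied, 6276 = client quarantined,
# 6278 = full access because the host met the health policy.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273, 6276, 6278
    StartTime = (Get-Date).AddMinutes(-10)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $policy = if ($e.Message -match 'Network Policy Name:\s*(.+)') { $Matches[1].Trim() } else { '(none)' }
    [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; Policy = $policy }
}
```

A request from the 192.168.1.xxx subnet should show Policy = Scope192; if it shows Scope10 or '(none)', compare the NapProfile string with the policy's DHCP Scope condition character by character.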
I hope this article helps those deploying DHCP NAP in a typical enterprise network. Any comments, suggestions and queries are welcome.
[Windows Enterprise Networking Group, Microsoft]
I enjoyed your article very much; it made things clear to me.
Studying Server 2008, I have some difficulties with the scope wizard for IPv6.
Could you please do more or less the same article for IPv6?
I would be very grateful - there is hardly any practical info to be found on this matter.
How can I refuse clients not declared in my reservations?
I want to attribute IP for only clients declared.