Freigeben über


Non-NAP Capable computers receive full network access using DHCP enforcement

This is an issue of NAP.

You set up NAP DHCP enforcement through Windows 2008 or R2.
When a client is non-NAP capable (NAP agent is not running) it should be quarantined because of having configured the non-NAP capable policy's "NAP enforcement" setting to provide limited network access. This is expected.
However, when a Windows XP SP3 client accessed to the protected network, it received an IP address which was no restricted. Although Windows XP SP3 supports NAP agent, in this scenario the client machine is non-nap capable because the NAP agent service was not started.

Background:
Network Access Protection (NAP) is a new platform and solution that controls access to network resources based on a client computer’s identity and compliance with corporate governance policy. NAP allows network administrators to define granular levels of network access based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy. If a client is not compliant, NAP provides a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access.

There is an workaround that we confirmed can resolve this problem:

Create the following registry in the Windows XP SP3 client.
1. Create a REG_MULTI_SZ key named DhcpOptionLocationList under
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices DhcpParametersOptions
Add the following values to the key:
1 15 3 44 46 47 6 DhcpNetbiosOptions

Use ipconfig/renew in the logon script for XP computers only.