DHCP Enforcement Example

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

The following examples show how NAP with DHCP enforcement can be used to restrict network access when a computer is determined to be noncompliant with health policies. In the first example, a single server is used as both a NAP DHCP enforcement server and a NAP health policy server. In the second example, these roles are installed on separate computers that are located on different subnets.

DHCP design: example 1

The following illustrations and their corresponding steps provide a detailed description of the processes involved when a NAP client computer requests network access from a NAP-enabled DHCP server.

Compliant client access request

The following illustration provides an example of the processes involved when a compliant NAP client computer requests access to the network.

Illustration: DHCP NAP compliant client access request

  1. A NAP client computer requests an IPv4 address configuration from a DHCP server.

  2. The client’s health credentials are forwarded by the DHCP service to the NPS service for analysis.

  3. If the client is compliant with health requirements, NPS instructs the DHCP service to provide a corporate IPv4 address configuration.

  4. The DHCP service provides the client computer with a corporate IPv4 address configuration.

  5. The client computer is granted access to the corporate network.

Noncompliant client restriction and remediation

The following illustration and its corresponding steps provide a detailed description of the processes involved in providing restricted network access and then remediating the health state of a noncompliant NAP client computer using the DHCP enforcement method. In this example, a client computer on the corporate network is determined to be noncompliant with health requirements. The client computer is issued a noncompliant IPv4 address configuration and its access is restricted until it is able to update its health status to be compliant.

Illustration: DHCP NAP noncompliant client restriction and remediation

  1. A NAP client computer detects a change in its health state and sends its health credentials to the DHCP service on a NAP-enabled server.

  2. The DHCP service forwards the client’s health credentials to NPS for analysis.

  3. NPS determines that the client computer is noncompliant with health requirements and instructs the DHCP service to provide a noncompliant IPv4 address configuration.

  4. The DHCP service responds to the client with the results of the health evaluation and provides an IPv4 address configuration for restricted access.

  5. The client computer's network access is restricted to the remediation server only.

  6. If required, the client computer requests updates from a remediation server.

  7. The remediation server provides required updates to make the client computer compliant with health requirements.

  8. A change in health state causes the client computer to send updated health credentials to the DHCP server.

  9. The DHCP service forwards the client computer’s health credentials to NPS for analysis.

  10. NPS determines that the client computer is compliant with health requirements and instructs the DHCP service to provide a compliant IPv4 address configuration.

  11. The DHCP service responds to the client and provides an IPv4 address configuration for full network access.

  12. Full network access is restored to the client computer.

DHCP design: example 2

The following illustrations and their corresponding steps provide a detailed description of the processes involved when a NAP client computer requests network access from a NAP-enabled DHCP server. In this example, multiple subnets are connected to each other using routers that are configured to relay DHCP messages. NAP client computers are located on subnets A and B. A NAP-enabled DHCP server and remediation server are located on subnet Y. The NAP health policy server is located on subnet Z.

Compliant client access request

The following illustration shows the processes involved when a compliant NAP client computer requests access to the network.

Illustration: DHCP NAP compliant client access request

  1. A NAP client computer requests network access from a NAP-enabled DHCP server.

  2. The client computer's access request is forwarded to NPS for analysis.

  3. If the client computer is determined to be compliant with health requirements, NPS instructs the DHCP server to provide a full access IPv4 address configuration.

  4. The DHCP server determines that the client computer requested access from network segment A and provides a full access IPv4 address configuration for subnet A.

  5. The client computer is granted full access to subnet A.

Noncompliant client restriction and remediation

The following illustration and its corresponding steps provide a detailed description of the processes involved in providing restricted network access and then remediating the health state of a noncompliant NAP client computer using the DHCP enforcement method. In this example, a client computer on subnet A is determined to be noncompliant with health requirements. The client computer is issued a noncompliant IPv4 address configuration and its access is restricted until it is able to update its health status to be compliant.

Illustration: DHCP NAP noncompliant client restriction and remediation

  1. A NAP client computer detects a change in health state and sends an IPv4 address renewal request containing its health credentials to the DHCP server.

  2. The DHCP server forwards the client’s health credentials to NPS for analysis.

  3. NPS analyzes the health credentials and determines that the client is noncompliant with health requirements. NPS instructs the DHCP server to provide the client computer with a restricted IPv4 address configuration.

  4. The DHCP server provides the client computer with a restricted IPv4 address configuration.

  5. The client computer’s access to other computers on subnet A is blocked. Classless static host routes are added to the client’s routing table to allow access only to the DHCP server and a remediation server on subnet Y.

  6. If required, the client computer requests updates from a remediation server.

  7. The remediation server provides required updates to make the client computer compliant with health requirements.

  8. The client computer sends a DHCP renewal request that contains updated health credentials to the DHCP server.

  9. The DHCP service forwards the client’s health credentials to NPS for analysis.

  10. NPS determines that the client computer is compliant with health requirements and instructs the DHCP service to provide a compliant IPv4 address configuration.

  11. The DHCP service issues a response to the client and provides an IPv4 address configuration for full network access.

  12. Full network access is restored to the client computer.
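The following is an added example, not code from this page or from Microsoft's NAP implementation. It models in Python the decision flow of both noncompliant-client sequences above (design examples 1 and 2): the DHCP service hands the client's health credentials to NPS, and on a noncompliant verdict issues a restricted lease whose classless static routes (DHCP option 121, RFC 3442) reach only the DHCP server and the remediation server; the subnet is chosen from the relay address, as in step 4 of example 2. The addresses, subnets and health attributes are constructed, and the 255.255.255.255 mask with no default gateway is how the restricted configuration is modelled here.

```python
import ipaddress

REQUIRED_HEALTH = {"firewall_on": True, "av_up_to_date": True}  # constructed NPS health policy

# Constructed topology for design example 2: relay (router) address -> client subnet.
RELAY_TO_SUBNET = {
    ipaddress.ip_address("10.0.1.1"): ipaddress.ip_network("10.0.1.0/24"),  # subnet A
    ipaddress.ip_address("10.0.2.1"): ipaddress.ip_network("10.0.2.0/24"),  # subnet B
}
DHCP_SERVER = ipaddress.ip_address("10.0.9.10")  # subnet Y
REMEDIATION = ipaddress.ip_address("10.0.9.20")  # subnet Y


def nps_evaluate(soh):
    """NPS side: the client's Statement of Health is compliant only if every
    required attribute holds (steps 2-3 of the flows above)."""
    return all(soh.get(k) == v for k, v in REQUIRED_HEALTH.items())


def encode_option_121(routes):
    """Classless static routes, DHCP option 121 (RFC 3442): prefix length,
    only the significant octets of the destination, then the next-hop router."""
    out = bytearray()
    for dest, router in routes:
        out.append(dest.prefixlen)
        out += dest.network_address.packed[: (dest.prefixlen + 7) // 8]
        out += router.packed
    return bytes(out)


def build_lease(relay, host_index, soh):
    """DHCP side: choose the subnet from the relay address the request came
    through, then shape the lease according to the NPS verdict."""
    relay = ipaddress.ip_address(relay)
    subnet = RELAY_TO_SUBNET[relay]
    address = subnet.network_address + host_index
    if nps_evaluate(soh):
        # Full access: the subnet's real mask and its router as default gateway.
        return {"address": str(address), "mask": str(subnet.netmask),
                "router": str(relay), "option121": b""}
    # Restricted access: a 255.255.255.255 mask and no default gateway, so the
    # only reachable hosts are those named in the classless static routes
    # (the DHCP server and the remediation server, via the subnet's router).
    routes = [(ipaddress.ip_network(f"{DHCP_SERVER}/32"), relay),
              (ipaddress.ip_network(f"{REMEDIATION}/32"), relay)]
    return {"address": str(address), "mask": "255.255.255.255",
            "router": None, "option121": encode_option_121(routes)}
```

Calling build_lease again with an updated, compliant SoH returns the full-access lease, which is the renewal in steps 8-12 of both flows.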