Network Access Is Not Restored After Remediation

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In a Network Access Protection (NAP) deployment, this problem can occur if a NAP DHCP server is located on a subnet different from NAP client computers and the 003 Router option has not been configured in the default NAP class.

Description of system behavior

In order for noncompliant NAP client computers to regain full network access after remediation, they must have access to a NAP enforcement point on the restricted network. If a NAP DHCP server is located on a subnet different from NAP client computers, you must configure the 003 Router option in the default NAP class with the IP address of a gateway device that can route NAP client DHCP requests to the enforcement point. If this option is not present, NAP client computers will be unable to obtain a new IP configuration when they complete the remediation process.

Associated operating system events

  • DHCP event ID 1003: Your computer was not able to renew its address from the network (from the DHCP server) for the network adapter with MAC address %1. The following error occurred: %2. Your computer will continue trying to obtain an address on its own from the DHCP server.

Root cause diagnosis and resolution

When NAP is used with the DHCP enforcement method, the default gateway is removed from noncompliant NAP client computers when their access is restricted. To reach a DHCP server or remediation server on a different subnet, the client computer is instead provided with classless static host routes. The next-hop address of these host routes is taken from the 003 Router option in the default NAP class; if that option is not configured, the classless static host route is not provisioned.

NAP DHCP clients do not acquire an IP address after remediation

NAP DHCP clients will acquire a classless IP address configuration when they are noncompliant with network health requirements. After remediation, they must renew their IP address configuration by contacting the NAP-enabled DHCP server. NAP client computers must use the restricted IP address configuration to contact a DHCP server.

Resolution

To repair this problem, configure the 003 Router option in the default NAP class with the IP address of a routing device that is capable of forwarding DHCP requests to the NAP DHCP server.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To repair this problem

  1. On the NAP DHCP server, click Start, click Run, type dhcpmgmt.msc, and press ENTER.

  2. In the DHCP console tree, open IPv4\Scope, right-click Scope Options, and then click Configure Options.

  3. On the Advanced tab, next to User class, select Default Network Access Protection Class.

  4. Under Available Options, click 003 Router.

  5. Under IP address, type the IP address of the router that NAP clients will use to communicate with the NAP DHCP server, and then click OK.

  6. Close the DHCP console.
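The same configuration applied from PowerShell with a read-back check, as an added example that is not part of the original article. It assumes the DhcpServer module (Windows Server 2012 and later), placeholder values for the scope ID and router address, and that the NAP user class can be located by its console display name.

```powershell
# Added example, not from the original article: the console steps above expressed with the
# DhcpServer PowerShell module. The scope ID and router address are constructed placeholders.
$ScopeId  = '192.0.2.0'   # NAP-enabled scope (placeholder)
$RouterIp = '192.0.2.1'   # gateway that can forward NAP client DHCP requests to the NAP DHCP server (placeholder)

# Resolve the default NAP user class by its display name instead of hard-coding it
$napClass = Get-DhcpServerv4Class -Type User |
    Where-Object { $_.Name -like '*Network Access Protection*' }
if (-not $napClass) { throw 'Default Network Access Protection Class not found on this DHCP server.' }

# Set 003 Router for the NAP class only; the scope's normal router option is left untouched
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $napClass.Name -OptionId 3 -Value $RouterIp

# Read the option back for the NAP class to confirm the next-hop address is now provisioned
$check = Get-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $napClass.Name -OptionId 3
if ($check.Value -contains $RouterIp) {
    "003 Router for '$($napClass.Name)' in scope $ScopeId is $($check.Value -join ', ')"
} else {
    throw "003 Router option for the NAP class was not set as expected."
}
```

After the option is in place, a remediated client should be able to renew its lease; a repeat of DHCP event ID 1003 on the client indicates the gateway address still cannot reach the NAP DHCP server.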