DHCP NAP Clients Do Not Obtain an IP Address

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

This problem commonly occurs because you have configured the MS-Service class conditions in network policy, but have not assigned a custom profile to the Network Access Protection (NAP) scope on the DHCP server. Some less common causes include:

  • Computers are evaluated as non-NAP-capable and you have not configured a non-NAP-capable network policy.

  • You have configured the DHCP server to drop client packets when Network Policy Server (NPS) cannot be contacted.

Description of system behavior

When a DHCP client request does not match the conditions of any network policy, the client computer will fail to obtain an IP address configuration from the DHCP server. This can happen if you enter a policy condition on the Specify DHCP Scopes page of the NAP configuration wizard. When you enter a condition on this page, it is configured as an MS-Service class condition in network policy. To match this condition, you must configure an identical profile name in your NAP scope.

Associated operating system events

  • NPS event ID 6273: The Network Policy Server denied access to a user.

Root cause diagnosis and resolution

This problem occurs when the client access request fails to match any network policy. Repair this condition by configuring the NAP scope to match the MS-Service class condition.

The NAP scope is not configured with a custom profile name

You can repair this condition by either removing the MS-Service class condition from network policy, or by configuring a custom profile name.

Resolution

To repair this problem, configure a custom profile name in your NAP-enabled DHCP scope.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To configure a custom profile name

  1. On the NAP-enabled DHCP server, click Start, click Run, type dhcpmgmt.msc, and press ENTER.

  2. In the DHCP console tree, right-click the name of your NAP-enabled scope and then click Properties.

  3. On the Network Access Protection tab, click Use custom profile.

  4. Under Profile Name, type the name that you entered for the MS-Service class condition in network policy, and then click OK.
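
The same check and repair can be scripted. The following is an added example, not part of the original article or Microsoft's own code; it assumes the DhcpServer PowerShell module (Windows Server 2012 or Windows Server 2012 R2), an elevated session on the DHCP server, and NPS running on the same server for the event query. The function names and the sample values 'NAP-DHCP-Profile' and 10.0.0.0 are placeholders.

```powershell
#Requires -Modules DhcpServer
# Added example: audit and repair the NAP profile name on DHCP scopes.

function Test-NapScopeProfile {
    param(
        # Exact MS-Service class value from the network policy condition.
        [Parameter(Mandatory)][string]$ServiceClass
    )
    # Only NAP-enabled scopes are relevant to this problem.
    Get-DhcpServerv4Scope | Where-Object { $_.NapEnable } | ForEach-Object {
        [pscustomobject]@{
            ScopeId    = $_.ScopeId
            Name       = $_.Name
            NapProfile = $_.NapProfile   # empty when no custom profile is set
            # Flag any difference, including case, because the names must be identical.
            Matches    = ($_.NapProfile -ceq $ServiceClass)
        }
    }
}

function Set-NapScopeProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ipaddress]$ScopeId,
        [Parameter(Mandatory)][string]$ServiceClass
    )
    # Scripted equivalent of "Use custom profile" plus the Profile Name field.
    if ($PSCmdlet.ShouldProcess("$ScopeId", "Set NAP profile to '$ServiceClass'")) {
        Set-DhcpServerv4Scope -ScopeId $ScopeId -NapProfile $ServiceClass
    }
}

function Get-RecentNpsDenial {
    param([int]$Hours = 1)
    # NPS event ID 6273 is written to the Security log on the NPS server.
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Placeholder values: substitute your own MS-Service class name and scope ID.
Test-NapScopeProfile -ServiceClass 'NAP-DHCP-Profile' | Format-Table -AutoSize
Set-NapScopeProfile -ScopeId 10.0.0.0 -ServiceClass 'NAP-DHCP-Profile' -WhatIf
Get-RecentNpsDenial -Hours 1
```

Remove -WhatIf to apply the change, then confirm that Test-NapScopeProfile reports Matches as True for the scope and that no new 6273 events appear for DHCP clients.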