DHCP servers are commonly used when building networks. To better understand this aspect, we give a detailed introduction to the running principle and process of the "DHCP address configuration" implementation method.
Running principle and process of the "DHCP address configuration" implementation method
In the "DHCP address configuration" implementation method on the Microsoft NAP platform, the contents of the IPv4 routing table of the DHCP client are controlled to restrict its access to the enterprise network. This method sets the value of the Router DHCP option given to the DHCP client to 0.0.0.0, so the default gateway of a DHCP client that does not comply with the computer health policy is not set to the predefined default gateway IP address. In addition, the "DHCP address configuration" implementation method sets the IPv4 subnet mask of the DHCP client computer to 255.255.255.255, so a DHCP client that does not meet the computer health policy cannot connect to any IP subnet of the enterprise. If computers that do not comply with the computer health policy are to be allowed to reach the update servers located in the "restricted network", the DHCP server can include in the Classless Static Routes DHCP option a set of host routes, for example to the IP address of the DNS server and the IP address of the update server. Because the IP address configuration and routing table of a non-compliant DHCP client are controlled in this way, the final result used to restrict network access is that the DHCP client can connect only to the specific IP addresses in the restricted network. If an application on the DHCP client computer attempts to send data to an IP address other than those provided by the Classless Static Routes DHCP option, the TCP/IP stack returns a routing error.
However, network administrators should note that the "DHCP address configuration" implementation method provided by Microsoft NAP is only effective for DHCP clients that use the IPv4 protocol; DHCP clients using the IPv6 protocol are not restricted. In addition, if a DHCP client user has system administrator permissions on the computer in use, the user can manually change the IPv4 address and routing table information by running commands, and so obtain access to the enterprise network that is not limited by this method.
The following procedure occurs when a DHCP client computer that supports Microsoft NAP connects to the enterprise network and tries to obtain an IPv4 address and configuration settings from a DHCP server in the enterprise network that supports Microsoft NAP.
Step 1: The DHCP NAP EC (DHCP NAP Enforcement Client) of the NAP client to which the DHCP client belongs queries the NAP Agent component for SSoH (System Statement of Health) information.
Step 2: The NAP Agent component of the NAP client to which the DHCP client belongs sends the SSoH information to the DHCP NAP EC component.
Step 3: The DHCP client encapsulates the SSoH information as a Microsoft vendor-specific DHCP option and transmits it in a DHCP Discover packet.
Step 4: The DHCP server in the enterprise network that supports Microsoft NAP receives the DHCP Discover packet from Step 3. The DHCP NAP ES (DHCP NAP Enforcement Server) on the DHCP server retrieves the SSoH information from the DHCP Discover packet, packages it in a RADIUS Access-Request packet, and sends it to the NPS (NAP health policy server).
Step 5: The NPS service on the NAP health policy server receives the RADIUS Access-Request packet from Step 4, retrieves the SSoH information from it, and passes it to the NAP Administration Server component on the NAP health policy server.
Step 6: The NAP Administration Server component sends each SoH (Statement of Health) contained in the SSoH information to the appropriate SHV (System Health Validator) on the NAP health policy server.
Step 7: Each SHV analyzes the SoH content that belongs to it and returns a SoHR (Statement of Health Response) to the NAP Administration Server component.
Step 8: The NAP Administration Server component sends the SoHRs from Step 7 to the NPS service on the NAP health policy server.
Step 9: The NPS service on the NAP health policy server compares the SoHRs with the configured health requirement policy and builds an SSoHR (System Statement of Health Response).
Step 10: The NPS service on the NAP health policy server builds a RADIUS Access-Accept packet containing the SSoHR information and transmits it to the DHCP server from Step 4.
Step 11: When the DHCP server receives the RADIUS Access-Accept packet, it takes out the SSoHR information contained in the packet.
Step 12: The DHCP server sends a DHCP Offer packet containing an IPv4 address, related configuration information, and the SSoHR information as a DHCP vendor-specific option to the DHCP client from Step 1.
Step 13: After the DHCP client receives the DHCP Offer packet from Step 12, it responds with a DHCP Request packet requesting the IPv4 address and related parameters.
Step 14: After receiving the DHCP Request packet from Step 13, the DHCP server responds with a DHCP Ack packet containing the IPv4 address and related parameters to be provided to the DHCP client, together with the SSoHR information.
Step 15: After the DHCP client receives the DHCP Ack packet from Step 14, the DHCP NAP EC component of the NAP client retrieves the SSoHR information from the received DHCP Ack packet and sends it to the NAP Agent component of the NAP client to which the DHCP client belongs.
Step 16: The NAP Agent component then sends each SoHR to the appropriate SHA (System Health Agent) component on the NAP client to which the DHCP client belongs.
If the computer health status of the NAP client meets the computer health policy set by the enterprise, the DHCP Ack packet received by the DHCP client contains the Router DHCP option with the correct default gateway IP address and the subnet mask that authorizes the NAP client to connect to its enterprise subnet, but does not contain the Classless Static Routes option. The NAP client can therefore access the authorized resources in its enterprise network without restriction.
However, if the computer health status of the NAP client does not meet the computer health policy set by the enterprise, the DHCP Ack packet received by the DHCP client contains the Router DHCP option with the value 0.0.0.0 and a subnet mask value of 255.255.255.255, and includes the Classless Static Routes option that sets static host routes to the update servers in the "restricted network".
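The following is an added example (not code from the original article or from Microsoft NAP) that models the two DHCP Ack outcomes described above and the restriction mechanism from the opening section: it encodes and decodes the Classless Static Routes option payload in its RFC 3442 wire format (DHCP option 121), derives the routing table a client would end up with from the Router, Subnet Mask and Classless Static Routes values, and reports which destinations remain reachable. The lease values and the restricted-network addresses are constructed for illustration.

```python
import ipaddress

# RFC 3442 Classless Static Routes option (DHCP option 121): each route is
# <prefix length><only the significant octets of the destination><4-byte router>.
def encode_classless_routes(routes):
    """routes: list of (destination CIDR string, router string) -> option payload bytes."""
    out = b""
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        n = (net.prefixlen + 7) // 8            # number of significant destination octets
        out += bytes([net.prefixlen]) + net.network_address.packed[:n]
        out += ipaddress.IPv4Address(router).packed
    return out

def decode_classless_routes(data):
    """Option payload bytes -> list of (IPv4Network, IPv4Address) tuples."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        n = (plen + 7) // 8
        dest_bytes = data[i + 1:i + 1 + n] + b"\x00" * (4 - n)   # restore the omitted octets
        router = ipaddress.IPv4Address(data[i + 1 + n:i + 5 + n])
        routes.append((ipaddress.IPv4Network((dest_bytes, plen), strict=False), router))
        i += 5 + n
    return routes

def build_route_table(client_ip, router_opt, mask_opt, classless_opt=b""):
    """Destinations the client can route to, given the DHCP Ack's Router (option 3),
    Subnet Mask (option 1) and Classless Static Routes (option 121) values."""
    table = [ipaddress.IPv4Interface(f"{client_ip}/{mask_opt}").network]  # on-link subnet
    if router_opt != "0.0.0.0":                  # a real Router option yields a default route
        table.append(ipaddress.IPv4Network("0.0.0.0/0"))
    table.extend(dest for dest, _ in decode_classless_routes(classless_opt))
    return table

def can_reach(dest_ip, table):
    """True if some route covers dest_ip; False models the routing error the article describes."""
    return any(ipaddress.IPv4Address(dest_ip) in net for net in table)

# Constructed sample values (not from the article): host routes to a DNS server and an
# update server in the restricted network, next hop via the subnet gateway.
REMEDIATION_ROUTES = [("10.9.9.53/32", "10.1.2.1"), ("10.9.9.80/32", "10.1.2.1")]

if __name__ == "__main__":
    noncompliant = build_route_table("10.1.2.50", "0.0.0.0", "255.255.255.255",
                                     encode_classless_routes(REMEDIATION_ROUTES))
    compliant = build_route_table("10.1.2.50", "10.1.2.1", "255.255.255.0")
    for dst in ("10.9.9.80", "10.1.2.77", "203.0.113.9"):
        print(dst, "noncompliant:", can_reach(dst, noncompliant), "compliant:", can_reach(dst, compliant))
```

A defender can feed the option values from a captured DHCP Ack into build_route_table to confirm that a non-compliant lease exposes only the intended remediation hosts.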