I was wondering if anyone could help me accomplish with what I thought would be a pretty simple task after reading about NPS and NAP.
Environment: Two Windows Server 2012r2 with AD, DNS, DHCP (with one scope that has failover load balancing), NPS and one of the servers has WDS/MDT (this server has DHCP option 60 to accomodate the DHCP ports)
What I would like to accomplish is to create two for sure, maybe a third if necessary:
1) When a PC on my network that is in the \Domain Computer group it NAP and NPS would authenticate it so DHCP would hand it a lease.
2) If a device that is NON NAP-Compatible then it would still be given a lease based upon its mac address (this is for our IP phones and printers).
3) (if this needs to be a policy) Any device that does not meet those policies are denied.
The network cannot support 802.1x at this time.
I followed this: http://www.technig.com/configure-network-access-protection-server-2012-r2/ article to get the ball rolling and this: https://blogs.technet.microsoft.com/teamdhcp/2008/06/15/nap-enforcement-exemption-for-printers-and-other-network-appliances/ article for the IP phones and Printers Network Policy.
The conditions that I put in for the domain computers Network Policy was Machine Group: \Domain Computers
Under constraints > Authentication, I have tried MS-CHAP-v2 and MS-CHAP and when that did not work, I switched it to Perform machine health check only.
For the SHV, I have deselected all the options.
My issue is when NAP is turned on, the computers will not receive a lease from DHCP. The Telephones work. I have ensured Failover is working and both servers are distributing a lease when NAP is turned off by deactivating one of the scopes and renewing the lease to see which DHCP server the lease was obtained from.
Thank you for your time and please let me know if I need to include any other information.