This document provides an overview of implementing Network Access Protection (NAP). It discusses key NAP concepts like how NAP works, enforcement methods, and the NAP architecture. It also provides step-by-step demonstrations for configuring NAP including health policies, network access policies, tracing, and troubleshooting. The document concludes with a lab scenario where the reader will configure NAP components and client settings to integrate NAP into a VPN remote access solution.
2. Module Overview
• Overview of Network Access Protection
• How NAP Works
• Configuring NAP
• Monitoring and Troubleshooting NAP
3. Lesson 1: Overview of Network Access Protection
• What Is Network Access Protection?
• NAP Scenarios
• NAP Enforcement Methods
• NAP Platform Architecture
4. What Is Network Access Protection?
Network Access Protection can:
• Enforce health-requirement policies on client computers
• Ensure client computers are compliant with policies
• Offer remediation support for computers that do not meet health requirements
Network Access Protection cannot:
• Enforce health requirement policies on client computers
• Ensure client computers are compliant with policies
5. NAP Scenarios
NAP helps you verify the health state of:
• Roaming laptops
• Desktop computers
• Visiting laptops
• Unmanaged home computers
6. NAP Enforcement Methods
Method / Key Points
IPsec enforcement for IPsec-protected communications
• Computer must be compliant to communicate with other compliant computers
• The strongest NAP enforcement type, and can be applied per IP address or protocol port number
802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections
• Computer must be compliant to obtain unlimited access through an 802.1X connection (authentication switch or access point)
VPN enforcement for remote access connections
• Computer must be compliant to obtain unlimited access through a RAS connection
DirectAccess
• Computer must be compliant to obtain unlimited network access
• For noncompliant computers, access restricted to a defined group of infrastructure servers
DHCP enforcement for DHCP-based address configuration
• Computer must be compliant to receive an unlimited access IPv4 address configuration from DHCP
• This is the weakest form of NAP enforcement
8. Lesson 2: How NAP Works
• NAP Enforcement Processes
• IPsec Enforcement
• 802.1x Enforcement
• VPN Enforcement
• DHCP Enforcement
9. NAP Enforcement Processes
[Diagram: NAP enforcement processes. Components shown: NAP client; NAP enforcement points (HRA, VPN server, DHCP server, IEEE 802.1X network access devices); NAP health policy server; health requirement server; remediation server. Flows labelled: RADIUS messages (enforcement points to the NAP health policy server), system health requirement queries (to the health requirement server), system health updates (remediation server to the NAP client).]
10. IPsec Enforcement
[Diagram: NAP infrastructure. Intranet: remediation servers, NAP health policy server, DHCP server, Health Registration Authority, IEEE 802.1X devices, Active Directory, VPN server. Restricted network: NAP client with limited access. Perimeter network and Internet.]
Key Points of IPsec NAP Enforcement:
• Consists of a health certificate server and an IPsec NAP EC
• The health certificate server issues X.509 certificates to quarantined clients when they are verified as compliant
• Certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet
• IPsec enforcement confines the communication on a network to those nodes that are considered compliant
• You can define requirements for secure communications with compliant clients on a per-IP address or a per-TCP/UDP port number basis
11. 802.1x Enforcement
[Diagram: the NAP infrastructure diagram from slide 10 (intranet, restricted network, perimeter network and Internet components), shown here for 802.1X enforcement.]
Key Points of 802.1X Wired or Wireless NAP Enforcement:
• Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection
• Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP places on the connection
• Restricted access profiles can specify IP packet filters or a virtual LAN (VLAN) identifier (ID) that corresponds to the restricted network
• 802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted access profile to the connection if the client becomes noncompliant
12. VPN Enforcement
[Diagram: the NAP infrastructure diagram from slide 10 (intranet, restricted network, perimeter network and Internet components), shown here for VPN enforcement.]
Key Points of VPN NAP Enforcement:
• Computer must be compliant to obtain unlimited network access through a remote access VPN connection
• Noncompliant computers have network access limited through a set of IP packet filters that are applied to the VPN connection by the VPN server
• VPN enforcement actively monitors the health status of the NAP client and applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant
13. DHCP Enforcement
[Diagram: the NAP infrastructure diagram from slide 10 (intranet, restricted network, perimeter network and Internet components), shown here for DHCP enforcement.]
Key Points of DHCP NAP Enforcement:
• Computer must be compliant to obtain an unlimited access IPv4 address configuration from a DHCP server
• Noncompliant computers receive an IPv4 address configuration that allows access to the restricted network only
• DHCP enforcement actively monitors the health status of the NAP client, renewing the IPv4 address configuration for access only to the restricted network if the client becomes noncompliant
14. Lesson 3: Configuring NAP
• What Are System Health Validators?
• What Is a Health Policy?
• What Are Remediation Server Groups?
• NAP Client Configuration
• Demonstration: How to Configure Network Access Policies
15. What Are System Health Validators?
System Health Validators are the server-side counterparts to system health agents
• Each SHA on the client has a corresponding SHV in NPS
• SHVs allow NPS to verify the statement of health made by the corresponding SHA on the client
• SHVs contain the configuration settings required of client computers
• The Windows Security SHV corresponds to the Microsoft SHA on client computers
16. What Is a Health Policy?
To make use of the Windows Security Health Validator, you must configure a Health Policy and assign the SHV to it
• Health policies consist of one or more SHVs and other settings that allow you to define client computer configuration requirements for NAP-capable computers that attempt to connect to your network
• You can define client health policies in NPS by adding one or more SHVs to the health policy
• NAP enforcement is accomplished by NPS on a per-network policy basis
• After you create a health policy by adding one or more SHVs to the policy, you can add the health policy to the network policy and enable NAP enforcement in the policy
17. What Are Remediation Server Groups?
With NAP enforcement in place, you should specify remediation server groups so that clients have access to the resources that bring noncompliant NAP-capable clients into compliance
• A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with the health policy that NPS defines
• A remediation server group is a list of servers on the restricted network that noncompliant NAP clients can access for software updates
18. NAP Client Configuration
• Some NAP deployments that use the Windows Security Health Validator require that you enable Security Center
• The Network Access Protection service is required when you deploy NAP to NAP-capable client computers
• You also must configure the NAP enforcement clients on the NAP-capable computers
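The three client-side requirements above can be applied and checked from an elevated PowerShell session. The script below is an added example written for this page; it is not course material or Microsoft code. It assumes PowerShell 3.0 or later on a NAP-capable Windows client of the era this module covers, that the NAP Agent service is named napagent and Security Center wscsvc, that the enforcement-client IDs accepted by netsh are 79617 (DHCP), 79618 (remote access/VPN), 79619 (IPsec) and 79623 (EAP/802.1X), and that "netsh nap client show config" lists each enforcement client as a block of "Name =", "ID =" and "Admin =" lines. Following the lab scenario, only the remote access (VPN) enforcement client is enabled.

```powershell
# Added example for this page (not course or vendor code): prepare a NAP-capable
# Windows client and verify which enforcement clients are enabled.
# Run from an elevated PowerShell 3.0+ session; netsh is the native NAP client tool.

# Enforcement-client IDs as used by "netsh nap client set enforcement"
# (assumption: these are the IDs on Windows Vista/7/Server 2008-era clients).
$NapEnforcementClients = @{
    Dhcp         = 79617   # DHCP Quarantine Enforcement Client
    RemoteAccess = 79618   # Remote Access (VPN) Quarantine Enforcement Client
    IPsec        = 79619   # IPsec Relying Party
    Eap          = 79623   # EAP Quarantine Enforcement Client (802.1X wired/wireless)
}

function Enable-NapClientServices {
    # napagent = Network Access Protection Agent, required on every NAP client;
    # wscsvc   = Security Center, required when the Windows Security Health Validator is used.
    foreach ($name in 'napagent', 'wscsvc') {
        Set-Service -Name $name -StartupType Automatic
        if ((Get-Service -Name $name).Status -ne 'Running') { Start-Service -Name $name }
    }
}

function Set-NapEnforcementClient {
    param(
        [Parameter(Mandatory = $true)][int]$Id,
        [ValidateSet('ENABLE', 'DISABLE')][string]$Admin = 'ENABLE'
    )
    # Equivalent to: netsh nap client set enforcement ID = <id> ADMIN = "ENABLE"
    $null = & netsh.exe nap client set enforcement "ID=$Id" "ADMIN=$Admin"
    if ($LASTEXITCODE -ne 0) { throw "netsh could not set enforcement client $Id to $Admin" }
}

function Get-NapEnforcementClientConfig {
    # Parses "netsh nap client show config". Assumption about the output format:
    # each enforcement client appears as "Name = ...", "ID = ...", "Admin = Enabled|Disabled".
    # The Admin line closes a block, so the last Name/ID seen before it belong to that client.
    $current = @{}
    foreach ($line in (& netsh.exe nap client show config)) {
        if ($line -match '^\s*(Name|ID|Admin)\s*=\s*(.*?)\s*$') {
            $current[$Matches[1]] = $Matches[2]
            if ($Matches[1] -eq 'Admin') {
                [pscustomobject]@{ Name = $current['Name']; Id = [int]$current['ID']; Admin = $current['Admin'] }
                $current = @{}
            }
        }
    }
}

# Lab scenario: NAP is being added to the VPN remote access solution, so enable the
# remote access enforcement client and leave the others as they are.
Enable-NapClientServices
Set-NapEnforcementClient -Id $NapEnforcementClients.RemoteAccess -Admin ENABLE
Get-NapEnforcementClientConfig | Format-Table -AutoSize
```

Enabling only the enforcement client that matches the deployment keeps the client from reporting health to enforcement points that are not part of the design; an enforcement client left enabled for a method that has no corresponding NPS policy produces confusing "not restricted" results when you later troubleshoot with netsh.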
19. Demonstration: How to Configure Network Access Policies
• Install the NPS server role
• Configure NPS as a NAP health policy server
• Configure health policies
• Configure network policies for compliant computers
• Configure network policies for noncompliant computers
• Configure the DHCP server role for NAP
• Configure client NAP settings
• Test NAP
20. Lesson 4: Monitoring and Troubleshooting NAP
• What Is NAP Tracing?
• Demonstration: How to Configure NAP Tracing
• Troubleshooting NAP with Netsh
• NAP Event Logs
21. What Is NAP Tracing?
• NAP tracing identifies NAP events and records them to a log file based on one of the following tracing levels:
  • Basic
  • Advanced
  • Debug
• You can use tracing logs to:
  • Evaluate the health and security of your network
  • Troubleshoot and maintain NAP
• NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs
22. Demonstration: How to Configure NAP Tracing
In this demonstration, you will see how to:
• Configure tracing from the GUI
• Configure tracing from the command-line
23. Troubleshooting NAP with Netsh
You can use the following netsh NAP commands to help you troubleshoot NAP issues:
• netsh NAP client show state
• netsh NAP client show group
• netsh NAP client show config
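The tracing demonstration and the three netsh views above fit together as one troubleshooting routine: enable tracing, reproduce the connection attempt, capture the client's state, and collect the trace files. The script below is an added example for this page, not course or Microsoft code. It assumes an elevated PowerShell 3.0+ session, that "netsh nap client set tracing" accepts state=enable|disable and level=basic|advanced|verbose (the GUI's Debug level being netsh's verbose), that trace files are written under %SystemRoot%\tracing\nap by default, and that "show state" output consists of "Key = Value" lines in which "Restriction state" reports whether the client is currently quarantined.

```powershell
# Added example for this page (not course or vendor code): collect NAP client
# troubleshooting data. Assumes an elevated PowerShell 3.0+ session and the
# netsh syntax / trace directory described in the lead-in.

function Set-NapTracing {
    param(
        [ValidateSet('enable', 'disable')][string]$State = 'enable',
        [ValidateSet('basic', 'advanced', 'verbose')][string]$Level = 'verbose'
    )
    # Command-line equivalent of the GUI tracing setting.
    $null = & netsh.exe nap client set tracing "state=$State" "level=$Level"
    if ($LASTEXITCODE -ne 0) { throw "netsh could not set tracing state=$State level=$Level" }
}

function Get-NapClientState {
    # Parses "netsh nap client show state" into name/value pairs. Only the first
    # occurrence of a key is kept, so client-level values (Status, Restriction state)
    # are not overwritten by the per-enforcement-client blocks that follow them.
    $state = [ordered]@{}
    foreach ($line in (& netsh.exe nap client show state)) {
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            $key = $Matches[1]
            if (-not $state.Contains($key)) { $state[$key] = $Matches[2] }
        }
    }
    [pscustomobject]$state
}

function Export-NapTroubleshootingBundle {
    param([string]$Destination = (Join-Path $env:TEMP ("nap-diag-{0:yyyyMMdd-HHmmss}" -f (Get-Date))))
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    # The three netsh views the module lists, captured verbatim for the record.
    foreach ($view in 'state', 'group', 'config') {
        & netsh.exe nap client show $view | Set-Content -Path (Join-Path $Destination "show-$view.txt")
    }
    # Assumption: NAP trace files live under %SystemRoot%\tracing\nap.
    $traceDir = Join-Path $env:SystemRoot 'tracing\nap'
    if (Test-Path $traceDir) { Copy-Item -Path $traceDir -Destination $Destination -Recurse -Force }
    $Destination
}

# Typical use: turn tracing on, reproduce the connection attempt, then collect and
# switch tracing off again so the client does not keep writing verbose logs.
Set-NapTracing -State enable -Level verbose
# ... reproduce the failing VPN, DHCP or 802.1X connection here ...
$bundle = Export-NapTroubleshootingBundle
Set-NapTracing -State disable
"Restriction state: " + (Get-NapClientState).'Restriction state'
"Diagnostics saved to $bundle"
```

Disabling tracing after collection matters: verbose NAP traces record every health evaluation and grow quickly, and leaving them on is a common reason a "temporary" troubleshooting step turns into a disk-space problem on the client.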
24. NAP Event Logs
Event ID Meaning
6272 Successful authentication has occurred
6273 Successful authentication has not occurred
6274 A configuration problem exists
6276 NAP client quarantined
6277 NAP client is on probation
6278 NAP client granted full access
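On the NAP health policy server these event IDs are the quickest way to see whether NAP is doing what the policies intend. The script below is an added example for this page, not course or Microsoft code; it assumes NPS audit events are written to the Security log of the server it runs on (or the one named in -ComputerName) and that the session can read that log (elevated, or a member of Event Log Readers). It counts the six event IDs from the table over a time window and turns the counts into the two checks an operator cares about: whether configuration problems (6274) are present, and what share of NAP decisions ended in quarantine.

```powershell
# Added example for this page (not course or vendor code): summarise NAP/NPS events
# on a health policy server. Assumes PowerShell 3.0+ and read access to the Security log.

# Event IDs and meanings as listed in the module's NAP Event Logs table.
$NapEventMeaning = @{
    6272 = 'Successful authentication has occurred'
    6273 = 'Successful authentication has not occurred'
    6274 = 'A configuration problem exists'
    6276 = 'NAP client quarantined'
    6277 = 'NAP client is on probation'
    6278 = 'NAP client granted full access'
}

function Get-NapEventSummary {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # FilterHashtable filters on the server side, so only the NAP-related IDs are pulled.
    $filter = @{ LogName = 'Security'; Id = [int[]]$NapEventMeaning.Keys; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($group in ($events | Group-Object -Property Id | Sort-Object -Property Name)) {
        $id = [int]$group.Name
        [pscustomobject]@{
            EventId = $id
            Meaning = $NapEventMeaning[$id]
            Count   = $group.Count
        }
    }
}

function Test-NapHealthPosture {
    # Reduces the per-ID counts to what should be acted on: any 6274 means the
    # policy server itself needs attention before client health results are trusted;
    # the quarantine rate shows how many clients the policies are currently restricting.
    param([object[]]$Summary)
    $counts = @{}
    foreach ($row in $Summary) { $counts[$row.EventId] = $row.Count }
    $quarantined = [int]$counts[6276]
    $decisions   = $quarantined + [int]$counts[6277] + [int]$counts[6278]
    [pscustomobject]@{
        ConfigurationProblems = [int]$counts[6274]
        FailedAuthentications = [int]$counts[6273]
        NapDecisions          = $decisions
        QuarantineRate        = if ($decisions -gt 0) { [math]::Round($quarantined / $decisions, 2) } else { $null }
        NeedsAttention        = ([int]$counts[6274] -gt 0)
    }
}

$summary = Get-NapEventSummary -Since (Get-Date).AddDays(-1)
$summary | Format-Table -AutoSize
Test-NapHealthPosture -Summary $summary
```

A sudden jump in the quarantine rate after a policy change usually means the SHV requirements were tightened faster than the remediation servers can bring clients into compliance; a non-zero 6274 count points at the server configuration (for example a health policy that references an SHV that is not configured) rather than at the clients.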
25. Lab: Implementing NAP into a VPN Remote Access Solution
• Exercise 1: Configuring NAP Components
• Exercise 2: Configuring Client Settings to support NAP
Estimated time: 60 minutes
Logon information
Virtual machines: 6421B-NYC-DC1, 6421B-NYC-EDGE1, 6421B-NYC-CL1
User name: Contoso\Administrator
Password: Pa$$w0rd
26. Lab Scenario
Contoso, Ltd. is required to extend their virtual private network solution to include Network Access Protection. As a Contoso, Ltd. technology specialist, you need to establish a way to bring client computers automatically into compliance. You will do this by using Network Policy Server, creating client compliance policies, and configuring a NAP server to check the current health of computers.
27. Lab Review
• The DHCP NAP enforcement method is the weakest enforcement method in Microsoft Windows Server 2008 R2. What makes it less preferable than other ways?
• Could you use the remote access NAP solution alongside the IPsec NAP solution? What benefit would be realized by using such a scenario?
• Could you have used DHCP NAP enforcement for the client? Why or why not?