Configuring Windows Server 2008 NAP DHCP Enforcement

5 bytes removed, 18:48, 6 April 2009
Network Access Protection (NAP) is a system designed to protect networks from clients which are not deemed to be secure, or ''healthy'' to use Microsoft's terminology. When NAP is implemented, a client without the required level of health is directed to a ''remediation server'' from which the necessary updates may be obtained to bring the system into compliance with the network's access policy. In addition, the user may also be directed to a web page giving details of why access to the network has been declined and outlining the steps necessary to remedy the problem.
One way to implement NAP is to integrate it with DHCP so that the NAP policies are enforced whenever a client attempts to lease or renew an IP address. One point to note before implementing such a configuration is that NAP enforcement will only take place for clients which obtain an IP address via DHCP. Clients with static IP addresses will not be subject to NAP enforcement, and a user with local administrator rights can sidestep the check simply by assigning one. DHCP enforcement should therefore be treated as a compliance aid rather than a security boundary; where the policy must be hard to evade it needs to be paired with a stronger NAP enforcement method such as 802.1X or IPsec.
== Installing the Network Policy Server ==
The first step in integrating DHCP and NAP is to install the Network Policy Server role service on the system. This is achieved by starting the Server Manager, selecting ''Roles'' from the left hand pane and clicking on ''Add Roles''. In the Add Roles wizard select the check box next to ''Network Policy and Access Services'', make sure ''Network Policy Server'' is selected on the role services page, and then click ''Install'' to complete the installation process.
Alternatively, the role may be installed from the command prompt using the '''servermanagercmd''' tool.
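The following script is an added example of the command-line installation described above; it is not taken from the original page. It assumes the role service ID is ''NPAS-Policy-Server'' as listed by '''servermanagercmd -query''' (check that listing on your own build before relying on the name), and that the NPS Windows service is registered under its service name ''IAS''.

```powershell
# Added example: install the Network Policy Server role service from the command line.
# Assumption: the role service ID is 'NPAS-Policy-Server' as reported by
# "servermanagercmd -query"; confirm against that listing before relying on it.

$roleService = 'NPAS-Policy-Server'

if (Get-Module -ListAvailable -Name ServerManager) {
    # Windows Server 2008 R2 and later ship the ServerManager PowerShell module.
    Import-Module ServerManager
    $result = Add-WindowsFeature -Name $roleService
    if (-not $result.Success) { throw "Installation of $roleService failed" }
}
else {
    # Windows Server 2008 (RTM) has no ServerManager module; fall back to servermanagercmd.exe.
    & servermanagercmd.exe -install $roleService
    if ($LASTEXITCODE -ne 0) { throw "servermanagercmd returned exit code $LASTEXITCODE" }
}

# Verify the role service shows as installed ("[X]" in the query output) and that the
# NPS service (service name IAS) is running before moving on to the NAP configuration.
$installed = (& servermanagercmd.exe -query) | Select-String -Pattern "\[X\].*\[$roleService\]"
if (-not $installed) { throw "$roleService not reported as installed" }

Get-Service -Name IAS | Where-Object { $_.Status -ne 'Running' } | Start-Service
Get-Service -Name IAS
```

Run it from an elevated prompt; the verification at the end is what you want in a build script, since a role installation that completed but left the NPS service stopped will make every DHCP lease fall back to the "NPS unreachable" behaviour configured later.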
== Configuring NAP in the NAP console ==
With the Network Policy Server role installed, the next step is to configure NAP. Begin by launching the Network Policy Server console (''Start -> All Programs -> Administrative Tools -> Network Policy Server''). Once loaded, select ''NPS (Local)'' in the left hand pane, choose ''Network Access Protection (NAP)'' from the ''Standard Configuration'' drop-down and click ''Configure NAP''. On the first page of the wizard select ''Dynamic Host Configuration Protocol (DHCP)'' as the network connection method and either accept the default policy name of ''NAP DHCP'', or enter a new name for the policy:
The server-wide NAP settings of the DHCP server are found in the DHCP console: unfold the server in the left hand panel, right click the ''IPv4'' entry, select ''Properties'' and click on the ''Network Access Protection'' tab. Within this screen, Network Access Protection can be enabled or disabled on all scopes using the two buttons. Further, the default behavior of the DHCP server when the Network Policy Server (NPS) is unreachable may also be configured. In ''Full Access'' mode, all DHCP clients are given full and unrestricted access to the network (essentially behaving as though NAP enforcement is not implemented). ''Restricted Access'' gives clients a restricted configuration that allows them to reach only the DHCP server to which they are connected; the rest of the network is off limits until the NPS server comes back online. Finally, ''Drop Client Packet'' prevents all client access to the network, since no address is issued at all. Choose this setting deliberately: ''Full Access'' fails open, so an NPS outage silently suspends enforcement, while ''Drop Client Packet'' fails closed and turns the same outage into a loss of connectivity for every DHCP client served by that server.
== Configuring NAP Settings for Scopes ==
The NAP settings for specific scopes can also be accessed and modified using the DHCP console. Once the DHCP console is running (as outlined in the preceding section), unfold the required server from the left hand panel, then unfold the IPv4 entry so that the currently configured scopes are listed. Right click on the required scope entry, select ''Properties'' and click on the ''Network Access Protection'' tab:
Enable or disable NAP for the selected scope using the appropriate selections in the property panel. If NAP is to be enabled for the scope, either elect to use the default NAP profile, or specify the name of a pre-existing custom profile. Once the settings are configured, click ''OK''.
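Both the server-wide settings (NAP on or off, and the NPS-unreachable behavior) and the per-scope settings above are easy to get wrong silently: a single scope left with NAP disabled, or the server left in ''Full Access'' mode, means clients are never evaluated. The following script is an added example, not code from the original page, that audits those settings and reports the fail-open cases. It assumes the ''DhcpServer'' PowerShell module (shipped with Windows Server 2012 and the matching RSAT, not with Windows Server 2008 itself) is available on the machine running the script, which manages the 2008 DHCP server remotely, and that the target server name is supplied by the caller.

```powershell
# Added example: audit the DHCP-side NAP configuration of a server and flag fail-open settings.
# Assumptions: the DhcpServer module (Windows Server 2012 / RSAT or later) is installed on the
# machine running this script, and it can reach the DHCP server named in -DhcpServer. The
# module is not part of Windows Server 2008, so run this from a management workstation.

param(
    [Parameter(Mandatory = $true)][string]$DhcpServer
)

Import-Module DhcpServer

$findings = @()

# Server-wide settings: is NAP enabled at all, and what happens when NPS cannot be reached.
$server = Get-DhcpServerSetting -ComputerName $DhcpServer
if (-not $server.NapEnabled) {
    $findings += "Server $DhcpServer`: NAP is disabled at the server level; no scope is enforced."
}
switch ($server.NpsUnreachableAction) {
    'Full'       { $findings += "Server $DhcpServer`: NPS-unreachable action is Full Access (fail-open); an NPS outage silently suspends enforcement." }
    'Drop'       { $findings += "Server $DhcpServer`: NPS-unreachable action is Drop Client Packet (fail-closed); an NPS outage denies addresses to every DHCP client." }
    'Restricted' { }  # clients get an address but no default gateway until NPS returns
}

# Per-scope settings: every active scope should have NAP enabled; an empty NapProfile
# means the scope uses the default NAP profile rather than a named custom one.
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    if ($scope.State -ne 'Active') { continue }
    if (-not $scope.NapEnable) {
        $findings += "Scope $($scope.ScopeId) ($($scope.Name)): NAP disabled; clients in this scope are never evaluated."
    }
    elseif ([string]::IsNullOrEmpty($scope.NapProfile)) {
        $findings += "Scope $($scope.ScopeId) ($($scope.Name)): NAP enabled with the default profile (informational)."
    }
    else {
        $findings += "Scope $($scope.ScopeId) ($($scope.Name)): NAP enabled with custom profile '$($scope.NapProfile)' (informational)."
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No NAP configuration issues found on $DhcpServer."
}
else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Save the script as, for example, ''Audit-DhcpNap.ps1'' and run it as ''.\Audit-DhcpNap.ps1 -DhcpServer dhcp01.corp.example'' (a hypothetical server name). The scope loop deliberately reports enabled scopes too, so the output is a complete inventory that can be diffed after every change to the DHCP console rather than only a list of problems.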