Windows 2012 NAP (NPS) With DHCP PDF

itToby: Windows 2012 NAP (NPS) with DHCP
1 de 9
http://blog.ittoby.com/2013/06/windows-2012-nap-nps-with-dhcp.html
Because if I don't write it down I might forget it.
Tu e s d a y, J u n e 11 , 2 0 1 3
Windows 2012 NAP (NPS) with DHCP

After my last article on DHCP I decided to flesh out the Microsoft offerings and expand into Network Policy Server. NPS is
actually a set of different features from Microsoft including RADIUS and what the rest of the industry knows as NAC,
(Network Access Control) which Microsoft calls NAP (Network Access Protection). This allows you to grant or deny
network access to clients based on criteria such as:
Domain/Group Membership
Client source network
Popular Posts
Setup and Tweak Your New Asus

RT-AC66U or N66U Router!
(partially OT)
Starting Small: Set Up a Hadoop
Compute Cluster Using
Raspberry Pis
Using a Raspberry Pi as a Thin
Client for RDP/RemoteFX
/VMWare View or Citrix
Time of day
Client health (as determined by an SHV, see below for more)
Safely Demote a Windows

2008/r2 Core Domain Controller
Server 2012 Hyper-V + RDP +
RemoteFX = a Delicious
"Sangwich" of Cheap VDI
Web Application Proxy Server in
2012 R2
Search itToby.com
Follow on
Twitter
Follow @Toby_Meyer
These rules must be introduced to the clients at an insertion point (think of it as an entry gate). The supported insertion
points include:
About Me
IPSec
802.1X
VPN
DHCP
RDGateway
I'll be covering integration with DHCP since it is by far the most cost effective method considering the required role of
Microsoft based services in the environment. For information on the others, see Technet: NAP Enforcement Points.First,
let's set up NAP:
Assumptions
At least one Windows 2012 server ready to go. Note that NPS is not supported on server core. Most of these
instructions are applicable to 2008/r2 as well.
Toby
Meyer
View my
complete
profile
Blog Archive
DHCP installed and ready to go.
2015 (2)
Sufficient Privileges (Domain Admin generally)
2014 (12)
I assume you'll be installing NAP on the DHCP server itself. You can have these roles on separate servers should
you desire, but you'll need to install the NAP piece on the DHCP server as a RADIUS proxy. I won't be covering
that piece here. For more on that, see this Technet article.
2013 (30)
Installing NAP
December (2)
October (2)
September (1)
1. Using server manager, select "Manage"->"Add Roles or Features"
August (2)
2. Navigate through the Add Roles and Features Wizard, selecting the target server and "Network Policy and Access
Services".
July (2)
June (3)
Safely Demote a Windows
2008/r2 Core Domain
Contro...
Upgrade Windows Server
Core 2008r2 to 2012 In
Plac...
Windows 2012 NAP (NPS)
with DHCP
5/27/2015 5:41 PM
2 de 9
May (3)
April (3)
March (3)
February (4)
January (5)
2012 (18)
2011 (2)
2009 (2)
2008 (4)
3. When prompted to select role services, you need keep only the default "Network Policy Server" selected and
continue through the wizard.
Repeat this step for the DHCP server as well if it's a different server than the one you installed NAP on.
Configuring NAP
The NAC portion of NAP is actually a collection of several different elements. The following elements make up a NAP
policy that can be used by DHCP; numbers in front represent the default number of that item for one overall policy:
Connection Request Policy (Created by Wizard)
(3) Network Policies (Created by Wizard)
(2) Health Policies (Created by Wizard)
Windows Security Health Validator
At least one Remediation Server Group
There is a (seemingly hidden) wizard to guide you through the process of creating most of these elements, but we're
going to create the unguided ones first and then circle back and use the Wizard since we'll want to point to those during
the Wizard portion. For all these sections save the DHCP and client sections we'll be working in the Network Policy Server
management tool.
Windows Security Health Validator

The Security Health Validator is the policy for defining what a healthy windows client is. The built-in Windows SHV gives
the NAP server the capability to interact with the Network Access Protection Agent service on Windows clients (XP SP3
and newer) to determine the health status of that given client. The Security Health Validator determines what criteria
the client must pass for the client to be considered healthy. There is a default configuration that can be utilized but for
the sake of experience we'll configure the Windows SHV. To do so:
1. First, open the NAP management tool by selecting "Tools"->"Network Policy Server" from Server Manager.
2. Expand "Network Access Protection"->"System Health Validators"->"Windows Security Health Validator"->"Settings"
3. Right click "Settings"->"New"
4. Give the SHV a name; make it something meaningful to describe the target client base, i.e. "Standard Client Set"
5. Set your settings as desired; they're split into settings for Windows XP and Vista or higher. The settings are quite
straightforward though it should be noted that if you would like to utilize WSUS to update out of compliance
clients (assuming you select being out of date makes for a failed check) you'll need to check the box on the very
bottom of the options dialog. Click "OK" when complete.
5/27/2015 5:41 PM
3 de 9
6. Click on the "Error Codes" under "Settings" and take note of the Error Code Configurations. Generally the default
state of "Noncompliant" for each setting is desirable, but depending on your clients and equipment there may be
situations where you would want to change some of these SHV check failures to compliant.
Note that third parties can also create SHVs to plugin to the NAP architecture for use with other products. (Old list of
some others here)
Remediation Server Groups

The remediation server groups are the servers that will be made accessible to non-compliant clients if you choose to do
so. These servers can be used to patch clients to a compliant status. Note that any services needed to contact the
remediation services (WSUS, Antivir FTP, etc.) need to be available for the clients to update properly. (DNS, etc.) Under
the DHCP enforcement model, these servers are made available via static routes. Also note that you can provide a help
URL to a website instructing access-limited clients on how to repair their machines. The server that hosts this URL and all
resources required to resolve it must be part of the remediation server group as well. For more information about RSGs,
see Technet: Planning the Placement of a NAP Remediation Server. Assuming you have determined which servers need be
part of the remediation group, let's set them up:
1. Expand "Network Access Protection"->"Remediation Server Groups"
2. Right Click->"New" (Note that these can be stored as templates for use elsewhere as well)
3. Give the group a meaningful name; note that each health policy can use only one group, so everything for that
client base will need be in that group. Something like "Sitename Remediation Group"
4. Click the "Add" button to add a server.
5. Enter a friendly name for this server, i.e. "Minneapolis WSUS 01" or just the server name and then enter the DNS
name and click "Resolve". Hit "OK" when complete.
6. Repeat steps 4 and 5 for each server in this group. Then hit "OK" on the "New Remediation Server Group" page.
Setup Remaining Items with The Whiz

1. Click "NPS" on the top of the Network Policy Server management tool.
2. Click "Configure NAP" to launch the secret hidden Wizard.
5/27/2015 5:41 PM
4 de 9
3. Select "Dynamic Host Configuration Protocol (DHCP)" under "Network Connection Method". Note this is where you
would select a different option should you want to use a different insertion point. If you wish to enable this
policy on only specific scopes then give the policy a name, I.E. "Minneapolis NAP DHCP". If you wish this policy
to be effective on all scopes do not change it from the default name. Click "Next".
4. On the next screen, click add if the DHCP server is not on the same server as the main NAP server. If that is the
case, enter a Friendly Name, Address, and Shared Secret and click "OK". If not, no action is necessary. After this is
complete, click "Next".
5. On the next screen, "Specify DHCP Scopes", we need only add scopes if we want this policy to apply to a specific
set of scopes. If we do not specify any scopes it will apply to all NAP enabled scopes. Either add the name of all
specific scopes to which this policy will apply or just click "Next" with the scopes empty to have it apply to all.
6. The "Configure Machine Groups" screen, like the previous DHCP Scopes screen, is only for limiting access to a set of
computers. Should you choose, specify the group(s) of computers you would like to receive IP addresses. In most
cases you should leave this blank, but in the event you would restrict via group click "Add" and enter the groups
you would like to have access. Click "Next" when you are done with this screen.
5/27/2015 5:41 PM
5 de 9
7. On the next "Specify a NAP Remediation Server Group and URL" screen select the server remediation group we
created earlier. If you would like the clients to have access to a web site describing how to re-mediate their
machines enter that under "Troubleshooting URL". Note you must setup this site, it is not included with NAP since
the instructions will be different depending on your software selection. After entering the required information,
click "Next".
8. "Define NAP Health Policy" is the final screen. You should see the "Windows Security Health Validator" selected and
you can go ahead and enable auto-remediation of client computers with the applicable check box. I'll address this
a bit more in closing.
9. As for "Network access restrictions for NAP-ineligible client computers", select whichever you prefer. In most cases
if you've bothered to come this far you'll be selecting to deny full network access since that's usually the point.
Click "Next".
5/27/2015 5:41 PM
6 de 9
10. You will be presented with a summary screen; review the information and click "Finish".
Configure Clients
We need to configure two important elements to make the clients functional: Enable the service and configure it to
enforce via DHCP. To accomplish that, we'll use group policy. You will need to ensure your group policy objects are
targeted appropriately via something like OU linking or security filtering. If you need more information on how to target
group policy objects, see this link. Also note that according to some Microsoft documentation, the Wired and/or Wireless
Autoconfig services need to be set to automatic, but in my testing they worked when set to manual. Keep that in mind if
you have issues.
1. Edit the group policy object you plan to use for NAP client enforcement using the Group Policy Management tool.
2. Navigate to Computer Configuration->Policies->Windows Settings->Security Settings->System Services
3. Double click "Network Access Protection Agent" and check "Define this policy setting" and select "Automatic". Click
"OK" to save the setting.
5/27/2015 5:41 PM
7 de 9
4. Navigate to Computer Configuration->Policies->Windows Settings->Security Settings->Network Access

Protection->NAP Client Configuration->Enforcement Clients
5. Double click "DHCP Quarantine Enforcement Client", check "Enable this enforcement client" and click "OK" to save
the setting.
6. Provided you're ready, take any steps necessary to apply the GPO to the desired clients. (Link, etc.)
Enable in DHCP
You can either enable globally or on a per-scope basis. I will give the instructions on how to enable globally. If you want
to enable on a per-scope basis substitute right-clicking on the "IPv4" below with the scope(s) you desire instead. In that
case, you'll need to specify the custom name of the policy you created in step 3 above.
1. Open the DHCP Manager and point it at the server in question.
2. Right click "IPv4" and click "Properties"
3. Click "Network Access Protection"
4. Select what you would like to happen should the NAP server become unavailable, then click "Enable on all scopes".
5. You will be notified that your NAP settings will be overridden on all scopes. Assuming this is what you would like to
5/27/2015 5:41 PM
8 de 9
do, click "Yes".

6. Click "OK".
If you're using a 2012 failover/loadbalance configuration the NAP settings will replicate for each scope, but make sure
communication to the NAP server is configured correctly for each DHCP server. That connection information is not
replicated. Here is additional info should you need it: Technet: Configure a DHCP Server for NAP. No restart of anything is
needed; you should be using NAP now!
Usage Notes/Troubleshooting
If using a custom profile name for a specific scope, you'll need to provide the custom profile name. This name
is the name of the connection request policy you would like to use. For more info see: Configuring Custom NPS
Policies Per DHCP scope
The event log location relevant to NPS authentication is in the security log with the task category of "Network
Policy Server". A filtered view of this can be found under "Custom Views->Server Roles->Network Policy and
Access Server".
Know that this solution won't keep out anyone trying to infiltrate your network; anyone with a moderate
amount of savvy can take steps to determine what IP to assign themselves should they have physical access to
your network.
What references what?
* Compliant and * Non-Compliant Network Policies reference Health Policies
Health Policies reference Security Health Validators
DHCP scopes reference Connection Request Policies
You can add several other types of criteria to your policy should you desire. Take a look at your policies under
NPS->Policies->Network Policies for more options.
If you enabled auto-remediation, clients will try to repair themselves for simple issues. For example: if a
client's firewall is off and the policy requires it, the client will re-enable the firewall and attempt to pass the
health check again. Should this fail manual intervention will be necessary. For more information on how to
troubleshoot the client, see "Configure NAP Tracing" on Technet.
Make sure you monitor the load on your NPS servers; the last thing you want is for them to get overwhelmed
and prevent proper servicing of DHCP requests. There are some performance counters that can help you with
this task; for more info see Technet: Load Balancing with NPS Proxy. Also, be sure to read up on Technet: Best
Practices for NPS which covers performance as well as other important info.
For some information regarding how to use Powershell to configure/manipulate NPS, see my post here.
Prologue
5/27/2015 5:41 PM
9 de 9
Obviously we're just scratching the surface here; there is quite a bit more that we could dig into but I'm going to stop
here in the interest of time. NAC solutions aren't particularly popular right now in a regular office scenario, but as issues
continue to arise with malware, etc. more companies may determine these sorts of solutions are necessary. If you already
have a Microsoft based infrastructure you probably have nearly everything you need to implement this solution. If you
have questions/concerns/comments please feel free to comment. Thanks!
References
Network Policy Server
Network Policy and Access Services Overview
Network Access Protection in NPS
Checklist: Implementing a DHCP Enforcement Design
Networking and Access Technologies: Network Policy and Access Services
Planning the Placement of a NAP Health Requirement Server
NAP Client and Server-side Component Communication
Posted by Toby Meyer at 6:10 PM

Labels: 2008, 2012, DHCP, NPS, secuirty, Windows
2 comments:
Vi said...
Thank you very much for this helpful blog!
This is the best article I have found about the "NAP with DHCP" subject. Beautiful work!
I wish this article could be published in Microsoft books. Then the student could be better and quicker aducated.
Thank you!
April 8, 2014 at 6:06 PM
Toby Meyer said...

@Vi
Thank you for your kind words, I'm glad you liked it!
April 8, 2014 at 11:45 PM
Post a Comment
Newer Post
Home
Older Post
Subscribe to: Post Comments (Atom)
Simple template. Powered by Blogger.
5/27/2015 5:41 PM

Windows 2012 NAP (NPS) With DHCP PDF

Enviado por

Dados do documento

Descrição original:

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Windows 2012 NAP (NPS) With DHCP PDF

Enviado por

Direitos autorais:

Formatos disponíveis

itToby: Windows 2012 NAP (NPS) with DHCP

Because if I don't write it down I might forget it.