Windows 2012 NAP (NPS) with DHCP
http://blog.ittoby.com/2013/06/windows-2012-nap-nps-with-dhcp.html
Tuesday, June 11, 2013
Time of day
Client health (as determined by an SHV, see below for more)
These rules must be introduced to the clients at an insertion point (think of it as an entry gate). The supported insertion
points include:
IPSec
802.1X
VPN
DHCP
RDGateway
I'll be covering integration with DHCP since it is by far the most cost-effective method, given the Microsoft-based services most such environments already run. Keep in mind that it is also the weakest of the enforcement points (see the Usage Notes at the end). For information on the others, see Technet: NAP Enforcement Points. First, let's set up NAP:
Assumptions
At least one Windows Server 2012 server ready to go. Note that NPS is not supported on Server Core. Most of these instructions apply to 2008/R2 as well.
I assume you'll be installing NAP on the DHCP server itself. You can have these roles on separate servers should you desire, but then NPS must also be installed on the DHCP server and configured as a RADIUS proxy that forwards the DHCP server's requests to the NAP server. I won't be covering that piece here; for more on that, see this Technet article.
Installing NAP
2. Navigate through the Add Roles and Features Wizard, selecting the target server and "Network Policy and Access
Services".
3. When prompted to select role services, keep only the default "Network Policy Server" selected and continue through the wizard.
Repeat this step on the DHCP server as well if it is a different server than the one on which you installed NAP.
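The same installation, plus the NPS-side objects the wizard will ask for later (the remediation server group, and the RADIUS client entry for a DHCP server that lives on a different box), can be scripted. The following is an added example and is not code from the original post; the host names, addresses and group name are placeholders, and the New-Nps* cmdlets are assumed from the NPS module that ships with Windows Server 2012 (check with Get-Command -Module NPS before relying on them).

```powershell
# Added example (not from the original post). Run from an elevated PowerShell on the
# Windows Server 2012 box that will hold NPS. All names and addresses are placeholders.

# 1. Role services. NPAS-Policy-Server is the "Network Policy Server" role service the
#    Add Roles wizard leaves selected; add DHCP only if this server also serves DHCP.
Install-WindowsFeature -Name NPAS-Policy-Server, DHCP -IncludeManagementTools

# 2. Register NPS in Active Directory so it may read account dial-in properties
#    (GUI equivalent: right-click "NPS (Local)" -> "Register server in Active Directory").
netsh nps add registeredserver

# Cmdlet names below are assumed from the NPS module; verify with Get-Command -Module NPS.
Import-Module NPS

# 3. Remediation server group the NAP wizard requires. Restricted clients only get routes
#    to these addresses, so list update servers AND the host of the troubleshooting URL.
New-NpsRemediationServerGroup -Name 'NAP Remediation'
New-NpsRemediationServer -GroupName 'NAP Remediation' -Name 'wsus01'   -Address '10.10.5.20'
New-NpsRemediationServer -GroupName 'NAP Remediation' -Name 'napweb01' -Address '10.10.5.21'

# 4. Only when DHCP runs on another server: create its RADIUS client entry here (the
#    wizard's "Add" button on the DHCP servers page does the same). Generate the shared
#    secret from a CSPRNG rather than typing one; enter it once on the DHCP server's
#    RADIUS proxy, then discard it.
$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes  = New-Object byte[] 32
$rng.GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)
New-NpsRadiusClient -Name 'dhcp01' -Address '10.10.1.5' -SharedSecret $secret -NapCompatible $true
Write-Host "Shared secret for dhcp01 (record it now, it is not shown again): $secret"

# 5. Snapshot the configuration before running the NAP wizard. The export contains RADIUS
#    shared secrets in clear text, so restrict the file's ACL or delete it after copying it
#    to a protected location.
Export-NpsConfiguration -Path 'C:\Admin\nps-before-wizard.xml'
```

Step 4 is skipped entirely when NPS and DHCP share a server; in that case the DHCP server talks to NPS locally and no RADIUS client entry is needed.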
Configuring NAP
The NAC portion of NAP is actually a collection of several different elements. The following elements make up a NAP
policy that can be used by DHCP; numbers in front represent the default number of that item for one overall policy:
Connection Request Policy (Created by Wizard)
(3) Network Policies (Created by Wizard)
(2) Health Policies (Created by Wizard)
Windows Security Health Validator
At least one Remediation Server Group
There is a (seemingly hidden) wizard to guide you through the process of creating most of these elements, but we're
going to create the unguided ones first and then circle back and use the Wizard since we'll want to point to those during
the Wizard portion. For all these sections save the DHCP and client sections we'll be working in the Network Policy Server
management tool.
6. Click "Error Codes" under "Settings" and take note of the error code configuration. These settings decide how a client is treated when the health check itself cannot complete (the SHA or SHV does not respond, or cannot reach its required services). Generally the default of "Noncompliant" for each is desirable, but depending on your clients and equipment there may be situations where you want to treat some of these failures as compliant. Be aware that doing so fails open: a machine whose NAP agent is not answering at all would then be admitted.
Note that third parties can also create SHVs to plugin to the NAP architecture for use with other products. (Old list of
some others here)
3. Select "Dynamic Host Configuration Protocol (DHCP)" under "Network Connection Method". This is also where you would select a different option should you want to use a different insertion point. If you wish to enable this policy only on specific scopes, give the policy a name, e.g. "Minneapolis NAP DHCP"; that name becomes the name of the connection request policy, and it is the "NAP profile" name you will later enter on those scopes in DHCP. If you wish this policy to be effective on all scopes, leave the default name. Click "Next".
4. On the next screen, click "Add" if the DHCP server is not the same server as the main NAP server, then enter a Friendly Name, Address, and Shared Secret and click "OK". This creates the RADIUS client entry for the DHCP server, so use a long, random shared secret and enter the same value in the DHCP server's RADIUS proxy configuration. If both roles are on the same server, no action is necessary. Click "Next".
5. On the next screen, "Specify DHCP Scopes", we need only add scopes if we want this policy to apply to a specific
set of scopes. If we do not specify any scopes it will apply to all NAP enabled scopes. Either add the name of all
specific scopes to which this policy will apply or just click "Next" with the scopes empty to have it apply to all.
6. The "Configure Machine Groups" screen, like the previous DHCP Scopes screen, is only for limiting access to a set of
computers. Should you choose, specify the group(s) of computers you would like to receive IP addresses. In most
cases you should leave this blank, but in the event you would restrict via group click "Add" and enter the groups
you would like to have access. Click "Next" when you are done with this screen.
7. On the "Specify a NAP Remediation Server Group and URL" screen, select the remediation server group we created earlier. If you would like clients to have access to a web site describing how to remediate their machines, enter it under "Troubleshooting URL". You must set up this site yourself; it is not included with NAP, since the instructions will differ depending on your software selection. Note that restricted clients can only reach addresses in the remediation server group, so the web server hosting that URL must be a member of the group as well. After entering the required information, click "Next".
8. "Define NAP Health Policy" is the final screen. You should see the "Windows Security Health Validator" selected and
you can go ahead and enable auto-remediation of client computers with the applicable check box. I'll address this
a bit more in closing.
9. As for "Network access restrictions for NAP-ineligible client computers" (clients that are not NAP-capable at all, such as older or non-Windows hosts), select whichever you prefer. In most cases, if you've bothered to come this far, you'll be selecting to deny full network access, since that's usually the point. Click "Next".
10. You will be presented with a summary screen; review the information and click "Finish".
Configure Clients
We need to configure two things to make the clients functional: enable the NAP Agent service, and enable the DHCP enforcement client. To accomplish that, we'll use group policy. You will need to ensure your group policy objects are targeted appropriately via something like OU linking or security filtering; if you need more information on how to target group policy objects, see this link. Also note that according to some Microsoft documentation, the Wired and/or WLAN AutoConfig services need to be set to Automatic, but in my testing they worked when set to Manual. Keep that in mind if you have issues.
1. Edit the group policy object you plan to use for NAP client enforcement using the Group Policy Management tool.
2. Navigate to Computer Configuration->Policies->Windows Settings->Security Settings->System Services
3. Double click "Network Access Protection Agent" and check "Define this policy setting" and select "Automatic". Click
"OK" to save the setting.
6. Provided you're ready, take any steps necessary to apply the GPO to the desired clients. (Link, etc.)
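Before linking the GPO to a whole OU it is worth proving the settings on one machine. The following added example (not from the original post) applies the local-machine equivalents of the GPO settings described above with the built-in Set-Service and netsh nap client commands and then reads the client's NAP state back; the service names and the enforcement client IDs are the standard Windows ones.

```powershell
# Added example (not from the original post). Local equivalents of the NAP client GPO
# settings, for testing one domain-joined client. Run from an elevated PowerShell.

# NAP Agent service (the GPO's "Network Access Protection Agent" -> Automatic).
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Wired / WLAN AutoConfig: Microsoft documents Automatic; the post found Manual sufficient.
Set-Service -Name dot3svc -StartupType Automatic
if (Get-Service -Name WlanSvc -ErrorAction SilentlyContinue) {
    Set-Service -Name WlanSvc -StartupType Automatic
}

# Enable the DHCP quarantine enforcement client. Enforcement client IDs:
# 79617 = DHCP, 79619 = IPsec, 79621 = RD Gateway, 79623 = EAP (802.1X / VPN).
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

# Verify. "show state" reports whether the agent is running, which enforcement clients
# initialized and the last health/restriction state; "show grouppolicy" shows what the
# GPO delivered once it is linked, so you can tell local from policy-driven settings.
netsh nap client show state
netsh nap client show grouppolicy
```

Once the GPO is linked, gpupdate /force on the same client followed by netsh nap client show grouppolicy confirms that the policy, rather than the local change, is now driving the configuration.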
Enable in DHCP
You can enable NAP either globally or on a per-scope basis. I will give the instructions for enabling globally. If you want to enable per scope, substitute the scope(s) you desire for "IPv4" when right-clicking below; in that case you'll also need to enter the custom name of the policy you created in step 3 of the wizard as the NAP profile.
1. Open the DHCP Manager and point it at the server in question.
2. Right click "IPv4" and click "Properties"
3. Click "Network Access Protection"
4. Select what you would like to happen should the NAP server become unavailable, then click "Enable on all scopes". Choose deliberately: "Full Access" fails open (every client gets a normal lease while NPS is down), "Restricted Access" treats every client as noncompliant, and "Drop Client Packet" hands out no leases at all.
5. You will be notified that your NAP settings will be overridden on all scopes. Assuming this is what you would like to
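The DHCP side can be driven from the DhcpServer module that ships with Windows Server 2012 instead of the console. The following added example (not from the original post) applies the server-wide setting, enables NAP on one scope with a custom profile name, and reads the result back; the server name, scope ID and profile name are placeholders, and the profile name must equal the connection request policy name from step 3 of the wizard.

```powershell
# Added example (not from the original post). Enables NAP on a DHCP server with the
# DhcpServer module. Server name, scope ID and profile name are placeholders.
Import-Module DhcpServer
$dhcp = 'dhcp01.corp.example'

# Server-wide switch plus the "NPS unreachable" behaviour (the console's "Full Access" /
# "Restricted Access" / "Drop Client Packet" choice). Full fails open; Restricted does not.
Set-DhcpServerSetting -ComputerName $dhcp -NapEnabled $true -NpsUnreachableAction Restricted

# Per scope. Omit -NapProfile to use the default connection request policy; set it when
# you gave the policy a custom name ("Minneapolis NAP DHCP" in step 3 of the wizard).
Set-DhcpServerv4Scope -ComputerName $dhcp -ScopeId 10.10.20.0 `
    -NapEnable $true -NapProfile 'Minneapolis NAP DHCP'

# Verify: every scope, its NAP state and the profile it points at. A scope with
# NapEnable=True whose NapProfile matches no connection request policy on NPS will not
# produce the restricted lease you expect.
Get-DhcpServerv4Scope -ComputerName $dhcp |
    Select-Object ScopeId, Name, State, NapEnable, NapProfile |
    Format-Table -AutoSize
Get-DhcpServerSetting -ComputerName $dhcp | Select-Object NapEnabled, NpsUnreachableAction
```

To enable every scope at once with the default profile, pipe Get-DhcpServerv4Scope into Set-DhcpServerv4Scope -NapEnable $true and leave -NapProfile off; that matches the console's "Enable on all scopes" button.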
Usage Notes/Troubleshooting
If using a custom profile name for a specific scope, you'll need to provide the custom profile name. This name
is the name of the connection request policy you would like to use. For more info see: Configuring Custom NPS
Policies Per DHCP scope
The event log location relevant to NPS authentication is in the security log with the task category of "Network
Policy Server". A filtered view of this can be found under "Custom Views->Server Roles->Network Policy and
Access Server".
Know that this solution won't keep out anyone trying to infiltrate your network. DHCP enforcement works only through what the lease contains: a noncompliant client receives a 255.255.255.255 subnet mask, no default gateway, and static routes to the remediation servers only. Anyone with a moderate amount of savvy and physical access to your network can simply sniff the segment to determine what IP to assign themselves and configure it statically.
What references what?
The "<policy name> Compliant" and "<policy name> Noncompliant" Network Policies the wizard created reference Health Policies
Health Policies reference Security Health Validators
DHCP scopes reference Connection Request Policies (by the NAP profile name)
You can add several other types of criteria to your policy should you desire. Take a look at your policies under
NPS->Policies->Network Policies for more options.
If you enabled auto-remediation, clients will try to repair themselves for simple issues. For example: if a
client's firewall is off and the policy requires it, the client will re-enable the firewall and attempt to pass the
health check again. Should this fail manual intervention will be necessary. For more information on how to
troubleshoot the client, see "Configure NAP Tracing" on Technet.
Make sure you monitor the load on your NPS servers; the last thing you want is for them to get overwhelmed
and prevent proper servicing of DHCP requests. There are some performance counters that can help you with
this task; for more info see Technet: Load Balancing with NPS Proxy. Also, be sure to read up on Technet: Best
Practices for NPS which covers performance as well as other important info.
For some information regarding how to use Powershell to configure/manipulate NPS, see my post here.
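The Security log events mentioned above are the fastest way to see why a client ended up restricted, and the performance counters are how you watch the load. As an added example (not from the original post), the following PowerShell pulls NPS decisions out of the Security log, summarizes them and lists the restricted ones with the SHV result; the event IDs are the standard NPS audit IDs, the EventData field names are those used in the NPS event XML (compare against the ToXml() output if a column comes back empty), and the counter paths are read from the server rather than assumed.

```powershell
# Added example (not from the original post). Summarize NPS/NAP decisions from the
# Security log and sample the NPS counters. Run as an account that can read the log.
# Event IDs: 6272 access granted, 6273 access denied, 6274 discarded, 6276 quarantined
# (restricted lease), 6277 granted on probation, 6278 full access, health policy met.
function Get-NpsDecision {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 6272, 6273, 6274, 6276, 6277, 6278
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is a list of <Data Name="...">value</Data>; flatten it to a hashtable.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time         = $_.TimeCreated
                Id           = $_.Id
                Machine      = $d['FullyQualifiedSubjectMachineName']  # DHCP NAP identifies machines
                RadiusClient = $d['ClientIPAddress']                   # the DHCP server
                CRP          = $d['ProxyPolicyName']                   # connection request policy
                NetworkPol   = $d['NetworkPolicyName']                 # ... Compliant / Noncompliant
                Quarantine   = $d['QuarantineState']
                ShvResult    = $d['QuarantineSystemHealthResult']
                Reason       = $d['Reason']                            # populated on 6273
            }
        }
}

# How many of each decision in the last day, then every restricted/denied client in detail.
$events = Get-NpsDecision -Hours 24
$events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
$events | Where-Object { $_.Id -in 6273, 6276 } |
    Select-Object Time, Machine, NetworkPol, ShvResult, Reason | Format-Table -AutoSize -Wrap

# Load: discover the NPS counter paths on this server instead of guessing their names,
# then take a few samples. Watch pending/discarded requests climb before DHCP suffers.
$paths = Get-Counter -ListSet 'NPS*' | Select-Object -ExpandProperty Paths
if ($paths) {
    Get-Counter -Counter $paths -SampleInterval 5 -MaxSamples 3 |
        Select-Object -ExpandProperty CounterSamples |
        Where-Object { $_.CookedValue -ne 0 } |
        Select-Object Path, CookedValue
}
```

A burst of 6276 events whose ShvResult names the same failed check across many machines usually means a policy problem rather than a client problem; a burst of 6274 or rising pending-request counters means NPS itself is the bottleneck, which is the situation the load warning above is about.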
Epilogue
Obviously we're just scratching the surface here; there is quite a bit more that we could dig into but I'm going to stop
here in the interest of time. NAC solutions aren't particularly popular right now in a regular office scenario, but as issues
continue to arise with malware, etc. more companies may determine these sorts of solutions are necessary. If you already
have a Microsoft based infrastructure you probably have nearly everything you need to implement this solution. If you
have questions/concerns/comments please feel free to comment. Thanks!
References
Network Policy Server
Network Policy and Access Services Overview
Network Access Protection in NPS
Checklist: Implementing a DHCP Enforcement Design
Networking and Access Technologies: Network Policy and Access Services
Planning the Placement of a NAP Health Requirement Server
NAP Client and Server-side Component Communication
2 comments:
Vi said...
Thank you very much for this helpful blog!
This is the best article I have found about the "NAP with DHCP" subject. Beautiful work!
I wish this article could be published in Microsoft books. Then the student could be better and quicker educated.
Thank you!
April 8, 2014 at 6:06 PM