{"id":1409,"date":"2014-01-17T09:15:55","date_gmt":"2014-01-17T15:15:55","guid":{"rendered":"http:\/\/www.poweradmin.com\/blog\/?p=1409"},"modified":"2015-04-24T16:44:50","modified_gmt":"2015-04-24T21:44:50","slug":"nap-enforcement-network-access-protection","status":"publish","type":"post","link":"https:\/\/www.poweradmin.com\/blog\/nap-enforcement-network-access-protection\/","title":{"rendered":"NAP Enforcement (Network Access Protection)"},"content":{"rendered":"

\n\tNAP or Network Access Protection<\/em> is a Windows Server security mechanism which enables you to control how computers gain access to network resources. The main functionality of NAP is to verify and ensure that only healthy computers will be marked as compliant and will receive network access. In this article we will talk about some of the enforcement technologies available with NAP. These technologies are responsible for allowing or denying network access for NAP clients. There are four main enforcement types available with NAP as follows: IPSec, DHCP, VPN and 801.2X<\/em>. Within a network you can configure one or multiple enforcement types and these technologies should be chosen according to the network\u2019s infrastructure and requirements.<\/span><\/span>\n<\/p>\n

\n\tDHCP Enforcement<\/em><\/strong> <\/span><\/span><\/span>
\n<\/h2>\n

\n\t\u2013 Uses a Windows Server that has the Dynamic Host Control Protocol (DHCP)<\/em> service running. Compliant computers will gain network access while non-compliant computers can be either redirected to remediation servers or denied network access. Once you\u2019ve installed and configured DHCP<\/a> you\u2019ll need to add the Network Policy and Access Services<\/em> role to your Windows Machine. If you need to configure additional DHCP options, check this article from IT training day<\/a>. Note that for these demonstrations I will be using a Windows Server 2012 machine. After you add the Network Policy and Access Services role<\/em>, open the NPS console and configure NAP using the wizard:<\/span><\/span>\n<\/p>\n

\n\t\"Select<\/a>\n<\/p>\n

\n\tIf you don\u2019t know how to install and configure NAP using the wizard you should check this link<\/a> for further instructions. Once NAP has been configured for the DHCP server, you\u2019ll need to enable NAP for the desired DHCP scopes. To enable NAP enforcement for all DHCP scopes<\/em>, open the DHCP console <\/em>and navigate to the IPv4 <\/em>section, right click<\/em> and select Properties<\/em>:<\/span><\/span>\n<\/p>\n

\n\t\"DHCP<\/a>\n<\/p>\n

\n\tNavigate to the Network Access Protection<\/em> tab and just under the Network Access Protection Settings <\/em>section, click the button enable on all scopes. <\/em>You can configure what behavior the DHCP server takes in case the Network Policy Server (NPS)<\/em> is unreachable. There are three options available as follows:<\/span><\/span>\n<\/p>\n

\n\tFull Access<\/em> \u2013 all NAP clients will receive network access even if they are not compatible with NAP\u2019s policies.<\/span><\/span>\n<\/p>\n

\n\tRestricted Access<\/em> \u2013 devices that are not compliant with the network\u2019s requirements will receive access to the remediation servers to fix any problems regarding their health state.<\/span><\/span>\n<\/p>\n

\n\tDrop Client Packet<\/em> \u2013 the server will drop the connection with non-compatible NAP clients requesting access to the network.<\/span><\/span>\n<\/p>\n

\n\t\"IPv4<\/a>\n<\/p>\n

\n\tIf you want to enable NAP enforcement for a single scope<\/em>, navigate to the desired scope section and select Properties<\/em>:<\/span><\/span>\n<\/p>\n

\n\t\"NAP<\/a>\n<\/p>\n

\n\tNow navigate to the Network Access Protection tab<\/em> and enable <\/em>this feature for the scope. You can use the default NAP profile or use a custom profile.<\/span><\/span>\n<\/p>\n

\n\t802.1X Enforcement <\/em><\/strong><\/span><\/span><\/span>
\n<\/h2>\n

\n\t\u2013 This NAP enforcement takes advantage of 802.1X compatible switches and APs (access points) to authenticate computers. The server running the NPS service will check each computer before it is authenticated and if the health state is not compatible with the network\u2019s requirements, the computer will be redirected to the remediation network. Switches and Access Points use special filters such as ACLs (Access Control Lists)<\/em> and\/or VLANs (Virtual Local Area Network)<\/em> to separate non-compliant computers from the rest of the network.<\/span><\/span>\n<\/p>\n

\n\tYou\u2019ll need to configure NAP for IEEE 802.1X Wired or Wireless<\/em> networks using the Wizard<\/em>:<\/span><\/span>\n<\/p>\n

\n\t\"Configure<\/a>\n<\/p>\n

\n\tWhen enabling PEAP Protected Extensible Authentication Protocol for 802.1X NAP enforcement<\/em>, you\u2019ll need to install a server certificate<\/em> from a Certification Authority (CA)<\/em> trusted by the NAP clients. The best thing to do is to enable auto-enrollment<\/em> on your local CA. If you don\u2019t know how to enable this feature then check out one of our past articles about implementing a PKI (Public Key Infrastructure) using Windows Servers.<\/a> The wizard will also require you to configure NAP exemptions which basically means group of devices that are not checked for compatibility by NAP\u2019s health validation. Once the wizard is complete, the NAP service will start and your clients will be able to access the network if the NAP validation is completed successfully.<\/span><\/span>\n<\/p>\n

\n\tVPN Enforcement <\/em><\/strong><\/span><\/span><\/span>
\n<\/h2>\n

\n\t\u2013 When NAP is configured for VPN enforcement, it will verify each remote client that is trying to authenticate within the network. There are several steps that you need to take to successfully deploy NAP for VPN. You\u2019ll need to install Routing and Remote Access services<\/em> and configure it as a VPN server<\/em>. You will then configure the server running the NPS service as the RADIUS server<\/em> in Routing and Remote Access.<\/span><\/span>\n<\/p>\n

\n\tThe NPS server will be configured using the Wizard<\/em> by specifying the Virtual Private Network (VPN)<\/em> as the network connection method. Also note that In NPS, the VPN servers will be configured as RADIUS clients:<\/span><\/span>\n<\/p>\n

\n\t\"NPS<\/a>\n<\/p>\n

\n\tOnce the Certification Authority is deployed and the certificate has been installed on the server, the VPN enforcement can be installed.<\/span><\/span>\n<\/p>\n

\n\tNAP also supports IPSec enforcement with Windows OS but, it\u2019s a long story and cannot be covered in this article. If you are interested in discovering IPSec enforcement installation and configuration, check out this article<\/a>. Hope you\u2019ve understood the main principles behind NAP enforcement, share this article to others interested in this topic. Wish you all the best and stay tuned for the following articles.<\/span><\/span>\n<\/p>\n

\n\tFeatured Photo Credit: Alain-Christian<\/a> via Compfight<\/a> cc<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

NAP or Network Access Protection is a Windows Server security mechanism which enables you to control how computers gain access to network resources. The main functionality of NAP is to verify and ensure that only healthy computers will be marked as compliant and will receive network access. In this article we will talk about some […]<\/p>\n","protected":false},"author":4,"featured_media":1444,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,5,13,9,8],"tags":[],"class_list":["post-1409","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general-it","category-how-to","category-pc-security","category-technical","category-windows"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/1409","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/comments?post=1409"}],"version-history":[{"count":5,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/1409\/revisions"}],"predecessor-version":[{"id":3539,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/1409\/revisions\/3539"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media\/1444"}],"wp:attachment":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media?parent=1409"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/categories?post=1409"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/tags?post=1409"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}