Chapter 7
Chapter Overview
Lesson 1: Overview of Network Access Protection
What is Network Access Protection?
NAP can:
• Enforce health-requirement policies on client computers
• Ensure client computers are compliant with policies
• Offer remediation support for computers that do not meet health requirements
NAP cannot:
• Prevent authorized users with compliant computers from performing malicious activity on the network
• Restrict network access for computers that are running Windows versions previous to Windows XP SP2, when exception rules are configured for those computers
NAP Scenarios
802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections
• Computer must be compliant to obtain unlimited access through an 802.1X connection (authentication switch or access point)
VPN enforcement for remote access connections
• Computer must be compliant to obtain unlimited access through a Remote Access Service connection
DirectAccess
• Computer must be compliant to obtain unlimited network access
• For noncompliant computers, access is restricted to a defined group of infrastructure servers
DHCP enforcement for DHCP-based address configuration
• Computer must be compliant to receive an unlimited access IPv4 address configuration from DHCP
• This is the weakest form of NAP enforcement
NAP Platform Architecture
[Diagram. Components shown: VPN server, Active Directory, IEEE 802.1X devices, Health Registration Authority, DHCP server, NAP Health Policy Server, remediation servers, NAP client with limited access. Network zones shown: Internet, perimeter network, intranet, restricted network.]
Lesson 2: Overview of NAP Enforcement Processes
NAP Enforcement Processes
[Diagram. Components shown: NAP client, remediation server, HRA, health requirement server, DHCP server, VPN server, IEEE 802.1X network access devices, NAP Health Policy Server. Message flows labelled: system health updates, system health requirement queries, messages over HTTP or HTTP over SSL, DHCP messages, PEAP messages over PPP, PEAP messages over EAPOL, RADIUS messages.]
IPsec Enforcement
802.1x Enforcement
DHCP Enforcement
Lesson 3: Configuring NAP
What are System Health Validators?
What is a Health Policy?
To make use of the Windows Security Health Validator, you must configure a health policy and assign the SHV to it.
• Health policies consist of one or more SHVs and other settings, which you can use to define configuration requirements for NAP-capable computers that attempt to connect to your network
• You can define client health policies in NPS by adding one or more SHVs to the health policy
• NAP enforcement is accomplished by NPS on a per-network-policy basis
• After you create a health policy by adding one or more SHVs to the policy, you can add the health policy to the network policy, and enable NAP enforcement in the policy
What Are Remediation Server Groups?
NAP Client Configuration
Demonstration: Configuring NAP
Lesson 4: Monitoring and Troubleshooting NAP
What is NAP Tracing?
Demonstration: Configuring NAP Tracing
Troubleshooting NAP
You can use the following netsh NAP command to help you to troubleshoot NAP issues:
Troubleshooting NAP with Event Logs
Event ID Meaning
Thanks!