NAP Enforcement

  • Question

  • Hi Everyone!

    I want NAP enforcement in my network; the details of my network are:

    I have a primary domain controller and 2 additional domain controllers
    I have a DHCP server on a separate machine
    I have RADIUS and CA (certificate server) both together on one machine
    All switches are configured for 802.1X authentication.

    Which NAP enforcement will be best for me, 802.1X or DHCP?

    On which server do I configure NAP, keeping in view the above-mentioned network architecture?

    A reply will be helpful for me, thanks!

    Wednesday, November 21, 2012 12:55 PM


All replies

  • Hi,

    Use this table to decide which is better for you.

    http://technet.microsoft.com/en-us/library/dd125346(WS.10).aspx

    802.1X is always more secure because DHCP NAP can be bypassed if the user configures a static IP address on their computer.

    DHCP is simpler, however. It is sometimes a good idea to try a simpler enforcement method like DHCP first as a proof of concept. If you use DHCP, you must install NPS on the DHCP server. However, you can configure it as a proxy and forward authentication requests to another NPS. It is common to install NPS on a DC because NPS needs to contact the DC to authenticate against AD. If you already have NPS installed somewhere, you can just use this and you don't need to install another one, except for the NPS on the DHCP server if you use the DHCP enforcement method.

    -Greg

    • Marked as answer by Diadem 85 Thursday, November 22, 2012 9:04 AM
    Thursday, November 22, 2012 5:50 AM
  • Thanks Greg!

    I have gone through http://technet.microsoft.com/en-us/library/dd125346(WS.10).aspx and understand that,

    keeping in view my network architecture, the IPsec enforcement design suits me a lot, because I have already configured NPS and Certificate Services on one machine and this method isn't affected by switch-side configuration. Please correct me if I'm wrong.

    thanks

    Thursday, November 22, 2012 9:04 AM
  • Hi,

    You can use IPsec enforcement. You are right that it isn't affected by switch config. It is the most complex method, but works well, and you can use the "no enforcement method" at first to test the certificate infrastructure without deploying IPsec policies. Let me know if you have any questions as you go along.

    -Greg

    Thursday, November 22, 2012 4:36 PM
  • Well,

    I am already using certificate-based authentication in my infrastructure and that is working very well, and I hope that this will not create any problem for me. But one thing I'm not clear about is how the remediation will take place. How and at which place will I restrict a non-compliant computer to go for updates?

    Friday, November 23, 2012 4:56 AM
  • Hi,

    Remediation depends on what you decide you want to require and which SHVs you install. The default SHV is the Windows SHV, which includes anti-virus, firewall, Windows updates, etc. For something like the firewall, remediation simply turns the firewall on (if you enable auto-remediation) when someone turns the firewall off. This can also be done for automatic update settings. For something like an antivirus application, the user needs to keep this up to date themselves, so you need to give them that ability (to download virus signatures) when they are out of date.

    Restriction is done connection by connection for IPsec. Each device on the network has an IPsec policy that either approves or denies the connection from a computer that is not healthy. A computer is considered healthy if it has a health certificate. Basically, when a connection request comes in, the policy checks to see if health certificates are present on both sides of the connection.

    You can install long-lasting certificates on computers and servers that should not be restricted - these are called exemption certificates. The typical health certificate is short-lived - 4 hours by default (this is configurable) and is deleted immediately when a computer becomes unhealthy. If a computer remains healthy then the certificate is renewed periodically.

    -Greg

    • Marked as answer by Aiden_Cao Monday, November 26, 2012 4:43 AM
    Friday, November 23, 2012 7:30 AM
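To make the health-certificate model above concrete, here is an added PowerShell example (not from Greg's reply or from Microsoft's NAP documentation) that inspects a client's machine certificate store, picks out certificates carrying the NAP "System Health Authentication" EKU (OID 1.3.6.1.4.1.311.47.1.1), and reports how much validity each has left. The one-day threshold used to tell a short-lived health certificate (4 hours by default) from a long-lived exemption certificate is an assumption for this script, not a NAP setting; adjust it to whatever lifetimes your CA issues.

```powershell
# Added example: list NAP health/exemption certificates on the local computer
# and show remaining validity. Run in an elevated PowerShell on a NAP client.

# EKU object identifier for NAP "System Health Authentication".
$HealthEku = '1.3.6.1.4.1.311.47.1.1'

# Assumption for this script: anything valid for longer than this is treated
# as an exemption certificate rather than a short-lived health certificate.
$ExemptionThreshold = New-TimeSpan -Days 1

$now = Get-Date

$report = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $HealthEku } |
    ForEach-Object {
        $lifetime = $_.NotAfter - $_.NotBefore
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            Issued     = $_.NotBefore
            Expires    = $_.NotAfter
            Remaining  = $_.NotAfter - $now
            Kind       = if ($lifetime -gt $ExemptionThreshold) { 'Exemption (long-lived)' }
                         else { 'Health (short-lived)' }
            # A host whose only certificate is expired has effectively been
            # restricted: every IPsec-protected peer will refuse its connections.
            Valid      = ($now -ge $_.NotBefore -and $now -lt $_.NotAfter)
        }
    }

if (-not $report) {
    Write-Warning 'No NAP health or exemption certificate found in Cert:\LocalMachine\My.'
} else {
    $report | Format-Table -AutoSize
}

# Cross-check with the NAP client agent's own view of enforcement and health state.
netsh nap client show state
```

On a healthy client you should see one certificate of kind "Health" with a few hours remaining and renewal keeping it valid; on a server you have deliberately exempted you should see a long-lived certificate instead. A client that shows none while `netsh nap client show state` reports it as non-compliant is in the restricted state Greg describes, and the remediation servers are the only peers it should still be able to reach.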