NAP w/Non-domain vpn clients

  • Question

  • Hello,

    I have a Windows 2003 domain that uses a Cisco ASA 5520 as a firewall and VPN.  We just added our first 2008 computer and wish to enable Network Access Protection.  We have 2 sites that connect using a site-to-site VPN tunnel and are domain members.  In addition, we have about 10 locations that can have domain member computers that would connect using the Cisco VPN client.  Also, we have about 20 users that connect to the network using the Cisco VPN client on their home (non-domain) PCs.

    I am looking to implement Network Access Protection.  I have one piece of hardware (the new 2008 server) and don't have the ability to purchase any additional software/hardware.  I currently have the VPN clients using RADIUS authentication against the 2008 server.  The firewall is currently serving DHCP to all VPN clients that are not site-to-site.

    I am looking to set up NAP so that I can assure compliance from both my remote domain-capable machines, as well as VPN client connections through the ASA from non-domain-capable machines.  Any help would be welcome and appreciated.

    Thanks,

    Scott
    Tuesday, July 8, 2008 1:49 PM

All replies

  • Hi,

    NAP with VPN as the enforcement server can only be implemented fully if the VPN server is running the Server 2008 operating system. You can still use NAP for VPN clients, but you will need to use the IPsec enforcement method. Your single 2008 server can function as the NPS, HRA, and CA for this method. You have the option of using either a full enforcement type of design where noncompliant computers have limited access, or a "no enforcement" design where noncompliant computers are updated but no actual network restriction occurs. This does work for both domain-joined and non-domain-joined computers, although of course you cannot use Group Policy to provision NAP client settings on the workgroup computers.

    Let me know if you have questions.

    Thanks,
    -Greg
    Wednesday, July 9, 2008 4:46 PM
  • It seems like the Step-by-step guide: Demonstrate IPSEC NAP document is down from the Microsoft servers. Do you have an alternate link?
    Friday, July 11, 2008 1:43 PM
  • Hi,

    The IPsec step-by-step guide was republished recently and this may be why it was temporarily down. Please let me know if you are still having trouble finding it. The link is here.

    -Greg
    Tuesday, July 15, 2008 8:34 PM
  • Greg,

    Will you clarify your answer above? I am in the same situation with an ASA 5500 series and trying to configure NAP to work with it. Are you saying that one would need to have a Server 2008 machine in the place of the ASA for NAP to work? I will consult the IPSEC guide and test from there.

    Thank you in advance for your help

    - Alan
    Tuesday, August 18, 2009 8:18 PM
  • Hi Alan,

    The options are:

    1) Replace ASA VPN with Server 2008 or Server 2008 R2 VPN and use NAP with VPN enforcement method. The Windows Server can be both a VPN server and NAP health policy server (NPS), or you can separate these roles by installing VPN and NPS on different servers. Both must be Server 2008 or Server 2008 R2.

    2) Keep ASA VPN and install a Server 2008 or Server 2008 R2 server as a NAP health policy server and use the IPsec enforcement method. You will need HRA and CA roles to accomplish this. HRA and CA can be installed on the same server as NPS or on different servers. The CA server can be Windows 2003 but HRA and NPS must be Server 2008 or Server 2008 R2.

    The IPsec enforcement method works on any connection, so it doesn't matter if the computer accesses the network using a Cisco VPN, wireless network, or wired connection. You can also set up rules that apply differently for the different connection types.

    The VPN enforcement method uses a specific configuration on the VPN server that can only be accomplished with a Windows Server 2008/R2 RRAS server. With the VPN enforcement method you will only enforce health on VPN clients.

    -Greg

    Tuesday, August 18, 2009 10:27 PM
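    Greg's option 2 leaves one practical gap for the home (non-domain) PCs in the original question: without Group Policy, the NAP client settings have to be provisioned by hand on each workgroup machine before it can obtain a health certificate from the HRA. The following is an added example of that local provisioning, not something posted in this thread or taken from the Microsoft step-by-step guide. The HRA host name `hra.example.local`, the trusted server group name `NAPHRA`, and the exported root CA file `C:\Temp\nap-root-ca.cer` are placeholders chosen for the example; everything else is the standard `netsh nap client` and `sc.exe` syntax that ships with Windows Vista/7 and Server 2008.

```powershell
# Added example (not from the thread): provision the NAP IPsec enforcement client
# on a workgroup (non-domain) Windows client by hand, since Group Policy cannot reach it.
# Run from an elevated prompt on the client.
# Placeholders (assumptions, not values from the thread):
#   hra.example.local          - the HRA server (NPS/HRA/CA box from Greg's option 2)
#   C:\Temp\nap-root-ca.cer    - exported root CA certificate that issued the HRA's SSL cert
#   NAPHRA                     - name chosen for the trusted server group

# 1. Workgroup clients cannot authenticate to the Kerberos-protected /DomainHRA/ URL,
#    so they use the /NonDomainHRA/ URL. Because HTTPS is required below, the client
#    must trust the CA that issued the HRA's server certificate; import it into the
#    machine Root store.
certutil -addstore -f Root C:\Temp\nap-root-ca.cer

# 2. Enable the IPsec Relying Party enforcement client (enforcement client ID 79619).
netsh nap client set enforcement ID=79619 ADMIN=ENABLE

# 3. Tell the client where its HRA is: one trusted server group, HTTPS required.
netsh nap client add trustedservergroup name=NAPHRA requirehttps=ENABLE
netsh nap client add server group=NAPHRA url=https://hra.example.local/NonDomainHRA/hcerthttp

# 4. The Network Access Protection Agent service (napagent) must be running for any
#    enforcement client to do anything. In PowerShell "sc" aliases Set-Content, so use sc.exe.
sc.exe config napagent start= auto
sc.exe start napagent

# 5. Verify. "show state" lists each enforcement client and whether it is enabled and
#    initialized; "show configuration" echoes the HRA group/URL you just added; and a
#    successfully issued health certificate appears in the machine's Personal store
#    (certutil -store My) with the System Health Authentication EKU.
netsh nap client show state
netsh nap client show configuration
certutil -store My
```

    Two caveats worth knowing before testing this against the ASA setup in the thread. First, these commands only let the client request a health certificate; the connection security rules that actually require that certificate for inbound traffic (the part Group Policy would normally push) must also be created locally on a workgroup machine, in Windows Firewall with Advanced Security. Second, if step 5 shows the IPsec enforcement client enabled but no certificate in the Personal store, the usual causes are the client not trusting the HRA's SSL certificate (step 1) or the HRA being reachable only over the VPN tunnel while the client is still in a pre-connection state, so check that the HRA URL resolves and is reachable from the client after the Cisco VPN comes up.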
  • Greg,

    Thank you for your quick response and help. I'm going through the updated IPSEC instructions, hopefully we'll make some headway.

    Thanks again,

    Alan
    Tuesday, August 18, 2009 11:23 PM
  • Hello Everyone,

    I saw this post. I have been working with Microsoft and Cisco for several weeks, going back and forth. In a nutshell, we have a Cisco ASA 5510 as a firewall and as VPN endpoint. We have a Server 2008 box as a domain controller, RADIUS and also as NAP. We have configured RADIUS on the Server 2008 server to authenticate our domain users coming in through the Cisco VPN Client, which has been great!

    I am also looking to set up NAP so that I can assure compliance from both my remote domain-capable machines, as well as VPN client connections through the ASA from non-domain-capable machines.  I have seen the step-by-step guide below using IPSEC with the ASA and NAP. Has anyone actually been able to get this to work? I have been told that it won't work. I was also told it only works with MS VPN and with domain PCs only. However, I am not buying that!

    Friday, February 18, 2011 9:19 PM