Answered by:
802.1x implementation: NAP vs NAP-NAC

Question
-
All,
Can anyone explain, what are benefits of NAP vs NAP-NAC implementation ?
I'm going to test Microsoft NAP 802.1x enforcement in my lab.
We have some Win XP SP3 clients.
All access switches are Cisco 3650.
Computers should be assigned into several VLANs (managers, sales, tech, dev + Remediation VLAN).
Is it possible to assign computer to the specific VLAN by user's AD group membership ? Can it be implemented by Microsoft NAP ?
Thanks
mcse^4Monday, November 22, 2010 4:27 PM
Answers
-
Hi,
Thanks for update.
Generally speak, if you had already purchased windows OS and Cisco devices in your environment ,and had also implemented NAP or NAC deployment, with NAP-NAC ,it could help you to integrate these together for preserve investments.
Please take time to read the article and the links in its first :
Appendix A: Deploying NAP-NAC
http://technet.microsoft.com/en-us/library/dd296894(WS.10).aspx
Thanks.
Tiger Li
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.- Marked as answer by Tiger LiMicrosoft employee Monday, November 29, 2010 11:15 AM
Wednesday, November 24, 2010 7:00 AM
All replies
-
Hi,
Thanks for posting here.
Have you read the article below which discuss the benefits of NAP-NAC implementation ?
Appendix D: NAP-NAC Design
http://technet.microsoft.com/en-us/library/dd125393(WS.10).aspx
Based on my knowledge that we can implement VLAN redirection base on the domain account and belonged group with define policy on NPS server, please refer to the links below:
Wireless Access Point & Server 2008 Std. NPS (Network Policy Server)
Network Access Protection Using 802.1x VLAN’s or Port ACLs – Which is right for you?
and for more information regard to implement 802.1X with NAP ,please refer to the articles below:
Network Access Protection (NAP) Deployment Planning
http://blogs.technet.com/b/nap/archive/2007/07/28/network-access-protection-deployment-planning.aspx
NAP 802.1X Configuration Walkthrough – Part 1
http://blogs.technet.com/b/nap/archive/2008/06/19/nap-802-1x-configuration-walkthrough.aspx
NAP 802.1X Configuration Walkthrough – Part 2
http://blogs.technet.com/b/nap/archive/2008/06/20/nap-802-1x-configuration-walkthrough-part-2.aspx
Thanks
Tiger Li
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.Tuesday, November 23, 2010 7:31 AM -
Hi Tiger,
Thank you for answer. I already read these guides (Appendix D/802.1x configuration parts, etc), but may be not very carefully.
But I don't see anywhere comparasion chart NAP vs NAP-NAC on detailed level.
Can anyone explain, why you choose NAP or NAP-NAC implementation.
As I can see:
NAP-NAC is more comlicated solution
NAP-NAC does not support Windows XP SP3
NAP-NAC needs several agents and/or updates from Cisco on the client computers
NAP-NAC, you can use single Cisco ACS server as tacacs/radius server for any type of authentication (login, dot1x, etc)
NAP doesn't need any agents, all is out of box
...
Thanks.
mcse^4Tuesday, November 23, 2010 11:37 AM -
Hi,
Thanks for update.
Generally speak, if you had already purchased windows OS and Cisco devices in your environment ,and had also implemented NAP or NAC deployment, with NAP-NAC ,it could help you to integrate these together for preserve investments.
Please take time to read the article and the links in its first :
Appendix A: Deploying NAP-NAC
http://technet.microsoft.com/en-us/library/dd296894(WS.10).aspx
Thanks.
Tiger Li
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.- Marked as answer by Tiger LiMicrosoft employee Monday, November 29, 2010 11:15 AM
Wednesday, November 24, 2010 7:00 AM