Question - NAP Network restriction within 802.1x environment

  • Question

  • Hi mates,

I have a question regarding network restriction within an 802.1x environment. According to the article below, a noncompliant client will be assigned a restricted VLAN by the NAP server and will have only limited network access. However, from a network perspective, the restricted VLAN will have full network connectivity by default. To achieve this, do we have to configure a VLAN ACL (IP filtering) on the layer 3 switch?

    NAP enforcement settings allow you to limit network access of noncompliant clients to a restricted network, to defer restriction to a later date, or to merely observe and log the health status of NAP-capable client computers. The following settings are available:

    · Allow full network access. This is the default setting. Clients that match the policy conditions are deemed compliant with network health requirements, and are granted unrestricted access to the network if the connection request is authenticated and authorized. The health compliance status of NAP-capable client computers is logged.

    · Allow limited access. Client computers that match the policy conditions are deemed noncompliant with network health requirements, and are placed on the restricted network.

    · Allow full network access for a limited time. Clients that match the policy conditions are temporarily granted full network access. NAP enforcement is delayed until the specified date and time.

    You will use the NAP configuration wizard to create two network policies in this test lab. A compliant policy will grant full network access to an intranet network segment. A noncompliant policy will demonstrate network restriction by issuing a VLAN identifier that places the client computer on a restricted network.

    Wednesday, March 30, 2011 4:57 AM


  • Hi,

What do you mean by "restricted VLAN will have full network connectivity by default" above? If you place noncompliant clients on VLAN 2 and the full-access network is on VLAN 3, then the clients located on VLAN 2 will be isolated. You should have services such as DNS and DHCP on VLAN 2, but that is all. When the clients become compliant they are moved back to VLAN 3.

    You can also use an ACL but it is not required.


    • Marked as answer by Miles Zhang Monday, April 4, 2011 1:26 AM
    Wednesday, March 30, 2011 5:31 AM
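As an added illustration of the VLAN assignment discussed in this thread (example code written for this page, not code from the thread, from NPS or from any switch vendor): the RADIUS tunnel attributes an Access-Accept carries to put an 802.1X port on VLAN 2 or VLAN 3, encoded the way a RADIUS server sends them and decoded the way the switch reads them. The VLAN numbers are the answer's lab values; the attribute numbers and values come from RFC 2868 and RFC 3580, and the tag-handling rule is the one RFC 2868 specifies.

```python
# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 defines
# for 802.1X dynamic VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
# Constructed lab values from the answer: VLAN 3 is the full-access
# network, VLAN 2 the restricted one for noncompliant clients.
COMPLIANT_VLAN, RESTRICTED_VLAN = 3, 2

def _tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type octet, total-length octet, value."""
    return bytes([attr_type, 2 + len(value)]) + value

def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """The three tunnel attributes an Access-Accept carries to place the
    authenticated port on vlan_id. Tag octet 0 means 'no tag'."""
    return (
        _tlv(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _tlv(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )

def access_accept_for(health: str) -> bytes:
    """Mirror the two NAP network policies: compliant -> VLAN 3, else VLAN 2.
    The VLAN only sets layer-2 membership; what VLAN 2 may reach (DNS, DHCP,
    remediation) is a routing/ACL decision on the layer-3 switch."""
    return vlan_attributes(COMPLIANT_VLAN if health == "compliant" else RESTRICTED_VLAN)

def assigned_vlan(attrs: bytes):
    """Parse attributes as the switch does; return the VLAN id, or None when
    the attributes do not form a consistent VLAN assignment."""
    found, i = {}, 0
    while i + 2 <= len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        v = attrs[i + 2 : i + length]
        i += length
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(v) != 4:
                raise ValueError("tunnel attribute must be tag + 3 octets")
            found[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is data, not a tag.
            found[t] = (v[1:] if v and v[0] <= 0x1F else v).decode("ascii")
    if (found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802):
        return None
    gid = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(gid) if gid.isdigit() else None
```

The decoder accepts both a tagged and an untagged Tunnel-Private-Group-ID, which is the variation that most often breaks dynamic VLAN assignment between server and switch.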