Configuring NAP

  • Question

  • I do have another thread regarding the issue I am having adding the NAP role to my 2008 DC (in 2003 Native Mode).  I can, if needed, run NAP on a member server until this gets resolved.

    I have a CISCO ASA VPN Device and I want NAP to authenticate my VPN users against AD.  What role(s) or options under NAP do I need to add?  With so many configurations available in NAP, how do I configure NAP on a member server to authenticate my users against my AD?

    Thanks - TD
    Tuesday, October 7, 2008 4:40 PM

Answers

  • TD,

    I see. You're just installing the NPS role and not configuring NAP then. You just need to install NPS under network policy and access services. After it is installed, click NPS on the left, and on the right under Standard Configuration, select RADIUS server for dial-up or VPN connections and run through the wizard.

    I hope this helps,
    -Greg

    Wednesday, October 8, 2008 9:57 PM
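    The scripted equivalent of the steps in this answer, added here as an illustration and not part of the thread or of any Microsoft documentation: it installs the NPS role service, registers the server in AD, adds the Cisco ASA as a RADIUS client, and turns on NPS auditing so that granted and denied VPN logons show up in the Security log. The NPS PowerShell cmdlets assume Windows Server 2012 or later; the netsh equivalents that exist on Server 2008 are given in comments. The ASA address, client name and shared secret are placeholders. The wizard step ("RADIUS server for dial-up or VPN connections"), which creates the connection request and network policies, is still run in the NPS console.

```powershell
# Added example, not code from the thread. Assumes Windows Server 2012+ for the
# NPS cmdlets; Server 2008 equivalents are shown in comments.
# Placeholder values: replace before use.
$AsaAddress   = '192.0.2.10'                       # placeholder: ASA inside interface
$ClientName   = 'ASA-VPN'                          # placeholder: friendly name in NPS
$SharedSecret = 'REPLACE-WITH-LONG-RANDOM-SECRET'  # placeholder: generate, do not reuse

# 1. Install the Network Policy Server role service.
#    Server 2008: servermanagercmd -install NPAS-Policy-Server
Install-WindowsFeature NPAS-Policy-Server -IncludeManagementTools

# 2. Register NPS in Active Directory. This adds the computer account to the
#    "RAS and IAS Servers" group so NPS can read users' dial-in properties.
#    Same command on Server 2008.
netsh ras add registeredserver

# 3. Add the ASA as a RADIUS client. NPS only answers Access-Requests from
#    addresses listed here, and only if the shared secret matches.
#    Server 2008: netsh nps add client name="ASA-VPN" address="192.0.2.10" sharedsecret="..."
New-NpsRadiusClient -Name $ClientName -Address $AsaAddress -SharedSecret $SharedSecret

# 4. Run the "RADIUS server for dial-up or VPN connections" wizard in the NPS
#    console (nps.msc) to create the connection request and network policies.

# 5. Make sure NPS logs its decisions: event 6272 = access granted,
#    event 6273 = access denied. Same auditpol command on Server 2008.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# 6. Verify the client entry and pull the last hour of NPS decisions.
Get-NpsRadiusClient | Where-Object Name -eq $ClientName | Format-List Name, Address, Enabled

Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Keep the RADIUS client address as narrow as the ASA's real source address (a single host, not a subnet), and treat the shared secret like a password: it is what prevents any other device on the network from submitting authentication requests to NPS. The ASA side (its AAA server group pointing at this host with the same secret) is outside what the thread covers.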

All replies

  • Hi TD,

    For VPN users, you have two choices of NAP enforcement method: VPN and IPsec.

    For VPN enforcement to be guaranteed to work, you must use a Microsoft VPN (Routing and Remote Access) server. To use the Cisco device, it must support EAP pass-through to RADIUS (most VPN servers support this), network restriction with RADIUS tunnel attributes (device dependent), and VPN client reauthentication during the session (I'm not sure about the support for this).

    For IPsec enforcement to succeed, you just need to set up IPsec enforcement and apply the IPsec policies to VPN clients. If these clients aren't domain joined, then NAP enforcement will have to occur using local IPsec policy settings. You don't need IPsec policies to deploy NAP in a no-enforcement mode, however.

    Bottom line is that you can test your VPN server with NPS and NAP policies, but it might not be able to restrict noncompliant users and/or it may not be able to dynamically change access when a VPN client remediates health unless the client disconnects and reconnects to the VPN. To get NAP going with the IPsec enforcement method, you'll need to set up an HRA and NAP CA in addition to NPS. You then need to configure clients to request health certificates from HRA, and optionally push down IPsec policies.

    -Greg
    Tuesday, October 7, 2008 10:33 PM
  • Hi Greg -

    I am not trying to enforce any compliancy rules.  I am simply trying to build the NAP equivalent to IAS 2003 to authenticate my CISCO ASA VPN clients against their AD accounts.    We are using IPsec.

    Thanks - TD
    Wednesday, October 8, 2008 2:25 PM
  • Hi TD,

    Just want to know whether it has worked for you? I'm trying to enforce the NAP policy for Cisco VPN users but can't get through.

    Friday, March 20, 2009 5:55 PM
  • Hi Greg,
    Just to add one more query: can we put VPN users in quarantine before giving them access to the network?
    Sunday, March 22, 2009 12:38 PM