NAP DHCP Enforcement Inquiry

Question
Hi All,
First of all, sorry for so many questions asked by me. I'm very new to this and was given minimal time to deploy this NAP thing.
I have an AD server that also has the DNS and DHCP roles, and I have a RADIUS server which I will also set up as the NAP server. I am planning to deploy NAP DHCP Enforcement. Is it possible for my NAP server to be a different server from my DHCP server? Because my boss doesn't want me to use the AD server as my NAP server.
Thank you.
Thursday, May 19, 2016 6:23 AM
Answers
So two questions there.
Check the deployment guide, the DHCP server does not have to be the NPS server.
This bit
All NAP enforcement methods can be implemented using a minimum of one computer running Windows Server 2008 R2 or Windows Server 2008. All enforcement methods require that NPS is installed on this computer and configured to evaluate the health of NAP clients. Additional required services depend on the enforcement method. For example, IPsec, VPN, and DHCP enforcement methods require a NAP enforcement server running Windows Server 2008 R2 or Windows Server 2008. The 802.1X enforcement method requires network hardware that supports the 802.1X authentication method and is capable of controlling port characteristics using RADIUS tunnel attributes. For more information, see NAP Configuration Overview.
The DHCP requires an NPS server AND a NAP server.
Hope that helps.
And no, IPsec needs firewalls.
Please mark as an answer if helpful
Yours
Ed
- Proposed as answer by Ed Baker (UK Evangelist), MVP, Thursday, May 19, 2016 3:10 PM
- Edited by Ed Baker (UK Evangelist), MVP, Thursday, May 19, 2016 3:10 PM
- Marked as answer by Greg Lindsay, Microsoft employee, Wednesday, May 25, 2016 7:43 AM
Thursday, May 19, 2016 3:10 PM
Hi spideynok,
NPS must be running on the DHCP server, but it can be configured as a proxy. You aren't required to have the health policies on the DHCP server, but you do need to at least configure a connection request policy to forward authentication requests to a remote RADIUS server group (that contains the NPS server with your health policies).
Checklist: Configure NAP Enforcement for DHCP
https://technet.microsoft.com/en-us/library/cc772356(v=ws.10).aspx
________________________________________
Best Regards,
Cartman
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
- Edited by Cartman Shen, Microsoft contingent staff, Friday, May 20, 2016 2:59 AM
- Marked as answer by Greg Lindsay, Microsoft employee, Wednesday, May 25, 2016 7:43 AM
Friday, May 20, 2016 2:50 AM
All replies
Hi Spideynok
Have a look at the NAP deployment guide for detailed answers.
https://msdn.microsoft.com/en-us/library/dd314175(v=ws.10).aspx
BE AWARE
NAP DHCP Enforcement is deprecated and may well be removed from Windows Server 2016.
Server 2012 R2 deprecated the feature
https://technet.microsoft.com/en-us/library/dn303411.aspx
Server 2016 Technical Preview
https://technet.microsoft.com/en-us/library/dn765482.aspx
Note the DHCP server no longer supports NAP in the preview, so one can assume it will not support it in the RTM version.
Check with your boss; he may wish to use a different method for NAP or think of a different solution.
Yours
Ed
Please mark this as an answer if it was helpful
- Proposed as answer by Ed Baker (UK Evangelist), MVP, Thursday, May 19, 2016 7:50 AM
Thursday, May 19, 2016 7:50 AM
Hi Ed,
Thank you for the fast reply and the reminder, this is a big help for us.
But is it possible that my DHCP server is a different server from the NPS server?
By the way, I consider building DHCP NAP because IPsec Enforcement uses the firewall to configure the connectivity rule, which is not possible on our side because the default policy at our company is to keep those firewalls off, managed by SEPM. Is there a way I can deploy IPsec without requiring those users' computers to turn their firewall on?
Thank you!
Thursday, May 19, 2016 9:28 AM