Enabling NAP on clients through group security policies

  • Question

  • Hi,

    Is it possible to enable NAP on all your clients in your network using group policies somehow? Could someone please explain how to do this, as I cannot find the Group Security Policy application in Server 2008.

    Marc
    Friday, June 8, 2007 12:52 PM

Answers

  • Hi Marc,

     

    Yes, you can. Be sure that you have installed the Group Policy Management feature on your 2008 server. Then, edit the default domain policy and navigate to:

    Computer Configuration

      Windows Settings

        Security Settings

          Network Access Protection

     

    Also, to enable 802.1X on XP clients that have the NAP client components installed, there is a setting under:

    Computer Configuration

      Administrative Templates

        Windows Components

          Network Access Protection

     

    I hope this helps.

    -Greg

     

    Friday, June 8, 2007 5:10 PM

All replies

  • I've set up a test lab using the step-by-step guides, so I have a 2k3 domain. On the NPS server, I can see the NAP Client Configuration in the GPME console. Will those settings be applied by 2k3 domain controllers, or does AD have to be upgraded to 2k8? Thanks.  

     

    Thursday, October 25, 2007 8:17 PM
  • Hi,

     

    A 2k8 DC is not required, but it's cool 

     

    Check out some of the new AD features in 2008: http://www.microsoft.com/technet/technetmag/issues/2006/11/futureofwindows/default.aspx

     

    -Greg

    Thursday, October 25, 2007 9:12 PM
  • OK, I'm still working with WS2003 AD. The group policy to enable NAP is now being written into the registry on my Vista client machines, and NAP is functional on them. Two things I'm not seeing:

    1. When I open napclcfg.msc on a client PC, the settings dictated by the group policy are not there. It seems the snap-in isn't showing the settings that are actually in the registry. Is that the expected behavior, or is it a bug?
    2. When I go into the various group policy-related tools (gpedit.msc, gpmc.msc, gpme.msc, rsop.msc), the NAP client config options are usually not there. I would expect not to see those items on the 2003 AD server, but they're missing on the Vista clients too. Do I need to load ADMX files somewhere to enable those controls in the GP tools? Thanks for the help.
    Thursday, November 8, 2007 8:48 PM
  • Hi,

    1. This is expected. From the command line, issue a "netsh nap client show config" to see the locally configured settings and a "netsh nap client show group" to see the GP settings. If both are configured, GP will win and the local settings will be ignored.
    2. You need to load the Group Policy Management feature on a Server 2008 machine to see the NAP client settings. Click the top node in Server Manager, and then click Add Features. Add Group Policy Management, and then run gpmc.msc.

    -Greg

    Thursday, November 8, 2007 8:56 PM
  • I'm using the following settings in GPO.

    I set up the Wired AutoConfig and the Network Access Protection services to start automatically; they are manual by default. I also built an 802.3 policy for Vista with the appropriate 802.1X configurations, such as enabling my PEAP certificate and enabling quarantine checks. They also work in XP SP3, populating the new supplicant settings.

    I checked off that Security Center should be started; this was under Administrative Templates, I believe. I also adjusted Windows Update so that it is set up and configured to match what we use for Windows Update and WSUS.

    I checked that EAP is enabled under Network Access Protection for a type.

    I also enabled wait for network at computer startup. I had used this in the past for wireless clients, but I find I need this for NAP so that the machine comes up and gets compliant prior to control-alt-del login; that way my drives and scripts run. Without this, I would see things such as the machine would comply, then something would happen during the login, and it would noncomply me, and then comply me again. Note that this was not pretty when I'm VLAN hopping and IPs need to be assigned; I'd get random drive mappings. With the above setting now, for 2 weeks I've been on NAP and everything works as it did on direct wire.


    So all I have to do is put the machine in the OU, run gpupdate /force, or wait a day or so for it to update, then turn on dot1x, and it works without any manual intervention.

    Of course there is still the issue of what to do when it's a MAC, or XP SP2, or some other device...

    <edit>
    To get the 802.3 policy for Vista if you are in AD for W2K3, there is a TechNet article which shows which schema changes need to be made to make policies for this.

    http://technet.microsoft.com/en-us/library/bb727029.aspx
    Wednesday, December 5, 2007 11:31 PM
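
Added example, not part of any post in this thread: a PowerShell check that can be run on a domain-joined client to confirm the GPO settings described in the post above have arrived (service start modes, the Security Center and wait-for-network policies) and to display the NAP client settings with the two `netsh` commands Greg mentions. The service short names and policy registry locations come from general Windows knowledge, not from the thread.

```powershell
# Added example: audit a NAP client for the GPO-delivered settings discussed above.
# Assumed names (not from the thread): dot3svc = Wired AutoConfig,
# napagent = Network Access Protection Agent; the registry paths are where the
# corresponding Administrative Templates policies are stored.
$report = @()

function New-Result($Check, $Value, $Ok) {
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Ok = $Ok }
}

# 1. Services the poster switched from Manual to Automatic.
foreach ($name in 'dot3svc', 'napagent') {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) {
        $report += New-Result "Service $name" 'not installed' $false
    } else {
        $value = "StartMode=$($svc.StartMode), State=$($svc.State)"
        $report += New-Result "Service $name" $value ($svc.StartMode -eq 'Auto')
    }
}

# 2. Policy values written by Group Policy (DWORD 1 = enabled).
$policies = @(
    @{ Label = 'Wait for network at startup'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name  = 'SyncForegroundPolicy' },
    @{ Label = 'Security Center on domain PCs'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Security Center'
       Name  = 'SecurityCenterInDomain' }
)
foreach ($p in $policies) {
    $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($p.Name) } else { $null }
    $shown = if ($null -eq $actual) { 'not set' } else { "$actual" }
    $report += New-Result $p.Label $shown ($actual -eq 1)
}

$report | Format-Table Check, Value, Ok -AutoSize

# 3. NAP client settings: Group Policy copy first, then the local copy.
#    Per the thread, when both are configured the Group Policy settings win.
netsh nap client show group
netsh nap client show config
```
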
  •  

    Hello,

     

    I'm following the NAP_DHCP_StepByStep guide, but instead of a Vista client, I'd like to use an XP SP3 (v.3264).

     

    My problem is I can't open the napclcfg.msc console.

     

    What can I do?

     

    Thanks

     

    Luc

     

    Friday, January 4, 2008 10:08 AM
  • Hi Luc,

     

    There is no NAP client snap-in available on the XP client. You can use the command line network shell context (netsh nap client), or the best method is to use group policy if your clients are domain-joined.

     

    -Greg

    Friday, January 4, 2008 4:43 PM