How to exempt everything but Vista and XP from NAP

  • Question

  • We have a student network at our college. Students bring a wide range of devices and operating systems. We would like to enforce NAP on only the Windows PCs which are NAP capable. The problem is that Vista and XP are non-NAP capable by default. There doesn't seem to be a way for the NAP server to identify the client OS unless the Vista or XP SP3 client has the NAP service enabled and the command line set to turn it on. The student PCs are not on our domain, so we can't use group policy. We would like to put the Vista and XP SP3 PCs into remediation to enable the NAP service to pass our health policy, while allowing the other non-NAP capable devices to just be granted full access. Because the Vista and XP clients are non-NAP capable by default, we can't logically have a health policy allow the other non-NAP capable devices to just be granted full access. We don't want to install NAP client software on our Apple and Linux clients. Does anyone know how to get out of this catch-22 situation? We are using DHCP without authentication on the NAP server. Thanks!
    Friday, November 21, 2008 3:20 PM

Answers

  • If you are doing DHCP enforcement, it is better to create two scopes on your DHCP server, let's say "NAP-capable scope" and "non-NAP-capable scope", and apply NAP DHCP enforcement on the NAP-capable scope only. Put your Windows XP and Vista clients on the NAP-capable scope, and give the IP addresses to the other non-NAP-capable machines from your non-NAP-capable scope IP address range.

    Regards
    Brijesh Shukla
    Sunday, November 23, 2008 1:29 AM
  • Jeff,

    The problem you are outlining really applies to just about anything and not just NAP.  You basically want to manage a machine without really managing it :-)

    I have worked with a few universities on NAP deployments and I have seen things done a variety of ways. In your scenario one way you could do this is force all students to run a script that you issue to them (via CD, thumb drive, network share, etc...) which would enable NAP. Since you are using DHCP and not doing network authentication your options are limited unfortunately.

    As you point out, NPS cannot determine the client OS of the machine unless it is configured for NAP since the OS data is sent in the Statement of Health (SoH).

    I wish I had a better answer for you, but unfortunately your options are a bit limited here.

    Pat


    Program Manager Windows Server Customer Connection: ** This posting is provided "AS IS" with no warr
    Monday, December 8, 2008 6:37 PM
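    The "script you issue to them" that Pat suggests, written out as an added example (this is not code from the thread or from Microsoft): a .cmd file a student runs once, as an administrator, on a non-domain Windows XP SP3 or Vista PC. It starts the NAP Agent service, switches on the DHCP Quarantine Enforcement Client (enforcement client ID 79617, the one the original question's DHCP-based deployment needs), and then renews the lease so the PC sends a Statement of Health on its next DHCP request. The `sc`, `net` and `netsh nap client` commands are standard on those versions; only the messages and the renew step are this example's own choices.

```batch
@echo off
REM Added example (not from the thread): enable the NAP client on a
REM non-domain Windows XP SP3 / Vista PC so the NPS server can see its
REM OS and health state in the Statement of Health.
REM Run from an elevated command prompt (Vista) or as an administrator (XP).

REM 1. Make the Network Access Protection Agent service start automatically,
REM    then start it now. Note the required space after "start=".
sc config napagent start= auto
if errorlevel 1 goto :fail
net start napagent

REM 2. Turn on the DHCP Quarantine Enforcement Client (ID 79617) so the
REM    client includes its SoH in DHCP requests.
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"
if errorlevel 1 goto :fail

REM 3. Show the resulting client state so the student or help desk can
REM    confirm the DHCP enforcement client reads "Enabled".
netsh nap client show state

REM 4. Renew the lease so the NAP-enabled scope evaluates this PC right away.
echo NAP client enabled; renewing the DHCP lease.
ipconfig /renew
goto :eof

:fail
echo Failed to enable the NAP client. Run this script as an administrator.
exit /b 1
```

    Once this has run, a Vista or XP SP3 PC is no longer "non-NAP-capable" from NPS's point of view, so the health policy can put it into remediation rather than having to treat it like the Apple and Linux devices. Keep the script on a share or USB stick that students can read without first passing the health check, otherwise the machine that needs it cannot reach it.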

All replies

  • Hi Brijesh, I know this is an old thread but I still wanted to see if anyone here can help me.

    You said create two DHCP scopes, one for NAP-capable and another for non NAP-capable clients. How can I achieve this? Where do I set a policy saying that the non NAP-capable clients should be issued an IP address from another scope?

    Thanks.
    Mayur
    Wednesday, August 26, 2009 2:28 PM
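    An added example for Mayur's question, showing one way to set up the two scopes Brijesh describes on a Windows Server 2008 DHCP server with `netsh dhcp`; this is not code from the thread. The subnets, ranges, router addresses and scope names are made-up placeholders. The scope a client lands in is decided by the network, not by DHCP: the Windows XP SP3 and Vista PCs have to be attached to the VLAN or subnet that the NAP-capable scope serves (for example by switch port or wireless SSID), and the other devices to the subnet the non-NAP-capable scope serves. The `add scope`, `add iprange`, `set optionvalue` and `set state` commands are standard `netsh dhcp server` syntax; the `set napstate` scope and server commands are the Server 2008 NAP additions, so check `netsh dhcp server scope <addr> help` on your build before relying on them.

```batch
@echo off
REM Added example (not from the thread): two DHCP scopes, NAP enforcement on
REM only one of them. All addresses and names are placeholders to be replaced.

REM Scope 1: the subnet the Windows XP SP3 / Vista student PCs are attached to.
REM NAP enforcement is enabled here, so a PC that does not send a Statement
REM of Health can be handled by the NPS "non NAP-capable" policy for this scope.
netsh dhcp server add scope 10.10.0.0 255.255.255.0 "NAP-capable scope" "Windows XP SP3 and Vista student PCs"
netsh dhcp server scope 10.10.0.0 add iprange 10.10.0.20 10.10.0.250
netsh dhcp server scope 10.10.0.0 set optionvalue 003 IPADDRESS 10.10.0.1
netsh dhcp server scope 10.10.0.0 set napstate enable
netsh dhcp server scope 10.10.0.0 set state 1

REM Scope 2: the subnet for Apple, Linux and other devices that will never
REM run a NAP client. NAP enforcement is disabled, so they get full access
REM without any health evaluation.
netsh dhcp server add scope 10.20.0.0 255.255.255.0 "Non-NAP-capable scope" "Other student devices"
netsh dhcp server scope 10.20.0.0 add iprange 10.20.0.20 10.20.0.250
netsh dhcp server scope 10.20.0.0 set optionvalue 003 IPADDRESS 10.20.0.1
netsh dhcp server scope 10.20.0.0 set napstate disable
netsh dhcp server scope 10.20.0.0 set state 1

REM NAP must also be switched on server-wide for the per-scope setting to apply.
netsh dhcp server set napstate enable

REM Review the result.
netsh dhcp server show scope
```

    With this split, the NPS network policy that matches "non NAP-capable computers" only ever sees clients from the NAP-capable scope, so it can safely send them to the restricted network where the enable script is published, while the other subnet is never evaluated at all. The limitation Pat points out still stands: because DHCP is not authenticated, the separation is only as good as the VLAN assignment that feeds each scope.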