NAP 802.1x and its remediation deployment

  • Question

  • Hi all,

I have configured NAP 802.1x according to the 802.1x step-by-step guide from Microsoft successfully. But the guide doesn't mention the update remediation deployment.

    So our deployment is like the following:
    Compliant VLAN
    NonCompliant VLAN
We have a WSUS server in our production domain in the Compliant VLAN, and it's used to update all domain servers and workstations.

We configured our Cisco router to act as a DHCP server to assign different IP addresses in the NonCompliant VLAN, so that the workstations put in that VLAN will get a different IP address in a different subnet.

But it doesn't work: when workstations need updates I can see the NAP client agent updating the workstations, but it finally fails.

What we are thinking is to use the same WSUS server or another WSUS server to update all the clients.

Is there any idea about the best practice for deploying the remediation servers in our scenario?

    Thanks.

    Wednesday, August 13, 2008 10:17 AM

Answers

  • Hi,

    In order for noncompliant NAP clients to reach WSUS, you will have to allow access from the noncompliant VLAN. This can be done a few different ways.

1. You can dual-home the WSUS server using two interfaces, one in each VLAN.
    2. You can place the WSUS server on a trunking port with access to both VLANs.
    3. You can use a second WSUS server and place this in the noncompliant VLAN.

    I believe you might also be able to enable inter-VLAN routing on the switch (if it is layer 3) and use an ACL to filter traffic so that only traffic going to/from WSUS is allowed from the noncompliant VLAN. I'm not as familiar with the details of implementing this type of solution though.

    I hope this helps. Let me know if you have questions.

    Thanks,
    -Greg
    Thursday, August 14, 2008 6:33 PM
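The inter-VLAN routing plus ACL option from the answer above, written out as an added example (this is not Greg's configuration or anything from the original thread). It assumes a Cisco IOS layer-3 switch carrying both VLANs as SVIs, with VLAN 10 as the Compliant VLAN (10.10.0.0/24), VLAN 20 as the NonCompliant VLAN (10.20.0.0/24), the WSUS server at 10.10.0.5 listening on TCP 80/443, and a DNS server at 10.10.0.10; every address, VLAN id and name is an assumption chosen for illustration. Because the poster's router is also the DHCP server for the noncompliant subnet, the ACL has to let DHCP through to the switch itself, which is easy to forget when the inbound ACL is applied on the SVI.

```cisco
! Added example, not from the original thread. All addresses, VLAN ids
! and object names below are assumptions:
!   VLAN 10  = Compliant VLAN,    10.10.0.0/24, SVI 10.10.0.1
!   VLAN 20  = NonCompliant VLAN, 10.20.0.0/24, SVI 10.20.0.1
!   10.10.0.5  = WSUS remediation server (assumed TCP 80 and 443)
!   10.10.0.10 = DNS server (clients must resolve the WSUS hostname)
!
ip access-list extended NONCOMPLIANT-REMEDIATION
 remark -- DHCP from quarantined clients to this switch (the DHCP server)
 permit udp any eq bootpc any eq bootps
 remark -- name resolution for the WSUS server name used by the NAP client
 permit udp 10.20.0.0 0.0.0.255 host 10.10.0.10 eq domain
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.10 eq domain
 remark -- WSUS metadata and update content (HTTP/HTTPS) only
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.5 eq www
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.5 eq 443
 remark -- everything else from the quarantine VLAN is dropped and logged,
 remark -- so a blocked remediation attempt shows up in the ACL log
 deny   ip any any log
!
interface Vlan20
 description NAP NonCompliant VLAN (remediation only)
 ip address 10.20.0.1 255.255.255.0
 ip access-group NONCOMPLIANT-REMEDIATION in
!
interface Vlan10
 description NAP Compliant VLAN
 ip address 10.10.0.1 255.255.255.0
```

The ACL is applied inbound on the VLAN 20 SVI, so it filters traffic as it leaves the quarantine VLAN; return traffic from WSUS arrives on the VLAN 10 SVI and is not affected, so no second ACL is required unless the compliant side is filtered as well. After a client is placed in VLAN 20, `show access-lists NONCOMPLIANT-REMEDIATION` shows hit counters per line: counters climbing on the two WSUS permits while the client remediates, or on the final deny if the NAP agent is trying to reach something the ACL does not allow, is the quickest way to tell whether the failure the poster saw is a network-path problem rather than a WSUS one.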