Non NAP capable

  • Question

  • Hello 

    I know how the processes run for the different enforcement methods with a NAP client.

    But what happens with a client which has no NAP client installed?

    When a non NAP-capable client (for example a partner or a guest) plugs the computer into the network, normally the client tries to get a DHCP address from the network. Is this also the case in a NAP scenario? Is the DHCP server the responsible server which redirects that client to the remediation servers?

    Is a DHCP server the only enforcement point for a non NAP-capable client, even if the system has for example Vista installed?

    I would appreciate it if someone could explain to me the connection process for a non NAP-capable client.

    Tks
    Marc
    Wednesday, August 13, 2008 4:01 PM

Answers

  • Hi Marc,

    There are two checks with NAP, one for identity and one for health. To check health, the client must send a statement of health - but this is not needed for the identity check. A client that doesn't provide its health can still be evaluated if you include a policy that doesn't require health (i.e. non NAP-capable).

    Remember that NAP uses RADIUS policies to evaluate client access requests. Before Server 2008 these policies could match client requests that had no health status included. This is still supported in Server 2008, but now NPS can also evaluate health. So, NAP is just adding health as one more thing that can be evaluated. When you create a non NAP-capable policy, all you are doing is saying that the access request that came from the client computer is similar to legacy, with no health status. The network access decision of full access or limited access can be made based on many different factors - only one of which is health. I hope this makes sense.

    -Greg

    Friday, August 15, 2008 6:58 AM
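The policy matching described in the answer above, as an added example that is not part of the original posts and is not NPS code: a simplified Python model in which a request without a statement of health falls through to the non NAP-capable policy. The class names, policy names, the `authenticated` flag, and first-match ordering are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class AccessRequest:
    user: str
    authenticated: bool             # outcome of the identity check (assumed input)
    soh_compliant: Optional[bool]   # None = client sent no statement of health

@dataclass(frozen=True)
class Policy:
    name: str
    matches: Callable[[AccessRequest], bool]
    access: str                     # "full" or "restricted"

def health_state(req: AccessRequest) -> str:
    """Classify the request by the health information it carries."""
    if req.soh_compliant is None:
        return "non-nap-capable"    # legacy-style request, no health status
    return "compliant" if req.soh_compliant else "noncompliant"

def build_policies(non_nap_access: str) -> List[Policy]:
    """Three hypothetical policies; the last one is the administrator's choice."""
    return [
        Policy("NAP compliant", lambda r: health_state(r) == "compliant", "full"),
        Policy("NAP noncompliant", lambda r: health_state(r) == "noncompliant", "restricted"),
        Policy("Non NAP-capable", lambda r: health_state(r) == "non-nap-capable", non_nap_access),
    ]

def evaluate(req: AccessRequest, policies: List[Policy]) -> Tuple[str, Optional[str]]:
    """Return (access decision, matching policy name); the first match wins."""
    if not req.authenticated:
        return ("deny", None)       # identity is checked independently of health
    for policy in policies:
        if policy.matches(req):
            return (policy.access, policy.name)
    return ("deny", None)           # no policy matched the request

if __name__ == "__main__":
    # Constructed sample requests: a guest laptop without a NAP client and
    # a managed PC whose statement of health reports noncompliance.
    guest = AccessRequest("guest-laptop", True, None)
    managed = AccessRequest("managed-pc", True, False)
    for choice in ("restricted", "full"):
        print(choice, evaluate(guest, build_policies(choice)))
    print(evaluate(managed, build_policies("full")))
```

With the non NAP-capable policy set to "full", the guest is never health-checked: the decision rests only on the other conditions of that policy.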

All replies

  • Hi Marc,

    In your network policies, there should be a policy for non NAP-capable computers. You can configure this to grant full access, or you can grant restricted access. If you grant full access here, then guest computers will receive a normal IP address profile. If you restrict access, they will be granted the same access as you typically provide to noncompliant computers. Let me know if you have questions.

    Thanks,
    -Greg
    Thursday, August 14, 2008 6:26 PM
  • Hello Greg

    What I do not understand is the following point. If I treat a non NAP-capable client with the policy setting "grant full access", how can this client then be checked by NAP without a NAP client?

    Tks

    Marc
    Friday, August 15, 2008 4:41 AM