Is NAP Guest access possible?

  • Question

  • Is it possible at all to provide network access for guest PCs that are health-checked and assigned to a dynamic VLAN via the RADIUS response? I am trying to see if there is a MAC-authentication-based approach we can use.

    In "Network Policies" on the NPS, under "Constraints", there is a checkbox titled "Perform machine health check only". Is this related? Could anyone explain what this checkbox does?

    Thanks
    Marc
    Monday, June 4, 2007 2:29 PM

Answers

  • I understand and agree with what you are saying. This may be unavoidable though if you plan to use 802.1X enforcement for health checks. There is already a setting that must be enabled on the authentication tab under PEAP properties. This is "Enable Quarantine Checks". For a guest computer, there is no way to guarantee that this setting is on. I'm thinking it may be better for your scenario to use DHCP NAP to execute the health checks.


    -Greg

    Friday, June 8, 2007 4:55 PM

All replies

  • Hi Marc,


    Guest access can be set up several ways, but keep in mind that in order to report health state, a client computer must be running the NAP Agent service, and have the appropriate enforcement client and SHA turned on.


    Edit: I'm looking into the ability to do health checks when the access request is unauthenticated. This may be restricted by the 802.1X environment.


    -Greg

    Monday, June 4, 2007 10:12 PM
  • The Guest access requirements look okay to me. Do you know if NAP is enabled on Vista and XP SP3 by default? I assume it is.

    With the "Perform machine health check only" mode, I assume you still need either MAC authentication or 802.1X enabled to kick off the RADIUS packet exchange? Or is this not necessary, as you say that it requires no authentication? Do you know of any documentation on this mode so that I can do a little further reading on tweaking the network setup?

    Greg, thanks for all your help it has been very useful.

    Marc
    Tuesday, June 5, 2007 7:52 AM
  • Hi Marc,


    The NAP agent service is not on by default in Vista or XP SP3, and all enforcement clients are disabled. In a guest environment, you will need to ensure these are started and enabled.


    It looks like you have another question on the forum about guest authentication that Chris has answered. He has a lot of expertise in this area, and should be able to answer any of your questions. I don't have a document to point you to yet, but I will run a few tests with my NAP 802.1X demo and a guest VLAN and let you know what happens.


    -Greg

    Tuesday, June 5, 2007 7:52 PM
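The client-side prerequisites Greg describes (NAP Agent service started, the right enforcement client enabled) and the accepted answer's suggestion of DHCP NAP for guests, as an added example that is not part of this thread or any Microsoft documentation. It assumes local administrator rights on a Vista/Windows 7 guest PC with PowerShell, and that the enforcement client IDs reported by "netsh nap client show state" on your build are the standard ones used below (79623 for EAP/802.1X, 79617 for DHCP); check them before relying on the script.

```powershell
# Added example, not from the thread: prepare a guest client for NAP health checks.
# Assumptions: run elevated; enforcement client IDs 79623 (EAP Quarantine
# Enforcement Client) and 79617 (DHCP Quarantine Enforcement Client) match what
# "netsh nap client show state" lists on this machine.
param(
    # Pick the enforcement method the network actually uses.
    [ValidateSet('EAP', 'DHCP')]
    [string]$Enforcement = 'DHCP'
)

$enforcementIds = @{ EAP = 79623; DHCP = 79617 }
$id = $enforcementIds[$Enforcement]

# 1. The NAP Agent service (napagent) is off by default. Make it start
#    automatically so health reporting survives a reboot, then start it now.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. All enforcement clients are disabled by default; enable only the one that
#    matches the network's enforcement method (EAP for 802.1X, DHCP for DHCP NAP).
netsh nap client set enforcement ID = $id ADMIN = "ENABLE"

# 3. Verify: the service should report Running, the chosen enforcement client
#    should show "Admin = Enabled" in the configuration, and "Initialized = Yes"
#    in the state output once the agent has loaded it.
Get-Service -Name napagent | Select-Object Name, Status
netsh nap client show configuration
netsh nap client show state
```

Note that this script only covers what the NAP Agent needs; the "Enable Quarantine Checks" option under PEAP properties that the accepted answer mentions lives in the wired/wireless 802.1X profile on the client, not in the NAP client configuration, so with EAP enforcement it still has to be turned on separately, which is exactly why DHCP enforcement is simpler to guarantee on a machine you do not manage.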
  • Thanks Greg, I look forward to seeing your results.

    Marc
    Wednesday, June 6, 2007 9:16 AM
  • I'm still looking into this. There are some limitations of 802.1X authentication that make guest access a little more tricky than I originally thought.


    There is a method that may work whereby you would provide guest account credentials (i.e. a username and password), then disable the client 802.1X authentication setting to automatically send username, password, and domain. When the client attempts 802.1X authentication, they are prompted for credentials and then they undergo all the usual NAP health checks.


    -Greg

    Thursday, June 7, 2007 5:56 PM
  • I'm not sure whether the option you suggest would be workable. Guest access is something that I envisage the user logging on as they normally would (after they have the NAP client enabled and setup) and the network realizing that this is a guest user because they aren't in Active Directory and somehow providing them with guest access after running a health check. Getting most users to tweak their 802.1X settings just for guest access onto someone else's network would probably be out of their area of understanding and capability.

    I guess what I am hoping NAP can do is perform a machine based authentication and health check when it first appears on the network and then when the user logs in they would still have access to the network based on their machine health check.

    Thank you for your continuing support.
    Marc
    Friday, June 8, 2007 7:48 AM