Requiring a digital certificate to receive a DHCP IP (NAP/NPS)

  • Question

  • Good afternoon, friends;
    I'm doing a project, and for this project I need to block any machine that does not have a certificate from my internal CA from receiving an IP from my DHCP server.
    With this in mind, I want to use NPS with NAP to create the rules and enforce them on my corporate network.
    I have already installed the Enterprise CA and created the DHCP scope. How do I set up NAP and NPS to enforce this?

    Marcus
    Tuesday, August 7, 2012 6:27 PM

Answers

  • Hi Marcus,

    This is not possible with NAP unless you use IPsec enforcement or 802.1X enforcement. In an IPsec enforcement scenario, the certificate you are referring to is called an exemption certificate. You will also need to add the system health authentication EKU to the certificate. The DHCP server would need to be placed in the secure zone and you would need to deploy IPsec policies.

    http://technet.microsoft.com/en-us/library/dd125391(WS.10).aspx

    To do this with 802.1X authentication you would need to enforce certificate authentication with 802.1X and place the DHCP server on a VLAN that is unreachable except for authenticated computers.

    -Greg

    Tuesday, August 7, 2012 7:42 PM
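Greg's IPsec enforcement answer hinges on the client holding a certificate from the internal CA that carries the System Health Authentication EKU. The script below is an added example, not code from the original thread or from Microsoft, that checks the local machine store for such a certificate before you roll out the IPsec policies. The issuer name is a placeholder you must replace with your own CA, and the EKU OID 1.3.6.1.4.1.311.47.1.1 is quoted from memory as an assumption: confirm it against the EKU listed on your CA's health/exemption certificate template before relying on it.

```powershell
# Added example (not from the original thread): report whether this machine holds a
# valid certificate, issued by the internal enterprise CA, that carries the
# "System Health Authentication" EKU required for NAP IPsec exemption/health certs.
#
# Assumptions (replace/verify for your environment):
#   - $IssuerName is a placeholder for your enterprise CA's issuer DN.
#   - $HealthEkuOid is the assumed OID for System Health Authentication; verify it
#     on the certificate template before trusting this check.
param(
    [string]$IssuerName   = 'CN=CONTOSO-Enterprise-CA, DC=contoso, DC=local',  # placeholder
    [string]$HealthEkuOid = '1.3.6.1.4.1.311.47.1.1'                          # assumed OID
)

function Test-HealthCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Reject expired or not-yet-valid certificates up front.
    $now = Get-Date
    if ($Certificate.NotBefore -gt $now -or $Certificate.NotAfter -lt $now) { return $false }

    # The exemption certificate must come from our own CA, not from any trusted root.
    if ($Certificate.Issuer -ne $IssuerName) { return $false }

    # EnhancedKeyUsageList exposes each EKU as a FriendlyName/ObjectId pair;
    # match on either so a differently localised friendly name does not hide a hit.
    $hasHealthEku = $Certificate.EnhancedKeyUsageList |
        Where-Object {
            $_.ObjectId -eq $HealthEkuOid -or
            $_.FriendlyName -eq 'System Health Authentication'
        }
    if (-not $hasHealthEku) { return $false }

    # IPsec will also reject a certificate that does not chain to a trusted root on
    # this host (or whose status cannot be checked), so build the chain with
    # online revocation checking and report the result.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainValid = $chain.Build($Certificate)
    $chain.Reset()
    return $chainValid
}

# Machine certificates used for IPsec computer authentication live in LocalMachine\My.
$healthCerts = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { Test-HealthCertificate -Certificate $_ }

if ($healthCerts) {
    $healthCerts | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
    exit 0
}
else {
    Write-Warning ("No valid certificate from '{0}' with the System Health Authentication " +
                   "EKU was found in Cert:\LocalMachine\My; this host would fall outside " +
                   "the secure zone once IPsec enforcement is applied.") -f $IssuerName
    exit 1
}
```

Run it from an elevated PowerShell prompt on a client (and on the DHCP server itself, since Greg places the DHCP server in the secure zone) before you switch the IPsec connection security rules to require authentication; a non-zero exit code tells you which hosts would lose DHCP the moment enforcement goes live.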

All replies

  • Hi Marcus,

    Please feel free to let us know if the information was helpful to you.

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact  tnmff@microsoft.com.

    Thursday, August 9, 2012 2:01 AM