NAP and dynamic VLAN

Question
-
Server 2008 Enterprise edition functioning as domain controller, DHCP, DNS, NAP
DHCP server has 4 scopes
1) 192.168.1.0/24
2) 192.168.2.0/24
3) 192.168.3.0/24
4) 192.168.4.0/24
Cisco Catalyst 3750 switch with the following VLANs
VLAN1 Sales
VLAN2 Management
VLAN3 IT
VLAN4 Non-compliant
What I'm trying to implement is: when a Sales user logs in, if the PC is compliant, the DHCP server will assign an IP address from the range 192.168.1.0/24; if the PC is not compliant, he will get an IP address from 192.168.4.0/24.
When an IT user connects, if he is compliant he will get an IP address from 192.168.3.0/24. Is this possible? If so, how can I implement it?
Friday, February 27, 2009 2:30 PM
Answers
-
That's somewhat similar to what we wanted to solve with our own VLAN switching solution - special case rules for certain people (or rather computers), as well as remediation zones and non-compatible zones.
We used VLAN tagging on the NPS server, sending RADIUS attributes when the computers are trapped by certain rules.
Such rules may include "computer member of group" as well as "health status compliant / non-compliant / non-compatible".
But we're not using NAP via DHCP since it won't maintain our needs for security - but you may not have such an issue.
A short description and insight into our choices is in this thread, where we tried to solve certain issues:
http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/7713b391-d413-4141-9695-4bcd2d55289b
But in more general terms we followed the guidelines and design choices of this document:
Step-by-Step Guide: Demonstrate NAP 802.1X Enforcement in a Test Lab
http://www.microsoft.com/downloads/details.aspx?FamilyID=8a0925ee-ee06-4dfb-bba2-07605eff0608&displaylang=en
And yes, we've assigned certain IT staff to their own VLAN assignment rules - and sales to others, but they all share a common Remediation Zone. Everyone else is either rejected (from WLAN) or getting a guest zone for internet access.
Sincerely, Jon E. Carlsen
- Proposed as answer by Jon E. Carlsen Wednesday, March 4, 2009 11:40 PM
- Marked as answer by Greg Lindsay (Microsoft employee) Saturday, March 7, 2009 5:15 AM
Wednesday, March 4, 2009 11:23 PM -
Hi,
I've accomplished such a thing earlier with NAP 802.1x, like the post from Jon E. Carlsen, but with AD user group membership.
The way I've done it:
Make sure that all the VLANs are present on the switch(es). After that, make a NAP 802.1x Network Policy for each VLAN:
NAP 802.1X Noncompliant computers, for assigning the remediation VLAN: assign VLAN 4
NAP 802.1x Compliant Sales: assign VLAN 1
NAP 802.1x Compliant Management: assign VLAN 2
NAP 802.1x Compliant IT: assign VLAN 3
If you use Active Directory, make a Global Group for each compliant VLAN:
Vlan-Sales, Vlan-Management, Vlan-IT.
Then make the users members of the appropriate VLAN groups.
After that, add to each compliant NAP 802.1x Network Policy a rule that the policy must check AD user membership:
VLAN 1: user must be a member of the Global Group Vlan-Sales.
VLAN 2: user must be a member of the Global Group Vlan-Management.
etc.
So when a user logs in, NAP first checks the status of the client computer, and if compliant, NAP looks at which AD VLAN group the user belongs to, and places the computer in that VLAN.
To assign an IP address throughout all the VLANs, ALSO follow the post of Greg Lindsay.
So that's the way I found out.
Have fun with it.
- Marked as answer by Greg Lindsay (Microsoft employee) Saturday, March 7, 2009 5:15 AM
Thursday, March 5, 2009 4:06 AM
All replies
-
Hi,
The GIADDR (gateway interface address) is added by the switch to DHCP requests that come from a particular VLAN. The server then knows to create a DHCP lease and send it back to the right VLAN, based on the GIADDR.
Here is an example that I think will work for the configuration you have provided. I don't have a layer 3 switch to test this, it is extrapolated from configurations I've seen. Let me know if you have problems.
-Greg
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.0.1
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip helper-address 192.168.0.1
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
ip helper-address 192.168.0.1
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
ip helper-address 192.168.0.1
!
no ip classless
ip route 192.168.1.0 255.255.255.0 Vlan1
ip route 192.168.2.0 255.255.255.0 Vlan2
ip route 192.168.3.0 255.255.255.0 Vlan3
ip route 192.168.4.0 255.255.255.0 Vlan4
ip http server
!
- Proposed as answer by Greg Lindsay (Microsoft employee) Wednesday, March 4, 2009 9:06 PM
Wednesday, March 4, 2009 9:04 PM -
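Greg's post above explains that the DHCP server picks a scope from the GIADDR the relay (here, the 3750's SVI) stamps into the request. The following Python script is an added example, not code from the thread: it constructs a minimal DHCPDISCOVER, reads the giaddr field at its fixed offset, and selects the scope whose subnet contains it, using the four scopes from the question and the 192.168.N.1 SVI addresses from Greg's sample config. The frames are constructed samples, not captures.

```python
import ipaddress
import struct

# The four scopes from the original question. The relay addresses used below
# follow Greg's sample config, where each SVI is 192.168.N.1 (assumption).
SCOPES = [ipaddress.ip_network(f"192.168.{n}.0/24") for n in (1, 2, 3, 4)]

# Fixed BOOTP header layout (RFC 2131): giaddr sits at byte offset 24.
GIADDR_OFFSET = 24


def build_discover(xid, mac, giaddr="0.0.0.0"):
    """Construct a minimal DHCPDISCOVER (a constructed sample, not a capture).

    A client sends giaddr = 0.0.0.0; a relay such as the switch SVI overwrites
    it with its own interface address and increments the hops counter.
    """
    relayed = giaddr != "0.0.0.0"
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1 if relayed else 0,            # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                          # xid, secs, flags (broadcast bit set)
        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,   # ciaddr, yiaddr, siaddr
        ipaddress.ip_address(giaddr).packed,     # giaddr
        mac,                                     # chaddr (struct zero-pads to 16 bytes)
        b"", b"",                                # sname, file (zero-filled by struct)
    )
    options = b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"  # cookie, msg type, end
    return header + options


def relay_address(frame):
    """Return the relay's giaddr, or None when the client is on-link."""
    giaddr = ipaddress.ip_address(frame[GIADDR_OFFSET:GIADDR_OFFSET + 4])
    return None if giaddr == ipaddress.ip_address("0.0.0.0") else giaddr


def select_scope(frame, scopes=SCOPES):
    """Pick the scope whose subnet contains giaddr, as a DHCP server does."""
    giaddr = relay_address(frame)
    if giaddr is None:
        return None  # on-link request: the server uses its receiving interface's scope
    for scope in scopes:
        if giaddr in scope:
            return scope
    return None  # relayed from a subnet with no scope: the server has nothing to offer


if __name__ == "__main__":
    mac = b"\x00\x11\x22\x33\x44\x55"  # constructed client MAC
    for relay in ("192.168.1.1", "192.168.4.1", "10.0.0.1", "0.0.0.0"):
        frame = build_discover(0x1234, mac, relay)
        print(f"giaddr={relay:<12} scope={select_scope(frame)}")
```

The last two cases matter operationally: a request relayed from a VLAN with no matching scope gets no lease, which is how a missing `ip helper-address` or a missing scope shows up in practice, and an on-link request (giaddr 0.0.0.0) is served from the scope of the interface the server received it on.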
Hello...
The steps I have done are as follows:
1. create vlans on switch
2. make all the vlans a NAP 802.1x Network Policy
Authentication Method: EAP
Select User Group
VLAN Attributes :
Tunnel-Type = VLAN
Tunnel-Medium-Type = 802...
Tunnel-Pvt-Group-id= 3
Vendor Specific Attribute: Cisco AV-Pair (Value 9)
3. now created additional network policy that the policy must check AD User Membership
in specify conditions i selected user group and all other settings default
Is there anything additional I have to do?
Wednesday, March 18, 2009 5:19 AM -
If you look at the "Step by step" document it also shows that you must configure the client-side environment. (You've performed everything up to page 27?).
(Note, I'm not sure what steps you've performed on the switch - but you need to configure it to use Radius and 802.1x of course)
You *can* use a manually configured client, but in my previous tests I found I got more consistent results (during boot of clients) by configuring the client using Group Policy Objects.
Create a Wired Policy using "Microsoft: Protected EAP" and customize it to your needs.
Here's one we are using;
Security Settings
* Enable use of IEEE 802.1X authentication for network access: Enabled
* Enforce use of IEEE 802.1X authentication for network access: Disabled
IEEE 802.1X Settings
* Cache user information for subsequent connections to this network: Disabled
* Computer Authentication: Computer only
* EAPOL Start Message: Transmit per IEEE 802.1X
* Maximum Authentication Failures: 2
* Maximum EAPOL-Start Messages Sent: 3
* Held Period (seconds): 1
* Start Period (seconds): 5
* Authentication Period (seconds): 18
You need to set the correct certificate settings, which means you should select "Smart card or other certificate" as auth method within the "Protected EAP" properties.
Enable "Fast Reconnect" and "Quarantine Checks" in the same properties as well.
(PKI infrastructure, automatic user/computer certificate deployment is a "must", this goes without a further explanation).
For testing purposes you can turn off "validate server certificate", but for production I recommend you keep it on.
The same goes for the Smartcard configuration.
Then add the required "System Services" startup mode;
* Network Access Protection = Automatic
* Wired Autoconfig = Automatic
* Background Intelligent Transfer Service = Automatic
(Not 100% sure that BITS need to be kickstarted like this, but we had issues in our lab test without it).
Lastly add the "Network Access Protection" configuration to the policy;
* EAP Quarantine Enforcement Client
After the policy is applied you might need to reboot; then, to check the client-side settings, do the following:
netsh nap client>show grouppolicy
A final recommendation is to enable the NPS Accounting logs, all the options - and start reading. :-)
Sincerely, Jon E. Carlsen
- Edited by Jon E. Carlsen Wednesday, March 18, 2009 5:53 AM Audit->Accounting
Wednesday, March 18, 2009 5:51 AM -
In the previous post, Jon mentioned the configuration of the NAP client. I think that you (maldiveboy) meant the further configuration of the NAP VLAN part?
what you've done:
1. create vlans on switch (This is OK)
2. make all the vlans a NAP 802.1x Network Policy (This is OK)
Authentication Method: EAP
Select User Group
VLAN Attributes :
Tunnel-Type = VLAN
Tunnel-Medium-Type = 802...
Tunnel-Pvt-Group-id= 3
Vendor Specific Attribute: Cisco AV-Pair (Value 9)
3. now created additional network policy that the policy must check AD User Membership
in specify conditions i selected user group and all other settings default
The last step is not OK. The AD User Membership check must be added to each Network Policy (except the one for noncompliant computers).
So regarding the first post you must have the following:
1. 4 vlans on the switch (including the noncompliant vlan)
2. 4 Network Policies (3 for the compliant VLANs (IT, Sales, Management) and 1 for noncompliant computers)
3. Created 3 AD Global Groups for the compliant VLANs (IT, Sales, Management), and added the appropriate users to the VLAN Global Groups.
4. Added the User Group membership condition to the 3 compliant VLAN Network Policies (IT, Sales, Management), and specified in the user check the appropriate AD Global Group of the VLAN.
For the noncompliant VLAN you don't have to add a user check, because the computer is already determined noncompliant.
Wednesday, March 18, 2009 5:21 PM
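The policy order described in the second answer and restated in the summary just above (noncompliant computers land in VLAN 4 with no group check; compliant computers get the VLAN of their AD group; anything else is rejected) can be checked as a small model. The Python below is an added example, not code from the thread or from NPS: it walks the four policies in that order and encodes the resulting RADIUS tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID from RFC 2868, with the VLAN and IEEE-802 values from RFC 3580) the way the asker's policy settings list them, then decodes them as a switch would. The group names are the ones the second answer uses; the health state and group sets are constructed inputs.

```python
import struct

# RADIUS tunnel attributes (RFC 2868) an NPS network policy returns to the
# switch for dynamic VLAN assignment, with the values the thread configures:
# Tunnel-Type = VLAN (13) and Tunnel-Medium-Type = IEEE-802 (6) per RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# VLAN numbers from the question and the AD group names from the second answer.
REMEDIATION_VLAN = "4"
GROUP_TO_VLAN = {"Vlan-Sales": "1", "Vlan-Management": "2", "Vlan-IT": "3"}


def evaluate_policies(compliant, user_groups):
    """Walk the four network policies in the order the thread describes.

    Noncompliant computers match the remediation policy first, with no group
    check. Compliant computers match the first compliant policy whose user
    group condition holds. No match means NPS rejects the request (None).
    """
    if not compliant:
        return REMEDIATION_VLAN
    for group, vlan in GROUP_TO_VLAN.items():
        if group in user_groups:
            return vlan
    return None


def _tunnel_attribute(attr_type, payload, tag=0):
    """Encode one tagged tunnel attribute: Type, Length, Tag (0 = untagged), payload."""
    return struct.pack("!BBB", attr_type, 3 + len(payload), tag) + payload


def vlan_attributes(vlan_id):
    """Build the three attributes an accepting policy sends for a VLAN."""
    return (
        _tunnel_attribute(TUNNEL_TYPE, VLAN.to_bytes(3, "big"))
        + _tunnel_attribute(TUNNEL_MEDIUM_TYPE, IEEE_802.to_bytes(3, "big"))
        + _tunnel_attribute(TUNNEL_PRIVATE_GROUP_ID, vlan_id.encode())
    )


def decode_attributes(blob):
    """Parse the attributes back, as a switch would, into {type: value}."""
    decoded, offset = {}, 0
    while offset < len(blob):
        attr_type, length = blob[offset], blob[offset + 1]
        payload = blob[offset + 3:offset + length]  # skip the tag byte
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            decoded[attr_type] = payload.decode()
        else:
            decoded[attr_type] = int.from_bytes(payload, "big")
        offset += length
    return decoded


def access_accept_for(compliant, user_groups):
    """Full decision: None for Access-Reject, else the encoded VLAN attributes."""
    vlan = evaluate_policies(compliant, user_groups)
    return None if vlan is None else vlan_attributes(vlan)


if __name__ == "__main__":
    # Constructed cases: a compliant IT user, a noncompliant IT user, and a
    # compliant user in no VLAN group.
    for compliant, groups in ((True, {"Vlan-IT"}), (False, {"Vlan-IT"}), (True, set())):
        reply = access_accept_for(compliant, groups)
        outcome = "Access-Reject" if reply is None else decode_attributes(reply)
        print(f"compliant={compliant} groups={sorted(groups)} -> {outcome}")
```

The two things the model makes visible are the ones the summary stresses: the remediation policy must be matched before any group condition is consulted, so a noncompliant IT user still lands in VLAN 4, and a compliant user who is in none of the three groups matches no policy and is rejected rather than silently dropped into a default VLAN.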