Configuring NAP enforcement for IPsec and 802.1X

NAP configuration for IPsec and 802.1X means that clients interacting through those methods are subject to the NPS policies and health validation. Configuration of both IPsec and 802.1X NAP enforcement policies is accomplished within the Network Policy Server management console, under the NPS (Local) details pane, as shown in Figure 3-18.

FIGURE 3-18 Configuring enforcement policies in the Network Policy Server MMC snap-in.


IPsec policy enforcement
Within the Standard Configuration section, selecting Configure NAP invokes the Configure NAP Wizard.
In the first dialog box of this wizard, shown in Figure 3-19, you choose IPsec With Health Registration Authority (HRA) from the drop-down.

FIGURE 3-19 Configuring IPsec NAP enforcement.
The Specify NAP Enforcement Servers Running HRA dialog box is next (see Figure 3-20).

FIGURE 3-20 Specifying the server for HRA.
If you need a RADIUS client, you can specify it in this dialog box by clicking Add, which reveals the New RADIUS Client dialog box shown in Figure 3-21.

FIGURE 3-21 Adding a new RADIUS client.


However, if the local server is also an HRA, adding a new client isn’t necessary, and you can just click Next in the Specify NAP Enforcement Servers Running HRA dialog box (refer to Figure 3-20). Doing so opens the Configure Machine Groups dialog box, as shown in Figure 3-22.

FIGURE 3-22 The Configure Machine Groups dialog box is optional.
If the policy will apply only to certain client computers, they can be added here through an Active Directory group; otherwise, the policy will apply to all users. Clicking Next reveals the Define NAP Health Policy dialog box, shown in Figure 3-23.

FIGURE 3-23 Configuring the SHVs to apply for this policy.
In this dialog box, you choose the Security Health Validators (SHVs) that you want to apply for this policy and whether you want computers affected by the policy to be automatically remediated. Clicking Next reveals a confirmation dialog box in which you click Finish.


802.1X policy enforcement
802.1X policy enforcement comes in two varieties: wired and wireless. In a wired scenario, the access requests come from switches; in a wireless scenario, the access requests come from wireless access points. Each policy is configured separately.
The policies begin their configuration in the same Configure NAP Wizard seen earlier in Figure 3-19, except this time, rather than select IPsec, you select IEEE 802.1X (Wired) or IEEE 802.1X (Wireless), depending on the type of access devices used.
If you choose the wired scenario, the next dialog box you’ll see is the Specify 802.1X Authenticating Switches dialog box shown in Figure 3-24.

FIGURE 3-24 Specifying 802.1X switches for a wired deployment.
If you choose the wireless scenario, you use the dialog box in Figure 3-25 to choose authenticating switches or access points.

FIGURE 3-25 Choosing the authenticating switches or access points in a wireless deployment of 802.1X.
Unlike an IPsec deployment, RADIUS clients need to be configured for the 802.1X scenario but can be added later. Refer to Figure 3-21 for an example of the New RADIUS Client dialog box.
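As an added example that is not part of the book, the RADIUS clients that the New RADIUS Client dialog box (Figure 3-21) creates interactively can also be registered from an elevated PowerShell prompt on the NPS server through the netsh nps context; the switch names and addresses are constructed placeholders, and the netsh parameter names used here are an assumption based on the netsh nps add client syntax.

```powershell
# Added example (not from the book): register 802.1X authenticating switches as
# NAP-capable RADIUS clients on the local NPS server. Names and addresses are
# constructed placeholders; replace them with the real access devices.
$switches = @(
    @{ Name = "sw-floor1"; Address = "10.10.1.2" },
    @{ Name = "sw-floor2"; Address = "10.10.2.2" }
)

# The same shared secret is configured on each switch; prompt for it rather than
# leaving it in the script.
$secret = Read-Host -Prompt "RADIUS shared secret for the switches"

foreach ($sw in $switches) {
    # napcompatible=yes corresponds to the NAP-capable setting in the dialog box;
    # vendor selects the RADIUS Standard attribute dictionary (assumed syntax).
    netsh nps add client name="$($sw.Name)" address="$($sw.Address)" state="enable" `
        sharedsecret="$secret" requireauthattrib="no" napcompatible="yes" `
        vendor="RADIUS Standard" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Failed to add RADIUS client $($sw.Name) (exit code $LASTEXITCODE)"
    }
}

# Display the configured RADIUS clients so the additions can be confirmed.
netsh nps show client
```

The shared secret is still passed to netsh in clear text on the command line, so run this on the console rather than through a logged remote session.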
With 802.1X, you can specify user groups in addition to machine groups; this is done in the Configure User Groups and Machine Groups dialog box (see Figure 3-26).

FIGURE 3-26 Configuring user or machine groups as part of an 802.1X deployment.


Next, you configure an authentication method, as shown in Figure 3-27.

FIGURE 3-27 Configuring an authentication method as part of an 802.1X deployment.
You can configure traffic controls through RADIUS attributes or VLANs in the next dialog box (see Figure 3-28).

FIGURE 3-28 Configuring traffic controls as part of an 802.1X deployment.
Finally, you configure the health policy, including the SHVs and the remediation policy (see Figure 3-29). In this dialog box you can also configure how clients that cannot run NAP are handled.

FIGURE 3-29 Defining the SHVs to be applied to this policy along with how to handle computers that aren’t NAP-capable.