Understanding network protection solutions

NAP ensures that computers connecting to the network through Remote Access have the required set of policies and are “healthy.” Computers not found to be healthy have their communications limited. Designing a network protection solution involves deploying NAP enforcement in one or more of several key areas, including DHCP, IPsec, VPN, and 802.1X. This section examines considerations for the design of a network protection solution.


DHCP
Integrating NAP with DHCP means that enforcement happens when a client attempts to obtain or renew a DHCP lease. This works only for IPv4 clients and only at the moment they interact with the DHCP server to request an initial lease or to renew one. In other words, clients configured with static IP addresses never interact with the DHCP server and, as a result, this enforcement method is ineffective for them.
Three components are involved in a NAP deployment for DHCP:
- A DHCP NAP enforcement server
- The NAP DHCP enforcement client with NAP-capable clients
- A Network Policy Server (NPS)
NAP is enforced at the DHCP scope level and, as such, is configured in the DHCP management console. When the NPS that holds the health policies isn’t running on the DHCP server itself, you need to install the Network Policy Server (NPS) role on the DHCP server and configure that NPS to act as a Remote Authentication Dial-In User Service (RADIUS) proxy that forwards connection requests to the NPS server holding the health policies.
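The scope-level configuration described above can also be done from PowerShell on the DHCP server. The following is an added example, not code from the original text: it enables NAP on one scope and shapes the restricted network by assigning DHCP options to the built-in NAP user class that non-compliant clients are placed in. It assumes Windows Server 2012 or 2012 R2 with the DhcpServer module; the scope ID, addresses, domain name and NAP profile name are constructed placeholders.

```powershell
# Added example (not from the original text): enable NAP enforcement on a
# DHCP scope and give restricted (non-compliant) clients a limited set of options.
# Assumptions: Windows Server 2012/2012 R2 with the DhcpServer PowerShell module.
# Scope ID, addresses, domain and profile name below are constructed placeholders.
#Requires -Modules DhcpServer

$ScopeId          = '10.10.20.0'                  # constructed example scope
$NapProfileName   = 'NAP-DHCP-Enforcement'        # name of the NPS network policy (assumed)
$RestrictedDns    = '10.10.20.5'                  # DNS server on the remediation network (constructed)
$RestrictedDomain = 'restricted.corp.example'     # constructed DNS suffix for restricted clients

# 1. Turn NAP on for the scope. Enforcement happens only when a lease is
#    granted or renewed, so statically addressed hosts never reach this check.
Set-DhcpServerv4Scope -ScopeId $ScopeId -NapEnable $true -NapProfile $NapProfileName

# 2. Non-compliant clients are served from the built-in user class
#    "Default Network Access Protection Class". Option values bound to that
#    class override the scope defaults, which is how the restricted network
#    is shaped (here: a remediation DNS server and a separate DNS suffix).
$NapClass = 'Default Network Access Protection Class'
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $NapClass -OptionId 6  -Value $RestrictedDns
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $NapClass -OptionId 15 -Value $RestrictedDomain

# 3. Verification: report the scope's NAP state and how many options are
#    bound to the restricted class, so a reviewer can confirm enforcement
#    is actually switched on for this scope.
function Test-NapScope {
    param([Parameter(Mandatory)][string]$ScopeId)
    $scope = Get-DhcpServerv4Scope -ScopeId $ScopeId
    [pscustomobject]@{
        ScopeId           = $scope.ScopeId
        NapEnabled        = $scope.NapEnable
        NapProfile        = $scope.NapProfile
        RestrictedOptions = @(Get-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $NapClass).Count
    }
}

Test-NapScope -ScopeId $ScopeId
```

Run this on the DHCP server itself (or add `-ComputerName` to the DhcpServer cmdlets for a remote server). Because the restriction is delivered through DHCP options, it only limits what a cooperative client does with its lease; a host that ignores the options or uses a static address is outside this enforcement method, which is why the text calls DHCP enforcement ineffective for statically addressed clients.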


IPsec
IPsec enforcement can prevent non-compliant computers from communicating with compliant computers. With IPsec, you can set enforcement requirements for clients down to the individual IP address and/or port (TCP/UDP). This feature, coupled with the ability to restrict network communications to only compliant clients, makes IPsec enforcement the most robust NAP enforcement method available.
NAP with IPsec requires the following components:
- A health certificate server
- A Health Registration Authority (HRA)
- A Network Policy Server (NPS)
- The NAP IPsec enforcement client with NAP-capable clients
NAP with IPsec requires NPS to be installed on the HRA. The NPS instance on the HRA is then configured as a RADIUS proxy that forwards connection requests to the NPS server holding the health policies.


VPN
VPN enforcement means that health policies are enforced when a client connects to the VPN. This requires the Remote Access role, and the NPS must be configured as the primary RADIUS server. The VPN servers also must be configured as RADIUS clients.
VPN enforcement has two components:
- A VPN enforcement server
- NAP-capable clients running the NAP Remote Access and Extensible Authentication Protocol (EAP) enforcement clients
A special Allow Full Network Access For A Limited Time option enables clients to connect to the network for a certain time period after which they are disconnected, regardless of compliance level. On reconnection, non-compliant computers are restricted.
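The DHCP, IPsec and VPN sections above all come down to the same RADIUS wiring: the DHCP server and the HRA run a local NPS that proxies to the central NPS, and the VPN servers are RADIUS clients of that central NPS. The following added example (not the original text's code) scripts that wiring for both roles. NPS has no PowerShell module, so it uses `netsh nps`; the Windows feature names are the Server 2012/2012 R2 ones; the host names, addresses and shared secret are constructed placeholders, and the parameter names passed to `netsh nps` are as I understand that context's syntax.

```powershell
# Added example (not from the original text): set up the RADIUS relationships
# that DHCP, IPsec (HRA) and VPN enforcement depend on.
# Assumptions: Windows Server 2012/2012 R2; feature names NPAS-Policy-Server,
# NPAS-Health and DirectAccess-VPN; netsh nps parameter names as documented.
# Addresses, names and the shared secret are constructed placeholders.

$PolicyServer = '10.10.0.10'                    # central NPS holding the health policies (constructed)
$SharedSecret = 'REPLACE-WITH-LONG-RANDOM-SECRET' # placeholder: use a distinct, long secret per RADIUS client
$GroupName    = 'HealthPolicyServers'           # remote RADIUS server group name (no spaces, to keep netsh quoting simple)

# ---------- On a DHCP server or HRA that will act as a RADIUS proxy ----------
function Install-NapProxyRole {
    param([switch]$Hra)   # -Hra adds the Health Registration Authority for IPsec enforcement
    Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools | Out-Null
    if ($Hra) { Install-WindowsFeature -Name NPAS-Health -IncludeManagementTools | Out-Null }

    # A remote RADIUS server group pointing at the central NPS; a connection
    # request policy on this proxy then forwards to that group instead of
    # evaluating health policy locally.
    netsh nps add remoteservergroup name=$GroupName | Out-Null
    netsh nps add remoteserver remoteservergroup=$GroupName address=$PolicyServer authsharedsecret=$SharedSecret | Out-Null
}

# ---------- On the central NPS (primary RADIUS server for VPN enforcement) ----------
function Register-NapRadiusClients {
    param([hashtable]$Clients)   # name -> IP address
    foreach ($name in $Clients.Keys) {
        # Every box that forwards requests (VPN servers, DHCP servers, HRAs)
        # must be a registered RADIUS client; napcompatible marks it as NAP-capable.
        netsh nps add client name=$name address=$($Clients[$name]) state=enable sharedsecret=$SharedSecret napcompatible=yes | Out-Null
    }
    netsh nps show client
}

# ---------- On a VPN server ----------
function Install-NapVpnRole {
    # Remote Access role with VPN; this server authenticates against the
    # central NPS as a RADIUS client.
    Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN -IncludeManagementTools | Out-Null
}

# Example use (constructed inventory):
# Install-NapProxyRole            # on DHCP1
# Install-NapProxyRole -Hra       # on HRA1
# Install-NapVpnRole              # on VPN1 and VPN2
# Register-NapRadiusClients -Clients @{ 'VPN1'='10.10.0.21'; 'VPN2'='10.10.0.22'; 'HRA1'='10.10.0.31'; 'DHCP1'='10.10.0.41' }
```

The shared secret is what authenticates each RADIUS client to NPS, so the placeholder should be replaced with a distinct long random value per client rather than one value reused everywhere as the example does for brevity. The connection request policy that actually forwards requests to the remote server group, and the network policies that express the health requirements, are still created in the NPS console; this script only builds the RADIUS topology the text describes.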


802.1X
802.1X compliance enforcement enables the NPS to work with the 802.1X network component to keep non-compliant clients in a restricted network.
NAP for 802.1X uses the following components:
- 802.1X networking components such as wireless access points or switches
- NAP-capable clients with the NAP service and EAP enforcement client
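Each enforcement method in this section has a matching enforcement client on the NAP-capable computer (DHCP, IPsec, Remote Access and EAP), and VPN enforcement needs two of them. The following added example, which is not part of the original text, enables the right client for a chosen method from PowerShell and verifies that the NAP Agent service is running. It assumes the `netsh nap client` context and the enforcement-client IDs as documented for it (79617 DHCP, 79618 Remote Access, 79619 IPsec, 79623 EAP); confirm them with `netsh nap client show config` on your build before relying on them.

```powershell
# Added example (not from the original text): enable the NAP enforcement
# client that matches the chosen enforcement method and verify the agent.
# Assumptions: a NAP-capable Windows client; enforcement-client IDs as
# documented for 'netsh nap client' (verify with 'netsh nap client show config').

$EnforcementClients = @{
    DHCP  = 79617   # DHCP Quarantine Enforcement Client
    RAS   = 79618   # Remote Access Quarantine Enforcement Client (VPN)
    IPsec = 79619   # IPsec Relying Party
    EAP   = 79623   # EAP Quarantine Enforcement Client (VPN and 802.1X)
}

function Enable-NapEnforcementClient {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DHCP', 'RAS', 'IPsec', 'EAP')]
        [string]$Method
    )
    $id = $EnforcementClients[$Method]
    netsh nap client set enforcement ID=$id ADMIN=ENABLE | Out-Null

    # No enforcement client does anything unless the NAP Agent service
    # (napagent) is running; make it automatic so it survives reboots.
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent
}

function Get-NapClientState {
    # Returns the agent's own view of enforcement state so an operator can
    # confirm which clients are enabled and whether the host is restricted.
    netsh nap client show state
}

# Method-to-client mapping taken from the section above:
#   DHCP   -> DHCP
#   IPsec  -> IPsec
#   VPN    -> RAS and EAP
#   802.1X -> EAP
$Selected = 'VPN'   # constructed choice for this example
switch ($Selected) {
    'DHCP'   { Enable-NapEnforcementClient -Method DHCP }
    'IPsec'  { Enable-NapEnforcementClient -Method IPsec }
    'VPN'    { Enable-NapEnforcementClient -Method RAS; Enable-NapEnforcementClient -Method EAP }
    '802.1X' { Enable-NapEnforcementClient -Method EAP }
}
Get-NapClientState
```

In production these settings are normally pushed by Group Policy (Computer Configuration, Windows Settings, Security Settings, Network Access Protection) rather than set per host, but the script is useful on a test client to confirm that the enforcement client and the agent service are both on before troubleshooting the server side.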