Checklist: Configure NAP Enforcement for 802.1X Wireless

Applies To: Windows Server 2008

Configure NAP Enforcement for 802.1X Wireless

This checklist provides the steps required to deploy 802.1X wireless access points with Network Policy Server (NPS) and Network Access Protection (NAP).

Task Reference

Install and configure 802.1X wireless access points on your network.

RADIUS Server for 802.1X Wireless or Wired Connections and your hardware documentation.

Determine whether you want to use PEAP-MS-CHAP v2 or PEAP-TLS as the authentication method.

RADIUS Server for 802.1X Wireless or Wired Connections; Certificate Requirements for PEAP and EAP; PEAP Overview; and your hardware documentation.

Autoenroll a server certificate to NPS servers or, if you are using PEAP-MS-CHAP v2, optionally purchase a server certificate rather than deploying your own CA.

Deploy a CA and NPS Server Certificate and Obtaining and Installing a VeriSign WLAN Server Certificate for PEAP-MS-CHAP v2 Wireless Authentication (

If you are using PEAP-TLS without smart cards, autoenroll user certificates, computer certificates, or both user and computer certificates, to domain member client computers.

Deploy Client Computer Certificates and Deploy User Certificates

Configure 802.1X wireless clients using Group Policy.

Configure 802.1X Wireless Clients Running Windows Vista with Group Policy

Create a user group in Active Directory® Domain Services (AD DS) that contains the users who are allowed to access the network through the wireless access points.

Create a Group for a Network Policy

On NAP-capable client computers, enable the Network Access Protection service and change the startup type to automatic.

Enable the Network Access Protection Service on Clients

On NAP-capable client computers, enable the EAP enforcement client.

Enable and Disable NAP Enforcement Clients

If you are using the Windows Security Health Validator (WSHV) in your NAP deployment, enable Security Center on NAP-capable clients using Group Policy.

Enable Security Center in Group Policy

In NPS, configure 802.1X wireless access points as RADIUS clients.

Add a New RADIUS Client and RADIUS Clients

In NPS, configure the WSHV or install and configure other system health agents (SHAs) and system health validators (SHVs).

System Health Validators and Windows Security Health Validator

In NPS, configure health policies, connection request policies, and network policies that enforce NAP for 802.1X wireless access.

Create a Health Policy and Create NAP Policies with a Wizard

In NPS, if you are deploying remediation servers so that clients can automatically update their configuration in compliance with health policy, configure Remediation Server Groups.

Configure Remediation Server Groups