802.1X Enforcement Configuration

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

The following sections provide a configuration summary for each component in a NAP deployment that uses the 802.1X enforcement method.

NAP health policy server

The NAP health policy server uses the NPS role service with configured network policies, health policies, and system health validators (SHVs) to evaluate client health based on administrator-defined requirements. Based on the results of this evaluation, NPS instructs the 802.1X authenticating switch or access point to provide full access to compliant NAP client computers and to restrict access to noncompliant client computers when NAP is deployed using full enforcement mode.

Configuration summary

The administrator must define the following on the NAP health policy server:

  • RADIUS clients: The 802.1X-compatible switch or access point must be configured as a RADIUS client. Because the switch or access point is not running Windows Server 2008, it is not NAP-capable.

  • Connection request policy: The policy is configured to authenticate requests on this server. The Override network policy authentication settings option is enabled, and Protected Extensible Authentication Protocol (PEAP) is configured to enable health checks and allow secure password- or certificate-based authentication.

  • Network policies: The compliant, noncompliant, and non-NAP-capable network policies are all set to grant access. The conditions of the compliant network policy require the client to match the compliant health policy. The conditions of the noncompliant network policy require the client to match the noncompliant health policy. The conditions of the non-NAP-capable network policy require that the client is not NAP-capable. Full access is granted for compliant computers. In full enforcement mode, limited access is granted for noncompliant computers. Either full or limited access is granted for non-NAP-capable computers. RADIUS attributes are configured in the compliant, noncompliant, and non-NAP-capable policy settings to provide full or limited access.

  • Health policies: Compliant health policy is set to pass selected SHVs. Noncompliant policy is set to fail selected SHVs.

  • System health validators: Error codes are configured. Depending on the SHV, health checks are configured on the NAP health policy server or the health requirement server.

  • Remediation server groups: Remediation server groups are not used in an 802.1X enforcement design.

802.1X enforcement points

Enforcement points are network access devices that can be 802.1X-compliant switches, routers, or access points. Configuration of the 802.1X enforcement point will vary depending on the vendor. See the following table for functionality that is either required or recommended to support NAP with 802.1X enforcement.

| Functionality | Requirement |
| --- | --- |
| 802.1X authentication | Required |
| EAP authentication pass through to RADIUS | Required |
| Traffic segmentation (for example, VLAN or ACL) | Required |
| Assignment of port characteristics based on RADIUS attributes | Required |
| Fallback behavior for clients that do not support 802.1X authentication | Recommended |
| Fallback behavior for clients that fail authentication | Recommended |

Configuration summary

The administrator must define the following settings on 802.1X enforcement points:

  • RADIUS servers: The device must be configured to forward authentication requests to a RADIUS server. For NAP with 802.1X enforcement, this server is a NAP health policy server.

  • 802.1X authentication: These settings include global authentication settings and port-specific settings. NAP client ports must have 802.1X authentication enabled and can include other settings such as reauthentication period and fallback behavior.

  • Full and restricted access profiles: These are settings that are applied to ports to grant full or restricted network access. Typically, they are a set of VLAN IDs or ACLs that are applied to the client’s network connection based on results of a health evaluation.
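The following added example (not part of the original documentation and not NPS code) models how the three network policies described for the NAP health policy server map a health evaluation to the access profile the enforcement point applies, and encodes the VLAN assignment as the RADIUS tunnel attributes defined in RFC 2868 and RFC 3580. The VLAN IDs, the function names, the SHV key `WSHV`, and the behavior outside full enforcement mode are assumptions made for illustration.

```python
import struct

# RADIUS attribute numbers and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Assumed VLAN IDs; real values come from the switch's access profiles.
FULL_ACCESS_VLAN, RESTRICTED_VLAN = 10, 99


def select_policy(nap_capable, shv_results, full_enforcement=True,
                  non_nap_full_access=False):
    """Return (network policy name, VLAN ID) for one client evaluation."""
    if not nap_capable:
        # The page allows either full or limited access here; default to limited.
        vlan = FULL_ACCESS_VLAN if non_nap_full_access else RESTRICTED_VLAN
        return "non-NAP-capable", vlan
    # Fail closed: a NAP-capable client with no SHV results is not compliant.
    if shv_results and all(shv_results.values()):
        return "compliant", FULL_ACCESS_VLAN
    # Assumption: outside full enforcement mode, noncompliant clients keep
    # full access and are only recorded as noncompliant.
    vlan = RESTRICTED_VLAN if full_enforcement else FULL_ACCESS_VLAN
    return "noncompliant", vlan


def vlan_attributes(vlan_id):
    """Encode the three tunnel attributes that carry a VLAN assignment."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")

    def tagged_int(attr_type, value):
        # Layout: type, length (6), tag (0 = unused), 3-byte value.
        return struct.pack("!BBB", attr_type, 6, 0) + value.to_bytes(3, "big")

    group = str(vlan_id).encode("ascii")  # VLAN ID sent as an ASCII string
    return (tagged_int(TUNNEL_TYPE, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group))
            + group)


if __name__ == "__main__":
    # Constructed sample clients: (NAP-capable?, per-SHV pass/fail results).
    for capable, results in [(True, {"WSHV": True}), (True, {"WSHV": False}),
                             (False, {})]:
        name, vlan = select_policy(capable, results)
        print(f"{name:16} VLAN {vlan:3} {vlan_attributes(vlan).hex()}")
```

Setting `non_nap_full_access=True` reproduces the other option the page allows for non-NAP-capable computers; leaving it at the default keeps machines that send no statement of health on the restricted profile.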

NAP 802.1X-enabled client computer

A NAP 802.1X-enabled client computer is a computer running Windows 7, Windows Vista, Windows Vista with SP1, Windows XP with SP3, Windows Server 2008 R2, or Windows Server 2008. NAP client settings can be configured using Group Policy or local computer policy. For more information about NAP client configuration, see NAP Client Computers.

Configuration summary

The administrator must define the following settings on an 802.1X-enabled NAP client computer:

  • NAP Agent service: In order for the client to be considered NAP-capable, the NAP Agent service must be running. You can start it by using Group Policy or local computer settings.

  • 802.1X authentication services: 802.1X authentication must be enabled in wired or wireless network properties. For wired connections, verify the Wired Autoconfig service is running. For computers using a wireless connection, verify the Wireless Zero Configuration service is running on computers running Windows XP with SP3. For computers running Windows Vista, verify the WLAN AutoConfig service is running.

  • EAP enforcement client: The EAP enforcement client can be enabled using either Group Policy or local policy settings. If both are configured, Group Policy settings will override local policy settings. For NAP client computers running Windows XP with SP3, the Wireless EAPOL enforcement client must be enabled on NAP client computers using a wireless network connection.

  • Quarantine checks: When configuring client PEAP settings, you must select the Enable Quarantine checks check box displayed in the PEAP properties of wired and wireless connections.

  • System health agents: No configuration is required to use WSHA. If other SHAs are required, these must be installed and successfully initialized and registered with the NAP Agent service. WSHA is not supported if the NAP client computer is running Windows Server 2008 or Windows Server 2008 R2.