802.1X Enforcement Design

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

With 802.1X port-based enforcement, a server running NPS instructs an 802.1X authenticating switch or an 802.1X-compliant wireless access point to place noncompliant NAP clients on a restricted network. NPS limits the client's network access to the restricted network by instructing the access device, in its RADIUS response, to apply IP filters or a VLAN identifier to the connection. 802.1X enforcement provides strong network restriction for all computers that access the network through 802.1X-capable network access devices.

Reasons to choose 802.1X enforcement

The following are the benefits of the 802.1X enforcement design.

  • Supported devices: Works with a variety of 802.1X-compliant switches and wireless access points. This is a significant benefit if you have already deployed an 802.1X authenticating infrastructure because the chances are good that your network infrastructure already supports this enforcement method. If you are planning to deploy 802.1X with NAP, you have your choice of vendors and equipment.

  • Trusted communications: Allows connections only after identity is authenticated and health is validated.

  • Enhanced security: Provides stronger restriction than the DHCP enforcement design. DHCP enforcement only controls the address configuration handed to the client and can be bypassed by a user with local administrator rights who assigns a static IP address; with 802.1X, the restriction is applied by the switch port or access point and cannot be removed from the client side.

Components of an 802.1X enforcement design

NAP with 802.1X enforcement requires that the following components are deployed on your network:

  • A NAP health policy server running Windows Server 2008 R2 or Windows Server 2008 with the Network Policy Server (NPS) role service installed.

  • An 802.1X authenticating switch or wireless access point that supports VLAN or ACL specification through RADIUS tunnel attributes.

  • 802.1X NAP-enabled client computers running Windows 7, Windows Vista, Windows Vista with Service Pack 1 (SP1), Windows XP with SP3, Windows Server 2008, or Windows Server 2008 R2.

Depending on the needs of your organization, additional servers might also be required. For more information, see Appendix B: Reviewing Key NAP Concepts.
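The mechanism described at the top of this page (NPS returning a VLAN identifier or IP filter assignment for a client based on its health) and the switch requirement above (VLAN or ACL specification through RADIUS tunnel attributes) as a worked example. This is added here and is not code from the original page or from Microsoft: it builds the RFC 2868 tunnel attributes that carry a VLAN assignment (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN), optionally a Filter-Id naming an ACL, wraps them in a RADIUS Access-Accept with a correctly computed Response Authenticator, and shows the switch side verifying the shared secret before applying the assignment. The VLAN numbers, ACL name, shared secret, tag value and the health-to-VLAN policy are assumptions; a real NPS server is configured through its network policy settings, not through code like this.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868).
ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11                # names an ACL/filter on the access device
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81  # carries the VLAN ID (or name) as a string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Assumed policy (not from the page): compliant clients go to the production
# VLAN, noncompliant clients to the restricted (remediation) VLAN.
PRODUCTION_VLAN = 100
RESTRICTED_VLAN = 999


def attribute(atype, value):
    """Encode one Type-Length-Value RADIUS attribute."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_integer(atype, tag, value):
    """RFC 2868 tagged integer: 1-byte tag followed by a 3-byte value."""
    return attribute(atype, bytes([tag]) + value.to_bytes(3, "big"))


def vlan_attributes(vlan_id, tag=1):
    """The three attributes an 802.1X switch needs to put a port on a VLAN.
    Tag 1 is an assumption; some vendors expect tag 0 or no tag at all."""
    return (tagged_integer(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_integer(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + attribute(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def build_access_accept(identifier, request_authenticator, attrs, secret):
    """Server side. Response Authenticator = MD5(Code + ID + Length +
    RequestAuth + Attributes + Secret), per RFC 2865 section 3."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def decide(identifier, request_authenticator, secret, healthy, acl_name=None):
    """NPS-style decision once EAP has authenticated the user: pick the VLAN
    from the health result and, optionally, name an ACL via Filter-Id."""
    attrs = vlan_attributes(PRODUCTION_VLAN if healthy else RESTRICTED_VLAN)
    if acl_name:
        attrs += attribute(ATTR_FILTER_ID, acl_name.encode("ascii"))
    return build_access_accept(identifier, request_authenticator, attrs, secret)


def parse_attributes(payload):
    """Switch side: walk the TLV list, refusing malformed lengths."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute length")
        out.append((atype, payload[i + 2:i + alen]))
        i += alen
    return out


def switch_apply(packet, request_authenticator, secret):
    """Switch side: verify the Response Authenticator with the shared secret,
    then extract the VLAN and ACL. Returns (vlan, acl), or None to discard."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # forged or tampered reply: shared secret did not match
    tunnel_type = medium = vlan = acl = None
    for atype, value in parse_attributes(packet[20:]):
        if atype == ATTR_TUNNEL_TYPE:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif atype == ATTR_TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(value[1:], "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID and value:
            # A first byte of 0x00-0x1F is a tag; anything larger is text.
            vlan = (value[1:] if value[0] <= 0x1F else value).decode("ascii")
        elif atype == ATTR_FILTER_ID:
            acl = value.decode("ascii")
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802 or not vlan:
        return None  # no usable VLAN assignment: leave the port closed
    # The group ID is usually a numeric VLAN ID but may be a VLAN name.
    return (int(vlan) if vlan.isdigit() else vlan), acl


if __name__ == "__main__":
    secret = b"assumed-shared-secret"
    req_auth = os.urandom(16)  # copied from the switch's Access-Request
    pkt = decide(7, req_auth, secret, healthy=False, acl_name="nap-restricted")
    print(switch_apply(pkt, req_auth, secret))           # (999, 'nap-restricted')
    print(switch_apply(pkt, req_auth, b"wrong-secret"))  # None
```

The Response Authenticator is the only thing that stops a spoofed Access-Accept from moving a port onto the production VLAN, so the strength of the RADIUS shared secret and the protection of the path between the access device and NPS matter as much as the health policy itself. Whether the Tunnel-Private-Group-ID is sent with a tag, and whether the switch honours Filter-Id for ACLs at all, varies by vendor; check the access device documentation before relying on either.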

The following illustration shows a typical NAP with 802.1X deployment:

[Illustration: Elements of a NAP with 802.1X enforcement design]

For more information, see 802.1X Enforcement Example and 802.1X Enforcement Configuration.