Updated: October 21, 2008
Applies To: Windows Server 2008, Windows Server 2008 R2
NPS applies the settings that are configured in the network policy to the connection if all of the conditions and constraints that are configured in the policy match the properties of the connection request.
The available groups of settings that you can configure are:
Network Access Protection
Routing and Remote Access
You can configure both RADIUS standard attributes and vendor-specific attributes (VSAs) as settings in network policy.
If you plan to return to RADIUS clients any additional RADIUS attributes or VSAs with the responses to RADIUS requests, you must add the RADIUS attributes or VSAs to the appropriate network policy.
RADIUS attributes are described in Request for Comments (RFC) 2865, RFC 2866, RFC 2867, RFC 2868, RFC 2869, and RFC 3162. RFCs and Internet drafts for VSAs define additional RADIUS attributes.
Network Access Protection
You can specify how you want to enforce NAP, remediation server groups, troubleshooting URL, and autoremediation.
You can use the following settings to designate how you want to enforce NAP:
Network Access Type
If you select Allow full network access, NAP is not enforced for the network policy. All clients, including non-NAP capable clients and NAP-capable clients that are not compliant with health policy, can connect when the connection request matches the conditions and constraints of the policy.
If you select Allow full network access for a limited time, you can defer enforcement of health policy until the day and time that you specify. In the time period before the expiration date that you specify, all clients can connect when the connection request matches the conditions and constraints of the network policy. After the expiration date, compliant clients are allowed full network access; and non-compliant NAP clients are allowed access only to a restricted network, where remediation servers can provide clients with the updates they need in order to become compliant with health policy.
If you select Allow limited access, NAP is enforced. Compliant clients are allowed full network access, and non-compliant NAP clients are allowed access only to a restricted network, where remediation servers can provide clients with the updates they need in order to become compliant with health policy.
If you deploy the NAP VPN enforcement method and you have configured NAP enforcement with the Allow full network access for a limited time option, VPN clients that are connected to the network when the expiration time is reached are automatically disconnected whether they are compliant or noncompliant with health policy. After the expiration date and time, VPN clients that attempt to connect to the network are placed on a restricted network if they are noncompliant with health policy, while compliant clients are allowed full network access.
Remediation Server Group and Troubleshooting URL
If you enable autoremediation in NAP enforcement and you have configured one or more remediation server groups in NPS Network Access Protection settings, you can specify the remediation server group that clients can access for software updates.
When you deploy and enforce NAP, you can provide technical assistance and other information to users on a Web site that is located on the remediation network. If users have restricted access because their computers do not comply with health policy, Web resources can assist them in bringing their computers into compliance with policy. If you have deployed a Web server with Help content, you can supply users with the Web page URL by using this network policy setting.
You can configure autoremediation for client computers on the NAP enforcement page. When you configure autoremediation, clients that are not compliant with health policy are automatically updated and brought into compliance.
For example, if your Windows Security Health Validator (WSHV) designates that the client computer must have a firewall installed and enabled, and must have antivirus software installed, enabled, and configured with the latest signature updates, autoremediation causes the NAP agent on the client to enable the firewall if it is turned off and to download the most recent antivirus signature updates if they are not already installed on the client. If you enable autoremediation, be sure to also configure a remediation server group so that client computers know where to find the updates they need when they are not in compliance with health policy.
The NAP Extended State setting, along with a Host Credentials Authorization Protocol (HCAP) server, allows you to integrate your NAP solution with Cisco Network Admission Control. Do not configure the NAP Extended State setting in network policy unless you have also deployed Cisco Network Admission Control and an HCAP server.
Following are the timeout settings that you can configure in network policies.
Idle Timeout allows you to specify the maximum time, in minutes, that the network access server can remain idle before the connection is disconnected.
Session Timeout allows you to specify the maximum amount of time, in minutes, that a user can be connected to the network.
Routing and Remote Access
Following are the Routing and Remote Access settings that you can configure in network policies.
Multilink and Bandwidth Allocation Protocol (BAP) allows you to configure how multiple dial-up connections from one computer are managed and whether the number of connections should be reduced based on capacity.
IP Filters allows you to create IPv4 and IPv6 filters to control the IP traffic that the client computer can send or receive.
Encryption allows you to specify the encryption level required between the client computer and the server running Routing and Remote Access service. If you use non-Microsoft network access servers for VPN and dial-up connections, ensure that the encryption settings you select are supported by your servers.
IP Settings allows you to specify the client IP address assignment rules for the network policy.