Configure a DHCP Server for NAP

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

A NAP DHCP server is a server running Windows Server® 2008 or Windows Server 2008 R2 with the DHCP and the Network Policy Server (NPS) services installed. If it is not intended to also serve as a NAP health policy server, you must configure NPS as a RADIUS proxy. For more information, see DHCP Enforcement Configuration.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Configure a NAP-enabled DHCP server

Use this procedure to configure a DHCP server for NAP with NPS serving as a RADIUS proxy. In this procedure, the NAP health policy server is located on another computer. If you have not already installed the DHCP server role, see Install the DHCP Server Role and the NPS Role Service. If this server will also be a NAP health policy server, see Configure Policies for DHCP Enforcement.

To configure a NAP-enabled DHCP server

  1. On the DHCP server, click Start, click Run, in Open, type dhcpmgmt.smc, and then press ENTER.

  2. In the DHCP console, open <servername>\IPv4.

  3. Right-click the name of the DHCP scope that you will use for NAP client computers, and then click Properties.

  4. On the Network Access Protection tab, under Network Access Protection Settings, choose Enable for this scope, verify that Use default Network Access Protection profile is selected, and then click OK.

  5. In the DHCP console tree, under the DHCP scope that you have selected, right-click Scope Options, and then click Configure Options.

  6. On the Advanced tab, verify that Default User Class is selected next to User class.

  7. Select the 003 Router check box, and in IP Address, under Data entry, type the IP address for the default gateway used by compliant NAP client computers, and then click Add.

  8. Select the 006 DNS Servers check box, and in IP Address, under Data entry, type the IP address for each router to be used by compliant NAP client computers, and then click Add.

  9. Select the 015 DNS Domain Name check box, and in String value, under Data entry, type your organization's domain name (for example, woodgrovebank.local), and then click Apply. This domain is a full-access network assigned to compliant NAP clients.

  10. On the Advanced tab, next to User class, choose Default Network Access Protection Class.

  11. Select the 003 Router check box, and in IP Address, under Data entry, type the IP address for the default gateway used by noncompliant NAP client computers, and then click Add. This can be the same default gateway that is used by compliant NAP clients.

Note

The default gateway will not be used by noncompliant NAP client computers unless it is required to create static host routes to the DHCP server or to remediation servers.

  1. Select the 006 DNS Servers check box, and in IP Address, under Data entry, type the IP address for each DNS server to be used by noncompliant NAP client computers, and then click Add. These can be the same DNS servers used by compliant NAP clients.

  2. Select the 015 DNS Domain Name check box, and in String value, under Data entry, type a name to identify the restricted domain (for example, restricted.woodgrovebank.local), and then click OK. This domain is a restricted-access network assigned to noncompliant NAP clients.

  3. Click OK to close the Scope Options dialog box.

  4. Close the DHCP console.

See Also

Concepts

Configure RADIUS Clients for NAP
Configure Remote RADIUS Server Groups for NAP
Configure User and Machine Group Requirements