Configure Policies for VPN Enforcement
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
The NAP health policy server uses the Network Policy Server (NPS) role service with configured network policies, health policies, and system health validators (SHVs) to evaluate client health based on administrator-defined requirements. Based on the results of this evaluation, NPS instructs the virtual private network (VPN) server to provide full access to compliant NAP client computers and to restrict access to noncompliant client computers when NAP is deployed using full enforcement mode.
Before performing this procedure, you must install a certificate for Protected Extensible Authentication Protocol (PEAP) authentication. For more information, see Install a Computer Certificate for PEAP.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
Configure NAP policies for VPN enforcement with the NAP configuration wizard
The NAP configuration wizard helps you to set up NPS as a NAP health policy server. The wizard provides commonly used settings for each NAP enforcement method, and automatically creates customized NAP policies for use with your network design. You can access the NAP configuration wizard from the NPS console.
By default, the NAP configuration wizard creates a noncompliant network policy configured for full enforcement. To change the NAP enforcement mode, see Configure Network Policy for Deferred Enforcement and Configure Network Policy for Reporting Mode.
To configure NPS using the NAP configuration wizard
Click Start, click Run, type nps.msc, and then press ENTER.
In the Network Policy Server console tree, click NPS (Local).
In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start. See the following example.
On the Select Network Connection Method for Use with NAP page, under Network connection method, select Virtual Private Network (VPN), and then click Next.
On the Specify NAP Enforcement Servers Running VPN Server page, under RADIUS clients, click Next. RADIUS clients will be configured in another procedure.
On the Configure User Groups and Machine Groups page, click Next. User and machine group requirements will be configured in another procedure.
On the Configure an Authentication Method page, choose the authentication method to use with PEAP by selecting the check box next to one or both of the available EAP types. By default, the Secure Password (PEAP-MS-CHAP v2) method is selected. You can also select the Smart Card or other certificate (EAP-TLS) method. After selecting one or more EAP types, click Next.
If you have not previously selected a server certificate to use for PEAP authentication, or if you want to select a different certificate, click Choose. To view properties of this certificate, click View.
On the Specify a NAP Remediation Server Group and URL page, click Next. Remediation server groups and a troubleshooting URL will be configured in another procedure.
On the Define NAP Health Policy page, select the check box next to each SHV that will be used to evaluate the health status of NAP client computers. To enable automatic remediation of noncompliant client computers, select the Enable auto-remediation of client computers check box. Under Network access restrictions for NAP-ineligible client computers, you can choose the level of network access granted to computers that do not provide their health status during network authentication. By default, these computers are placed on the restricted network. Click Next to continue.
On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.