Checklist: Configure NPS for NAP-NAC Enforcement

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

This checklist contains links to procedures to configure Network Policy Server (NPS) for NAP-NAC. Complete all tasks in this checklist in order.

Checklist: Configure NPS for NAP-NAC

  1. Task: Install a server certificate for Secure Sockets Layer (SSL).
     Reference: Obtain a computer certificate for SSL

  2. Task: Install Host Credential Authorization Protocol (HCAP), NPS, and Internet Information Services (IIS).
     Reference: Install server roles for NAP-NAC

  3. Task: Install Group Policy Management.
     Reference: Install the Group Policy Management Feature

  4. Task: Configure connection request policy.
     Reference: Configure connection request policy for NAP-NAC

  5. Task: Configure system health validators (SHVs).
     Reference: Configure SHVs

  6. Task: Configure health policies.
     Reference: Configure health policies

  7. Task: Configure network policies for NAP-NAC.
     Reference: Configure network policies for NAP-NAC

Membership in the local Domain Admins group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Obtain a computer certificate for SSL

To provide SSL authentication for HCAP, the server running NPS uses a computer certificate that is stored in its local computer certificate store. Certificate Manager will be used to obtain a computer certificate. Do not perform this procedure if your server already has a certificate for SSL encryption.

Important

To request an SSL certificate using the following procedure, the server must be joined to a domain with an available enterprise certification authority (CA).

To obtain a computer certificate for SSL

  1. Click Start, click Run, in Open, type mmc, and then press ENTER.

  2. On the File menu, click Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish.

  4. Click OK to close the Add or Remove Snap-ins dialog box.

  5. In the left pane, double-click Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.

  6. The Certificate Enrollment dialog box opens. Click Next.

  7. Select the Computer check box, and then click Enroll. See the following example.

  8. Verify that Succeeded is displayed to indicate the status of certificate installation, and then click Finish.

  9. Close the Console1 window.

  10. Click No when prompted to save console settings.
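Before moving on, it is worth confirming that the certificate the server will present for HCAP actually satisfies the requirements this checklist states for SSL authentication: a Subject whose CN is the server's FQDN, an Enhanced Key Usage of Server Authentication, and a chain that ends in a CA the machine trusts. The following script is an added example and not part of the original page or Microsoft's tooling; it assumes an elevated PowerShell session on the server that will hold the NPS and HCAP roles, and the template name 'Machine' in the commented enrollment command is an assumption that holds for the default Computer template on an unmodified enterprise CA.

```powershell
# Added example (not from the original page): report which certificates in the
# local computer Personal store meet the HCAP SSL requirements stated in this
# checklist. Assumption: run elevated on the future NPS/HCAP server.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'    # id-kp-serverAuth, shown as "Server Authentication"
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-HcapSslCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedFqdn
    )

    # Subject CN must equal the FQDN as a whole token (case-insensitive); a
    # wildcard or a partial match is not accepted here.
    $subjectOk = $Certificate.Subject -match ('(^|,\s*)CN=' + [regex]::Escape($ExpectedFqdn) + '(,|$)')

    # The Enhanced Key Usage extension (OID 2.5.29.37) must list Server Authentication.
    $ekuOk = $false
    $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    if ($ekuExt) {
        $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt
        $ekuOk = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    }

    # The chain must build to a root this machine trusts; revocation is checked
    # online where the CRL/OCSP endpoints are reachable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($Certificate)
    $statusText = 'OK'
    if (-not $chainOk) {
        $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }

    New-Object PSObject -Property @{
        Thumbprint   = $Certificate.Thumbprint
        Subject      = $Certificate.Subject
        NotAfter     = $Certificate.NotAfter
        HasKey       = $Certificate.HasPrivateKey
        SubjectOk    = $subjectOk
        ServerAuthOk = $ekuOk
        ChainOk      = $chainOk
        ChainStatus  = $statusText
        Usable       = ($subjectOk -and $ekuOk -and $chainOk -and $Certificate.HasPrivateKey)
    }
}

$report = Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-HcapSslCertificate -Certificate $_ -ExpectedFqdn $fqdn }

$report | Sort-Object Usable -Descending |
    Format-Table Subject, Thumbprint, NotAfter, HasKey, SubjectOk, ServerAuthOk, ChainOk, ChainStatus, Usable -AutoSize

if (-not ($report | Where-Object { $_.Usable })) {
    Write-Warning "No certificate in Cert:\LocalMachine\My matches $fqdn with Server Authentication and a trusted chain."
    # On Windows Server 2012 and later, steps 5 to 8 above can be scripted against the
    # default Computer template. Template name 'Machine' is an assumption (default name
    # of that template on an unmodified enterprise CA):
    #   Get-Certificate -Template Machine -CertStoreLocation Cert:\LocalMachine\My
}
```

A certificate that fails only the ChainOk column on a server with no route to the CA's CRL distribution point is a revocation-reachability problem rather than a trust problem; the ChainStatus column names the failing condition so the two can be told apart.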

Install server roles for NAP-NAC

To install server roles for NAP-NAC

  1. Click Server Manager.

  2. In the details pane, under Roles Summary, click Add Roles, and then click Next.

  3. Select the Network Policy and Access Services check box, and then click Next twice.

  4. Select the Host Credential Authorization Protocol check box.

  5. In the Add role services and features required for Host Credential Authorization Protocol window that appears, click Add Required Role Services, and then click Next.

  6. On the Choose a Server Authentication Certificate for SSL Encryption page, choose Choose an existing certificate for SSL encryption (recommended), click the certificate displayed under this option, and then click Next.

Important

Your server might have more than one certificate in the local certificate store. Before choosing an SSL certificate, you can view the properties of these certificates by clicking a certificate in the list, clicking Properties, and then clicking the Details tab. A certificate used for SSL authentication must have a Subject field value that corresponds to the fully qualified domain name (FQDN) of the HCAP server (for example, NPS.Contoso.com) and an Enhanced Key Usage (EKU) field value of Server Authentication. The certificate must also be issued from a root CA that is trusted by the client computer. The computer certificate provisioned in this procedure meets these requirements.

  7. Click Next twice to accept the default Web server and role services settings, and then click Install.

  8. Verify the installation was successful, and then click Close to close the Add Roles Wizard dialog box.

  9. Leave Server Manager open for the following procedure.

Install the Group Policy Management Feature

Group Policy can be used to configure NAP-NAC client settings in a domain environment. To access these settings, the Group Policy Management feature must be installed on a computer running Windows Server 2008.

To install the Group Policy Management feature

  1. In Server Manager, in the details pane, under Features Summary, click Add Features.

  2. Select the Group Policy Management check box, click Next, and then click Install.

  3. Verify the installation was successful, and then click Close to close the Add Features Wizard dialog box.

  4. Close Server Manager.
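The two Server Manager procedures above (the NPS and HCAP role services with the IIS role services HCAP depends on, and the Group Policy Management feature) can also be performed from an elevated PowerShell prompt. The script below is an added example, not part of the original page or of Microsoft's documentation; it assumes Windows Server 2012 or 2012 R2, where Install-WindowsFeature is available. On Windows Server 2008 R2 the equivalent is Import-Module ServerManager followed by Add-WindowsFeature with the same feature names.

```powershell
# Added example (not from the original page): install the role services and the
# feature this checklist requires, then confirm their install state.
# Assumption: Windows Server 2012 / 2012 R2, elevated PowerShell session.

$features = @(
    'NPAS-Policy-Server',  # Network Policy Server
    'NPAS-Host-Cred',      # Host Credential Authorization Protocol; its declared IIS dependencies install with it
    'GPMC'                 # Group Policy Management
)

$result = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $result.Success) {
    throw "Role installation failed with exit code $($result.ExitCode)."
}

# Confirm each requested feature, plus the Web Server role that HCAP runs on, is present.
Get-WindowsFeature -Name ($features + 'Web-Server') |
    Format-Table Name, DisplayName, InstallState -AutoSize

# Install-WindowsFeature reports No, Yes or Maybe for a pending restart.
if ($result.RestartNeeded -ne 'No') {
    Write-Warning "RestartNeeded = $($result.RestartNeeded); restart before continuing with the checklist."
}
```

Install-WindowsFeature does not show the wizard page on which the SSL certificate is chosen, so after a scripted install open IIS Manager and check that the HTTPS binding used by HCAP is bound to the certificate obtained in the earlier procedure before configuring connection request policy.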

Configure connection request policy for NAP-NAC

Connection request policies are conditions and settings that validate requests for network access and govern where this validation is performed. For NAP-NAC, you must configure a connection request policy that uses HCAP as the network access server for client authentication.

To configure connection request policy for NAP-NAC

  1. Click Start, click Run, type nps.msc, and then press ENTER.

  2. In the Network Policy Server console tree, open Policies, right-click Connection Request Policy, and then click New.

  3. Under Policy name, type a name for the connection request policy (for example, HCAP).

  4. Under Type of network access server, select HCAP Server, and then click Next.

  5. On the Specify Conditions page, click Add, click Location Groups, and then click Add.

  6. In the Location Groups window, type the name of the endpoint location that is configured on your server running ACS under the SoH posture validation rule for NAC-802.1X (for example, NAC-NAP-IA).

  7. Click OK, and then click Next.

  8. On the Specify Connection Request Forwarding page, select Authenticate requests on this server, and then click Next.

Note

This HCAP server can also be configured as a RADIUS proxy to forward connection requests to another server running NPS for evaluation. For more information, see Configure a remote RADIUS server group.

  9. On the Specify Authentication Methods page, verify that Override network policy authentication settings is cleared, and then click Next. Authentication methods will be configured in network policy.

  10. On the Configure Settings page, click Next, and then click Finish.

Configure SHVs

SHVs define configuration requirements for computers that attempt to connect to your network. In the following example, the Windows System Health Validator (WSHV) will be configured to require that Windows Firewall is enabled.

Important

Some SHVs might require additional configuration on a NAP health requirement server. For example, client requirements for the Configuration Manager SHV are configured on a System Center Configuration Manager management point using the System Center Configuration Manager management console.

To configure system health validators

  1. In the Network Policy Server console tree, open Network Access Protection, and then click System Health Validators.

  2. In the details pane, under Name, double-click the name of the SHV you want to configure. The Windows Security Health Validator is displayed in this example.

  3. In the Windows Security Health Validator Properties dialog box, click Configure.

  4. If the SHV has multiple conditions, clear check boxes for conditions that are not requirements for client health. In the following example, A firewall is enabled for all network connections is the only condition required for a client computer to be considered compliant.

  5. Click OK to close the Windows Security Health Validator dialog box, and then click OK to close the Windows Security Health Validator Properties dialog box.

  6. Leave the Network Policy Server console open for the following procedure.

Configure health policies

Health policies define which SHVs are evaluated, and how they are used in the validation of the configuration of computers that attempt to connect to your network. Based on the results of SHV checks, health policies classify client health status. Two health policies will be configured: one that corresponds to a compliant health state and one that corresponds to a noncompliant health state.

Important

When more than one SHV is used, you must create additional health policies to match conditions where the client fails health checks for some, but not all, SHVs. For more information, see Choose a compliance strategy.

To configure health policies

  1. In the NPS console tree, open Policies, right-click Health Policies, and then click New.

  2. In the Create New Health Policy dialog box, under Policy Name, type Compliant.

  3. Under Client SHV checks, verify that Client passes all SHV checks is selected.

  4. Under SHVs used in this health policy, select the check boxes next to the SHVs you want to use in this health policy, and then click OK. See the following example.

  5. Right-click Health Policies, and then click New.

  6. In the Create New Health Policy dialog box, under Policy name, type Noncompliant.

  7. Under Client SHV checks, choose Client fails one or more SHV checks.

  8. Under SHVs used in this health policy, select the check boxes next to the SHVs you want to use in this health policy, and then click OK. This completes the configuration of your NAP health policies.

  9. Leave the Network Policy Server console open for the following procedure.

Configure network policies for NAP-NAC

Network policies evaluate information contained in client authorization requests and grant network access based on the results. Network policy determines whether the client is compliant with health policy and returns the appropriate posture token to ACS using HCAP. If the client is determined to be noncompliant with health policy, a quarantine state is sent back to ACS and, optionally, the client computer is updated to a compliant state.

Important

When more than one SHV is used, you must create additional network policies to match conditions in which the client fails health checks for some, but not all, SHVs. For more information, see Choose a compliance strategy.

Configure a network policy for noncompliant client computers

First, create a network policy to match network access requests made by noncompliant client computers.

To configure a network policy for noncompliant client computers

  1. In the NPS console tree, right-click Network Policies, and then click New.

  2. On the Specify Network Policy Name and Connection Type page, under Policy name, type Noncompliant-Restricted.

  3. Under Type of network access server, select HCAP Server, and then click Next.

  4. On the Specify Conditions page, click Add.

  5. In the Select condition dialog box, double-click Health Policies.

  6. In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK. See the following example.

  7. On the Specify Conditions page, under Conditions, verify that Health Policy is specified with a value of Noncompliant, and then click Next.

  8. On the Specify Access Permission page, verify that Access granted is selected, and then click Next.

Important

A setting of Access granted does not mean that noncompliant clients are granted full network access. It means that clients matching these conditions should continue to be evaluated by the policy.

  9. On the Configure Authentication Methods page, clear all check boxes except Perform machine health check only, and then click Next twice.

  10. On the Configure Settings page, under RADIUS Attributes, click Standard.

  11. In the details pane, click Framed-Protocol, click Remove, click Service-Type, and then click Remove. Because NPS communicates with ACS using HCAP, no RADIUS attributes are required.

  12. Click NAP Enforcement. Choose Allow limited access, select Enable auto-remediation of client computers, and then click Next.

  13. Click Finish to complete configuration of your noncompliant network policy.

Configure a network policy for compliant client computers

Next, create a network policy to match network access requests made by compliant client computers.

To configure a network policy for compliant client computers

  1. In the NPS console tree, right-click Network Policies, and then click New.

  2. On the Specify Network Policy Name and Connection Type page, under Policy name, type Compliant-Full-Access.

  3. Under Type of network access server, select HCAP Server, and then click Next.

  4. On the Specify Conditions page, click Add.

  5. In the Select condition dialog box, double-click Health Policies.

  6. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.

  7. On the Specify Conditions page, under Conditions, verify that Health Policy is specified with a value of Compliant, and then click Next.

  8. On the Specify Access Permission page, verify that Access granted is selected, and then click Next.

  9. On the Configure Authentication Methods page, clear all check boxes except Perform machine health check only, and then click Next twice.

  10. On the Configure Settings page, under RADIUS Attributes, click Standard.

  11. In the details pane, click Framed-Protocol, click Remove, click Service-Type, and then click Remove. Because NPS communicates with ACS using HCAP, no RADIUS attributes are required.

  12. Click NAP Enforcement. Verify that Allow full network access is selected, and then click Next.

  13. Click Finish to complete configuration of your compliant network policy.
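Once the connection request, health and network policy procedures are complete, the resulting policy set can be checked from the command line rather than by re-opening each dialog box. The script below is an added example and not part of the original page or of Microsoft's tooling; it uses the netsh nps context, which exists on all the Windows Server versions this page applies to, and assumes an elevated PowerShell session on the NPS server and the policy names used in the procedures above (HCAP, Compliant, Noncompliant, Noncompliant-Restricted, Compliant-Full-Access).

```powershell
# Added example (not from the original page): confirm that every policy created in
# this checklist exists on the NPS server. Assumption: elevated PowerShell session on
# the NPS server; policy names as used in the procedures above.

function Test-NpsPolicyName {
    param(
        [ValidateSet('crp', 'hp', 'np')][string]$PolicyType,   # connection request, health, network
        [string]$Name
    )
    # netsh nps show crp / hp / np list the policies of each kind. The name is matched
    # as a whole token bounded by characters other than word characters or hyphens, so
    # "Compliant" matches neither "Noncompliant" nor "Compliant-Full-Access".
    $output = netsh nps show $PolicyType 2>&1 | Out-String
    $pattern = '(?<![\w-]){0}(?![\w-])' -f [regex]::Escape($Name)
    return [bool]($output -match $pattern)
}

$checks = @(
    @{ Type = 'crp'; Name = 'HCAP';                   Purpose = 'Connection request policy, HCAP Server as network access server' },
    @{ Type = 'hp';  Name = 'Compliant';              Purpose = 'Health policy: client passes all SHV checks' },
    @{ Type = 'hp';  Name = 'Noncompliant';           Purpose = 'Health policy: client fails one or more SHV checks' },
    @{ Type = 'np';  Name = 'Noncompliant-Restricted'; Purpose = 'Network policy: limited access with auto-remediation' },
    @{ Type = 'np';  Name = 'Compliant-Full-Access';   Purpose = 'Network policy: full network access' }
)

$missing = 0
$results = foreach ($check in $checks) {
    $present = Test-NpsPolicyName -PolicyType $check.Type -Name $check.Name
    if (-not $present) { $missing++ }
    New-Object PSObject -Property @{
        Type    = $check.Type
        Policy  = $check.Name
        Present = $present
        Purpose = $check.Purpose
    }
}

$results | Format-Table Type, Policy, Present, Purpose -AutoSize

if ($missing -gt 0) {
    Write-Warning "$missing expected NPS policy entries were not found; revisit the corresponding checklist procedure."
}
```

The check only confirms that a policy of each kind with the expected name exists; the conditions and NAP Enforcement settings inside each policy are still reviewed in the Network Policy Server console, and netsh nps show config prints the full configuration if a text record of the finished state is wanted.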

See Also

Concepts

Planning the Placement of a NAP Health Policy Server