NAP Enforcement for 802.1X

Applies To: Windows Server 2008

Network Access Protection (NAP) enforcement for 802.1X port-based network access control is deployed with a server running Network Policy Server (NPS) and an EAP host enforcement client component. With 802.1X port-based enforcement, the NPS server instructs an 802.1X authenticating switch or an 802.1X-compliant wireless access point to place noncompliant 802.1X clients on a remediation network. The NPS server limits the client's network access to the remediation network by applying IP filters or a virtual LAN identifier to the connection. 802.1X enforcement provides strong network restriction for all computers accessing the network through 802.1X-capable network access servers.

Requirements for 802.1X wired

To deploy NAP with 802.1X wired, you must configure the following:

  • In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually using the NPS console, or you can use the New Network Access Protection wizard.

  • Install and configure 802.1X authenticating switches.

  • Enable the NAP EAP enforcement client and the NAP service on NAP-capable client computers.

  • Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.

  • If you are using PEAP-TLS or EAP-TLS with smart cards or certificates, deploy a public key infrastructure (PKI) with Active Directory® Certificate Services (AD CS).

  • If you are using PEAP-MS-CHAP v2, either issue server certificates with AD CS or purchase server certificates from another trusted root certification authority (CA).

Requirements for 802.1X wireless

To deploy NAP with 802.1X wireless, you must configure the following:

  • In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually using the NPS console, or you can use the New Network Access Protection wizard.

  • Install and configure 802.1X wireless access points.

  • Enable the NAP EAP enforcement client and the NAP service on NAP-capable client computers.

  • Configure the WSHV or install and configure other SHAs and SHVs, depending on your NAP deployment.