Enforce network access policies for client health by configuring DHCP with Network Access Protection

Applies To: Windows Server 2008

Network Access Protection (NAP) is a platform that provides policy enforcement components that help ensure that computers connecting to or communicating on a network comply with administrator-defined requirements for system health. Using DHCP NAP, you can choose to limit the access of computers that do not meet requirements to a restricted network. The restricted network contains resources needed to update computers so that they meet the health requirements for unlimited network access and normal communication.

With DHCP enforcement, a computer must be compliant to obtain an unlimited access IP address configuration from a DHCP server. For noncompliant computers, network access is limited by an IP address configuration that allows access only to the restricted network. DHCP enforcement applies health policy requirements every time a DHCP client attempts to lease or renew an IP address configuration. DHCP enforcement also actively monitors the health status of the NAP client and, if the client becomes noncompliant, renews the IPv4 address configuration with one that allows access only to the restricted network.

How DHCP Enforcement Works

The following process describes how DHCP enforcement works for a NAP client that is attempting an initial DHCP configuration:

  1. The NAP client sends a DHCP request message containing its health state information to the DHCP server.

  2. The DHCP server sends the health state information of the NAP client to the NAP health policy server.

  3. The NAP health policy server evaluates the health state information of the NAP client, determines whether the NAP client is compliant, and sends the results to the NAP client and the DHCP server. If the NAP client is not compliant, the results include a limited access configuration for the DHCP server and health remediation instructions for the NAP client.

  4. If the health state is compliant, the DHCP server assigns an IP address configuration for unlimited access to the NAP client and completes the DHCP message exchange.

  5. If the health state is not compliant, the DHCP server assigns an IPv4 address configuration for limited access to the restricted network to the NAP client and completes the DHCP message exchange. The NAP client can send traffic only to the remediation servers on the restricted network.

  6. The NAP client sends update requests to the remediation servers.

  7. The remediation servers provision the NAP client with the required updates for compliance with health policy. The NAP client updates its health state information.

  8. The NAP client sends a new DHCP request message containing its updated health state information to the DHCP server.

  9. The DHCP server sends the updated health state information of the NAP client to the NAP health policy server.

  10. Assuming that all the required updates were made, the NAP health policy server determines that the NAP client is compliant and instructs the DHCP server to assign an IPv4 address configuration for unlimited access to the intranet.

  11. The DHCP server assigns an IP address configuration for unlimited access to the NAP client and completes the DHCP message exchange.
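The exchange in steps 1 through 11, as an added Python simulation that is not part of this documentation: the health checks, the addresses, the class names and the shape of the limited-access lease (host-only address, no default router, routes only to the remediation servers) are this example's assumptions. The same request path also models the renewal check, so a client whose health degrades is moved back to the restricted configuration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed health policy: every item a client must report to be compliant.
REQUIRED = {"firewall_enabled": True, "antivirus_updated": True}
REMEDIATION_SERVERS = ["10.0.0.50", "10.0.0.51"]   # constructed addresses

@dataclass(frozen=True)
class HealthState:
    firewall_enabled: bool
    antivirus_updated: bool

class PolicyServer:
    """NAP health policy server: compares reported state with REQUIRED (step 3)."""
    def evaluate(self, health):
        failed = [k for k, v in REQUIRED.items() if getattr(health, k) != v]
        return (not failed), failed          # (compliant?, remediation instructions)

class DhcpServer:
    """DHCP enforcement point: hands out unlimited or limited leases (steps 2, 4, 5)."""
    def __init__(self, policy):
        self.policy = policy
    def request(self, health):
        compliant, fixes = self.policy.evaluate(health)
        if compliant:
            return {"access": "unlimited", "ip": "10.0.0.100", "mask": 24,
                    "router": "10.0.0.1", "routes": [ip_network("0.0.0.0/0")], "fix": []}
        # Limited access, modelled here as a host-only address with no default router
        # and static routes only to the remediation servers (assumption of this example).
        return {"access": "restricted", "ip": "10.0.0.100", "mask": 32, "router": None,
                "routes": [ip_network(f"{s}/32") for s in REMEDIATION_SERVERS], "fix": fixes}

class NapClient:
    def __init__(self, health):
        self.health, self.lease = health, None
    def can_reach(self, dst):
        # A destination is reachable only if some route in the lease covers it.
        return any(ip_address(dst) in r for r in self.lease["routes"])
    def remediate(self):
        # Steps 6-7: the remediation servers must be reachable; then the client updates its state.
        if not all(self.can_reach(s) for s in REMEDIATION_SERVERS):
            raise RuntimeError("remediation servers not reachable from restricted network")
        self.health = replace(self.health, **{k: REQUIRED[k] for k in self.lease["fix"]})

def initial_configuration(client, dhcp):
    """Steps 1-11: returns the sequence of access levels the client was granted."""
    granted = []
    client.lease = dhcp.request(client.health); granted.append(client.lease["access"])
    if client.lease["access"] == "restricted":           # steps 5-7, then a new request (8-11)
        client.remediate()
        client.lease = dhcp.request(client.health); granted.append(client.lease["access"])
    return granted
```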

Additional Resources

For updated, detailed information for IT pros about DHCP, see the Windows Server® 2008 documentation on the Microsoft TechNet Web site.