DHCP Interoperability with NAP

Applies To: Windows Server 2008

With NAP DHCP enforcement, a computer must be compliant to obtain an unlimited access IPv4 address configuration from a DHCP server. For noncompliant computers, network access is limited by an IPv4 address configuration that allows access only to the restricted network. Health policy requirements are enforced every time a DHCP client attempts to lease or renew an IP address configuration. The health status of the NAP client is also actively monitored; if the client becomes noncompliant, the IPv4 address configuration will be renewed to provide access to the restricted network only.

DHCP enforcement is deployed with a DHCP NAP enforcement server component, a DHCP enforcement client component, and NPS. Using DHCP enforcement, DHCP servers and NPS can enforce health policy when a computer attempts to lease or renew an IPv4 address. However, if client computers are configured with a static IP address or are otherwise configured to circumvent the use of DHCP, this enforcement method is not effective.

Note

Health validation data that is stored in DHCP is visible to other computers. However, the DHCP enforcement client sends a statement of health (SoH) only if the SoH is requested by the DHCP server.

Requirements

To deploy NAP with DHCP, you must configure the following:

  • In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually using the NPS console, or you can use the New Network Access Protection wizard.

  • Enable the NAP DHCP enforcement client and the NAP service on NAP-compatible client computers.

  • Install DHCP on the local computer or on a remote computer.

  • In the DHCP MMC snap-in, enable NAP for individual scopes or for all scopes configured on the DHCP server.

  • Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.

If DHCP is not installed on the local computer, you must also configure the following:

  • Install NPS on the computer that is running DHCP.

  • On the remote server that is running DHCP and NPS, configure NPS as a RADIUS proxy to forward connection requests to the local server running NPS.

For more information, see the Network Access Protection Design Guide.