NAP Enforcement for DHCP

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Dynamic Host Configuration Protocol (DHCP) enforcement is deployed with a DHCP Network Access Protection (NAP) enforcement server component, a DHCP enforcement client component, and Network Policy Server (NPS). With DHCP NAP enforcement, DHCP servers and NPS enforce health policy when a computer attempts to lease or renew an IP version 4 (IPv4) address. However, this enforcement method is not effective against client computers that are configured with a static IP address or are otherwise configured to bypass DHCP, because those computers never request a lease and so are never evaluated.

Note

Health validation data that is stored in DHCP is visible to other computers. However, the DHCP enforcement client sends a statement of health (SoH) only if the SoH is requested by the DHCP server.

Requirements

To deploy NAP with DHCP, you must configure the following:

  • In NPS, configure a connection request policy, a network policy, and a NAP health policy. You can configure these policies individually by using the NPS console, or you can use the New Network Access Protection wizard.

  • Enable the NAP DHCP enforcement client and the NAP service on NAP-capable client computers.

  • Install DHCP on the local computer or on a remote computer.

  • In the DHCP Microsoft Management Console (MMC) snap-in, enable NAP for individual scopes or for all scopes configured on the DHCP server.

  • Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.

If DHCP is not installed on the local computer, you must also configure the following:

  • Install NPS on the computer that is running DHCP.

  • Configure NPS on the remote computer that is running DHCP as a RADIUS proxy, so that it forwards connection requests to the local NPS server.
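The server-side and client-side steps above, as an added PowerShell example that is not part of the original page. It assumes the DhcpServer module (Windows Server 2012 or later) and, on the client, the NAP Agent service (napagent) and the netsh nap context; the scope ID and NAP profile name are constructed placeholders.

```powershell
# Added example, not from the Microsoft page. Run the first part on the DHCP
# server (NPS local or reachable through the RADIUS proxy) and the second part
# on each NAP-capable client. Scope ID and profile name are placeholders.

# --- DHCP server side -------------------------------------------------------
Import-Module DhcpServer

# Server-wide NAP switch, plus what the DHCP server hands out when it cannot
# reach NPS. 'Restricted' avoids issuing full-access leases while NPS is down.
Set-DhcpServerSetting -NapEnabled $true -NpsUnreachableAction Restricted

# Enable NAP on a single scope (constructed scope ID). The profile name is
# the value the NPS connection request policy is configured to match.
Set-DhcpServerv4Scope -ScopeId 192.0.2.0 -NapEnable $true -NapProfile 'NAP-DHCP-Profile'

# Audit check: list active scopes that still lease addresses without NAP,
# since a single unprotected scope leaves a gap in enforcement.
function Get-ScopeWithoutNap {
    Get-DhcpServerv4Scope |
        Where-Object { $_.State -eq 'Active' -and -not $_.NapEnable } |
        Select-Object ScopeId, Name, State, NapEnable, NapProfile
}
Get-ScopeWithoutNap

# --- NAP-capable client side ------------------------------------------------
# Enable the DHCP Quarantine Enforcement Client (ID 79617) and the NAP Agent
# service, then show the resulting enforcement client state for verification.
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent
netsh nap client show state
```

Because DHCP enforcement only evaluates computers that request a lease, the audit above covers scopes, not hosts; computers with static addresses still need a separate inventory check.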