General Policy Design Considerations

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

Consider the following rules when configuring connection request policies and network policies.

  • A client access request can match only one connection request policy and one network policy. When the request matches a policy, no other policies are used to evaluate the client request.

  • Policies are evaluated based on processing order and source.

    • RADIUS access request messages from RADIUS clients can contain the MS-Network-Access-Server-Type RADIUS attribute, which specifies the source of the request. For example, access requests from a Windows Server 2008-based VPN server specify the source of Remote Access Server (VPN-Dial up).

    • If one or more policies specify a source, then client access requests that are sent from a matching source will only be evaluated against these policies. This is true even if the client access request does not match any of these policies.

    • If no policies specify a source that matches a client request, the client will attempt to match policies with a source of Unspecified.

    • If the same source is specified in two or more policies that match the client source, the policy that is highest in the processing order will be used first in an attempt to match the client access request. If this policy fails to match the access request, the policy next highest in the processing order will be used. This continues until the client request matches a policy or until all policies with the same source have been tried.

You can use the following settings to specify a source for the NAP enforcement methods. A source is selected by choosing Type of network access server on the Overview tab in policy properties.

NAP enforcement method Source

IPsec

Health Registration Authority

802.1X

Unspecified

VPN

Remote Access Server (VPN-Dial up)

DHCP

DHCP Server

Enable the required policies and make sure that Access Permission for both compliant and noncompliant computers is set to Grant access.