DHCP Enforcement Configuration

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

The following sections provide a configuration summary for each component in a NAP deployment that uses the DHCP enforcement method.

NAP health policy server

The NAP health policy server uses the NPS role service with configured health policies and system health validators (SHVs) to evaluate client health based on administrator-defined requirements. Based on results of this evaluation, NPS instructs the DHCP server to provide full access to compliant NAP client computers and to restrict access to client computers that are noncompliant with health requirements.

Configuration summary

The administrator must define the following on the NAP health policy server:

  • RADIUS clients: If DHCP is installed on a separate computer, the NAP DHCP server must be configured as a RADIUS client in NPS. You must also select the RADIUS client is NAP-capable check box for that RADIUS client.

  • Connection request policy: Source is set to DHCP server. Policy is configured to authenticate requests on this server.

  • Network policies: Source is set to DHCP server. Compliant, noncompliant, and non-NAP-capable policies are set to grant access. Compliant network policy conditions are set to require the client to match the compliant health policy. Noncompliant network policy conditions are set to require the client to match the noncompliant health policy. Non-NAP-capable network policy conditions are set to require that the client is not NAP-capable. Full access is granted for compliant computers. For full enforcement mode, limited access is granted for noncompliant computers. Either full or limited access is granted for non-NAP-capable computers. If policies are filtered by DHCP scope, then MS-Service Class is configured in policy conditions.

  • Health policies: Compliant health policy is set to pass selected SHVs. Noncompliant policy is set to fail selected SHVs.

  • System health validators: Error codes are configured. Depending on the SHV, health checks are configured on the NAP health policy server or the health requirement server.

  • Remediation server groups: Remediation server groups are required to provide access to resources other than the DHCP server. The NAP DHCP server should not be added to remediation server groups.

NAP DHCP server

The NAP DHCP server is a server running Windows Server 2008 or Windows Server 2008 R2 with the DHCP server role installed and running. Additionally, if this server is not also the NAP health policy server, it must have the NPS role service installed, running, and configured to forward connection requests to the NAP health policy server. The NAP DHCP server restricts noncompliant client access by providing a limited IP address configuration to computers that do not meet health requirements. A limited access configuration has a subnet mask of 255.255.255.255 and no default gateway. Static host routes are provisioned to provide access to the DHCP server and any servers that have been added to remediation server groups on the NAP health policy server.

Configuration summary

The administrator must define the following settings on the NAP DHCP server:

  • Remote RADIUS server groups: If connection requests are forwarded from the DHCP server to a NAP health policy server on another computer, you must configure the NPS service on the NAP DHCP server to forward connection requests to the NAP health policy server. This setting is not required if the NAP DHCP server is also the NAP health policy server.

  • NAP-enabled scopes: In order to use a DHCP scope with NAP, you must enable it specifically for NAP in scope properties under NAP settings.

  • Default user class: You must configure any required scope options for computers that are compliant with health requirements.

  • Default NAP class: You must configure any required scope options for computers that are noncompliant with health requirements. A default gateway is not provided to noncompliant computers regardless of whether the 003 Router option is configured here.

DHCP NAP-enabled client computer

A DHCP NAP-enabled client computer is a computer running Windows 7, Windows Vista, Windows Vista with SP1, Windows XP with SP3, Windows Server 2008 R2, or Windows Server 2008. NAP client settings can be configured using Group Policy or local computer policy. For more information about NAP client configuration, see NAP Client Computers.

Configuration summary

The administrator must define the following settings on a DHCP NAP-enabled client computer:

  • NAP Agent service: In order for the client to be considered NAP-capable, the NAP Agent service must be running. You can start the NAP Agent service using Group Policy or local policy settings.

  • IP address configuration: The client network connection must be configured to obtain an IPv4 address configuration automatically.

  • DHCP enforcement client: The DHCP enforcement client can be enabled using either Group Policy or local policy settings. If both are configured, Group Policy settings override local policy settings.

  • System health agents: No configuration is required to use WSHA. If other SHAs are required, these must be installed and successfully initialized and registered with the NAP Agent service. WSHA is not supported if the NAP client computer is running Windows Server 2008 or Windows Server 2008 R2.
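The following script is an added example, not part of the original documentation, that audits a Windows client against the settings listed above (NAP Agent running, IPv4 obtained automatically, DHCP enforcement client present) and also flags a lease that matches the limited-access configuration the NAP DHCP server hands to noncompliant computers (255.255.255.255 mask, no default gateway). It assumes the service name napagent, the WMI class Win32_NetworkAdapterConfiguration, the enforcement client ID 79617 for DHCP, and the field layout of netsh nap client show state output.

```powershell
# Added example: audit a DHCP NAP client's readiness and detect a restricted lease.
# Assumptions (not taken from the page): service name "napagent", WMI class
# Win32_NetworkAdapterConfiguration, DHCP enforcement client ID 79617, and the
# "Id = ..." / "Initialized = ..." fields printed by netsh nap client show state.

function Get-NapClientReadiness {
    $result = New-Object PSObject -Property @{
        NapAgentRunning = $false
        DhcpAdapters    = 0
        DhcpEnforcement = 'not found'
        LimitedAccess   = @()
    }

    # 1. The NAP Agent service must be running for the client to count as NAP-capable.
    $svc = Get-Service -Name napagent -ErrorAction SilentlyContinue
    $result.NapAgentRunning = ($svc -ne $null -and $svc.Status -eq 'Running')

    # 2. The connection must obtain its IPv4 configuration automatically (DHCP).
    $cfgs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
    foreach ($cfg in $cfgs) {
        if (-not $cfg.DHCPEnabled) { continue }
        $result.DhcpAdapters++
        # A 255.255.255.255 mask with no default gateway is the limited-access
        # configuration given to noncompliant clients; report it to the operator.
        for ($i = 0; $i -lt $cfg.IPAddress.Count; $i++) {
            if ($cfg.IPSubnet[$i] -eq '255.255.255.255' -and -not $cfg.DefaultIPGateway) {
                $result.LimitedAccess += "$($cfg.Description): $($cfg.IPAddress[$i])/32, no gateway"
            }
        }
    }

    # 3. Look for the DHCP Quarantine Enforcement Client (assumed ID 79617) in the
    #    netsh state listing and read its Initialized field (assumed field name).
    $text = (netsh nap client show state) -join "`n"
    if ($text -match '(?s)Id\s*=\s*79617(.*?)(\n\s*\n|$)') {
        $block = $Matches[1]
        if ($block -match 'Initialized\s*=\s*(\w+)') {
            $result.DhcpEnforcement = "present, initialized=$($Matches[1])"
        } else {
            $result.DhcpEnforcement = 'present'
        }
    }
    return $result
}

Get-NapClientReadiness | Format-List NapAgentRunning, DhcpAdapters, DhcpEnforcement, LimitedAccess
```

A non-empty LimitedAccess list on a healthy client usually means the client failed a health check rather than a network fault, so check the SHV results on the NAP health policy server before troubleshooting DHCP itself.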