Appendix A: Deploying NAP-NAC

Updated: February 29, 2012

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

The NAP-NAC interoperability architecture allows customers to deploy both Network Policy Server (NPS) in Windows Server® 2008 and the Cisco Secure Access Control Server (ACS) version 4.2, a component of Cisco Network Admission Control (NAC), in a configuration in which the NPS server manages health policy and ACS manages network policy. NAP-NAC does not offer interoperability between the Microsoft NAP platform and the Cisco NAC Appliance, formerly known as Clean Access.

The way in which you deploy NAP-NAC depends on your network design and requirements for client health validation. You might deploy NAP-NAC in the following situations:

  • You are extending an existing NAC deployment. You can choose to deploy NAP-NAC to integrate computers running Windows Vista® and Windows Server® 2008 on your network.

  • You are extending an existing NAP deployment. When you deploy NAC-compatible network access devices on your network, you can choose to integrate NAP-NAC with your existing NAP deployment.

  • You have not previously deployed NAP or NAC. You can choose to deploy a single interoperable solution that provides you with a choice of components and allows you to make infrastructure and technology choices that best serve your needs.

Whether you are deploying a client health enforcement technology for the first time, or extending your existing deployment, you should take steps to ensure that the NAP-NAC solution you deploy meets your needs. These steps include identifying your goals, evaluating different design plans, planning a deployment strategy, and documenting your NAP-NAC deployment. For step-by-step instructions for deploying NAP-NAC, see Checklist: Implementing a NAP-NAC Design.

Consider the following questions when developing your NAP-NAC deployment plan. For more information, see Planning a NAP Deployment Strategy.

  • Administration: Are separate groups responsible for deployment or maintenance of various components of your NAP-NAC infrastructure? How will you coordinate communications between these groups?

  • Active Directory: Have you already deployed an Active Directory infrastructure to support NAP-NAC? Will your existing installation scale to support the additional load?

  • Authentication infrastructure: Have you already deployed RADIUS on your network? Does your existing RADIUS design support the needs of the new deployment? Can your infrastructure scale to support your deployment plan?

  • Public key infrastructure (PKI): Have you deployed an enterprise PKI to support network authentication? Can your PKI support NAP-NAC?

  • Documentation: Which part of your deployment plan should you document? Which topics should be included?

  • Compliance strategy: Which network health requirements will you implement for client computers? How will you design network policies to protect or segment the network? Which requirements will you implement first and which will be added later?

  • Deployment strategy: What kind of phased approach will you use to deploy NAP-NAC? Is there a section of the network that can be used for a pilot deployment?

  • Exemption strategy: Which users or devices should be exempt from health checks? Are there any risks associated with these exemptions?

  • Remediation services: Which services must be accessible to client computers regardless of health status? Which services are required by noncompliant computers so that they can remediate their health?

  • Network access devices: Does your existing hardware support NAP-NAC? Is a hardware or operating system update required?

  • Client systems: Do all client systems support NAP-NAC? What is your strategy to manage access for computers and other network-attached devices that do not support NAP-NAC?

  • Capacity planning: Will you implement load balancing for NAP-NAC servers? Do you have a plan to scale your NAP-NAC deployment?

  • Redundancy: Have you addressed server and network failover in your NAP-NAC design?

  • Monitoring and reporting: How will you monitor compliance with network health policies? What kind of logging methods do you use? How will you use NAP-NAC logs to generate reports?

  • Support: Is your support staff trained to troubleshoot NAP-NAC issues?

To implement your NAP-NAC design, you must determine in what order each of the deployment tasks must be performed. This guide uses checklists to help you walk through the required server and application deployment tasks. Parent and child checklists are used as necessary to represent the order in which tasks for a specific NAP-NAC design must be performed.
