Configure an 802.1X Enforcement Point for NAP
Updated: February 29, 2012
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
NAP 802.1X enforcement points are not servers running the Windows operating system. Because their configuration varies widely by manufacturer, the following general configuration procedures describe only the essential requirements of a NAP 802.1X enforcement point. For configuration instructions, consult your hardware vendor's documentation. Procedures required to configure an 802.1X-compliant device for a NAP with 802.1X enforcement design include:
- Enable 802.1X authentication
- Configure RADIUS authentication
- Configure VLANs and access control lists (ACLs)
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To deploy NAP with 802.1X enforcement, you must enable 802.1X authentication on ports that connect NAP client computers to the network.
When you use NAP with 802.1X enforcement, the 802.1X enforcement point is configured as a RADIUS client on Network Policy Server (NPS). A corresponding RADIUS server entry must be configured on the 802.1X enforcement point so that it can forward connection requests to the NAP health policy server for evaluation.
To restrict the network access of noncompliant NAP client computers, an 802.1X enforcement point receives RADIUS tunnel attributes that instruct the enforcement point to apply VLANs, ACLs, or other properties to the client connection based on evaluation of its health status. These VLANs and ACLs are typically configured on the network access device and then dynamically assigned to NAP clients using RADIUS attributes.
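The following added example (not part of the original documentation) parses a RADIUS Access-Accept and extracts the VLAN it assigns, which is useful for checking from a packet capture that noncompliant clients are placed in the restricted VLAN. It assumes the tunnel attributes are the standard ones from RFC 2868 and RFC 3580 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which the page does not name; the sample packet and VLAN ID are constructed.

```python
import struct

# RFC 2868 / RFC 3580 attribute numbers and values for dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ACCESS_ACCEPT, VLAN, IEEE_802 = 2, 13, 6

def attr(a_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([a_type, len(value) + 2]) + value

def build_accept(vlan_id, ident=1):
    """Constructed sample: an Access-Accept carrying the three tunnel attributes."""
    attrs = (attr(TUNNEL_TYPE, b"\x00" + VLAN.to_bytes(3, "big"))
             + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + IEEE_802.to_bytes(3, "big"))
             + attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + bytes(16) + attrs  # zeroed authenticator: sample data only

def parse_vlan(packet):
    """Return the VLAN string an Access-Accept assigns, or None if it assigns none."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    if code != ACCESS_ACCEPT:
        return None
    found, pos = {}, 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 1 < length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        found.setdefault(packet[pos], packet[pos + 2:pos + a_len])
        pos += a_len
    t_type = found.get(TUNNEL_TYPE)
    medium = found.get(TUNNEL_MEDIUM_TYPE)
    group = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if not (t_type and medium and group):
        return None  # all three attributes are needed for a VLAN assignment
    if (int.from_bytes(t_type[1:], "big") != VLAN
            or int.from_bytes(medium[1:], "big") != IEEE_802):
        return None
    if group[0] <= 0x1F:  # optional RFC 2868 tag byte precedes the string
        group = group[1:]
    return group.decode("ascii")
```

An Access-Accept for which `parse_vlan` returns `None` carries no VLAN assignment, so the port stays in whatever VLAN the enforcement point applies by default.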