Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Network Access Protection (NAP) enforcement for 802.1X
port-based network access control is deployed by using a server running
Network Policy Server (NPS) and an Extensible Authentication Protocol
(EAP) host enforcement client component. With 802.1X port-based
enforcement, the NPS server instructs an 802.1X authenticating switch or
an 802.1X-compliant wireless access point to place noncompliant 802.1X
clients on a remediation network. The NPS server limits network access
by the client to the remediation network by applying IP filters or a
virtual LAN identifier to the connection. 802.1X enforcement provides
strong network restriction for all computers accessing the network by
using 802.1X-capable network access servers.
Requirements for 802.1X wired
To deploy NAP with 802.1X wired, you must configure the following:
- In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the New Network Access Protection wizard.
- Install and configure 802.1X authenticating switches.
- Enable the NAP EAP enforcement client and the NAP service on NAP-capable client computers.
- Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.
- If you are using Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) or EAP-TLS with smart cards or certificates, deploy a public key infrastructure (PKI) with Active Directory® Certificate Services (AD CS).
- If you are using Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), either issue server certificates with AD CS or purchase server certificates from another trusted root certification authority (CA).
Requirements for 802.1X wireless
To deploy NAP with 802.1X wireless, you must configure the following:
- In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the New Network Access Protection wizard.
- Install and configure 802.1X wireless access points.
- Enable the NAP EAP enforcement client and the NAP service on NAP-capable client computers.
- Configure the WSHV or install and configure other SHAs and SHVs, depending on your NAP deployment.
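
The client-side step that appears in both lists above (enable the NAP EAP enforcement client and the NAP service), as an added PowerShell example that is not part of the original page. The service names napagent, dot3svc and Wlansvc, the enforcement client ID 79623 and the netsh nap client commands are not on the page; they are the built-in Windows names for the NAP Agent, Wired AutoConfig, WLAN AutoConfig and the EAP Quarantine Enforcement Client.

```powershell
# Added example: prepare a NAP-capable client for 802.1X enforcement.
# Run on the client from an elevated PowerShell prompt.
param(
    # Which 802.1X supplicant service to enable alongside the NAP Agent.
    [ValidateSet('Wired', 'Wireless')]
    [string]$Medium = 'Wired'
)

$ErrorActionPreference = 'Stop'

# ID of the built-in EAP Quarantine Enforcement Client (not stated on the page).
$EapEnforcementClientId = 79623

# Service and NAP client changes need administrative rights; stop early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt.'
}

# The NAP service (napagent) plus the supplicant for the chosen medium:
# Wired AutoConfig (dot3svc) or WLAN AutoConfig (Wlansvc).
$supplicant = if ($Medium -eq 'Wired') { 'dot3svc' } else { 'Wlansvc' }
foreach ($name in @('napagent', $supplicant)) {
    Set-Service -Name $name -StartupType Automatic
    Start-Service -Name $name
}

# Enable the EAP enforcement client in the local NAP client configuration.
& netsh nap client set enforcement "ID=$EapEnforcementClientId" 'ADMIN=ENABLE'
if ($LASTEXITCODE -ne 0) {
    throw "netsh nap client set enforcement failed with exit code $LASTEXITCODE"
}

# Show the resulting service status and the NAP client state for review.
Get-Service -Name napagent, $supplicant | Format-Table Name, Status -AutoSize
& netsh nap client show state
```

In the `netsh nap client show state` output, check that the EAP Quarantine Enforcement Client is listed as initialized before testing against the switch or access point.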