Network Access Protection (NAP)

Latest news from the Network Access Protection (NAP) team at Microsoft.

NAP demystified (hopefully)


As I learned at Tech Ed 2007, Microsoft NAP still has two large misconceptions out in the world:

1.    NAP is solely based on DHCP technology - 100% FALSE

2.    Deploying NAP requires a complete "rip and replace" of your existing AD/Server infrastructure - 100% FALSE

 

I created the table below to demystify which options are available for the NAP Client across three platforms.

The table doesn’t discuss the NAP Server, but I think it is worth discussing briefly. Our NAP Server "role", contained in Windows Server 2008, is named "Network Policy and Access Services". The heart of the NAP Server is named "Network Policy Server" or "NPS" for short. To deploy NAP in your environment, you must have at least one Windows Server 2008 computer running NPS. That’s it! It doesn’t need to be a domain controller, nor even joined to a domain in most cases.

On to the table:

| NAP Client Feature | Windows XP | Windows Vista | Windows Server 2008 (acting as a client) | Notes |
|---|---|---|---|---|
| Installed by default | No | Yes | Yes | The NAP Client for Windows XP will be available publicly within Windows XP Service Pack 3, releasing in the Windows Server 2008 timeframe. |
| Turned "OFF" by default | Yes | Yes | Yes | You can enable NAP via Group Policy (GP), command-line, registry or MMC. |
| Public APIs | Yes | Yes | Yes | |
| DHCP Enforcement | Yes | Yes | Yes | |
| VPN Enforcement | Yes | Yes | Yes | |
| IPsec Enforcement | Yes | Yes | Yes | Windows XP supports only IKE based IPsec (no AuthIP support). |
| 802.1x Wireless Enforcement | Yes | Yes | Yes | |
| 802.1x Wired Enforcement | Yes | Yes | Yes | |
| Windows System Health Agent (WSHA) | Yes | Yes | No | Windows Security Center integration with the NAP Client. This is not available on the Server (acting as a NAP Client). |
| MMC Configuration | No | Yes | Yes | The .Net Managed MMC Snap-in is not available on Windows XP. |
| Command-line Configuration | Yes | Yes | Yes | |
| Local Configuration | Yes | Yes | Yes | |
| Group Policy (GP) Configuration | Yes | Yes | Yes | |

 

I hope this clears up some things about NAP for you. Please feel free to comment on this post -or- email me -or- post to our public web forum!

 

NAP the WORLD in 2007,

 

Jeff Sigman
NAP Release Manager
Jeff.Sigman@online.microsoft.com *
- http://blogs.technet.com/nap
- http://microsoft.com/nap
- http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=576&SiteID=17

* Remove the "online" to actually email me.
** This posting is provided "AS IS" with no warranties, and confers no rights.

Comments
  • How can we enable NAC client on Win XP SP2 if the NAC Snap-in is not present?

    In a video I can see a NAP Status icon; where can we get this icon?

  • Hey Charles, you can enable NAP on XP with:

    1.) Group Policy (GP) - running NAP MMC against a GPO on Vista or 2008 Server.

    2.) Command-line (script) - "netsh nap client ..."

    3.) Registry - see forum:

    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1744957&SiteID=17

    - Jeff

  • Thank you Jeff.

  • My pleasure!

    - Jeff

  • NAP: Network Access Protection

  • Since I spend nearly 1/3 of my week answering (or ignoring :->) emails about the XP NAP Client, I

  • NAP Team's Jeff Sigman (Senior Program Manager) has posted on the NAP Blog some Q&A regarding
