NAP 802.1X Configuration Walkthrough – Part 2
This is a continuation from Part 1.
Step 2 – Windows Server 2008 NPS, the heart of NAP
I am going to take a slightly different approach than the 802.1X step-by-step guide. Feel free to follow either method, whatever gets it done for you!
My configuration assumes a “WORKGROUP”, not domain joined. Again, for simplicity of building a demonstration, I prefer to remove the AD component.
· Open “Server Manager”, just in case it didn’t open for you on logon. :->
· Add our NAP role – “Network Policy and Access Services”.
· Add our role service – “Network Policy Server (NPS)”.*Tip* - if you also install the “Health Registration Authority (HRA)”, this is used only if you are doing NAP + IPsec, it may save you a bit of pain getting 802.1X to work. It has an option to create a “self-signed certificate” for the server. NPS / EAP require a server certificate to do 802.1X NAP.
· This is an important step, in case you are skipping the previous steps on installing the stuff. You should clear ALL EXISTING CONFIGURATION. Even on a default install, I clear it all out for my own sanity. Clean slate baby; easier to debug.The four nodes to clear are 1.) RADIUS Clients 2.) Connection Request Policies 3.) Network Policies 4.) Health Policies.
· Now that we have a clean configuration, let’s run the spiffy wizard. Click on the top “NPS” node within the tree-view. You should then see a “Configure NAP” link on the “Getting Started” page.
· The first page of the wizard is figuring out which scenario of NAP enforcement you want to configure. For this walkthrough, I am discussing “IEEE 802.1X (Wired)”.
· Time to configure a RADIUS client (i.e. 802.1X switch). You will have to remember the IP address and shared secret that you configured on the switch itself in Part 1. Click the “Add” button. Fill in a nice friendly name for the switch (maybe a model# and physical location and such – it will be displayed in the logs later), the IP address of the switch (use the management VLAN 1 IP interface) and the shared secret.
· Since this is a workgroup, the next page can be skipped. This is where you can specify what machines and users should be included in your NAP deployment. This is pretty cool in that you can roll out NAP at your own pace throughout a domain.
· As I mentioned in the *tip* above, NAP + 802.1X needs a certificate on the server-side to function. A self-signed cert is a quick and easy way to get this going for a workgroup.I am going to be discussing user-based NAP 802.1X – thus you only need to enable PEAP-MS-CHAPv2. If you were in an AD, you could deploy auto-enrolled machine certificates and get 802.1X machine authentication working. It is pretty slick.
· Alrighty then, this is the fun bit – configuring the VLANs. It is relatively painless. This can sometimes vary depending on the switch. I will say that all seven of the switches I configured for RSA needed the same exact settings in here.The “Organization network VLAN” is what I am calling the Compliant VLAN. Obviously the “Restricted network VLAN” is the Non-Compliant VLAN.Compliant VLAN settings:Tunnel-Type = Virtual LANs (VLAN)Tunnel-Medium-Type = 802 (includes all 802 media ...)Tunnel-Pvt-Group = 2Non-Compliant VLAN settings:Tunnel-Type = Virtual LANs (VLAN)Tunnel-Medium-Type = 802 (includes all 802 media ...)Tunnel-Pvt-Group = 3
· The “Health” settings that are available to you without any additional software are around the Windows Security Center. In NAP, this component is called on the NAP client “Windows Security System Health Agent” – and on the NAP server “Windows Security System Health Validator”.You will notice in my screenshot that I have other stuff in there. These are plug-ins to NAP I was showing off at TechEd 2008 Orlando. You should be able to accept the defaults on this page and party on.
· The wizard is done!
· You should verify that the wizard added the configuration in the following nodes - 1.) RADIUS Clients 2.) Connection Request Policies 3.) Network Policies 4.) Health Policies.
· Navigate to the “System Health Validators” node in the tree and double-click the “Windows Security Health Validator”. Click the “Configure” button. I recommend starting small and just check for the Windows Firewall at first.
Nicely done! On to the client in the next installment!