This is a continuation from Part 1 and Part 2.
Step 3 – NAP Clients, it’s just too easy
NAP can be configured from the command-line, the MMC (except on XP SP3) and of course Group Policy (GP). Since this is a workgroup scenario, I am going to skip GP – but the principles below are the same.
· Start the services snap-in and locate these two services – “Network Access Protection Agent” (NAPAgent) and “Wired AutoConfig” (dot3svc).
· Start NAPAgent and Dot3Svc and set both to “Automatic” startup. From an administrative command prompt (note that sc.exe requires the space after “start=”):
    sc config NAPAgent start= auto
    net start NAPAgent
    sc config Dot3Svc start= auto
    net start Dot3Svc
· Start the NAP Client Configuration snap-in; click on the “Enforcement Clients” link.
· Enable the “EAP Quarantine Enforcement Client” by double-clicking on it and selecting “Enable this enforcement client”. The equivalent command (79623 is the ID of the EAP QEC):
    netsh NAP client set enforcement ID = "79623" ADMIN = "ENABLE"
· Click on the “User Interface Settings” link; double-click on the “User Interface Settings” entry to configure the text displayed to users when NAP is unable to auto-remediate a problem on the computer (or is still in the process of doing so). From the command line:
    netsh NAP client set userinterface TITLE = "I regret to inform you that you have been NAP'd!!" TEXT = "Please logoff and go home, do not collect $200"
· You may export / import these settings if you wish:
    netsh NAP client export FILENAME = "c:\NapCfg.xml"
    netsh NAP client import FILENAME = "c:\NapCfg.xml"
· Start the Network Connections folder; right-click on your network interface and select “Properties”.
· Since you started “Dot3Svc”, you will now see the “Authentication” tab; enable 802.1X and caching of user information; make sure PEAP is selected; click “Settings”.
· In the “Protected EAP Properties” dialog, un-check “Validate server certificate”; select MS-CHAPv2; check “Enable Quarantine checks”; click “Configure”. Un-checking server validation is acceptable in this lab because NPS is using a certificate the client does not trust, but do not ship that setting to production clients: without it the supplicant will complete PEAP (and hand over its MS-CHAPv2 challenge/response) to any RADIUS server that answers on the wire, so leave validation on and restrict the trusted root CA and server name once you have a proper certificate on NPS.
· In the “EAP MSCHAPv2 Properties” dialog, un-check the setting that automatically uses the Windows logon name and password. This is because we are in a workgroup; in a domain you would leave this enabled so that a domain user automatically authenticates with his domain credentials.
· After you “OK” all of those dialogs, the 802.1X client should attempt to authenticate to the switch port; if it does not, simply disable/enable or unplug/plug the NIC. You should be prompted for credentials; type the user name and password.
· If everything works you should see something like this; any failures usually show “authentication failed”.
· Thankfully, you can also use the command-line to export/import these 802.1X settings:
    netsh lan export profile FOLDER = "c:\"
    netsh lan add profile FILENAME = "c:\LANProfile.xml"
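The command-line pieces of Step 3 collected into one script, as an added example that is not part of the original post. The service names and the EAP QEC ID 79623 are the ones used above; the file paths, the interface name, the user-facing text and the “net session” admin check are my assumptions and should be adjusted for your lab. The PEAP settings from the “Authentication” tab have no “netsh nap” equivalent, so the script imports a wired profile that was exported from a client configured by hand.

```batch
@echo off
setlocal
REM Added example, not from the original walkthrough: unattended version of the
REM command-line parts of Step 3 for a workgroup client. Service names and the
REM EAP QEC ID 79623 come from the walkthrough; everything below in "set" lines
REM is an assumption - change it to suit your lab.

set NAPCFG=C:\NapCfg.xml
set LANPROFILE=C:\LANProfile.xml
set NIC=Local Area Connection

REM sc.exe and netsh.exe need administrative rights; "net session" fails without them.
net session >nul 2>&1 || (echo Run this from an administrative command prompt.& exit /b 1)

REM Step 1: set NAPAgent and Dot3Svc to Automatic and start them
REM (the space after "start=" is required by sc.exe).
for %%S in (NAPAgent Dot3Svc) do (
    sc config %%S start= auto >nul || goto :fail
    sc query %%S | find "RUNNING" >nul || net start %%S || goto :fail
)

REM Step 2: enable the EAP Quarantine Enforcement Client.
netsh nap client set enforcement id = 79623 admin = "ENABLE" || goto :fail

REM Step 3: text shown to the user while auto-remediation is pending or has failed.
netsh nap client set userinterface title = "Network access is restricted" text = "This computer did not pass the health check. Remediation is in progress; call the help desk if this message does not go away." || goto :fail

REM Step 4: review the enforcement client list - the EAP QEC should now be enabled.
netsh nap client show state

REM Step 5: keep a copy of the NAP client settings for the other lab clients.
netsh nap client export filename = "%NAPCFG%" || goto :fail

REM Step 6: the 802.1X/PEAP settings live in a wired profile, not in the nap
REM context, so import one that was exported from a hand-configured client with
REM   netsh lan export profile folder = "C:\"
if exist "%LANPROFILE%" (
    netsh lan add profile filename = "%LANPROFILE%" interface = "%NIC%" || goto :fail
) else (
    echo No %LANPROFILE% found; configure the Authentication tab by hand.
)

REM Step 7: the interface should report its 802.1X state (Authenticated or the failure).
netsh lan show interfaces
echo Done.
exit /b 0

:fail
echo A step failed (error level %ERRORLEVEL%); fix it before continuing.
exit /b 1
```

Save it as a .cmd file and run it from an administrative command prompt on the Vista (or XP SP3 with the ported netsh nap context) client; every sc/netsh call is checked so the script stops at the first failing step instead of leaving the client half-configured.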
Hopefully you now have end-to-end NAP 802.1X working. If not, my next installment includes troubleshooting! :->
Hi Jeff - How would you setup NAP on a XP SP3 client?
Hey Pat - command-line is the best way to get it done on XP SP3 (if you aren't using GP). I ported the "netsh.exe NAP" commands over to XP and they work great. I believe we also supplied the "netsh lan" command there as well.
We have another issue, we have different users assigned to different VLANs, and network filtering today.
What we want is what we understood NAC to be from the beginning:
Unauthenticated devices stay in a guest LAN. Machine-authenticated devices go to a remediation VLAN, and when a user logs on, the VLAN is changed to the user VLAN.
How would we do this? From what I can see on the Internet, XP does not support this "Dynamic VLAN", and Vista implements it badly. Can we get some of the same effect using NAP? Possibly together with something else?
It's all about the switch in my experience. Take a Cisco Catalyst 3550. It has a notion of a "guest VLAN". It can dump people who aren't able to auth at all (i.e. guests) into a VLAN. For people who can auth, you can create policies within our Network Policy Server (NPS on Server 2008, aka our RADIUS server) which put "machines" in one VLAN and users in another (however you like). It is based on Active Directory groups. Try this out in a lab (using this walkthrough) and feel free to jump on our forums if you have any troubles - we will help ya!