Network Access Protection (NAP)

Latest news from the Network Access Protection (NAP) team at Microsoft.

NAP 802.1X Configuration Walkthrough – Part 3


This is a continuation from Part 1 and Part 2.

Step 3 – NAP Clients, it’s just too easy

NAP can be configured from the command-line, the MMC (except on XP SP3) and of course Group Policy (GP). Since this is a workgroup scenario, I am going to skip GP – but the principles below are the same.

• Start the Services snap-in and locate these two services: “Network Access Protection Agent” (NAPAgent) and “Wired AutoConfig” (Dot3Svc).

• Start NAPAgent and Dot3Svc; set both to “Automatic” startup.

sc config NAPAgent start= auto
net start NAPAgent
sc config Dot3Svc start= auto
net start Dot3Svc

• Start the NAP Client Configuration snap-in; click on the “Enforcement Clients” link.

• Enable the “EAP Quarantine Enforcement Client” by double-clicking on it and selecting “Enable this enforcement client”.

netsh NAP client set enforcement ID = "79623" ADMIN = "ENABLE"

• Click on the “User Interface Settings” link; double-click on the “User Interface Settings” entry to configure the text displayed to users when NAP is unable to auto-remediate a problem on the computer (or is still in the process of doing so).

netsh NAP client set userinterface TITLE = "I regret to inform you that you have been NAP'd!!" TEXT = "Please logoff and go home, do not collect $200"

• You may export / import these settings if you wish.

netsh NAP client export FILENAME = "c:\NapCfg.xml"
netsh NAP client import FILENAME = "c:\NapCfg.xml"

• Open the Network Connections folder; right-click on your network interface and select “Properties”.

• Because Dot3Svc is now running, you will see the “Authentication” tab; enable 802.1X and caching; make sure PEAP is selected; click “Settings”.

• In the “Protected EAP Properties” dialog, un-check “Validate server certificate” (acceptable in this workgroup lab, where the client has no reason to trust the NPS certificate; in a real deployment leave it checked so the client only hands its MS-CHAPv2 credentials to a RADIUS server whose certificate it trusts); select MS-CHAPv2; check “Enable Quarantine checks”; click “Configure”.

• In the “EAP MSCHAPv2 Properties” dialog, un-check the auto-use credentials setting. This is because we are in a workgroup; if you were in a domain you would want to leave this enabled so the domain user automatically uses his domain credentials.

• After you “OK” all of those dialogs, the 802.1X client should attempt to authenticate to the switch port; if not, simply disable/enable the NIC or unplug and re-plug the cable. You should be prompted for credentials; type the user name and password.

• If everything works you should see something like this; any failure usually shows “authentication failed”.

• Thankfully, you can also use the command line to export/import these 802.1X settings.

netsh lan export profile FOLDER = "c:\\"
netsh lan add profile FILENAME = "c:\LANProfile.xml"
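The NAP client portion of Step 3 (services, enforcement client, user-interface text) as one script with a check after each step, so a missed step shows up here rather than as a bare “authentication failed” at the switch port. This is an added example, not code from the original post or the NAP team; it assumes an elevated PowerShell prompt on a workgroup client, as in the walkthrough, and the sample title and text strings are constructed.

```powershell
# Added example (not from the original post). Applies Step 3's NAP client
# settings idempotently and verifies each one. Assumes an elevated prompt
# on a workgroup client; enforcement client ID 79623 is the EAP Quarantine
# Enforcement Client, the same ID the walkthrough uses with netsh.

$ErrorActionPreference = 'Stop'
$EapQecId = '79623'

# 1. NAPAgent and Dot3Svc must be set to Automatic and be running.
foreach ($name in 'NAPAgent', 'Dot3Svc') {
    Set-Service -Name $name -StartupType Automatic
    $svc = Get-Service -Name $name
    if ($svc.Status -ne 'Running') {
        Start-Service -Name $name
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
    Write-Host ("{0,-10} startup=Automatic status={1}" -f $name, (Get-Service -Name $name).Status)
}

# 2. Enable the EAP enforcement client; netsh signals failure via its exit code.
netsh nap client set enforcement ID = $EapQecId ADMIN = "ENABLE" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh could not enable enforcement client $EapQecId" }

# 3. Text the NAP agent shows while remediation is pending or has failed
#    (constructed sample strings; replace with your own).
netsh nap client set userinterface TITLE = "Network Access Protection" TEXT = "This computer is being checked for compliance. Contact the help desk if access is not restored." | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh could not set the user interface text" }

# 4. Verify the configured (Admin) state: only the block for our ID is shown.
netsh nap client show config | Select-String -Pattern $EapQecId -SimpleMatch -Context 1, 1

# 5. Verify the running state. If the EAP enforcement client is not
#    initialised, the port may still authenticate, but the client sends no
#    Statement of Health and NPS treats it as a non-NAP-capable client.
netsh nap client show state | Select-String -Pattern $EapQecId -SimpleMatch -Context 1, 6
```

The two `Select-String` calls print only the enforcement-client block you care about; look for the Admin and Initialized lines in their output before moving on to the 802.1X switch test.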

Hopefully you now have end-to-end NAP 802.1X working. If not, my next installment includes troubleshooting! :->

Jeff

Comments

  • Hi Jeff - How would you set up NAP on an XP SP3 client? Thanks!.../pat

  • Hey Pat - command-line is the best way to get it done on XP SP3 (if you aren't using GP). I ported the "netsh.exe NAP" commands over to XP and they work great. I believe we also supplied the "netsh lan" command there as well. Jeff

  • Hi, We have another issue: we have different users assigned to different VLANs, and network filtering today. What we want is what we understood NAC to be from the beginning: unauthenticated devices stay in a guest LAN; machine-authenticated devices go to a remediation VLAN, and when a user logs on, the VLAN is changed to the user VLAN. How would we do this? From what I can see on the Internet, XP does not support this "Dynamic VLAN", and Vista implements it badly. Can we get some of the same effect using NAP? Possibly together with something else?

  • It's all about the switch in my experience. Take a Cisco Catalyst 3550. It has a notion of a "guest VLAN". It can dump people who aren't able to auth at all (i.e. guests) into a VLAN. For people who can auth, you can create policies within our Network Policy Server (NPS on Server 2008 – aka our RADIUS server) which puts "machines" in a VLAN and users in another (however you like). It is based on Active Directory groups. Try this out in a lab (using this walkthrough) and feel free to jump on our forums if you have any troubles - we will help ya! http://forums.technet.microsoft.com/en-US/winserverNAP/threads Jeff
