NAP and the Microsoft Assessment and Planning Toolkit 3.1
30 June 08 04:30 PM | JeffSigman | 1 Comments   

The latest version of the Microsoft Assessment and Planning Toolkit (aka MAP), 3.1, was released today by the Solution Accelerators team. It contains a cool new feature that just might assist you in your NAP deployment planning.

If you’ve never heard of MAP, it is quite cool. I installed it and played around with it for the first time today. It was quite simple to use, once I overcame the installation pre-requisite hurdles (you need Word + Excel + two shared components of Office installed). Here is Baldwin Ng’s summary of what the tool is all about:

... in a nutshell, MAP is basically a network-wide agent-less tool that can help you quickly find out where your desktops and servers are and then it would auto-generate upgrade recommendations for multiple products and technologies including server, desktop and virtualization migration scenarios covering:

·         Windows Vista hardware and device compatibility assessment

·         Office 2007 hardware compatibility assessment

·         Windows Server 2008 hardware and device compatibility assessment

·         Microsoft Application Virtualization hardware compatibility assessment

·         SNMP inventory reporting

[... and new to version 3.1]

·         Hyper-V virtualization candidates assessment (+ improved virtual machines inventory)

·         SQL server discovery and assessment

·         64-bit installation support

·         Desktop Windows Security Center assessment

The last one (Desktop Windows Security Center assessment) is where NAP comes in. NAP out of the box in XP SP3, Vista and Server 2008 tracks compliance around the Windows Security Center. As you probably know, NAP can be extended by 3rd parties quite easily to extend the compliance checking, but the items in Security Center are a great place to start! MAP is able to inventory your entire network and actually give you a glimpse of your NAP “compliance” without having to deploy it first to find out! Pretty cool!

I ran a short wizard to tell MAP to enumerate all the computers in my AD and to scan them for “Vista compatibility”. It found my only domain-joined computer:

The cool thing about the results is that they are available right through Excel. It showed me that if I enabled NAP today, this machine would probably need some remediation! :->

I encourage you to play around with this awesome update to a very rich tool!

Main download page, or directly from x86 / x64

Jeff

NAP Infrastructure Planning and Design (IPD) Guide Now Available!
27 June 08 06:19 PM | JeffSigman | 1 Comments   

Would you like help selecting the best NAP enforcement method to accomplish your goals? Well, you’re in luck. The fine folks on the Solution Accelerators team have created guidance on just that topic!

The document is entitled “Selecting the Right NAP Architecture”. Here is the main page which lists the available Infrastructure Planning and Design Guides.

Solution Accelerators are free, scenario-based guides and automations designed to help IT professionals who are proactively planning, deploying, and operating IT systems using Microsoft products and technologies. Solution Accelerator scenarios focus on security and compliance, management and infrastructure, and communication and collaboration.


NAP the WORLD baby,

Jeff

NAP 802.1X Configuration Walkthrough – Part 3
22 June 08 11:02 AM | JeffSigman | 5 Comments   

This is a continuation from Part 1 and Part 2.

Step 3 – NAP Clients, it’s just too easy

NAP can be configured from the command-line, the MMC (except on XP SP3) and of course Group Policy (GP). Since this is a workgroup scenario, I am going to skip GP – but the principles below are the same.

·         Start the services snap-in and locate these two services – “Network Access Protection Agent” (NAPAgent) and “Wired AutoConfig” (dot3svc).

·         Start NAPAgent and Dot3svc; set both to “Automatic” startup.

sc config NAPAgent start= auto
net start NAPAgent
sc config Dot3Svc start= auto
net start Dot3Svc

·         Start the NAP Client Configuration snap-in; click on the “Enforcement Clients” link.

·         Enable the “EAP Quarantine Enforcement Client” by double-clicking on it and selecting “Enable this enforcement client”.

netsh NAP client set enforcement ID = "79623" ADMIN = "ENABLE"

·         Click on the “User Interface Settings” link; double-click on the “User Interface Settings” entry to configure the text displayed to users when NAP is unable to auto-remediate a problem on the computer (or is still in the process of doing so).

netsh NAP client set userinterface TITLE = "I regret to inform you that you have been NAP'd!!" TEXT = "Please logoff and go home, do not collect $200"

·         You may export / import these settings if you wish.

netsh NAP client export FILENAME = "c:\NapCfg.xml"
netsh NAP client import FILENAME = "c:\NapCfg.xml"

·         Start the Network Connections folder; right-click on your network interface and select “Properties”.

·         Since you started the “Dot3Svc”, you will now see the “Authentication” tab; enable 802.1X and caching; make sure PEAP is selected; click “Settings”.

·         In the “Protected EAP Properties” dialog, un-check “Validate server certificate”; Select MS-CHAPv2; Check “Enable Quarantine checks”; Click “Configure”.

·         In the “EAP MSCHAPv2 Properties” dialog, un-check the auto-use credentials setting – this is because we are in a workgroup – if you were in a domain you would want to leave this enabled so the domain user would automatically use his domain credentials.

·         After you “OK” all of those dialogs, the 802.1X client should now attempt to authenticate to the switch port; if not, simply enable/disable or unplug/plug the NIC; you should get prompted for credentials; type the user / password.

·         If everything works you should see something like this; any failures usually show “authentication failed”.

·         Thankfully, you can also use the command-line to export/import these settings.

netsh lan export profile FOLDER = "c:\\"
netsh lan add profile FILENAME = "c:\LANProfile.xml"

Hopefully you now have end-to-end NAP 802.1X working. If not, my next installment includes troubleshooting! :->

Jeff

NAP 802.1X Configuration Walkthrough – Part 2
20 June 08 09:59 AM | JeffSigman | 3 Comments   


This is a continuation from Part 1.

Step 2 – Windows Server 2008 NPS, the heart of NAP

I am going to take a slightly different approach than the 802.1X step-by-step guide. Feel free to follow either method, whatever gets it done for you!

My configuration assumes a “WORKGROUP”, not domain joined. Again, for simplicity of building a demonstration, I prefer to remove the AD component.

·         Open “Server Manager”, just in case it didn’t open for you on logon. :->

·          Add our NAP role – “Network Policy and Access Services”.

·         Add our role service – “Network Policy Server (NPS)”.

*Tip* - if you also install the “Health Registration Authority (HRA)” role service (it is only used if you are doing NAP + IPsec), it may save you a bit of pain getting 802.1X to work: its setup has an option to create a “self-signed certificate” for the server, and NPS / EAP require a server certificate to do 802.1X NAP.

·         This is an important step, in case you are skipping the previous steps on installing the stuff. You should clear ALL EXISTING CONFIGURATION. Even on a default install, I clear it all out for my own sanity. Clean slate baby; easier to debug.

The four nodes to clear are 1.) RADIUS Clients 2.) Connection Request Policies 3.) Network Policies 4.) Health Policies.

·         Now that we have a clean configuration, let’s run the spiffy wizard. Click on the top “NPS” node within the tree-view. You should then see a “Configure NAP” link on the “Getting Started” page.

·         The first page of the wizard is figuring out which scenario of NAP enforcement you want to configure. For this walkthrough, I am discussing “IEEE 802.1X (Wired)”.

·         Time to configure a RADIUS client (i.e. 802.1X switch). You will have to remember the IP address and shared secret that you configured on the switch itself in Part 1. Click the “Add” button. Fill in a nice friendly name for the switch (maybe a model# and physical location and such – it will be displayed in the logs later), the IP address of the switch (use the management VLAN 1 IP interface) and the shared secret.

·         Since this is a workgroup, the next page can be skipped. This is where you can specify what machines and users should be included in your NAP deployment. This is pretty cool in that you can roll out NAP at your own pace throughout a domain.

·         As I mentioned in the *tip* above, NAP + 802.1X needs a certificate on the server-side to function. A self-signed cert is a quick and easy way to get this going for a workgroup.

I am going to be discussing user-based NAP 802.1X – thus you only need to enable PEAP-MS-CHAPv2. If you were in an AD, you could deploy auto-enrolled machine certificates and get 802.1X machine authentication working. It is pretty slick.

·         Alrighty then, this is the fun bit – configuring the VLANs. It is relatively painless. This can sometimes vary depending on the switch. I will say that all seven of the switches I configured for RSA needed the same exact settings in here.

The “Organization network VLAN” is what I am calling the Compliant VLAN. Obviously the “Restricted network VLAN” is the Non-Compliant VLAN.

Compliant VLAN settings:
Tunnel-Type             = Virtual LANs (VLAN)
Tunnel-Medium-Type = 802 (includes all 802 media ...)
Tunnel-Pvt-Group   = 2

Non-Compliant VLAN settings:
Tunnel-Type             = Virtual LANs (VLAN)
Tunnel-Medium-Type = 802 (includes all 802 media ...)
Tunnel-Pvt-Group   = 3
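The three Tunnel-* settings above are ordinary RADIUS attributes (RFC 2868) carried in the Access-Accept that NPS returns to the switch. The following Python is an added example, not code from this post or from NPS: it encodes the Compliant (VLAN 2) and Non-Compliant (VLAN 3) attribute sets, builds an Access-Accept whose Response Authenticator is keyed with the switch's shared secret, and decodes the reply the way a switch would, rejecting it when the secret does not match. The tag value of 1, the sample Request Authenticator and the packet identifiers are assumptions of the example.

```python
import hashlib
import hmac
import struct

# Attribute numbers and values from RFC 2865 / RFC 2868; these are what the
# wizard's Tunnel-Type / Tunnel-Medium-Type / Tunnel-Pvt-Group settings become.
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13    # "Virtual LANs (VLAN)"
TUNNEL_MEDIUM_802 = 6    # "802 (includes all 802 media ...)"


def tagged_int(attr_type, value, tag=1):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, text, tag=1):
    """RFC 2868 tagged string: one tag byte followed by the string bytes."""
    data = bytes([tag]) + text.encode("ascii")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def vlan_attributes(vlan_id, tag=1):
    """The three attributes NPS returns to place the port in vlan_id (assumed tag 1)."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def access_accept(identifier, request_authenticator, attrs, secret):
    """Build an Access-Accept. The Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    digest = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + digest + attrs


def parse_attributes(attrs):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting bad lengths."""
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        yield attrs[i], attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]


def assigned_vlan(packet, request_authenticator, secret):
    """Do what the switch does with the reply: verify the Response Authenticator
    with the shared secret, then return the VLAN id if all three tunnel
    attributes are present, agree on a tag and describe an 802 VLAN, else None."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: shared secret differs")
    if code != ACCESS_ACCEPT:
        return None
    seen = {}
    for a_type, value in parse_attributes(attrs):
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            seen[a_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif a_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A leading byte of 0x00..0x1F is a tag; anything larger is string data.
            tag = value[0] if value[0] <= 0x1F else None
            seen[a_type] = (tag, (value[1:] if tag is not None else value).decode("ascii"))
    if len(seen) != 3 or len({tag for tag, _ in seen.values()}) != 1:
        return None
    if seen[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN or seen[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_802:
        return None
    group = seen[TUNNEL_PRIVATE_GROUP_ID][1]
    return int(group) if group.isdigit() else None
```

A reply that verifies but lacks any of the three attributes yields None, which is the case where the switch leaves the port wherever its own configuration puts unauthenticated clients.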

·         The “Health” settings that are available to you without any additional software are around the Windows Security Center. In NAP, this component is called on the NAP client “Windows Security System Health Agent” – and on the NAP server “Windows Security System Health Validator”.

You will notice in my screenshot that I have other stuff in there. These are plug-ins to NAP I was showing off at TechEd 2008 Orlando. You should be able to accept the defaults on this page and party on.

·         The wizard is done!

·         You should verify that the wizard added the configuration in the following nodes - 1.) RADIUS Clients 2.) Connection Request Policies 3.) Network Policies 4.) Health Policies.

·         Navigate to the “System Health Validators” node in the tree and double-click the “Windows Security Health Validator”. Click the “Configure” button. I recommend starting small and just check for the Windows Firewall at first.


Nicely done! On to the client in the next installment!

Jeff

NAP 802.1X Configuration Walkthrough – Part 1
19 June 08 10:08 AM | JeffSigman | 5 Comments   

I just got back from TechEd 2008 North America (Orlando) where I presented two “breakout” sessions on NAP. It went off with a bang and most people really loved the sessions / demos. I have blogged a couple times in the past that I would document exactly how I made it all work and now I want to come through on that promise.

Back in April of this year I created a cool 802.1X NAP Interoperability Showcase for the RSA show – it was two mobile racks (guitar racks actually) full of vendor 802.1X wired gear. I had devices from Cisco, D-Link, Enterasys, Extreme, Foundry, HP ProCurve and Nortel. I got it all working flawlessly with NAP / NPS / Server 2008! It was quite a thing to get working being a guy who deals chiefly in Windows OS’s (and not much networking hardware). After getting it all working I felt some serious love for the scenario – it is definitely my favorite flavor of the 6 NAP enforcement methods we support (DHCP, IPsec, 802.1X, VPN, TSG and Cisco NAC).

Before I head to Windows configuration, we need to talk GEAR. Here are the devices I got working in the showcase rack. I included links to my configuration files from the first five (I need to dig up the other guys too):

1.    HP ProCurve 2626

2.    Cisco Catalyst 3550

3.    D-Link xStack DES-3828

4.    Extreme Summit X450-24t

5.    Foundry FastIron Edge 4802-POE

6.    Enterasys 2G4072-52

7.    Nortel BayStack 5520-24T-PWR

I also saved off a copy of the Network Policy Server (NPS) XML configuration file if you want to refer to it. Use caution when using these files. I don’t want you to frakk your switch! For the purposes of this walkthrough, I am going to discuss the specifics of the HP ProCurve 2626. It is a switch that is near and dear to my heart as it is the first one I ever got working. :-> Some things may vary on your brand / model.

Step 1 – Configure that switch baby

This step caused me some serious pain for a number of reasons. I was handed 7 switches with NO power cables, NO terminal cables NOR any instruction manuals. Whoa ho! “Good luck” was something I was thinking at the time. I hope you aren’t in the same boat here. :->

The ProCurve wasn’t bad at all once I found a female-to-female DB9 cable (i.e. Radio Shack). Being a Microsoft guy, I felt obligated to use Hyper Terminal (some Linux guys later informed me about PuTTY, which is pretty cool). Since Hypertrm disappeared from Vista (huh?!?), I went to my XP SP3 box and copied the required files to my memory stick (hypertrm.chm, hypertrm.dll, hypertrm.exe, hypertrm.hlp).

To get connected to the ProCurve I used 8-N-1 @ 115,200 with Xon/Xoff and VT100 emulation. Boy, this brought me back to my modem days. After clicking “Connect” and pressing Enter a couple of times, you should be presented with this.

By the way, you can use HP’s web based configuration interface for some stuff, like configuring VLANs, but it isn’t able to handle RADIUS configuration – which made me move right over to terminal for everything.

Here is a simple diagram of what every switch looked like. 3 VLANs total:

·         VLAN 1: Management VLAN. Each of the seven switches had an IP address on the 10.x network. This is so they could do two things – authenticate to the NPS via RADIUS + relay the DHCP/BOOTP traffic to the DHCP server running on Windows Server 2008.

·         VLAN 2: Compliant VLAN. AKA – the “healthy network”. Clients on this network are compliant with your policy.

·         VLAN 3: Non-Compliant VLAN – AKA – the “unhealthy network”. Clients on this network are not compliant with your policy. They should not be able to contact clients in Compliant VLAN. It is also advisable to restrict what they can reach on the Management VLAN – only resources required to get them fixed up as well as infrastructure (e.g. AD).

Let’s take a look at the ProCurve configuration I am using:

Startup configuration:

; J4900B Configuration Editor; Created on release #H.10.45

hostname "HP ProCurve 2626"
ip routing
vlan 1
   name "Management"
   untagged 2,4,6,8-26
   ip address 10.0.0.2 255.0.0.0
   no untagged 1,3,5,7
   exit
vlan 2
   name "Compliant"
   ip address 20.0.0.1 255.255.0.0
   ip helper-address 10.0.0.1
   exit
vlan 3
   name "NonCompliant"
   untagged 1,3,5,7
   ip address 30.0.0.1 255.255.0.0
   ip helper-address 10.0.0.1
   exit
aaa authentication port-access eap-radius authorized
radius-server host 10.0.0.1 key secret
primary-vlan 3
aaa port-access authenticator 1,3,5,7
aaa port-access authenticator active
aaa port-access 1,3,5,7


Since I have multiple IP segments, I needed to enable IP Routing on the switch. This line makes that happen:

ip routing


Here are the VLANs. The names are self-evident. I only wanted 4 ports available for clients to authenticate with 802.1X (ports 1,3,5,7). I am not using 802.1X’s notion of port tagging the Ethernet frames, which I won’t go into here. I was going for simplicity, so I treated each of the seven switches as a completely separate network (non-routable between switches).

vlan 1
   name "Management"
   untagged 2,4,6,8-26
   ip address 10.0.0.2 255.0.0.0
   no untagged 1,3,5,7
   exit
vlan 2
   name "Compliant"
   ip address 20.0.0.1 255.255.0.0
   ip helper-address 10.0.0.1
   exit
vlan 3
   name "NonCompliant"
   untagged 1,3,5,7
   ip address 30.0.0.1 255.255.0.0
   ip helper-address 10.0.0.1
   exit


We need to enable 802.1X on a port by port basis, as well as tell the switch how we intend to authenticate these ports. This is where we point the switch at the Windows Server 2008 machine running Network Policy Server (NPS). The shared secret I am using in this example is complex – it is “secret”. :->

aaa authentication port-access eap-radius authorized
radius-server host 10.0.0.1 key secret
primary-vlan 3
aaa port-access authenticator 1,3,5,7
aaa port-access authenticator active
aaa port-access 1,3,5,7


Make sure you commit the configuration to memory!

HP ProCurve 2626# write memory

Got more coming at you tomorrow! Stay tuned.

Jeff

NAP HRA Auto-Detection ADMX Template
17 June 08 02:39 PM | JeffSigman | 1 Comments   

Hey NAP’ers, Rhys Ziemer coming to you from deep within the concrete jungles of Washington DC. I’ve been working with NAP for a while now, so I wanted to share something that is making my life easier!

As previously discussed on the NAP blog, the preferred method of HRA discovery is through the registration of HRA servers in DNS using SRV records. The challenge is in telling clients to use DNS for HRA discovery instead of the existing store of trusted HRA servers specified through group policy. Trusted HRA servers are traditionally specified through the Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Network Access Protection node. Here a system administrator can hard-code the list of HRA URL addresses that clients can contact when the IPsec NAP agent is enabled on client machines. For large NAP deployments, DNS round-robin service discovery is ideal for load balancing across HRAs, as well as for easily linking specific HRAs to specific sites and domains. In these cases, the EnableDiscovery flag must be set to allow this discovery to take place. Unfortunately, there is no group policy setting and no template that allows this registry setting to be enabled uniformly across an enterprise. This is all detailed in Gavin’s post.

This thus requires either creative logon script processing to enable auto-discovery of HRAs, the purchase of a 3rd party product to create an ADMX template that provides a basis for implementing HRA auto-discovery, or a knowledgeable SA to create their own ADMX template for the setting from scratch. I personally got tired of hard-coding this setting on all of my demo clients to enable HRA auto-discovery and thus wrote my own ADMX template. This link provides the ADMX template and the associated ADML language file in the en-US locale.

For those that aren’t aware, one of the benefits of an ADMX template is that the strings are moved out to the <Locale>\<ADMX Root Filename>.ADML location, thus supporting multiple localized string sets per template. Since I only speak US English fluently, I have only provided an en-US language file, appropriately named en-US\HRAAutoDiscovery.ADML to match the HRAAutoDiscovery.ADMX file. If US English isn’t your localization, feel free to create your own HRAAutoDiscovery.ADML template in the appropriate localization. It should be relatively obvious how to hack up this ADML file to provide appropriate localized strings.

Within this template, both the workgroup and domain policies are provided for enabling HRA auto-discovery. In order to load these templates, place the ADMX and ADML files into c:\Windows\PolicyDefinitions for local stores, and on the Domain Controller for central GP stores. Additionally, if you are taking advantage of the central ADMX template store within Windows Server 2008, you can add these templates to that store to populate them throughout your enterprise. Once loaded, if you navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Network Access Protection, you’ll notice that there is a new sub-directory entitled Health Registration Authority. Here both the Domain and Workgroup policies are exposed. Note that the Workgroup policy tattoos the registry: if the GPO containing the Workgroup policy is unlinked, the setting will not become disabled or unset. This is not the case for the Domain policy, which is a fully managed, standard group policy setting. I included the Workgroup policy solely for the case of loading the templates onto a local client and configuring local policy to enable HRA auto-discovery. In an enterprise scenario, this template will most likely not be used, and the registry will simply be hard-coded through a script.

Finally, my last comment on the policies is that they are based on the shipping Windows Server 2008 templates and pre-requisites. As such, this particular policy requires Windows XP SP3 or Windows Vista SP1 for proper processing; however, these requirements are not addressed by the Windows ADMX namespace since these products were not released at the time of shipping. If and when this namespace becomes updated to handle Windows XP SP3 and Windows Vista SP1 for minimum requirements, I will update these templates to reflect this base requirement. As such, right now, these templates have a Windows Vista requirement for application, and thus they will not affect Windows XP deployments.

I hope these templates make your NAP deployments just a little bit easier, and if you have any questions or issues with the templates, please feel free to follow-up and I’ll do my best to address the questions and correct problems that you encounter with the templates.

NAP the WORLD!

Rhys (rhysz at Microsoft.com)

NAP rocks Developers Week @ TechEd 2008 Orlando!
17 June 08 11:09 AM | JeffSigman | 0 Comments   

Hey NAP bloggers; Jun Wang and Howard Lee here from the NAP engineering team! We just got back from having a great time down in Orlando, FL talking with our fellow developers about NAP. We contributed to two sessions during the TechEd Developers show:

“Ask the Expert” Session

This session was held at 9:00am on Friday 6/6/2008. The lounge was full of visitors during our session, which we were glad to see. We received valuable questions from visitors, ranging from software licensing, Linux/Mac interoperability and NAP-IPsec to general questions about the NAP solution.

NAP Breakout Session

Our joint presentation on NAP, including the NAP SDK, went smoothly as planned. We thank those of you who stayed for the last session (4:30pm) on Friday 6/6/2008, which happened to be the very last session of the Developers conference. Your enthusiasm about NAP was highly appreciated. In the future, moving our session to earlier in the week and earlier in the day should accommodate a wider audience. We received valuable questions from the audience. One of the interesting questions was about NAP’s support on eXP (embedded XP) and Windows CE.

Howard

Jun

Presentation Slides

Here are our slides if you are interested!

There are a couple of ways of engaging with the NAP team. First and foremost, we’d like to encourage you to use the NAP TechNet forum. This gives you access to the entire NAP engineering team. Here is a list of great resources, as well as the NAP Blog.

Thanks for helping us NAP THE WORLD!

Jun (junwa at Microsoft.com) &

Howard (howlee at Microsoft.com)

NAP @ TechEd Podcast
11 June 08 01:14 PM | JeffSigman | 0 Comments   

NAP - with Jeff Sigman and Others

Jeff Sigman – Microsoft
Chris Boscolo - Napera Networks, Inc.
Alex Chalmers - Ball State University
Pattabhi Attaluri - Avenda Systems

In this podcast from Tech·Ed NA 2008 IT Pro, Jeff Sigman talks about Network Access Protection (NAP). Alex Chalmers of Ball State University shares his experiences rolling out a large NAP deployment. Chris Boscolo (Napera Networks, Inc.) and Pattabhi Attaluri (Avenda Systems) talk about products their companies provide to add value to a NAP environment.

PowerPoint from the session.

Special thanks to Kevin Remde for making this podcast happen!

Day 2, NAP’ing TechEd
11 June 08 11:17 AM | JeffSigman | 2 Comments   

My NAP overview session went very well yesterday. All the demos went off perfectly, and I thought {most} of the audience got a lot out of it. If you attended the session and have feedback, I’d love to hear it. I have a repeat session this Friday, so I have time to make some corrections and changes.

The show this year has followed the TechEd Europe model – one week of Dev TechEd, one week of IT Pro TechEd. Most people I have spoken to at the show appreciated the split as it lowered the crowds of having one huge show. Some folks did mention that they wear both hats – Developer and IT Pro and they wished it was still a one-stop shop. I think the split is a good thing overall as it feels like a focused event...

Virtualization is, of course, a hot topic at the show this year. Its section on the show floor is jam-packed. The interest in network security and compliance is still high though as my first session had over 400 people attend.

While I was speaking yesterday, we officially announced the availability of the “Microsoft Forefront Integration Kit for Network Access Protection” (aka FCS NAP) as a free download. I have been showing off this integration for months – I am pumped that it is now available to all!

More later from the show floor – I am typing this in the “TechEd Bloggers Lounge”. Cheers!
