Network Access Protection (NAP) : configuration

Example of using the new NPS templates feature in Windows Server 2008 R2

MS NAP Team — Thu, 26 Feb 2009 23:16:00 GMT

In a previous NAP blog entry, we described the new NPS templates feature in Windows Server 2008 R2. In this blog entry, we show an example of using a template for a RADIUS shared secret.

Templates for RADIUS shared secrets allow users to specify a shared secret that can be reused when configuring RADIUS clients and remote RADIUS servers in the Network Policy Server snap-in. To create and use a RADIUS shared secret template, do the following:

1. From the Network Policy Server snap-in, open the Templates Management node.

2. In the console tree, right-click Shared Secrets, and then click New.

3. In Template Name, type a name for the shared secret template, and then either manually specify the shared secret or have NPS automatically generate one.

4. Click OK to save changes.

To use the RADIUS shared secret template, configure a RADIUS client, a remote RADIUS server, or a remote RADIUS server template and specify the template name for the shared secret, rather than manually configuring a shared secret or having NPS generate one. The following figure shows an example.

To view which RADIUS clients, remote RADIUS servers, and remote RADIUS server templates use a specific RADIUS shared secret template, right click the name of the RADIUS shared secret template, and then click View Usage.

NAP Product Team

NPS templates in Windows Server 2008 R2

MS NAP Team — Tue, 17 Feb 2009 21:45:00 GMT

NPS templates, the flagship feature of NPS in Windows Server 2008 R2, provides a huge reduction in cost of ownership and deployment for all NPS environments. NPS templates separate common RADIUS configuration elements such as RADIUS shared secrets and RADIUS clients from the configuration running on the server. When referenced, the NPS setting inherits the values configured in the specified template. A change in the template changes the corresponding value in all of the places in which the template is referenced. For example, a single RADIUS shared secret template can be referenced for multiple RADIUS clients and remote RADIUS servers. When you change the RADIUS shared secret template, the change is inherited by all of the RADIUS clients and remote RADIUS servers in which that RADIUS shared secret template is referenced.

You can also use NPS templates to assist in configuration with referencing them. For example, you can create a RADIUS client template that contains common settings (such as the vendor type or shared secret) for a specific group of RADIUS clients (such as all wireless APs from a specific vendor). When you create a new RADIUS client, you can select the RADIUS client template to obtain the common settings. When you unselect the template, the inherited settings remain and you can configure individual settings, such as the RADIUS client’s IP address.

Note Template settings are not supported by commands in the netsh nps context. Using netsh nps commands will remove the reference to the template and change the configuration element specified in the command.

NPS template settings can also be easily migrated and synchronized across multiple NPS servers.

The following types of configuration elements use templates:

· RADIUS shared secret

· RADIUS clients

· Remote RADIUS servers

· IP filters

· Health policies

· Remediation server groups

You can configure templates for these configuration elements from the Templates Management node of the Network Policy Server snap-in. The following figure shows an example.

For a larger version of this figure, click here.

Individual templates can be added, edited, duplicated, or deleted. After they are configured, they can be referenced and de-referenced in the appropriate dialog boxes in the Network Policy Server snap-in.

The following table lists the different types of templates and where they are used in the Network Policy Server snap-in.

Template	Where it is used
RADIUS shared secret	When creating or configuring RADIUS clients, remote RADIUS server group members, RADIUS client templates, or remote RADIUS server templates
RADIUS clients	When creating or configuring RADIUS clients
Remote RADIUS servers	When creating or configuring remote RADIUS server group members
IP filters	When configuring IP Filters settings for a network policy
Health policies	When creating or configuring health policies
Remediation server groups	When creating or configuring remediation server groups

NAP Product Team

Changes to the NAP user experience in Windows 7

MS NAP Team — Mon, 09 Feb 2009 20:42:00 GMT

Windows 7 and Windows Server 2008 R2 are now available as public betas. In Windows 7, the NAP client user interface (UI) has been integrated into the Windows Action Center (previously known as the Windows Security Center). For example, Network Access Protection notifications appear in the list of messages when you click the Action Center message in the notification area of the Windows 7 desktop.

The following figure shows an example of how a noncompliant NAP client running Windows 7 displays its status in the Windows Action Center.

For a larger version of this figure, click here.

When you click View Solution, Windows 7 displays the Network Access Protection status dialog box (also known as the Napstat UI).

NAP Product Team

Network Access Protection Deployment Guide is live!

MS NAP Team — Thu, 04 Dec 2008 02:18:00 GMT

Greetings NAP fans!

The Network Access Protection Deployment Guide, authored by our very own technical writer and NAP Forum hero Greg Lindsay, is now live!

http://technet.microsoft.com/en-us/library/dd314175.aspx

The NAP Deployment Guide provides detailed guidance for deploying a specific NAP design that has been determined through your use of the Network Access Protection Design Guide. The NAP Deployment Guide contains checklists and step-by-step procedures for deploying NAP health policy servers, NAP enforcement points, IPsec policies with NAP, NAP certification authorities, and NAP client settings.

You can provide feedback on individual pages of the NAP Deployment Guide by clicking “Click to Rate and Give Feedback” just above the content pane.

A big thanks to Greg.

Enjoy!

Joe Davies

"How Windows Update Client and NAP Client View Important Updates" post

MS NAP Team — Thu, 13 Nov 2008 03:02:00 GMT

In a previous blog entry, I talked about the very cool blog written by the Microsoft Enterprise Networking Team in Customer Service and Support (CSS).

Louis Hardy, a Senior Support Escalation Engineer and member of a virtual team of CSS engineers that specialize in NAP, recently published the following post in the Enterprise Networking Team blog:

How Windows Update Client and NAP Client View Important Updates

In this post, Louis describes how the Windows Security Health Validator (WSHV) behaves with respect to important updates and a best-practice client configuration to avoid confusion.

Thanks Louis!

Joe Davies

Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV) - Update

MS NAP Team — Mon, 06 Oct 2008 19:04:00 GMT

We have had several questions lately about the WSHA/WSHV so we figured it was time to provide an update to what we previously posted last year.

The WSHA is the SHA delivered with Windows Vista and Windows XP SP3. The WSHV is the SHV delivered with Windows Server 2008. They provide the ability to make network access decisions based on the following criteria:

· Firewall is enabled

· Antivirus is enabled and up-to-date

· Antispyware is enabled and up-to-date

· Automatic Updates is enabled

· Security updates are up-to-date

Firewall, antivirus, and antispyware detection is available for both Microsoft and non-Microsoft applications. The WSHA detects any application that reports its status through Windows Security Center.

The WSHA will perform automatic remediation as follows, regardless of which firewall, antivirus, and antispyware products are present on the client:

· Firewall turned off: Turn on Windows Firewall

· Antivirus off or out of date: No automatic remediation is available

· Antispyware off or out of date: Turn on and update Windows Defender

The WSHA/WSHV also detects security update status and can remediate with Windows Server Update Services (WSUS), Windows Update, and Microsoft Update. This is discussed in more detail in a previous blog posting.

More information about the WSHA and WSHV can be found at http://technet.microsoft.com/en-us/library/cc731260.aspx.

Mike Burk
WSHA/WSHV Program Manager

Selecting PEAP-TLS and other PEAP methods in Windows Vista and Windows Server 2008

MS NAP Team — Tue, 30 Sep 2008 02:52:00 GMT

Windows Vista and Windows Server 2008 support the Protected Extensible Authentication Protocol (PEAP) and the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) and Transport Layer Security (TLS) authentication methods for PEAP. PEAP can be used in Windows Vista and Windows Server 2008 for remote access VPN connections, 802.1X-authenticated wired connections, and for wireless connections that use the 802.1X, WPA-Enterprise, or WPA2-Enterprise security types. By default, PEAP uses PEAP-MS-CHAP v2. The use of PEAP and a PEAP authentication method is required for the 802.1X and VPN NAP enforcement methods.

For VPN and wireless connections in the Network Connections folder, the list of installed PEAP methods is displayed as a normal drop-down list box from the properties of the Microsoft: Protected EAP (PEAP) network authentication method. There is a different procedure when selecting PEAP types from the following locations:

· The Authentication tab of a wired network connection in the Network Connections folder.

· The Security tab of a Wired Network (IEEE 802.3) Policies policy in Group Policy.

· The Security tab of a Wireless Network (IEEE 802.11) Policies policy in Group Policy.

To select PEAP-TLS or additional PEAP authentication methods from these locations, you must first obtain the properties of the Microsoft: Protected EAP (PEAP) network authentication method. In the Protected EAP Properties dialog box, you must click the down arrow for Select Authentication Method, and then click the small up and down arrows just below the larger down arrow to display the installed PEAP authentication methods. Here is an example.

After the desired PEAP authentication type is displayed, click on its name to select it.

For example, the following procedure selects the PEAP-TLS authentication method:

1. In Select Authentication Method, click the down arrow.

2. For PEAP-TLS, in the drop down list, directly below the down arrow, click the small down arrow to display Smart Card or other certificate, and then click Smart Card or other certificate.

Joe Davies
Senior Program Manager

General NAP policy design considerations

MS NAP Team — Wed, 17 Sep 2008 00:24:00 GMT

Greetings, citizens of NAPville!

Here is some information to take into account when designing your policies for NAP, adapted from a section in the upcoming Network Access Protection Design Guide and written by our own Greg Lindsay:

Consider the following rules when configuring connection request policies and network policies in the Network Policy Server (NPS) snap-in:

· A RADIUS client access request can only match one connection request policy and one network policy. When the access request successfully matches a policy, no other policies are used to evaluate the access request.

· Policies are evaluated based on processing order and source:

o RADIUS access requests from Windows-based RADIUS clients can contain the MS-Network-Access-Server-Type RADIUS attribute, which specifies the source of the request. For example, access requests from a Windows Server 2008-based VPN server specify the source of Remote Access Server (VPN-Dial up).

o Access requests are evaluated against policies with the same source.

o If the source is not specified in the access request, the NPS service will evaluate it against the policies with a source of Unspecified.

o If there are no policies with the same source as the access request, the NPS service will evaluate it against the policies with a source of Unspecified.

o If there are multiple policies with the same source as the access request, the NPS service will evaluate it against the policy with the same source that is highest in the processing order (that is, the policy with the lowest Processing Order number). If the access request does not match the conditions of the policy, the NPS service evaluates the policy next highest in the processing order with the same source. This continues until the access request matches a policy or all policies with the same source have been evaluated.

The following table lists the NAP enforcement methods and their corresponding source.

NAP enforcement method	Source
IPsec	Health Registration Authority
802.1X	Unspecified
VPN	Remote Access Server (VPN-Dial up)
DHCP	DHCP Server
Terminal Server (TS) Gateway	Terminal Server Gateway

You can select a source from Type of network access server on the Overview tab in the properties of the policy.

Thanks Greg!

Joe Davies
Senior Program Manager

Network policy design when using multiple system health validators

MS NAP Team — Fri, 12 Sep 2008 20:57:00 GMT

Here is a section from the upcoming Network Access Protection Design Guide on how to design network policies when you use multiple system health validators (SHVs), written by our own Greg Lindsay:

If you have deployed multiple SHVs, you can configure network policies to match clients that are compliant with some but not all health requirements. Network policies also contain NAP enforcement settings and can provide NAP clients with remediation server groups and a troubleshooting URL. The type of health requirements and troubleshooting URL that are configured in network policy also affect the NAP notification that is received by NAP client computers. By customizing network policies to the exact type of noncompliance that is evaluated, you can provide a unique troubleshooting URL to client computers. When evaluating several health conditions, you must ensure that more specific policies are evaluated before more general policies.

The following table provides an example of network policies that you can configure for a NAP deployment with three SHVs (A, B, C) where all three SHVs are required for compliance.

Policy name	Policy condition	Troubleshooting URL	Processing order
ABC Compliant	Health Policy: Pass A, B, C	N/A	1
ABC Noncompliant	Health Policy: Fail A, B, C	http://NAP/abc.html	2
AB Noncompliant	Health Policy: Fail A, B	http://NAP/ab.html	3
AC Noncompliant	Health Policy: Fail A, C	http://NAP/ac.html	4
BC Noncompliant	Health Policy: Fail B, C	http://NAP/bc.html	5
A Noncompliant	Health Policy: Fail A	http://NAP/a.html	6
B Noncompliant	Health Policy: Fail B	http://NAP/b.html	7
C Noncompliant	Health Policy: Fail C	http://NAP/c.html	8
Non NAP-capable	NAP-Capable: Non NAP-capable	N/A	9

To specify different health requirements for different segments of the network, add additional policy conditions to match client requests from these segments and configure health policies to specify health requirements.

Thanks Greg!

Joe Davies
Senior Program Manager

WinCAT blog post on NAP and 802.1X Enforcement

MS NAP Team — Mon, 25 Aug 2008 20:35:00 GMT

Check out the Windows Server Customer Advisory Team (WinCAT) post Network Access Protection Using 802.1x VLAN’s or Port ACLs – Which is right for you?

Our very own Pat Fetty, whom many of you have seen presenting NAP talks at industry conferences, discusses the two ways that you can configure IEEE 802.1X-based switches and wireless access points for NAP using virtual LANs (VLANs) and access control lists (ACLs). Pat then compares the two approaches with their respective pros and cons.

This is very valuable information to review prior to beginning your 802.1X enforcement deployment.

Thanks Pat!

Joe Davies
Senior Program Manager

This posting is provided "AS IS" with no warranties, and confers no rights.

The "RADIUS client is NAP-capable" check box

MS NAP Team — Fri, 15 Aug 2008 19:59:00 GMT

When you create a new RADIUS client or modify the settings of an existing RADIUS client from the RADIUS Clients node of the Network Policy Server snap-in, there is a RADIUS client is NAP-capable check box. Here is an example.

What is this check box all about?

As I state in the Windows Server 2008 Networking and Network Access Protection (NAP) book, you should select this box if the RADIUS client is a NAP enforcement point that is running Windows Server 2008. That is, if the NAP enforcement point is one or more of the following:

· A Health Registration Authority (HRA) for IPsec enforcement

· A virtual private network (VPN) server for VPN enforcement

· A Dynamic Host Configuration Protocol (DHCP) server for DHCP enforcement

· A Terminal Server (TS) Gateway server for TS Gateway enforcement

When this check box is selected, the NPS service sends NAP-specific RADIUS vendor-specific attributes (VSAs) in the Access-Accept message. When this check box is not selected, the NPS service does not send NAP-specific RADIUS VSAs in the RADIUS Access-Accept message.

When configuring RADIUS clients for a NAP deployment, do the following:

· For RADIUS clients corresponding to Windows Server 2008-based NAP enforcement points, select the RADIUS client is NAP-capable check box. Windows Server 2008-based NAP enforcement points use the information in the NAP-specific VSAs to determine the state of the NAP client and how to limit the access of a noncompliant NAP client. Also included in these VSAs is the System Statement of Health Response (SSoHR), which the enforcement point passes to the NAP client. For a complete listing of these VSAs, click here.

· For RADIUS clients corresponding to IEEE 802.1X-capable switches and wireless access points for 802.1X enforcement, clear the RADIUS client is NAP-capable check box. Some IEEE 802.1X-capable devices automatically deny connections when the Access-Accept message contains attributes that the device is not expecting. In the case of 802.1X enforcement, the IEEE 802.1X-capable devices are instructed to limit the access of noncompliant NAP clients through standard RADIUS attributes such as Filter-ID and Tunnel-Type. With 802.1X enforcement, the NAP health policy server sends the SSoHR and other NAP-specific information directly to the NAP client using a Protected Extensible Authentication Protocol (PEAP) message.

When you create RADIUS clients from within the Configure NAP wizard, you do not have the ability to configure this check box. You must modify the RADIUS client configuration from the RADIUS Clients node of the Network Policy Server snap-in after completing the Configure NAP wizard.

Joe Davies
Senior Program Manager

This posting is provided "AS IS" with no warranties, and confers no rights.