You need to deploy the Network Policy and Access Services role and add the Network Policy Server (NPS) role service to validate health policies in your network. Then you can configure Network Policy Server (NPS) to create and enforce those health policies on clients.

Clients that connect to a NAP server and do not meet the health requirements are placed in a restricted network until updates are performed and the machine meets the health requirements.
Install the Network Policy Server
To install the NPS role service and configure NAP, perform the following steps:
1. In Server Manager, select Add Roles.
2. Choose the Network Policy and Access Services role and then click Next.
3. On the next screen, which has the sections Introduction to Network Policy and Access Services, Things to Note, and Links to Additional Information, click Next.
4. Choose the role services for Network Policy and Access Services:
   - Network Policy Server (NPS): Creates and enforces network access policies for clients and sets organizationwide policies for client health and for connection request authentication and authorization. Also enables you to deploy NAP in your organization.
   - Routing and Remote Access Services: Provides users access to resources over a VPN connection. It is made up of two parts: Remote Access Service provides access to the internal network through a VPN, and the Routing portion provides support for NAT, RIP, and multicast routers.
   - Health Registration Authority (HRA): Validates requests from clients and issues health certificates for connectivity to resources for clients that meet the health criteria. Adding HRA requires the additional step of selecting a valid CA before HRA is functional.
   - Host Credential Authorization Protocol (HCAP): Allows you to integrate Microsoft’s NAP solution with Cisco’s NAP solution. Deploying HCAP, NPS, and NAP allows NPS to perform authorization of Cisco Network Access Control clients. Adding HCAP requires that you assign a CA-issued SSL certificate before HCAP is functional.

Note
Routing and Remote Access Services is part of access services but does not fall under the category of an NPS or NAP server role. Rather, NPS and NAP are used to validate the health of clients before they connect to a VPN through Routing and Remote Access.

5. When prompted to choose the network policy and access services you want to add, select NPS, HRA, and HCAP. Click Next.
6. On the next screen, where you can choose to install a local CA, choose a remote CA, or select a CA later, select your choice for a CA and click Next.
7. Choose the authentication requirements. You can choose to require that requestors be authenticated as domain members (recommended) or allow anonymous requests for health certificates. Click Next.
8. Select an SSL server certificate for HRA and HCAP. You can choose an existing certificate (recommended), create a self-signed certificate, or choose to not use an SSL certificate or to assign one later. Click Next.
9. Confirm your installation selections and click Install.
When Network Policy and Access Services is installed, restart your server, and you can then configure NAP.
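The same role-service installation done from PowerShell, with a check that the services are really present and that a usable server certificate exists for HRA and HCAP. This is an added example, not from the book; it assumes Windows Server 2008 R2 or later with the ServerManager module, where the feature names NPAS-Policy-Server, NPAS-Health and NPAS-Host-Cred correspond to NPS, HRA and HCAP.

```powershell
# Added example (not from the book): install NPS, HRA and HCAP and verify.
# Assumption: ServerManager module present (Windows Server 2008 R2 or later).
Import-Module ServerManager

$wanted = @('NPAS-Policy-Server', 'NPAS-Health', 'NPAS-Host-Cred')

# Install only what is missing, so the script is safe to re-run.
$missing = Get-WindowsFeature -Name $wanted | Where-Object { -not $_.Installed }
if ($missing) {
    $result = Add-WindowsFeature -Name ($missing | ForEach-Object { $_.Name })
    if (-not $result.Success) { throw "Role service installation failed" }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning "Restart the server before running Configure NAP."
    }
}

# Verify: every wanted role service must now report Installed.
$state = Get-WindowsFeature -Name $wanted | Select-Object Name, Installed
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Installed }) {
    throw "One or more NPAS role services are still missing"
}

# HRA and HCAP only work once a server certificate is bound. List the
# unexpired certificates in the machine store so you can confirm the one
# selected in the wizard (an existing CA-issued one is recommended) exists.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Select-Object Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize
```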
Configure NAP Health Policies
When NPS is installed, you still need to configure NAP to create and enforce health policies. So let’s take a look at finishing up the configuration of NAP. To finish configuring NAP, perform the following steps:
1. In Server Manager, expand the Network Policy and Access Services console tree.
2. Highlight NPS (Local); NAP is selected as the default standard configuration. Click Configure NAP.
3. When the Configure NAP Wizard begins, choose the network access server. The following connection methods are available:
   - Dynamic Host Configuration Protocol (DHCP)
   - IPsec with Health Registration Authority (HRA)
   - IEEE 802.1X (Wired)
   - IEEE 802.1X (Wireless)
   - Virtual Private Network (VPN)
   - Terminal Service Gateway (TS Gateway)

Note
It is important to pay attention to the additional requirements below your choice of connection method. Each connection method requires additional steps to finish the installation of NAP. The steps depend on the connection method you choose.

In this case, you want to set up NAP using IPsec with HRA. Choosing this method invokes these necessary additional requirements, as specified by Microsoft TechNet:

To deploy NAP with IPsec and HRA, configure the following:
   - In NPS, configure the connection request policy, the network policy, and the NAP health policy. You can configure these policies individually, using the NPS console, or you can use the New Network Access Protection Wizard.
   - Enable the NAP IPsec enforcement client and the NAP service on NAP-capable client computers.
   - Install HRA on the local computer or on a remote computer.
   - Install and configure Active Directory Certificate Services (AD CS) and certificate templates.
   - Configure Group Policy and any other settings required for your deployment.
   - Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.

If HRA is not installed on the local computer, also configure the following:

After configuring the additional requirements, click Next.

4. Specify the NAP enforcement servers for HRA. If HRA is installed on this server, you can skip this step. If it is installed on another server in the domain, you need to specify which server will be used as a RADIUS client. Click Next.
5. In the next screen, grant or deny access, as appropriate. You can grant access to all users by leaving the field blank. If you want to allow/deny access to computers, utilize machine groups. If you want to allow/deny access to users, utilize user groups. For this example, add both machine and user groups to this policy and click Next.
6. Define the NAP policy. Choose the system health validators to use with this policy. Also, check the box to allow the client system to be remediated automatically. Click Next.

Note
If the Allow Client System to be Remediated box is not selected, clients that do not meet the health policy requirements are not updated automatically and therefore are not able to gain full access to the network unless you manually update the client system.

7. On the last screen, which shows an overview of the health policy, connection request policy, and network policies you want to enforce, ensure that everything is correct and click Finish.
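Of the additional requirements listed under step 3, the client-side one (enable the NAP IPsec enforcement client and the NAP service on NAP-capable computers) is the one most often left undone, and a client with it missing never reports health at all. The script below, an added example and not part of the book, applies those two settings on a single client and then shows the resulting restriction state and recent NAP events for troubleshooting. It assumes a Windows 7 (or Vista SP1 or later) client with the netsh nap context; 79619 is the enforcement client ID of the IPsec Relying Party client. In a domain you would push the same settings through Group Policy rather than run this per machine.

```powershell
# Added example (not from the book): enable the IPsec enforcement client and
# the NAP Agent on one client, then report its state.
# Assumptions: Windows 7 / Vista SP1+ client; run from an elevated prompt.

# 79619 = IPsec Relying Party enforcement client. Without it the client never
# requests a health certificate from HRA and stays outside the NAP design.
netsh nap client set enforcement id=79619 admin="enable"
if ($LASTEXITCODE -ne 0) { throw "Could not enable the IPsec enforcement client" }

# The NAP Agent service (napagent) must be running and start automatically.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Show which enforcement clients are enabled and the client's current state.
# A client that fails the WSHV checks shows a restricted state here until
# remediation (or a manual update, if auto-remediation is off) succeeds.
netsh nap client show configuration
netsh nap client show state

# Recent entries from the NAP client log explain why a client is restricted
# (for example, an SHA that did not respond or a failed health check).
Get-WinEvent -LogName 'Microsoft-Windows-NetworkAccessProtection/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message |
    Format-List
```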
Configure System Health Validator and Remediation Server Groups
Although the Network Access Protection folder sits below the Policies folder in the Network Policy and Access Services snap-in, it is worth covering the System Health Validator (SHV) and Remediation Server Groups before continuing with the policy configuration, because the SHV specifies the settings required of NAP-capable computers, and Remediation Server Groups define which servers host the updates for NAP clients.
Within the SHV is the Windows Security Health Validator (WSHV) (see Figure 1), which contains the configuration settings and the error code configurations.
If you highlight WSHV and click Properties in the Actions pane, you see the Configure button to set client settings. Below that are the error code configurations. You can choose how to resolve these error codes by selecting either Compliant or Noncompliant (default) for each of these possible errors:
- SHV unable to contact required services
- SHA unable to contact required services
- SHA not responding to NAP client
- SHV not responding
- Vendor specific error code received
Clicking Configure brings up a Windows Security Health Validator window that has two tabs: Windows Vista and Windows XP (see Figure 2).
In this window, you define the health policy settings for the following:
- Firewall: This option indicates whether Windows Firewall is enabled for all network connections.
- Virus Protection: These options indicate whether the antivirus application is on and whether it is up to date.
- Spyware Protection: These options indicate whether the antispyware application is on and whether it is up to date. (This setting is only for Windows Vista.)
- Automatic Updating: This option indicates whether automatic updating is enabled.
- Security Update Protection: You can choose security update levels (from Low to All), the minimum number of hours since the client has checked for updates, and sources for security updates.
To add remediation server groups, follow these steps:
1. Click the Remediation Server Groups folder and select Action, New.
2. Specify a group name and click Add.
3. Choose the friendly name, IP address, or DNS name for the server and click OK twice.
You can add additional servers to the group from the properties page in the Actions pane.
Configure Policy Properties
When you have finished setting up your network connection method, you can view and configure settings for the policies. In the NPS Management snap-in, expand the Policies console tree, and you see three policy configuration settings: Connection Request Policies, Network Policies, and Health Policies.
Within each policy type, you can configure properties for the existing and new policies you set up. For instance, if you click Connection Request Policies, you can view the NAP IPsec with HRA policy you set up. You can also see the default Windows authentication policy. Notice that the policy you created has a processing order of 2; if you have multiple network access server methods, you can set the processing order for NAP clients.
Each policy type has properties that define how NAP will behave. Let’s take a look at each policy’s configuration.
Connection Request Policies Properties
Click the NAP IPsec with HRA policy you set up and then select Action, Properties. You see three tabs here:
- Overview: On this tab, you set the policy name, policy state, and network connection method.
- Conditions: You use this tab to set the day and time restrictions for this policy.
- Settings: On this tab, you set the authentication methods, set the forwarding of connection requests, specify a realm name, and specify RADIUS attributes.
Network Policies Properties
Click the NAP IPsec with HRA compliant or noncompliant policies you set up and select Action, Properties. You see four tabs here:
- Overview: This tab shows the policy name, policy state, access permission (grant/deny), and network connection method.
- Conditions: On this tab, you configure the conditions for this policy. The conditions can be based on groups, HCAP, date and time, network access, connection, RADIUS client, or gateway.
- Constraints: On this tab, you set the authentication methods, idle timeout, session timeout, called-station ID, day and time restrictions, and NAS port type.
- Settings: On this tab, you set the RADIUS attributes, NAP enforcement, and routing and remote access settings.
Health Policies Properties
Click the NAP IPsec with HRA compliant or noncompliant policies you set up and select Action, Properties. You see a screen where you can change the policy name, set the client SHV checks, and choose the SHVs to use with this health policy.