The no enforcement design for NAP

Although NAP can be used to enforce restricted access for noncompliant NAP clients and non-NAP-capable clients, NAP can also be used to provide you with information about the overall level of health compliance on your network and correct system health problems automatically without notifying the user or restricting their access. This latter configuration of a NAP deployment is known as the no enforcement design and consists of deploying NAP in reporting mode with autoremediation enabled.

The value of the no enforcement design was echoed to me by attendees at a recent McAfee regional security event, where I helped present an overview of NAP and McAfee Network Access Control 3.0 integration to IT staff and security architects (this is the same presentation that I gave at McAfee’s FOCUS 08 event). Some attendees said that they were very interested in the no enforcement design of NAP because they did not want their users notified of noncompliance (via the NAP notification message) and definitely did not want their users’ access to be restricted. They would rather determine and fix any system health issues in the background without disturbing their users. One of the benefits of the no enforcement design is that you do not have to set up a restricted network with remediation servers.

To configure a no enforcement design, use the Configure NAP wizard in the Network Policy Server snap-in for the appropriate NAP enforcement method. On the Define NAP Health Policy page, select the Enable Auto-Remediation of Client Computers check box and specify that NAP-ineligible computers are allowed full access. After the Configure NAP wizard is complete, modify the network policy for noncompliant NAP clients by selecting Allow Full Network Access under the NAP Enforcement settings. With this configuration, NPS still evaluates and logs each client's health state, and the NAP client still attempts to fix failed health checks, but no client is placed on a restricted network.

Note: For the 802.1X enforcement method, specify the same VLAN or ACL settings for both full access and restricted access on the Configure Virtual LANs (VLANs) page of the Configure NAP wizard.

For more information, see the No Enforcement Design topic in Greg Lindsay’s excellent NAP Design Guide.

Joe Davies