NAP Enforcement for 802.1X

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Network Access Protection (NAP) enforcement for 802.1X port-based network access control is deployed by using a server running Network Policy Server (NPS) and an Extensible Authentication Protocol (EAP) host enforcement client component. With 802.1X port-based enforcement, the NPS server instructs an 802.1X authenticating switch or an 802.1X-compliant wireless access point to place noncompliant 802.1X clients on a remediation network. The NPS server limits network access by the client to the remediation network by applying IP filters or a virtual LAN identifier to the connection. 802.1X enforcement provides strong network restriction for all computers accessing the network by using 802.1X-capable network access servers.

Requirements for 802.1X wired

To deploy NAP with 802.1X wired, you must configure the following:

  • In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the New Network Access Protection wizard.

  • Install and configure 802.1X authenticating switches.

  • Enable the NAP EAP enforcement client and the NAP service on NAP-capable client computers.

  • Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.

  • If you are using Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) or EAP-TLS with smart cards or certificates, deploy a public key infrastructure (PKI) with Active Directory® Certificate Services (AD CS).

  • If you are using Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), either issue server certificates with AD CS or purchase server certificates from another trusted root certification authority (CA).

Requirements for 802.1X wireless

To deploy NAP with 802.1X wireless, you must configure the following:

  • In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the New Network Access Protection wizard.

  • Install and configure 802.1X wireless access points.

  • Enable the NAP EAP enforcement client and the NAP service on NAP-capable client computers.

  • Configure the WSHV or install and configure other SHAs and SHVs, depending on your NAP deployment.
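
The client-side requirement that appears in both the wired and the wireless list (enable the NAP EAP enforcement client and the NAP service) can be carried out and checked locally as follows. This is an added example, not part of the original page; the service name `napagent` and the enforcement client ID `79623` are not stated on the page and come from the Windows NAP client tooling.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell
# session on a NAP-capable client computer.
$ErrorActionPreference = 'Stop'

# ID that "netsh nap client" uses for the EAP Quarantine Enforcement Client.
$EapEnforcementId = 79623

# 1. NAP service: the Network Access Protection Agent (service name napagent).
#    Set it to start automatically and start it now.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. NAP EAP enforcement client: enable it in the local NAP client configuration.
& netsh nap client set enforcement ID = $EapEnforcementId ADMIN = ENABLE
if ($LASTEXITCODE -ne 0) {
    throw "netsh could not enable enforcement client $EapEnforcementId (exit code $LASTEXITCODE)"
}

# 3. Check: the agent must be running, and the enforcement client must be
#    listed in the client state output.
$agent = Get-Service -Name napagent
if ($agent.Status -ne 'Running') {
    throw "napagent is $($agent.Status); health evaluation will not take place"
}

# Print the state entry for the EAP enforcement client for manual review.
& netsh nap client show state |
    Select-String -Pattern "$EapEnforcementId" -Context 0,6
```

In a domain, the same two settings are normally delivered through Group Policy, which takes precedence over local `netsh` configuration.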