Checklist: Configure NAP Enforcement for DHCP

Applies To: Windows Server 2008

Configure NAP enforcement for DHCP

This checklist provides the steps required to deploy DHCP servers with Network Policy Server (NPS) and Network Access Protection (NAP).

| Task | Reference |
| --- | --- |
| Install the DHCP server role on the local or a remote computer. | NAP Enforcement for DHCP and DHCP documentation |
| If DHCP is installed on a remote computer with NPS, configure NPS as a RADIUS proxy. Use the New Remote RADIUS Server Group Wizard to create a remote server group with one or more RADIUS servers to which RADIUS messages are forwarded. Configure RADIUS ports and shared secrets that are common to both the NPS proxy server and the RADIUS servers (to which requests are forwarded). | Add a Remote RADIUS Server Group and Remote RADIUS Server Groups |
| In the DHCP MMC snap-in, enable NAP for individual scopes or for all scopes configured on the DHCP server. | Enable DHCP Scopes for NAP |
| On the DHCP-NPS proxy server, use the New Connection Request Policy Wizard to create a connection request policy to forward connection requests and accounting information to the remote RADIUS server group. | Add a Connection Request Policy and Connection Request Policies |
| Configure the DHCP-NPS proxy servers as RADIUS clients on the local RADIUS server (to which requests are forwarded). | Add a New RADIUS Client |
| If you want to perform authorization by group, create a user group in Active Directory® Domain Services (AD DS) that contains the users who are allowed to obtain an IP address from DHCP servers. | Create a Group for a Network Policy |
| On NAP-capable client computers, enable the Network Access Protection service and change the startup type to automatic. | Enable the Network Access Protection Service on Clients |
| On NAP-capable client computers, enable the DHCP enforcement client. | Enable and Disable NAP Enforcement Clients |
| If you are using the Windows Security Health Validator (WSHV) in your NAP deployment, enable Security Center on NAP-capable clients using Group Policy. | Enable Security Center in Group Policy |
| In NPS, if you are deploying remediation servers so that clients can automatically update their configuration in compliance with health policy, configure Remediation Server Groups. | Configure Remediation Server Groups |
| In NPS, configure the WSHV or install and configure other system health agents (SHAs) and system health validators (SHVs). | System Health Validators and Windows Security Health Validator |
| In NPS, configure health policies, connection request policies, and network policies that enforce NAP for DHCP. | Create a Health Policy and Create NAP Policies with a Wizard |
| Ensure that NPS network policy constraints allow computer health checks. | Enable Client Health Checks for DHCP and IPsec NAP Deployments |
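
The two client-side tasks in this checklist (set the Network Access Protection service to start automatically, and enable the DHCP enforcement client) can be scripted and verified on each NAP-capable client. The following PowerShell script is an added example, not part of the original checklist. It assumes an elevated prompt, that the service name of the Network Access Protection Agent is `napagent`, and that the DHCP Quarantine Enforcement Client has ID 79617.

```powershell
# Added example: client-side NAP settings for DHCP enforcement.
# Assumptions (not stated in the checklist): service name 'napagent',
# DHCP enforcement client ID 79617, script run from an elevated prompt.

$ServiceName    = 'napagent'
$DhcpEnforcerId = '79617'

# Task: enable the Network Access Protection service and set startup to Automatic.
Set-Service -Name $ServiceName -StartupType Automatic
if ((Get-Service -Name $ServiceName).Status -ne 'Running') {
    Start-Service -Name $ServiceName
}

# Task: enable the DHCP enforcement client in the local NAP client configuration.
& netsh nap client set enforcement ID = $DhcpEnforcerId ADMIN = "ENABLE"
if ($LASTEXITCODE -ne 0) {
    throw "netsh could not enable enforcement client $DhcpEnforcerId"
}

# Verify the service settings instead of trusting that the commands took effect.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running') {
    throw "$ServiceName is StartMode=$($svc.StartMode), State=$($svc.State); expected Auto/Running"
}
Write-Output "$ServiceName: StartMode=$($svc.StartMode), State=$($svc.State)"

# Show the enforcement client state for review. The output is left unparsed
# because its text is localized; confirm that ID 79617 is listed as initialized.
& netsh nap client show state

# NAP client settings delivered by Group Policy take precedence over local
# settings, so also review what policy is applying to this client.
& netsh nap client show grouppolicy
```

If `show grouppolicy` reports NAP client settings, make the enforcement client change in that Group Policy object rather than locally, because the local setting made by this script will not be the one in effect.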