Share via


Checklist: Configure Client Computers for NAP-NAC Enforcement

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

This checklist contains links to procedures to configure client computers running Windows Vista® for the NAP-NAC solution. Complete all tasks in this checklist in order.

Checklist: Configure Client Computers for NAP-NAC

  Task Reference

Create a security group for NAP-NAC clients.

Create a security group for NAP-NAC client computers

Configure Group Policy.

Configure client settings in Group Policy

Configure security filters.

Configure security filters for the NAP-NAC client settings GPO

Install the Cisco EAP-FAST (ECP) update.

Deploy the Cisco EAP-FAST (ECP) update to NAP-NAC client computers

Add NAP-NAC clients to a security group.

Add client computers to the NAP-NAC client computers security group

Membership in the local Domain Admins group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Create a security group for NAP-NAC client computers

First, create a security group for use with Group Policy security filtering. This security group will be used to apply NAP-NAC client computer settings to the computers you specify. Client computers must be added to this security group after they are joined to the domain.

To create a security group for NAP client computers

  1. On the domain controller, click Start, click Run, type dsa.msc, and then press ENTER.

  2. In the Active Directory Users and Computers console tree, right-click the name of your domain, point to New, and then click Group.

  3. In the New Object - Group dialog box, under Group name, type NAP-NAC client computers.

  4. Under Group scope, choose Global, under Group type, choose Security, and then click OK.

  5. Close the Active Directory Users and Computers console.

Configure client settings in Group Policy

Next, configure client settings in Group Policy. The following client settings will be configured in a new Group Policy object (GPO) using the Group Policy Management feature on a server running Network Policy Server (NPS):

  • NAP enforcement clients

  • NAP Agent service

  • Wired Autoconfig service

  • NAP-NAC wired network policy

Important

Before you perform this procedure, you must install EAP-FAST on the computer that is used to configure NAP-NAC client settings. When you install EAP-FAST on a server running NPS, you can select the EAP-FAST authentication method when you configure NAP-NAC wired network policy with the Group Policy Management feature. To install EAP-FAST, see Deploy the Cisco EAP-FAST (ECP) update to NAP-NAC client computers.

After these settings are configured in the GPO, security filters will be added to enforce the settings on computers you specify.

To configure NAP client settings in Group Policy

  1. On the server running NPS, click Start, click Run, type gpme.msc, and then press ENTER.

  2. In the Browse for a Group Policy Object dialog box, next to the domain name, click the icon to create a new GPO, type NAP-NAC client settings for the name of the new GPO, and then click OK.

  3. The Group Policy Management Editor window will open. Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/System Services.

  4. In the details pane, double-click Network Access Protection Agent.

  5. In the Network Access Protection Agent Properties dialog box, select the Define this policy setting check box, choose Automatic, and then click OK.

  6. In the details pane, double-click Wired AutoConfig.

  7. In the Wired AutoConfig Properties dialog box, select the Define this policy setting check box, choose Automatic, and then click OK.

  8. In the console tree, open Network Access Protection\NAP Client Configuration\Enforcement Clients.

  9. In the details pane, right-click EAP Quarantine Enforcement Client, and then click Enable.

  10. In the console tree, right-click NAP Client Configuration, and then click Apply.

  11. In the console tree, right-click Wired Network (IEEE 802.3) Policies, and then click Create a New Windows Vista Policy.

  12. In the New Vista Wired Network Policy Properties window, under Policy Name, type NAP-NAC Wired Network Policy.

  13. Click the Security tab, and under Select a network authentication method, select Cisco: EAP-FAST, and then click Properties.

  14. In the EAP-FAST Properties window, on the Connection tab, select the Use anonymous outer identity check box and verify that the identity displayed is anonymous.

  15. Select the Use Protected Access Credential and Allow automatic PAC provisioning check boxes.

Note

A PAC authority is not available at this point. It will be provisioned during the initial client authentication.

  1. Select the Validate Server Certificate check box and select the appropriate trusted root CA from the list. If a valid trusted root CA is not listed, verify that the Do not prompt user to authorize new servers or trusted certification authorities check box is cleared so that the user will be prompted to provision a trusted root CA certificate upon the user’s next successful authentication.

  2. On the User Credentials tab, select Use Windows user name and password.

  3. On the Authentication tab, under Select Authentication method, select EAP-MSCHAPv2.

  4. Select the Allow fast reconnect and Enable posture validation check boxes, and then click OK.

  5. Click OK to complete configuration of the NAP-NAC wired network policy.

  6. Close the Group Policy Management Editor. If you are prompted to apply settings, click Yes.

Configure security filters for the NAP-NAC client settings GPO

Next, configure security filters for the NAP-NAC client settings GPO. This prevents client settings from being applied to server computers in the domain.

To configure security filters for the NAP-NAC client settings GPO

  1. On the server running NPS, click Start, click Run, type gpmc.msc, and press ENTER.

  2. In the Group Policy Management Console (GPMC) tree, navigate to Forest: Contoso.com\Domains\Contoso.com\Group Policy Objects\NAP client settings.

  3. In the details pane, under Security Filtering, click Authenticated Users, and then click Remove.

  4. When you are prompted to confirm the removal of delegation privilege, click OK.

  5. In the details pane, under Security Filtering, click Add.

  6. In the Select User, Computer, or Group dialog box, under Enter the object name to select (examples), type NAP-NAC client computers, and then click OK.

  7. Close the GPMC.

Note

To apply NAP-NAC client settings, you must add domain-joined NAP-NAC client computers to this security group.

Deploy the Cisco EAP-FAST (ECP) update to NAP-NAC client computers

Client computers running Windows Vista must have the Cisco EAP-FAST (ECP) update installed. You can deploy the update using Windows Update. After creating the following registry key, detection of an Encryption Control Protocol (ECP) device will occur. The ECP device will be installed without prompting the user, and on the next check for automatic updates, EAP-FAST (ECP) will be offered as an optional download.

To deploy the Cisco EAP-FAST (ECP) update

  1. On the NAP-NAC client computer, click Start, point to All Programs, click Accessories, click Command Prompt, type regedit, and then press ENTER. The registry editor opens.

  2. In the registry editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EapHost.

  3. Right-click EapHost, point to New, click Key, and then type ECP.

  4. Right-click ECP, point to New, click Key, and then type 1.43.0.0.18867.

  5. Close the registry editor.

  6. Wait for about 5-10 minutes for the ECP node to appear in Device Manager.

  7. Click Start, right-click My Computer, and then click Properties.

  8. Click Device Manager, and then open System Devices\ECPNode.

  9. Right-click ECPNode, and then click Update Driver Software.

  10. Follow the instructions to allow Windows Update to install the EAP-FAST update on the computer.

Note

If you use Windows Server Update Services (WSUS), the EAP-FAST update must be configured and approved for distribution by an administrator.

Add client computers to the NAP-NAC client computers security group

Domain-joined client computers must be added to the NAP-NAC client computers security group so that they can receive NAP-NAC client settings from Group Policy.

To add a client computer to the NAP-NAC client computers security group

  1. On the domain controller, click Start, click Run, type dsa.msc, and then press ENTER.

  2. In the Active Directory Users and Computers console tree, click the name of your domain.

  3. In the details pane, double-click NAP-NAC client computers.

  4. In the NAP-NAC client computers Properties dialog box, click the Members tab, and then click Add.

  5. In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types, select the Computers check box, and then click OK.

  6. Under Enter the object names to select (examples), type the name of a NAP-NAC client computer, and then click OK.

  7. Verify that the client computer name is displayed under Members, and then click OK.

  8. Close the Active Directory Users and Computers console.

  9. Restart the client computer.

See Also

Other Resources

Preparing for EAP Certification Program (ECP) Testing