Configure Policies for 802.1X Enforcement
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
The NAP health policy server uses the Network Policy Server (NPS) role service with configured network policies, health policies, and system health validators (SHVs) to evaluate client health based on administrator-defined requirements. Based on the results of this evaluation, NPS instructs the 802.1X authenticating switch or access point to provide full access to compliant NAP client computers and to restrict access to noncompliant client computers when NAP is deployed using full enforcement mode.
Note
Before performing this procedure, you must install a certificate for Protected Extensible Authentication Protocol (PEAP) authentication. For more information, see Install a Computer Certificate for PEAP.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
Configure NAP policies for 802.1X enforcement with the NAP configuration wizard
The NAP configuration wizard helps you to set up NPS as a NAP health policy server. The wizard provides commonly used settings for each NAP enforcement method, and automatically creates customized NAP policies for use with your network design. You can access the NAP configuration wizard from the NPS console.
Note
By default, the NAP configuration wizard creates a noncompliant network policy configured for full enforcement. To change the NAP enforcement mode, see Configure Network Policy for Deferred Enforcement and Configure Network Policy for Reporting Mode.
To configure NPS using the NAP configuration wizard
Click Start, click Run, type nps.msc, and then press ENTER.
In the Network Policy Server console tree, click NPS (Local).
In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start. See the following example.
On the Select Network Connection Method for Use with NAP page, under Network connection method, select IEEE 802.1X (Wired) or IEEE 802.1X (Wireless), and then click Next.
If the RADIUS clients that will send access request messages to NPS are switches, select IEEE 802.1X (Wired).
If the RADIUS clients that will send access request messages to NPS are wireless access points, select IEEE 802.1X (Wireless).
Based on your selection in the previous step, either the Specify 802.1X Authenticating Switches page or the Specify 802.1X Authenticating Switches or Access Points page is displayed. On this page, click Next. RADIUS clients will be configured in another procedure.
On the Configure User Groups and Machine Groups page, click Next. If required, user and machine group requirements will be configured in another procedure.
On the Configure an Authentication Method page, choose the authentication method to use with PEAP by selecting the check box next to one or both of the available EAP types. By default, the Secure Password (PEAP-MS-CHAP v2) method is selected. You can also select the Smart Card or other certificate (EAP-TLS) method. After selecting one or more EAP types, click Next.
Note
If you have not previously selected a server certificate to use for PEAP authentication, or if you want to select a different certificate, click Choose. To view properties of this certificate, click View.
- On the Configure Virtual LANs (VLANs) page, you can configure network access for compliant and noncompliant computers. Network access is determined by configuring VLANs, access control lists (ACLs), or other attributes. Instructions for configuring client access using VLANs are provided in the following steps. Optional steps for configuring ACLs are also included. To configure ACLs only, follow the steps to configure the Filter-ID attribute and do not configure the Tunnel-Pvt-Group-ID attribute.
Note
Before configuring RADIUS tunnel attributes, check with your hardware vendor to verify your equipment supports these attributes.
Use the following steps to configure network access for compliant computers. In this example, VLAN ID 3 will be used for compliant computers. An access control list number of 103 is used for optional steps to enforce network restriction using ACLs.
On the Configure Virtual LANs (VLANs) page, under Organization network VLAN, click Configure.
(Optional) In the Virtual LAN (VLAN) Configuration dialog box, on the RADIUS standard attributes tab, click Filter-ID, and then click Edit.
(Optional) In the Attribute Information dialog box, click Add.
(Optional) Another Attribute Information dialog box is displayed. Under Enter the attribute value in, choose String, type 103, and then click OK twice. This value represents the compliant ACL.
In the Virtual LAN (VLAN) Configuration dialog box, on the RADIUS standard attributes tab, click Tunnel-Type, and then click Edit.
In the Attribute Information dialog box, click Add.
Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that Virtual LANs (VLAN) is selected, and then click OK twice.
In the Virtual LAN (VLAN) Configuration dialog box, on the RADIUS standard attributes tab, click Tunnel-Medium-Type, and then click Edit.
In the Attribute Information dialog box, click Add.
Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that 802 (Includes all 802 media plus Ethernet canonical format) is selected, and then click OK twice.
In the Virtual LAN (VLAN) Configuration dialog box, on the RADIUS standard attributes tab, click Tunnel-Pvt-Group-ID, and then click Edit.
In the Attribute Information dialog box, click Add.
Another Attribute Information dialog box is displayed. Under Enter the attribute value in, choose String, type 3, and then click OK twice. This value represents the compliant VLAN ID used in this example.
In the Virtual LAN (VLAN) Configuration dialog box, click the Vendor Specific attributes tab, and then click Add.
In the Add Vendor Specific Attribute dialog box, under Vendor, select Microsoft.
In the Add Vendor Specific Attribute dialog box, under Attributes, select Tunnel-Tag, and then click Add.
In the Attribute Information dialog box, under Attribute value, type 1, and then click OK.
Note
The Tunnel-Tag value is populated in all attributes used in this policy, and serves to group these attributes together, identifying them as belonging to a particular tunnel. Consult your vendor documentation to determine if a unique Tunnel-Tag value is required for your switch.
18. Click **Close**, and then click **OK**.
Use the following steps to configure network access for noncompliant computers. These steps are identical to those used for compliant computers with the exception that VLAN ID 2 is configured for noncompliant computers. An access control list number of 102 is used for optional steps to enforce network restriction using ACLs.
On the Configure Virtual LANs (VLANs) page, under Restricted network VLAN, click Configure.
(Optional) In the Virtual LAN (VLAN) Configuration dialog box, on the RADIUS standard attributes tab, click Filter-ID, and then click Edit.
(Optional) In the Attribute Information dialog box, click Add.
(Optional) Another Attribute Information dialog box is displayed. Under Enter the attribute value in, choose String, type 102, and then click OK twice. This value represents the noncompliant ACL.
In the Virtual LAN (VLAN) Configuration dialog box, on the RADIUS standard attributes tab, click Tunnel-Type, and then click Edit.
In the Attribute Information dialog box, click Add.
Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that Virtual LANs (VLAN) is selected, and then click OK twice.
In the Virtual LAN (VLAN) Configuration dialog box, on the RADIUS standard attributes tab, click Tunnel-Medium-Type, and then click Edit.
In the Attribute Information dialog box, click Add.
Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that 802 (Includes all 802 media plus Ethernet canonical format) is selected, and then click OK twice.
In the Virtual LAN (VLAN) Configuration dialog box, on the RADIUS standard attributes tab, click Tunnel-Pvt-Group-ID, and then click Edit.
In the Attribute Information dialog box, click Add.
Another Attribute Information dialog box is displayed. Under Enter the attribute value in, choose String, type 2, and then click OK twice. This value represents the noncompliant VLAN ID used in this example.
In the Virtual LAN (VLAN) Configuration dialog box, click the Vendor Specific attributes tab, and then click Add.
In the Add Vendor Specific Attribute dialog box, under Vendor, select Microsoft.
In the Add Vendor Specific Attribute dialog box, under Attributes, select Tunnel-Tag, and then click Add.
In the Attribute Information dialog box, under Attribute value, type 1, and then click OK.
Click Close, and then click OK.
This completes the configuration of VLAN properties for compliant and noncompliant computers. Click Next.
On the Define NAP Health Policy page, select the check box next to each SHV that will be used to evaluate the health status of NAP client computers. To enable automatic remediation of noncompliant client computers, select the Enable auto-remediation of client computers check box. Under Network access restrictions for NAP-ineligible client computers, you can choose the level of network access granted to computers that do not provide their health status during network authentication. By default, these computers are placed on the restricted network. Click Next to continue.
On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.
See Also
Concepts
Configure RADIUS Clients for NAP
Configure Remote RADIUS Server Groups for NAP
Configure User and Machine Group Requirements
Install a Computer Certificate for PEAP