Network Layout


DC Computer:
Windows 2008 R2
IP: 192.168.11.100/24

Add role: DHCP server
Scope: 192.168.11.50-60/24


Add role: Network policy and access services
Role services: Network Policy Server


Click “Configure NAP” button
Network connection method: DHCP
NAP Enforcement Servers running DHCP server: simply click “Next”
DHCP scope: simply click “Next”
Machine Groups: simply click “Next”
NAP remediation server group and URL: simply click “Next”
Define NAP Health Policy: simply click “Next”

Configure System Health Validator

Enable NAP Settings for a DHCP scope

Configure the default user class

Next, configure scope options for the default user class. These server options are used when a compliant client computer attempts to access the network and obtain an IP address from the DHCP server.

Configure the default network access protection class

Next, configure scope options for the default network access protection class. These server options are used when a noncompliant client computer attempts to access the network and obtain an IP address from the DHCP server.

Make sure that the NIC of the Windows 7 machine is configured to obtain its address automatically from DHCP.

When the Network Access Protection Agent service is not started and the DHCP Quarantine Enforcement Client is disabled, the NIC receives the IP options defined for noncompliant client computers.

A classless network address (subnet mask 255.255.255.255) indicates limited network access.

The Windows 7 machine can ping the NPS (DC) but not the Vista machine. The NAP DHCP enforcement server is automatically reachable from the restricted network, so you do not have to add it to a remediation server group; every other host, such as the Vista machine, is unreachable (limited network access).

What about a client computer on which the Network Access Protection Agent service is started and the DHCP Quarantine Enforcement Client is enabled?
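To verify which side of the enforcement a client landed on, the following script (an added example, not part of the original guide) can be run on the Windows 7 or Vista client. It assumes the NPS/DC address 192.168.11.100 from the lab, a constructed peer address, that 79617 is the standard Windows identifier of the DHCP Quarantine Enforcement Client, and that netsh prints each enforcement client's ID line before its Admin line.

```powershell
# Added example: report NAP agent state, DHCP enforcement client state, the DHCP-assigned
# mask (255.255.255.255 means the restricted network) and reachability of NPS vs. a peer.
$npsServer = '192.168.11.100'   # NPS/DC from the lab
$peer      = '192.168.11.51'    # constructed: the other lab client's DHCP address

# 1. NAP Agent service: when it is not running the client gets the noncompliant options.
$agent = Get-Service -Name napagent -ErrorAction SilentlyContinue
$agentRunning = ($agent -ne $null) -and ($agent.Status -eq 'Running')

# 2. DHCP Quarantine Enforcement Client (ID 79617): read its Admin state from netsh.
$dhcpEcEnabled = $false
$inDhcpEc = $false
foreach ($line in (netsh nap client show configuration)) {
    if ($line -match '^\s*ID\s*=\s*79617') { $inDhcpEc = $true; continue }
    if ($inDhcpEc -and $line -match '^\s*Admin\s*=\s*(\w+)') {
        $dhcpEcEnabled = ($matches[1] -eq 'Enabled')
        $inDhcpEc = $false
    }
}

# 3. DHCP-assigned IPv4 addresses: a /32 mask marks the restricted (noncompliant) network.
$results = @()
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True AND DHCPEnabled=True"
foreach ($nic in $nics) {
    for ($i = 0; $i -lt $nic.IPAddress.Count; $i++) {
        if ($nic.IPAddress[$i] -notmatch '^\d+\.\d+\.\d+\.\d+$') { continue }   # skip IPv6
        $results += New-Object PSObject -Property @{
            Adapter    = $nic.Description
            IPAddress  = $nic.IPAddress[$i]
            Mask       = $nic.IPSubnet[$i]
            Restricted = ($nic.IPSubnet[$i] -eq '255.255.255.255')
        }
    }
}

# 4. Reachability: the NAP DHCP enforcement server answers from the restricted network,
#    other clients do not.
$npsOk  = Test-Connection -ComputerName $npsServer -Count 1 -Quiet -ErrorAction SilentlyContinue
$peerOk = Test-Connection -ComputerName $peer      -Count 1 -Quiet -ErrorAction SilentlyContinue

"NAP Agent running            : $agentRunning"
"DHCP enforcement client on   : $dhcpEcEnabled"
$results | Format-Table Adapter, IPAddress, Mask, Restricted -AutoSize
"Can reach NPS ($npsServer)   : $npsOk"
"Can reach peer ($peer)       : $peerOk"
if ($results | Where-Object { $_.Restricted }) {
    'Client is on the restricted network: check the SHV result in the NPS event log.'
}
```

A compliant client should show a /24 mask, both pings succeeding and the two enforcement flags true; a noncompliant one shows a /32 mask and only the NPS ping succeeding.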

The Windows 7 computer does not have an antivirus program installed, so it is a noncompliant client. The Vista computer does have an antivirus program installed, so it is a compliant client.
The Vista machine receives a full network access IP address.

Modify the Security Health Validator settings

The Windows 7 machine becomes compliant and receives a full network access IP address. The Windows 7 machine can now ping the Vista machine.

You want the noncompliant computer (Windows 7) to be able to reach the antivirus server so that it can install the application.

Remediation Server Groups

Network Policy and Access Services > NPS (Local) > Policies > Network Policies > NAP DHCP Noncompliant