Posted on 2010-09-06
Medium Priority
Last Modified: 2012-05-10
I have set up NAP on a Windows Server 2008 in a lab environment. The goal is to implement this in a production environment.

The goal is to handle 6 types of computers:

1. Domain joined, compliant
2. Domain joined, not compliant
3. Domain joined, not NAP capable
4. Not domain joined, compliant
5. Not domain joined, not compliant
6. Not domain joined, not NAP capable

When a machine connects to a switch in the network with a cable, it will be put in a VLAN based on the category it falls into above.

I have solved the first 3 scenarios in my lab, but I had no luck with the last 3.

I got everything working with the first three scenarios on a Win7 machine that was joined to the domain. I then set up an XP machine with SP3 to see if it worked with this OS also.

When I connected the XP machine to the switch it didn't get an IP address. My hope was that it would be recognized as a 4/5/6 machine (see categories above) and put in the VLAN specified for that policy (i.e. VLAN DMZ). But nothing happened. Then I configured the NAP client via netsh etc. Nothing happens. After trying this and that I patched the XP box to a port in the switch with a static configuration so it got an IP in the corp network. I joined the computer to the domain and booted the computer. After I had done that I patched the XP box back to the port I used in the start and everything worked fine. If I disable the firewall the box is put in the DMZ VLAN; if I enable it the box gets back in the corp VLAN. All good! When I removed the computer from the domain again (after I had concluded that all parts were working) and rebooted, the computer fails to get an IP address.

I am thinking 1 of 2:
1. It is not possible to handle computers unless they are members of the domain
2. My configuration on the NAP server needs to be adjusted.

My guess is 2, but I can't get it to work.

It is nice to see that I can gain control of my domain joined computers, but I need a solution that can handle a guest machine that is not part of the domain, and put it in a DMZ VLAN as I want them to gain internet access, but not be able to access the servers.

I have fiddled around with the NAP configuration, authentication/authentication methods etc., but I had no luck.
Question by: Reset_

Accepted Solution

dossaviation earned 2000 total points
ID: 33619041

Got your request on my original closed question.  I have literally spent months working on this both internally and with Microsoft engineers.  The short answer, direct from MS, is that you CAN implement NAP for guest (non-domain) computers, but you have to have a way to push a configuration to them.

(The following narration assumes you are using DHCP as an enforcement method...)

Needless to say, this is difficult.  In our environment, we have a hotel onsite that we are providing guest access for.  I don't have an elegant way to get the configuration file to them.  We were able to successfully set up a redirect page using DHCP for the clients to download a batch file that enabled NAP on the computer, but this strategy breaks down with Macintosh clients.  In our environment, this is not acceptable.

MS' official word is NO SUPPORT for Macintosh clients.  No surprise there.  So, that being said, here are the steps to get NAP rolling for non-domain computers:

1.  Implement NAP and DHCP on your lab server.  Authorize NAP for all DHCP scopes.
2.  Create the following batch file (name it whateveryouwant.bat):

rem Set the NAP agent service to start automatically, then start it now
sc config napagent start= auto
net start napagent
rem Enable the DHCP quarantine enforcement client (enforcement ID 79617)
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

This allows for the NAP agent (using DHCP) to enable on the client machine.  

3.  Create a method of deploying or forcing non-domain clients to run this file.  Here's where things get challenging...first off, this does NOT work for Mac computers.  There is no way (other than RADIUS or 802.1x) to get Macs to work, and if you are considering 802.1x, quite frankly, choose Cisco or another third-party.  Anyway, in our case, we allowed for a DHCP redirect page to a generic internal website where we hosted the batch file for Windows clients to run.  Once that was complete, NAP worked for non-domain computers and VLANs were properly configured.

4.  Release/renew a non-domain client...you should see the restricted subnet and the NAP agent attempting to check/remedy the computer.

5.  When complete, run ipconfig and check the IP addy...should be the subnet you want.

A few gotchas:

1.  The non-domain client must run the batch file as Administrator.  Most users will have that by default, some don't.  Those machines without Admin rights were dead in the water.  This is especially difficult on Vista/7 with UAC.
2.  Macs, again...they don't work, at least not with DHCP enforcement.
3.  Windows Defender would NEVER properly report to the Health Server.  Didn't matter how up to date it was.  We simply turned off the anti-spyware check, which is sort of defeating the purpose.
4.  When using DHCP enforcement, a static IP will always bypass NAP enforcement.

It goes without saying that the use of DHCP as an enforcement method is only for a deterrent and is probably not the best way to use NAP.  In our environment, we are still searching for the best clean access solution.

I can walk you through the steps a little more thoroughly, but hopefully this can help you get going.
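Gotcha 4 above (a static IP always bypasses DHCP enforcement) can be spotted from the network side: a host that is live on the corp subnet but holds no DHCP lease was never evaluated by NAP. The script below is an added example, not part of the answer or of any Microsoft tooling; it parses a constructed Windows `arp -a` listing against a constructed lease table and also flags an address whose MAC differs from its lease holder.

```python
import ipaddress
import re

# Constructed sample of Windows "arp -a" output for the corp interface (not captured data)
ARP_OUTPUT = """
Interface: 10.1.0.5 --- 0xb
  Internet Address      Physical Address      Type
  10.1.0.1              00-11-22-aa-bb-01     dynamic
  10.1.0.20             00-11-22-aa-bb-20     dynamic
  10.1.0.21             00-11-22-aa-bb-21     dynamic
  10.1.0.77             00-11-22-aa-bb-77     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed DHCP lease table for the corp scope: ip -> mac of the lease holder
DHCP_LEASES = {
    "10.1.0.20": "00-11-22-aa-bb-20",
    "10.1.0.21": "00-11-22-aa-bb-21",
}

# Addresses that are meant to be static (gateway, servers) and are not findings
KNOWN_STATIC = {"10.1.0.1"}

ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f-]{17})\s+(dynamic|static)", re.I)

def parse_arp(text):
    """Return {ip: mac} for the dynamic ARP entries, i.e. hosts actually seen on the wire."""
    seen = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(3).lower() == "dynamic":
            seen[m.group(1)] = m.group(2).lower()
    return seen

def find_bypassing_hosts(arp_text, leases, scope, known_static=frozenset()):
    """Live hosts inside the DHCP-enforced scope with no lease, or a lease for another MAC.
    Under DHCP enforcement such hosts never passed through NAP's health evaluation."""
    net = ipaddress.ip_network(scope)
    findings = []
    for ip, mac in sorted(parse_arp(arp_text).items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if ipaddress.ip_address(ip) not in net or ip in known_static:
            continue
        leased_mac = leases.get(ip)
        if leased_mac is None:
            findings.append((ip, mac, "no DHCP lease: static address bypasses DHCP enforcement"))
        elif leased_mac.lower() != mac:
            findings.append((ip, mac, "MAC differs from DHCP lease holder"))
    return findings
```

Feeding it the real `arp -a` output from a machine on the corp VLAN, plus an export of the scope's leases, gives the list of hosts that sidestepped enforcement.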

Author Comment

ID: 33626115
Dossaviation, thank you for a really good answer! You have confirmed my suspicions and I don't think I will go for Microsoft NAP in our environment.

In my opinion NAP works great if you are dealing with domain computers, but that is not the case for many of our customers. I need a lot more flexibility in the solution I pick and I am not going to use more time trying to get this NAP shoe to fit.

This has to be a common problem when implementing NAC in a network, and I really hope Microsoft would address these issues. Maybe it is just me, but being able to define a policy where you are able to put non-Windows and non-NAP capable clients in an "if-everything-fails" VLAN is a must have.

I am currently looking into the IDM product from HP, and so far it looks like it will fit my needs perfectly.

From the IDM manual:
"If a user is authenticated in RADIUS, but is unknown to IDM, IDM will not
override RADIUS authentication and default switch settings, unless you
configure it to do so. You can create a "guest" profile in IDM to provide
limited access for unknown users."

According to my estimate a solution based on PCM+ and IDM will cost around $7000 to implement (includes 1 yr of maintenance, upgrades etc.) and then $300 a yr to get all the program updates etc. At this point it looks like the best way to go.

Again, thank you for your time, and a very good answer.

I will close the case and award you the points.


Expert Comment

ID: 33627236

Wholeheartedly agree with every point you make.  We too were trying to "fit the NAP shoe", so to speak...you can't argue with the cost (free) so we had hoped that the product would allow for some dynamic configurations and quick interaction with our Cisco environment.

Alas, that is not the case.  After decommissioning the Cisco Clean Access product (way too complicated for my staff) the search began.

We still seek out a simple, easy to manage, role based NAC solution.  I will check out IDM...hadn't heard about that one.  The cost seems pretty good as well.

I was happy to help out.  No sense re-doing work that has already been done.  Please PM me and keep me posted on your IDM experiences.  It might work in our environment as well.

Take care!

Author Comment

ID: 33627333
Will do!

Thanks again Dossaviation

Author Comment

ID: 33628044
Working with the security setup wizard in HP's IDM I found a setting under "Advanced settings for Wired 802.1x" named unauth-vid (Unauthorized VLAN id).

I set this to my guest VLAN, and the laptop I have been using for this lab automatically got put in the guest VLAN without any configuration on the laptop.

After checking the config on the switch it looks like it adds the following configuration on the ports:

aaa authentication port-access eap-radius
aaa accounting network start-stop radius
radius-server timeout 1
radius-server host
aaa port-access gvrp-vlans
aaa port-access authenticator 17-24
aaa port-access authenticator 17 unauth-vid 50
aaa port-access authenticator 17 client-limit 1
aaa port-access authenticator 18 unauth-vid 50
aaa port-access authenticator 18 client-limit 1
aaa port-access authenticator 19 unauth-vid 50
aaa port-access authenticator 19 client-limit 1
aaa port-access authenticator 20 unauth-vid 50
aaa port-access authenticator 20 client-limit 1
aaa port-access authenticator 21 unauth-vid 50
aaa port-access authenticator 21 client-limit 1
aaa port-access authenticator 22 unauth-vid 50
aaa port-access authenticator 22 client-limit 1
aaa port-access authenticator 23 unauth-vid 50
aaa port-access authenticator 23 client-limit 1
aaa port-access authenticator 24 unauth-vid 50
aaa port-access authenticator 24 client-limit 1
aaa port-access authenticator active

Now I am thinking it might be possible to configure the switch this way in the NAP case I had going earlier, and be able to put clients that are not NAP capable etc. into a guest VLAN. I haven't tried a Linux box or anything like that yet, but my guess is that everything that doesn't authenticate with the RADIUS server will be put in this VLAN. If this is true things will be better, not perfect but a lot better.

"aaa port-access authenticator 24 unauth-vid 50"

I just wanted to give you a quick update on this; I will continue the IDM lab now and do some research on this later.
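Whether the "if-everything-fails" VLAN actually applies to every port depends on each authenticator port carrying its own unauth-vid line, as in the dump above. The following is an added example, not from the post or from HP's tools: it parses a ProCurve-style port-access config (a constructed sample laid out like the dump, with port 19 missing its unauth-vid and port 20 pointing at the wrong VLAN on purpose) and reports ports where an unauthenticated client would not land in the guest VLAN.

```python
import re

# Constructed ProCurve-style port-access config in the layout of the dump above;
# port 19 lacks unauth-vid and port 20 points at VLAN 60 instead of the guest VLAN 50.
SAMPLE_CONFIG = """
aaa authentication port-access eap-radius
aaa port-access authenticator 17-20
aaa port-access authenticator 17 unauth-vid 50
aaa port-access authenticator 17 client-limit 1
aaa port-access authenticator 18 unauth-vid 50
aaa port-access authenticator 18 client-limit 1
aaa port-access authenticator 19 client-limit 1
aaa port-access authenticator 20 unauth-vid 60
aaa port-access authenticator 20 client-limit 1
aaa port-access authenticator active
"""

RANGE = re.compile(r"^aaa port-access authenticator (\d+)(?:-(\d+))?$")
SETTING = re.compile(r"^aaa port-access authenticator (\d+) (unauth-vid|client-limit) (\d+)$")

def parse_port_access(text):
    """Return (authenticator ports, {port: {setting: value}}, authenticator-active flag)."""
    ports, settings, active = set(), {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "aaa port-access authenticator active":
            active = True
        elif (m := RANGE.match(line)):
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            ports.update(range(lo, hi + 1))       # "17-24" expands to every port in the range
        elif (m := SETTING.match(line)):
            settings.setdefault(int(m.group(1)), {})[m.group(2)] = int(m.group(3))
    return ports, settings, active

def audit(text, guest_vid):
    """Findings for ports where an unauthenticated client would not land in the guest VLAN."""
    ports, settings, active = parse_port_access(text)
    findings = []
    if not active:
        findings.append((None, "authenticator not active: 802.1X is not enforced on any port"))
    for port in sorted(ports):
        s = settings.get(port, {})
        vid = s.get("unauth-vid")
        if vid is None:
            findings.append((port, "no unauth-vid: unauthenticated clients get no guest VLAN"))
        elif vid != guest_vid:
            findings.append((port, f"unauth-vid {vid} is not the guest VLAN {guest_vid}"))
        if "client-limit" not in s:
            findings.append((port, "no client-limit: several hosts could share the port"))
    return findings
```

Running `audit` over a `show running-config` capture after the IDM wizard has pushed its changes confirms that no port in the authenticator range was skipped.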

