Posted on 2010-09-06
I have set up NAP on a Windows Server 2008 in a lab environment. The goal is to implement this in a production environment.
The goal is to handle 6 types of computers:
1. Domain joined, compliant
2. Domain joined, not compliant
3. Domain joined, not NAP capable
4. Not domain joined, compliant
5. Not domain joined, not compliant
6. Not domain joined, not NAP capable
When a machine connects to a switch in the network with a cable, it will be put in a VLAN based on the category it falls into above.
I have solved the first 3 scenarios in my lab, but I had no luck with the last 3.
I got everything working with the first three scenarios on a Win7 machine that was joined to the domain. I then set up an XP machine with SP3 to see if it worked with this OS also.
When I connected the XP machine to the switch it didn't get an IP address. My hope was that it would be recognized as a 4/5/6 machine (see categories above) and put in the VLAN specified for that policy (i.e. VLAN DMZ). But nothing happened. Then I configured the NAP client via netsh etc. etc. Nothing happens.
After trying this and that, I patched the XP box to a port in the switch with a static configuration so it got an IP in the corp network. I joined the computer to the domain and booted the computer. After I had done that, I patched the XP box back to the port I used in the start and everything worked fine. If I disable the firewall the box is put in the DMZ VLAN; if I enable it the box gets back in the corp VLAN. All good! When I removed the computer from the domain again (after I had concluded that all parts were working) and rebooted, the computer fails to get an IP address.
I am thinking it is one of two:
1. It is not possible to handle computers unless they are members of the domain
2. My configuration on the NAP server needs to be adjusted.
My guess is 2, but I can't get it to work.
It is nice to see that I can gain control of my domain-joined computers, but I need a solution that can handle a guest machine that is not part of the domain and put it in a DMZ VLAN, as I want them to gain Internet access but not be able to access the servers.
I have fiddled around with the NAP configuration, authentication/authentication methods etc., but I had no luck.