Wednesday, June 20, 2012

Implementing NAP with 802.1x enforcement

In my earlier post, I configured 802.1x with EAP-TLS. Now I'm extending that setup to Network Access Protection (NAP) with 802.1x enforcement. Machines that are validated as compliant with the policy can access the authorized network or VLAN. Otherwise, they are placed in the Guest VLAN for remediation. In NAP with 802.1x enforcement, clients send a Statement of Health (SoH) to the Windows NPS server, which, on top of 802.1x authentication, performs System Health Validation against the Health Policies. The SoH contains information from the Security Center of the Windows client.

In this example, I will configure the Health Policies to check only the status of Windows Firewall. The Windows 7 client and the NPS server (Windows Server 2008 R2) have been set up in a full AD environment with AD Certificate Services. All certificates have been issued and the network switch is configured with 802.1x settings.

On the NPS server, click "Configure NAP" to start the wizard and follow its instructions carefully. After the wizard completes, go to "Connection Request Policies", right-click the NAP policy and click "Properties". On the "Settings" tab, edit "Microsoft Protected EAP (PEAP)". Read the underlined description below, which says that you must configure the PEAP properties here.

Choose the correct server certificate, generated from the "RAS and IAS Server" template as mentioned in my previous post. In addition, ensure that the items highlighted below are added and enabled. Edit "Smart Card or other certificate" to choose the correct certificate and CA if you're using certificate authentication.

On the client side, it is more efficient to use Group Policy to configure and enable the NAP settings. Under Computer Configuration, create the "Wired Network (IEEE 802.3) Policies" as shown below:

Ensure that the clients' PEAP authentication settings match those of the NPS server. In addition, under "Security Settings", set the startup type of the "Wired AutoConfig" and "Network Access Protection Agent" services to "Automatic". Next, go to "Network Access Protection" and enable the "EAP Quarantine Enforcement Client". You may also want to configure optional settings such as "User Interface Settings".

Once the GPO is created, link it to the client OUs and run "gpupdate" on the Windows 7 client. Check the status in Event Viewer. If everything works, try disabling Windows Firewall: it will be re-enabled automatically to bring the client back into compliance. For more details and troubleshooting, refer to this NAP with 802.1x enforcement step-by-step guide.
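
One way to confirm on the Windows 7 client that the GPO settings above took effect, as an added example that is not part of the original post. It assumes English-language `netsh nap client show state` output with `Id = ...` and `Initialized = ...` lines, and that 79623 is the ID of the EAP Quarantine Enforcement Client; the function names are hypothetical.

```powershell
# Added example: run in an elevated PowerShell prompt on the client after gpupdate.

# Services the GPO sets to Automatic: Wired AutoConfig (dot3svc) and
# Network Access Protection Agent (napagent).
function Get-NapServiceState {
    foreach ($name in 'dot3svc', 'napagent') {
        # Win32_Service exposes StartMode on PowerShell 2.0, which ships with Windows 7.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        New-Object PSObject -Property @{
            Service   = $name
            StartMode = $svc.StartMode   # expected: Auto
            State     = $svc.State       # expected: Running
            Ok        = ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')
        }
    }
}

# Parse "netsh nap client show state" output and report whether the enforcement
# client with the given ID is initialized.
# Assumption: 79623 is the EAP Quarantine Enforcement Client, and each client
# block lists "Id = <n>" before "Initialized = Yes|No".
function Test-NapEnforcementClient {
    param([string[]]$NetshOutput, [string]$Id = '79623')
    $inBlock = $false
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Id\s*=\s*(\d+)') {
            $inBlock = ($Matches[1] -eq $Id)
        } elseif ($inBlock -and $line -match '^\s*Initialized\s*=\s*(\w+)') {
            return ($Matches[1] -eq 'Yes')
        }
    }
    return $false   # enforcement client not listed at all
}

Get-NapServiceState | Format-Table Service, StartMode, State, Ok -AutoSize

$state = netsh nap client show state
if (Test-NapEnforcementClient -NetshOutput $state) {
    'EAP Quarantine Enforcement Client: initialized'
} else {
    'EAP Quarantine Enforcement Client: NOT initialized - check the GPO link and rerun gpupdate'
}
```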

1 comment:

  1. Using the Windows encryption feature for encrypting your files and folders is safe but not secure, because this encryption is not strong and an average computer user with the help of some decrypting and cracking software can easily decrypt your data and easily use it for his/her personal use.