NAP 802.1X Step By Step
Step-by-Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab
Microsoft Corporation
Published: February 2008
Abstract
Network Access Protection (NAP) is a new policy enforcement technology in the Windows Vista®, Windows Server® 2008 and Windows XP with Service Pack 3 operating systems. NAP provides components and an application programming interface (API) set that help administrators enforce compliance with health requirements for network access and communication. This paper contains an introduction to NAP and instructions for setting up a test lab to deploy NAP with the 802.1X enforcement method. The lab requires two server and two client computers, and an 802.1X compliant switch that supports the use of RADIUS tunnel attributes to specify the 802.1X client VLAN. With this test network, you can create and enforce client health requirements using NAP and the 802.1X features on your switch.
Copyright Information
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, and is the confidential and proprietary information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the recipient and Microsoft. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Step-by-Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab
In this guide
802.1X NAP enforcement overview
Scenario overview
NAP enforcement processes
Policy validation
NAP enforcement and network restriction
Remediation
Ongoing monitoring to ensure compliance
Hardware and software requirements
Steps for configuring the test lab
Configure the 802.1X compliant switch
Configure DC1
Install the operating system on DC1
Configure TCP/IP on DC1
Configure DC1 as a domain controller and DNS server
Raise the domain functional level
Install an enterprise root CA on DC1
Create a user account in Active Directory
Add user1 to the Domain Admins group
Create a security group for NAP client computers
Configure NPS1
Install Windows Server 2008
Configure TCP/IP properties on NPS1
Join NPS1 to the domain
User Account Control
Install the NPS server role
Install the Group Policy Management feature
Obtain a computer certificate on NPS1
Configure NPS as a NAP health policy server
Configure NAP with a wizard
Verify NAP policies
Configure SHVs
Configure NAP client settings in Group Policy
Configure security filters for the NAP client settings GPO
Configure CLIENT1
Install Windows Vista and configure TCP/IP on CLIENT1
Join CLIENT1 to the domain
Add CLIENT1 to the NAP client computers security group
Enable Run on the Start menu
Verify Group Policy settings
Configure authentication methods
Configure CLIENT2
Install Windows Vista and configure TCP/IP on CLIENT2
Join CLIENT2 to the domain
Complete configuration of CLIENT2
802.1X NAP enforcement demonstration
Allow ICMP through Windows Firewall
Set up desktop shortcuts
Demonstrate CLIENT1 to CLIENT2 connectivity
Demonstrate NAP enforcement
Demonstrate auto-remediation
See Also
Appendix
Set UAC behavior of the elevation prompt for administrators
Review NAP client events
Review NAP server events
Step-by-Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab
Network Access Protection (NAP) is a new technology introduced in Windows Vista® and Windows Server® 2008, and available for Windows XP with Service Pack 3. NAP allows you to create and enforce health requirements for software and system configurations of computers that connect to your network. NAP assesses the health of client computers and, optionally, limits network access when client computers are deemed noncompliant with these requirements.
NAP is deployed using multiple client and server components. Some NAP components are present in every deployment, while others vary according to the NAP enforcement method or methods you have chosen.
Figure 1: Components of NAP
NAP enforces health policies for the following network access and communication technologies:
∙ Internet Protocol security (IPsec)
∙ 802.1X port-based wired and wireless network access control
∙ VPN with Routing and Remote Access
∙ Dynamic Host Configuration Protocol (DHCP) IPv4 address lease and renewal
∙ Terminal Services Gateway (TS Gateway)
NAP enforcement occurs when client computers attempt to access the network through network access servers, such as an 802.1X access point (AP) or virtual private network (VPN) server, or when clients attempt to communicate with other protected network resources.
In this guide
This guide provides step-by-step instructions for deploying 802.1X NAP enforcement in a test lab using two server computers and two client computers. Software and hardware requirements are provided, as well as a brief overview of NAP and the 802.1X enforcement method.
Important
The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.
802.1X NAP enforcement overview
The IEEE 802.1X-2001 and 802.1X-2004 standards define port-based network access control for both wired and wireless network infrastructures: a port forwards a connecting computer's traffic only after that computer has authenticated. An 802.1X deployment consists of three major components:
Supplicant
A computer that requests access to a network. The supplicant is attached to the pass-through authenticator.
Pass-through authenticator
Typically a switch or wireless AP that enforces port-based authentication.
Authentication server
A computer that authenticates and authorizes a supplicant connection attempt on behalf of the pass-through authenticator. Supplicant credentials are validated by the authentication server using an authentication service, such as the Remote Authentication Dial-In User Service (RADIUS). Following evaluation of the connection attempt, the RADIUS server responds to the pass-through authenticator, indicating whether the supplicant is allowed to connect.
802.1X authentication is accomplished using Extensible Authentication Protocol (EAP). EAP messages used in the authentication process for 802.1X are transported between the pass-through authenticator and the supplicant by a method called EAP over LAN (EAPoL). Between the pass-through authenticator and the authentication server, the same EAP messages are carried inside RADIUS EAP-Message attributes, so the authenticator relays EAP without interpreting it and acts only on the final RADIUS Access-Accept or Access-Reject. Components of the 802.1X authentication process are shown in the following figure.
Figure 2: Components of 802.1X
In an 802.1X NAP enforcement scenario, Network Policy Server (NPS), the technology that replaces Internet Authentication Service (IAS) in Windows Server 2008, communicates with an 802.1X authenticating switch or an 802.1X compliant wireless AP using the RADIUS protocol. NPS instructs the switch or AP to place clients that are noncompliant with network health requirements on a restricted network by applying IP filters or a VLAN identifier to the connection. 802.1X NAP enforcement provides strong network access control for all computers connecting to the network through 802.1X-capable network access devices; a port on which 802.1X is not enabled enforces nothing, so the coverage of this method is exactly the set of 802.1X-enabled ports.
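The RADIUS leg of the exchange just described, as an added example that is not part of the guide and is not NPS or switch code: a Python model of the Access-Accept that NPS returns to the switch after evaluating a client, carrying the RFC 2868 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE 802, Tunnel-Private-Group-ID = the VLAN) that the abstract's "RADIUS tunnel attributes" refer to, together with the Response Authenticator and Message-Authenticator checks a switch must pass before it honors the VLAN. Attribute numbers and values are from RFC 2865, 2868, 3579 and 3580; the shared secret, the RADIUS and EAP identifiers, and VLANs 20 (compliant) and 99 (restricted) are constructed for this example.

```python
# Added example (not from the guide): a RADIUS Access-Accept with the RFC 2868
# tunnel attributes that put an 802.1X port in a VLAN, and the switch-side checks.
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868, tagged
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80                             # RFC 3579
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6                        # RFC 3580 3.31
EAP_SUCCESS = 3


def attr(atype, value):
    """One RADIUS TLV: type, length (header included), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged(atype, tag, value):
    """RFC 2868 tagged attribute: one tag octet, then the value."""
    return attr(atype, bytes([tag]) + value)


def vlan_attrs(vlan_id, tag=1):
    """The attribute triple a RADIUS server sends to assign a VLAN to the port."""
    return (tagged(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tagged(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + tagged(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode()))


def build_access_accept(ident, eap_id, request_auth, secret, extra_attrs):
    """Server side: EAP-Success, the caller's attributes, then both authenticators."""
    attrs = attr(EAP_MESSAGE, struct.pack("!BBH", EAP_SUCCESS, eap_id, 4)) + extra_attrs
    with_zero_ma = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(with_zero_ma))
    # Message-Authenticator (RFC 3579 3.2): HMAC-MD5 keyed with the shared secret over the
    # packet, with the Request Authenticator in the authenticator field and itself zeroed.
    msg_auth = hmac.new(secret, head + request_auth + with_zero_ma, hashlib.md5).digest()
    attrs += attr(MESSAGE_AUTHENTICATOR, msg_auth)
    # Response Authenticator (RFC 2865 3): MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def parse_attrs(data):
    """Split the attribute region into (type, value) pairs; reject bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def verify_access_accept(packet, request_auth, secret):
    """Switch side: both authenticators must verify before anything is trusted."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    attrs = packet[20:]
    expected_ra = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected_ra):
        return False
    zeroed, msg_auth = b"", None
    for atype, value in parse_attrs(attrs):
        if atype == MESSAGE_AUTHENTICATOR:
            msg_auth, value = value, bytes(16)
        zeroed += attr(atype, value)
    if msg_auth is None:
        return False  # RFC 3579 requires it whenever EAP-Message is present
    expected_ma = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(msg_auth, expected_ma)


def assigned_vlan(packet, request_auth, secret):
    """VLAN the switch should apply, or None to leave the port in its default state."""
    if not verify_access_accept(packet, request_auth, secret):
        return None
    groups = {}  # tag -> {attribute type: value}; RFC 2868 groups the triple by tag
    for atype, value in parse_attrs(packet[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value:
            tag, body = (0, value) if value[0] > 0x1F else (value[0], value[1:])
            groups.setdefault(tag, {})[atype] = body
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in g):
            vid = g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            return int(vid) if vid.isdigit() else vid  # some switches accept VLAN names
    return None


def demo():
    """Compliant client to VLAN 20, noncompliant to VLAN 99, tampered reply ignored."""
    secret = b"lab-shared-secret"   # constructed; shared by NPS and the switch
    request_auth = os.urandom(16)   # copied from the switch's Access-Request
    compliant = build_access_accept(7, 3, request_auth, secret, vlan_attrs(20))
    restricted = build_access_accept(8, 3, request_auth, secret, vlan_attrs(99))
    tampered = bytearray(restricted)
    tampered[-1] ^= 0x01            # one bit flipped in flight
    return (assigned_vlan(compliant, request_auth, secret),
            assigned_vlan(restricted, request_auth, secret),
            assigned_vlan(bytes(tampered), request_auth, secret))
```

`demo()` returns `(20, 99, None)`: the two genuine replies select their VLANs and the tampered one is discarded because its Response Authenticator no longer matches. A switch that skipped those checks would move a port into the compliant VLAN on any reply an attacker could inject toward it, which is why the shared secret between NPS and the switch matters as much as the health policy. The VLAN selection also ignores a tunnel attribute set whose type or medium is not VLAN over IEEE 802, the same check a switch makes before acting on a Tunnel-Private-Group-ID.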
Note
In addition to integration with NAP, Windows Server 2008 and Windows Vista include enhancements to support 802.1X authenticating switches for 802.3 wired Ethernet connections. Enhancements include an extended Active Directory schema for Group Policy support and netsh lan command-line interface support for configuring wired 802.1X settings. For more information, see Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements and Netsh Commands for Wired Local Area Network (lan).
Scenario overview
In this test lab, NAP enforcement for 802.1X port-based network access control is