NAP Deployment in my Office


hi all,

 

I have been assigned the task of deploying NAP in our office. Let me describe the scenario.

I want computers (workgroup) that are not part of the domain, when they connect to the network, to first have their health status checked (visitors' laptops, vendors' desktop computers, or Wi-Fi mobiles), then be redirected to a subnet (with a different DHCP server) where they can get an IP and start using the internet. Network and domain resources should be disabled for them, even if one has a domain user ID and password.

Secondly, when a computer joins the domain, first check the health requirements; if they are not met, redirect it to another subnet (with a different DHCP server and a remediation server), and after remediation it joins the domain.

I also want already domain-joined clients to be health-checked and remediated automatically, so that a complete report can be generated.

Currently one DHCP server is running in the network.

I hope you have understood the scenario.

Kindly guide me on how to design and deploy this.

 

thanks in advance.

naeem


hi,

There are a couple of basic concepts you must understand before you proceed.

First, NAP does not typically remediate guest or vendor computers. This is because they do not have the correct settings enabled, such as the NAP agent, a NAP enforcement client, or specific 802.1X authentication settings. The only way to health check non-domain-joined computers (which do not receive Group Policy) is to configure the required settings locally. This can be done with a script if desired, but it needs to be supplied individually to each workgroup computer.

Second, there are some settings you must implement on the switch to achieve your desired scenario. When a workgroup computer connects to a switch that has 802.1X authentication enabled, you have two possible situations:

1) 802.1X is enabled on the workgroup computer with the correct settings.

In this case, the user is prompted for domain user credentials. If they are entered successfully, the computer can be redirected to a unique VLAN or given partial network access using an ACL. If you wish to implement this kind of authentication, the user must be supplied with a restricted domain user account so that they pass 802.1X authentication. You can create a "vendor" account in Active Directory (for example user: vendor, password: vendorpass) and use a network policy on NPS to send computers that authenticate with this account to the vendor VLAN. The DHCP server can supply an IP and gateway from a unique scope to these computers. Keep in mind that here you are sharing domain credentials, which can be a security risk.

2) 802.1X is either not enabled, or enabled with incorrect settings, on the workgroup computer.

In this case, if the port the computer connects to has 802.1X enabled, authentication will fail. Some switches have the ability to redirect instances of failed authentication to a guest VLAN automatically. This is not done via a RADIUS (NPS) policy setting. If the switch does not have this capability, or you haven't configured it yet, the port typically drops line protocol. If a computer does not pass 802.1X authentication (whether or not you have a guest VLAN configured), you cannot evaluate these computers using an 802.1X-based policy on NPS. In order to use 802.1X NAP, the computer must first pass 802.1X authentication. You could evaluate them using a DHCP-NAP based policy if you wish, or an IPsec-NAP policy.

For vendor computers, the bottom line is that it sounds like you need to configure a switch guest VLAN and redirect computers that fail 802.1X authentication to this VLAN. The guest VLAN can provide internet access. You don't need NAP for this.

If you have a computer newly joining the domain, the issue becomes a little more complicated. I don't think you can achieve the process you described. It is reasonable for the computer to join the domain first, receive Group Policy settings (including NAP settings), and then be evaluated for health the same as other domain computers. Trying to have the computer join the domain after its health is evaluated would require setting up a scenario similar to the one mentioned above, where you first redirect the computer to a unique VLAN where it can have its health evaluated by a DHCP-based NAP policy.

Let me know if you have more questions,

-greg
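As an added example (not from greg's reply or from Microsoft's documentation), this is the kind of local configuration script greg mentions for a workgroup computer that cannot receive Group Policy, here targeting the DHCP-based NAP policy he suggests for non-domain machines. The service names, enforcement client IDs and netsh nap syntax are standard Windows ones; the file name napconfig.xml and the -ConfigFile parameter are placeholders of this example.

```powershell
# Added example: prepare a non-domain (workgroup) Windows client so a
# DHCP-based NAP policy on NPS can evaluate its health.
# Assumes a Windows Vista/7/8.x client with the netsh nap context and
# an elevated PowerShell prompt. Run once per workgroup computer.
param(
    # Optional: XML exported from a reference client with
    #   netsh nap client export filename = "napconfig.xml"
    [string]$ConfigFile
)

# 1. The NAP Agent and Security Center services must be running, or the
#    Windows Security Health Agent has no state to report.
foreach ($svc in 'napagent', 'wscsvc') {
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

if ($ConfigFile) {
    # 2a. Apply a complete client configuration exported elsewhere.
    netsh nap client import filename = "$ConfigFile"
} else {
    # 2b. Enable only the DHCP Quarantine Enforcement Client (ID 79617).
    #     Other IDs: 79619 = IPsec Relying Party, 79623 = EAP (802.1X).
    #     Enabling the EAP client also needs a wired/wireless 802.1X
    #     profile, which this script does not create.
    netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"
}

# 3. Fail loudly if the agent did not come up; otherwise show what the
#    client will present to NPS at its next DHCP lease/renewal.
if ((Get-Service -Name napagent).Status -ne 'Running') {
    throw 'NAP Agent service is not running; health evaluation will not occur.'
}
netsh nap client show config
netsh nap client show state
```

`netsh nap client show state` lists each enforcement client and whether it is initialized, which is the first thing to check when a client never appears in the NPS accounting log.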


