Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3

In this part 3, I will show you more about policies and see what they do in a DHCP enforcement solution.

Picture 1 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3
Use Group Policy Filtering to create a NAP DHCP enforcement policy - Part 1
Picture 2 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3
Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 2

Thomas Shinder

Network Administration - In Part 2 of this series, we went over the NAP configuration wizard in the NPS console. The NAP configuration wizard has created a number of policies, specifically including connection request policies, health policies, and network policies. In this part 3, I will show you more about these policies and see what they do in the DHCP enforcement solution .

Policy requires connection

The connection request policy allows you to specify whether connection requests are processed internally or forwarded to remote RADIUS servers. In the figure below, you can see that the wizard has created a NAP DHCP connection policy that has specific conditions and settings. As you can see in the figure below, a condition that is applied to this policy is also applied to the days of the week, and only Setting has the Authentication provider value Local Computer (the computer is running the translation. NPS case).

Double click on this policy and see what appears.

Picture 3 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3

Figure 1

On the Overview tab, you can see that the policy is enabled and that the network connection method is DHCP. This means that the DHCP server is the network access server for this network and the DHCP network access server communicates with the RADIUS (NPS) server to determine whether or not to allow network access and access type. What is allowed for the network based on the client health status.

Picture 4 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3

Figure 2

On the Conditions tab, you can see the conditions that appeared in the previous NPS console. Only the conditions that apply to this rule will apply to all hours of the week.

Picture 5 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3

Figure 3

On the Settings page, click the Authentication link in the left pane of the page. Here you can see that the authentication settings are set to Authenticate requests on this server . This RADIUS (NPS) server is the server that performs authentication. In some cases, you will want to leave the DHPC server on a computer completely separate from the NPS server that is performing authentication. In that case, you still need to install NPS on the DHCP server, but then you configure the NPS server to forward authentication requests to the remote RADIUS (NPS) server using Forward requests to the Follow RADIUS server group for remote control as shown in the image below.
Click OK in the NAP DHCP Properties dialog box .

Picture 6 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3

Figure 4

As you can see, the connection request policy sets the authentication conditions and settings for the entire NAP policy. Now let's take a closer look at NAP network policies.

Network policies

NAP network policies allow you to specify who is authorized to connect to the network and in what circumstances they may or may not be connected. You can see the wizard of NAP has created 3 network policies for our entire NAP policy:

  1. NAP DHCP Compliant This rule applies to NAP compliant computers

  2. NAP DHCP Noncompliant This rule applies to NAP-compliant computers

  3. This DHCP DHCP NAP-Capable Rule applies to computers that cannot handle NAP policies.

In the three figures below, you can see Conditions and Settings for each of these rules. The main difference between these three rules is the access level that each rule provides to clients. With full consensus, comprehensive access levels will be provided. With disagreement or not being able to use NAP machines, these machines will be restricted to access the network to a certain extent.

Picture 7 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3

Figure 5

Picture 8 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3

Figure 6

Picture 9 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3

Figure 7

Double-click on one of the rules and see what details are inside the rules. When you double-click the NAP DHCP Noncompliant Properties rule, the first tab you see is the Overview tab. Here we can see that the policy is enabled, Access Permission is set to Grant access and the user's dial-in properties are ignored (because DHCP clients do not access the modal network). dial). Finally, you will see the Network connection method set up as DHCP server .

Picture 10 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3

Figure 8

On the Conditions tab, you will see the NAP DHCP Noncompliant Health Policy applied when NAP DHCP Noncompliant Properties Network Rule is applied. We will look into these health policies in depth.

Picture 11 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3

Figure 9

In the Constraints page , the wizard has configured health policy constraints. There is only one constraint here as a health condition that needs to be applied and tested without any other evaluation requirements.

Picture 12 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3

Figure 10

Click the Settings tab, and then click the NAP Enforcement link in the left pane of the dialog box. In the right pane you will see the wizard has configured the access level allowed for this Network Policy. In this case, the wizard has configured the policy to Allow limited access . Limited access is set as only IP addresses, network IDs, and servers that require basic network services and allow negotiation. You can add many things like this by clicking the Configure button in the Remediation Server Group and Troubleshooting URL box .

If you click the Configure button, you will see that the Network Services group created appears as a conditional server group to apply to this network policy.

Note that, based on the options in the wizard, Network Policy is also configured to automatically suspend when the Enable auto-remediation of client computers check box is checked.

Picture 13 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3

Figure 11

Health policy

Health policies are used with NAP to allow you to specify the configuration required for NAP consensus clients to access the network. In essence, health policies are used to determine whether the computer meets the essentials of a consensus computer. As you can see in the picture below, the wizard has created two health policies.

  1. NAP DHCP Compliant ( Consent )
  2. NAP DHCP Noncompliant

The purpose of each of these policies is clear. The consensus policy defines computers in agreement with the health policies of the network and the other policy defines non-compliant machines.

Double click on the NAP DHCP Noncompliant entry to bring up the NAP DHCP Noncompliant Properties dialog box .

Picture 14 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3

Figure 12

When you click the Network Access Protection button on the left pane of the Network Policy Server console , you will see two other buttons: System Health Validator and Remediation Server Group . Click the System Health Validator button .

Here you can see in the right pane of the console is a list of System Health Validators applied to define the Health Policy as we have seen. By default, only one SHV is the Windows Security Health Validator . When you click on this SHV you will see in the lower pane in SHV a list of error code configurations. The wizard has set up each of these error codes to make the client think that it is not agreeing.

Let's look in more detail by double-clicking on the Windows Security Health Validator entry .

Picture 15 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3

Figure 13

When you double-click it, you will see the Windows Security Health Validator Properties dialog box appear. Here you can see the Error code resolution settings . These settings are used to specify how to manage situations where error codes appear during NAP execution. The defaults configured by the wizard are almost safer, and we also recommend that you keep them.

Click the Configure button to configure the settings for this SHV.

Picture 16 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3

Figure 14

When that button is clicked, the Windows Security Health Validator dialog box appears, which has two tabs: one is the Windows Vista tab and the Windows XP tab. In this example we only focus on the Windows Vista tab because that is the client that we will test when the configuration is complete.
The Windows Security Health Validator allows you to configure the following components:

  1. Firewall: You can enable the firewall on the Vista client to agree with the general health policy.

  2. Virus Protection: Enforcement of virus protection can be enforced. In addition, virus protection updates may be required for consensus.

  3. Spyware Protection: Can use antispyware application, in addition to updating the application.

  4. Automatic Updating: When automatic updates are established, NAP agent on the client will solve all problems. For example, if a user disables Windows Firewall, then NAP agent on another computer will try to activate the firewall again.

  5. Security Update Protection: When this option is set up, you can restrict clients from accessing the network based on their current status for security updates. You can also use the drop down list as shown in the figure below to set what type of security upgrade is required. It is also possible to set the minimum number of hours allowed when the client has checked for new security updates and whether or not to allow clients to use Windows Server Update Servers or Windows Update (Microsoft Update is given default permission).

Picture 17 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3

Figure 15

The figure below shows the SHV settings for the Windows Security Health Validator for Windows XP clients. Note that the anti-malware options are not here.

Picture 18 of Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 3

Figure 16

Conclude

In this article, I have covered the details of the Health, Network and Connection Request policies created by the NAP wizard. Also introduced is the Windows Security Health Validator. In the next section, we will check the DHCP server settings, then test the NAP policies.

Update 26 May 2019
Category

System

Mac OS X

Hardware

Game

Tech info

Technology

Science

Life

Application

Electric

Program

Mobile