How to install and configure a NAP server

Now that we’ve learned the basics of NAP it’s time to install and configure a Network Access Protection Server and discover more of its features. I will be using a Windows Server 2008 R2 machine on which I will add the Network Policy and Access Services server role. We’ve installed this role a couple of times now so, it should be easy to add it. Open up the Server Manager console, navigate to the Roles section and press the Add Roles button and select Network Policy and Access Services:
Network Policy and Access Services
On the Role Services section, select Network Policy Server, click Next and then Install the role:
Network Policy Server
Once the role has been installed, navigate to Administrative Tools and open up Network Policy Server console. From the Standard Configuration window select Network Access Protection (NAP) and click Configure NAP:
Configure NAP
In the Network Connection Method for Use with NAP section select the desired enforcement point and set a policy name. I will be using this NAP server for my VPN users so I will select Virtual Private Network (VPN) as the enforcement point:
NAP Virtual Private Network (VPN) enforcement
In the following section you’ll need to add the RADIUS clients that will be used by the NAP policy. These are VPN servers configured within your organization to authenticate remote users and computers. On the New RADIUS Client window you’ll need to enter the friendly name, IP address and the shared secret used by your network devices:
New RADIUS Client
It is recommended that you use multiple RADIUS VPN servers to authenticate remote clients to provide a failover infrastructure. Once you add your servers, they will appear in the RADIUS client section:
Next, you’ll need to configure user groups and machine groups. By default, all users and computers are allowed to authenticate using the NAP policy. To allow or deny access for a specified groups of users and/or computers press the Add button. I will apply this policy to all devices within my network so, I will leave this section blank:
Configure NAP
We’ll need to select a certificate issued by a trusted CA that will be used by all client computers. Note that Protected Extensible Authentication Protocol (PEAP) will be used by clients to authenticate within your network. You can also enable the Secure Pasword (PEAP-MS-CHAP v2) feature to allow users to type in the password-based credentials during authentication:
NAP authentication method
You will need to issue a certificate by a trusted Certification Authority and import it to your NAP server. Once you’ve added the certificate add it to the NPS Server Certificate section of the NAP Wizard. Once you click Next, the NAP configuration is done. After you have installed and configured NAP, several steps must be completed before NAP enforcement is enabled. We will discuss about NAP enforcement in a future article, for now, relax and enjoy your day!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s