How to configure NAP clients


   We’ve learned a couple of things about NAP in the previous articles. In today’s post I’ll show you how to configure NAP clients. Before we proceed with this short tutorial, make sure that your NAP server is up and running. If you have any problems with NAP installation and configuration, please check the previous articles.
   The best way to configure your NAP clients within an AD domain is by using the Group Policy Management Console (GPMC). For this demonstration I will be using a Windows Server 2012 virtual machine. Once you’ve opened GPMC, create a new GPO (Group Policy Object); I will name mine NAP Client Configuration. Once the new policy has been created, right-click it and press Edit:
[Screenshot: Group Policy Management Console]
   Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Network Access Protection/NAP Client Configuration:
[Screenshot: NAP Client Configuration]
There are several NAP configurations available here:
Enforcement Clients – this is the enforcement option used by NAP; we’ve talked about IPSec enforcement in a previous article. All clients will use the enforcement type specified in this section.
User Interface Settings – you can specify text or images that will appear in the Network Access Protection user interface on client computers.
Request Policy – you can use this policy to specify the Hash Algorithm or the Cryptographic Service Provider used with NAP. You can also use the second menu to specify the trusted Health Registration Authority Servers that NAP clients will use to obtain their health certificate:
[Screenshot: Health Registration Authority Servers]
Now we’ll need to start the Network Access Protection Agent service on all computers that will be using NAP. I will start this service using a GPO. Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/System Services and double-click Network Access Protection Agent. Check the Define this policy setting box and set the startup mode to Automatic:
[Screenshot: Network Access Protection Agent]
Note that you can start the NAP client service on each computer manually, but this is a time-consuming operation, so it’s best to use a GPO.
If you are using the built-in Windows System Health Validator (SHV), you will need to turn on the Security Center service on all computers. This service can be started from Computer Configuration/Policies/Administrative Templates/Windows Components/Security Center:
[Screenshot: Security Center service]
Now double-click the Turn on Security Center (Domain PCs only) policy and enable it:
[Screenshot: Turn on Security Center]
Once all these configurations are completed, your NAP clients should be able to use this network protection mechanism. You can quickly verify the NAP state on a Windows client by typing netsh nap client show state at a command prompt.
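A client-side check for the settings configured above, as an added example that is not part of the original article. It assumes an elevated PowerShell 3.0 or later session on a domain-joined client, the short service names napagent and wscsvc, and the GPO name used in this walkthrough.

```powershell
# Added example: run in an elevated PowerShell session on a NAP client.
$gpoName  = 'NAP Client Configuration'   # GPO name used in this article
$services = @(
    # RequireAuto: the article's GPO sets only the NAP agent to Automatic
    @{ Name = 'napagent'; Label = 'Network Access Protection Agent'; RequireAuto = $true  },
    @{ Name = 'wscsvc';   Label = 'Security Center';                 RequireAuto = $false }
)
$problems = @()

foreach ($svc in $services) {
    $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
    if (-not $s) {
        $problems += "$($svc.Label): service not found"
        continue
    }
    if ($s.State -ne 'Running') {
        $problems += "$($svc.Label): state is $($s.State), expected Running"
    }
    if ($svc.RequireAuto -and $s.StartMode -ne 'Auto') {
        $problems += "$($svc.Label): start mode is $($s.StartMode), expected Auto"
    }
}

# Confirm the computer received the GPO (computer scope needs elevation).
$applied = gpresult /r /scope computer | Select-String -SimpleMatch $gpoName
if (-not $applied) {
    $problems += "GPO '$gpoName' is not listed in gpresult output"
}

# Show what the NAP agent itself reports: GPO-delivered settings, then live state.
netsh nap client show grouppolicy
netsh nap client show state

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'NAP agent, Security Center and GPO checks passed.'
```

A name match in the gpresult output does not distinguish an applied GPO from one listed as filtered out, so read that section of the output if the client still behaves as unconfigured.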
That’s it for this article folks, hope you will find it interesting and helpful. Wish you all the best!