NAP demystified (hopefully)
As I learned at Tech Ed 2007, Microsoft NAP still has two large misconceptions out in the world:
1. NAP is solely based on DHCP technology - 100% FALSE
2. Deploying NAP requires a complete "rip and replace" of your existing AD/Server infrastructure - 100% FALSE
I created the table below to demystify which options are available for the NAP Client across three platforms.
The table doesn’t discuss the NAP Server, but I think it is worth discussing briefly. Our NAP Server "role", contained in Windows Server 2008, is named "Network Policy and Access Services". The heart of the NAP Server is named "Network Policy Server" or "NPS" for short. To deploy NAP in your environment, you must have at least one Windows Server 2008 computer running NPS. That’s it! It doesn’t need to be a domain controller, nor even joined to a domain in most cases.
On to the table:
| NAP Client Feature | Windows XP | Windows Vista | Windows Server 2008 (acting as a client) | Notes |
|---|---|---|---|---|
| Installed by default | No | Yes | Yes | The NAP Client for Windows XP will be available publicly within Windows XP Service Pack 3, releasing in the Windows Server 2008 timeframe. |
| Turned "OFF" by default | Yes | Yes | Yes | You can enable NAP via Group Policy (GP), command-line, registry or MMC. |
| Public APIs | Yes | Yes | Yes | |
| DHCP Enforcement | Yes | Yes | Yes | |
| VPN Enforcement | Yes | Yes | Yes | |
| IPsec Enforcement | Yes | Yes | Yes | Windows XP supports only IKE based IPsec (no AuthIP support). |
| 802.1x Wireless Enforcement | Yes | Yes | Yes | |
| 802.1x Wired Enforcement | Yes | Yes | Yes | |
| Windows System Health Agent (WSHA) | Yes | Yes | No | Windows Security Center integration with the NAP Client. This is not available on the Server (acting as a NAP Client). |
| MMC Configuration | No | Yes | Yes | The .Net Managed MMC Snap-in is not available on Windows XP. |
| Command-line Configuration | Yes | Yes | Yes | |
| Local Configuration | Yes | Yes | Yes | |
| Group Policy (GP) Configuration | Yes | Yes | Yes | |
I hope this clears up some things about NAP for you. Please feel free to comment on this post -or- email me -or- post to our public web forum!
NAP the WORLD in 2007,
Jeff Sigman
NAP Release Manager
Jeff.Sigman@online.microsoft.com *
- https://blogs.technet.com/nap
- https://microsoft.com/nap
- https://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=576&SiteID=17
* Remove the "online" to actually email me.
** This posting is provided "AS IS" with no warranties, and confers no rights.
Comments
Anonymous
January 01, 2003
NAP Team's Jeff Sigman (Senior Program Manager) has posted on the NAP Blog some Q&A regarding

Anonymous
January 01, 2003
Since I spend nearly 1/3 of my week answering (or ignoring :->) emails about the XP NAP Client, I

Anonymous
January 01, 2003
NAP: Network Access Protection

Anonymous
January 01, 2003
The comment has been removed

Anonymous
January 01, 2003
My pleasure!
- Jeff

Anonymous
June 29, 2007
How can we enable NAC client on Win XP SP2 if the NAC Snap in is not present? On a Video I can see a NAP Status icon, where we can get this icon?

Anonymous
July 02, 2007
Thank you Jeff.