NAP Enforcement Exemption for Printers and other Network Appliances
Network administrators deploying DHCP NAP on their network often need to create a NAP enforcement exemption for devices such as printers, NAS boxes and VoIP phones that don't support NAP. Today we will look at the steps to create such an NPS policy based on the MAC address of the device's NIC.
Limitation: because of the restriction on the length of the NAP condition attribute field, the MAC list can be at most 256 characters long. To accommodate more MACs, you have to use a regular expression instead of exact MAC strings.
1. Launch the NPS MMC -> Network Access Policy -> Right Click -> New.
2. Set the name of the policy and select DHCP Server as the Type of Network Access Server. Click Next.
3. In the Specify Conditions page, click 'Add'.
4. Scroll down the condition list and select 'Calling Station ID'. Click Add.
5. Here we enter the list of all the MAC addresses we want to exempt. To specify the list, we take advantage of the pattern matching capability of NPS so that we don't end up creating one policy for each appliance. Please note that this field has a limit of 256 characters, so if you need to exempt a large number of interfaces, use pattern matching instead of exact MAC strings.
Remove any hyphens (dashes) from the MAC address, so 02-00-54-55-4E-01 becomes 020054554E01. Enclose the MAC between a caret and a dollar sign: ^020054554E01$ . This ensures that an exact match is done. To add another MAC, put a pipe / logical OR (|) and then the next MAC enclosed between ^ and $. Please note that there must not be any spaces in the list. Add all the MACs you want to exempt to this list.
Click Ok to add the list. You can later add/remove MACs by opening the property of the Policy.
6. You can see the condition added. Click Next.
7. In the Specify Access Permission page, set "Access Granted" and click Next.
8. In the Configure Authentication Method page, ensure only "Perform machine health check only" is checked. Click Next.
9. Click Finish to complete the wizard.
10. Now the policy is in place, but because of the policy processing order of NPS, this policy would never get a chance to be evaluated if other policies are in place above it. Go to NPS and select the policy -> Right Click -> Move Up.
11. Repeat the above until the policy is at the top of the list. You are done!
Let's check whether all such devices are indeed exempted by this policy.
Open Windows Event Viewer (eventvwr.msc) and turn on, or renew the address of, all such devices. In the left pane of the MMC, click Custom Views -> Server Roles -> Network Access Server. Scroll through the logged events until you find either the MAC address or the exemption policy being matched.
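As an added illustration (not code from the original post), here is a small Python helper that builds the Calling Station ID condition in the form described above, checks it against the 256-character limit, and simulates the match. It assumes NPS compares the hyphen-free, upper-case MAC string the post shows; the prefix form follows the hex character class suggested in the comments.

```python
import re

# Limit on the NAP condition attribute field, as stated in the post.
NPS_CONDITION_MAX = 256

def normalize_mac(mac: str) -> str:
    """Strip hyphens/colons and upper-case, so 02-00-54-55-4E-01 -> 020054554E01."""
    cleaned = re.sub(r"[-:]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return cleaned

def build_exact_pattern(macs) -> str:
    """Exact-match list in the post's form: ^MAC$|^MAC$|..., with no spaces."""
    return "|".join(f"^{normalize_mac(m)}$" for m in macs)

def build_prefix_pattern(prefixes) -> str:
    """Shorter fallback for many devices: match on a vendor prefix (OUI) and
    accept any hex digits for the remainder, as the comments suggest."""
    parts = []
    for p in prefixes:
        cleaned = re.sub(r"[-:]", "", p).upper()
        if not re.fullmatch(r"[0-9A-F]{2,12}", cleaned) or len(cleaned) % 2:
            raise ValueError(f"not a MAC prefix: {p!r}")
        parts.append(f"^{cleaned}[0-9A-Fa-f]{{{12 - len(cleaned)}}}$")
    return "|".join(parts)

def fits_nps_field(pattern: str) -> bool:
    """True if the pattern fits the 256-character condition field."""
    return len(pattern) <= NPS_CONDITION_MAX

def is_exempt(calling_station_id: str, pattern: str) -> bool:
    """Simulate NPS evaluating the condition against a client's Calling-Station-ID
    (assumed here to be the hyphen-free, upper-case form the post uses)."""
    return re.search(pattern, calling_station_id) is not None

if __name__ == "__main__":
    # Constructed sample: two printers by exact MAC, two phone vendors by prefix.
    exact = build_exact_pattern(["02-00-54-55-4E-01", "02:00:54:55:4e:02"])
    prefix = build_prefix_pattern(["00-11-22", "00-33-44"])
    print(exact, fits_nps_field(exact))
    print(prefix, is_exempt("001122AABBCC", prefix))
```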
Hope this helps in your DHCP NAP deployment. Looking forward to comments, suggestions and queries.
Regards,
Ujjwal John
[Windows Enterprise Networking Group, Microsoft]
Comments
Anonymous
January 01, 2003
Hey Mark, you can use [A-Za-z0-9] to define any alphanumeric character. In the case of MAC IDs, to restrict the valid input to hex characters, change the regex to [A-Fa-f0-9]. For info on the regex syntax supported by NPS, please refer to technet.microsoft.com/.../cc755272(WS.10).aspx
Anonymous
January 01, 2003
I am working through the same issue. I am trying to find the correct syntax for pattern matching 2 or more MAC addresses. For example: 00-11-22* OR 00-33-44* What would be the correct syntax?
Anonymous
January 01, 2003
Hi Alex
You can create multiple policies or use regular expressions as illustrated in this blog to add the MAC addresses of all the non-NAP-capable devices.
Thanks
Anonymous
January 01, 2003
Hello, I have a question about the procedure: does it work for Windows 2008 R2? When I click Add I see "Calling Station ID" and "Called Station ID"; I tried both but neither works. Any idea? Thanks
Anonymous
November 01, 2010
Which syntax for regular expressions is used? I.e., would the string be ^001F2438*$ or ^001F2438[0-F]*$ or ^001F2438????$
Anonymous
June 24, 2014
I have a lot of non-NAP-capable devices that must be allowed full access, and this only permits 256 characters. So how do I add the MAC addresses of all of them?