Configure DHCP NAP enforcement
DHCP NAP enforcement allows only compliant computers to receive IP address leases that grant full network access; noncompliant computers are instead assigned a subnet mask of 255.255.255.255 and no default gateway, which restricts their access to the network.
I. Installation of NAP
1. In Server Manager, click Manage, select Add Roles and Features, step through the wizard to the Select Server Roles page, select Network Policy and Access Services, and then click Next.
2. Click Next until you reach the Select Role Services page, select Network Policy Server, and then click Next.
3. Finally, click Install to install the NPS role service.
II. DHCP scope configuration
1. After the DHCP Server role is installed, open the DHCP console, right-click IPv4, select New Scope, and in the New Scope Wizard enter a scope name such as NAP clients (any name will do).
2. On the IP Address Range page, enter 192.168.1.1 as the start IP address and 192.168.1.254 as the end IP address, and then click Next.
3. On the Add Exclusions and Delay page, exclude any IP addresses that are already statically assigned.
4. On the Lease Duration page, keep the default and click Next.
5. On the Configure DHCP Options page, keep the default settings and click Next.
6. On the Router (Default Gateway) page, enter the gateway IP address, click Add, and then click Next.
7. On the Domain Name and DNS Servers page, enter the domain name and the DNS server IP address, and then click Next.
8. On the WINS Servers page click Next, and on the Activate Scope page keep the default option and finish the wizard.
III. Authorizing the DHCP server
1. In the DHCP console, right-click the DHCP root node and select Manage Authorized Servers.
2. In the Manage Authorized Servers window click Authorize, enter the DHCP server's IP address in the Authorize DHCP Server dialog box, and then click OK until the windows close.
IV. Configuring NPS as a NAP health policy server
1. In Server Manager, open the Network Policy Server console. In the Standard Configuration area of the details pane on the right, select Network Access Protection (NAP) from the drop-down list, and then click Configure NAP.
2. In the Select Network Connection Method For Use with NAP dialog box, select Dynamic Host Configuration Protocol (DHCP), keep the default policy name, and then click Next.
3. On the Specify NAP Enforcement Servers Running DHCP Server page, select the RADIUS client. Note that the RADIUS client here is not an actual client computer but the DHCP server itself; read the page's instructions carefully. Because the DHCP server was authorized earlier, it should appear automatically; if it does not, click Add. Then click Next.
4. On the Specify DHCP Scopes page, click Add to specify one or more scopes whose compliant clients will receive full-access IP addresses. If you do not specify a scope, the policy applies to all scopes on the specified DHCP server.
5. On the Configure Machine Groups page you can grant or deny access to a group of computers; if no group is selected, the policy applies to all computers. Keep the default and click Next.
6. On the Specify a NAP Remediation Server Group and URL page, select an existing remediation server group or create a new one, optionally specify a troubleshooting URL, and then click Next.
7. On the Define NAP Health Policy page, keep the default options and click Next.
8. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.
9. In the Network Policy Server console, expand Policies, click Connection Request Policies, and verify that the NAP DHCP policy has been created and sits at the top of the processing order.
V. Enable NAP enforcement on DHCP
1. Open the DHCP console, right-click IPv4, and select Properties.
2. In the IPv4 Properties dialog box, click Enable on All Scopes, and then click Yes in the dialog box that appears.
3. In the same dialog box, under DHCP server behavior when Network Policy Server (NPS) is unreachable, select Restricted Access, and then click OK.
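The two settings in this section are the ones most likely to be skipped or reverted, so the following audit script is added here as an example (it is not part of the original article). It assumes the DhcpServer PowerShell module on Windows Server 2012 or later and is run on the DHCP server itself; the `-Fix` switch and the function name are this example's own.

```powershell
# Added audit script, not part of the original article. Assumes the DhcpServer
# PowerShell module (Windows Server 2012 or later); run on the DHCP server after
# completing section V.
Import-Module DhcpServer

function Test-DhcpNapEnforcement {
    param([switch]$Fix)   # with -Fix, correct weak settings instead of only reporting them

    $server = Get-DhcpServerSetting
    # NapEnabled is the server-wide switch; without it no scope performs health checks.
    if (-not $server.NapEnabled) {
        Write-Warning 'NAP is disabled at the server level.'
    }
    # 'Full' hands every client a full-access lease whenever NPS is down, so enforcement
    # silently disappears; the article sets this to Restricted Access.
    if ($server.NpsUnreachableAction -ne 'Restricted') {
        Write-Warning ("NpsUnreachableAction is '{0}', expected 'Restricted'." -f $server.NpsUnreachableAction)
        if ($Fix) { Set-DhcpServerSetting -NpsUnreachableAction Restricted }
    }

    foreach ($scope in Get-DhcpServerv4Scope) {
        if (-not $scope.NapEnable) {
            Write-Warning ("Scope {0} ({1}) is not NAP-enabled." -f $scope.ScopeId, $scope.Name)
            if ($Fix) { Set-DhcpServerv4Scope -ScopeId $scope.ScopeId -NapEnable $true }
        }
        [pscustomobject]@{
            ScopeId    = $scope.ScopeId
            Name       = $scope.Name
            State      = $scope.State
            NapEnable  = $scope.NapEnable
            NapProfile = $scope.NapProfile   # empty means the default NAP profile applies
        }
    }
}

Test-DhcpNapEnforcement | Format-Table -AutoSize
```

Run it without `-Fix` first to see what would change; scopes that were added after Enable on All Scopes was clicked will show NapEnable False until enabled.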
VI. Configuring NAP Client Group Policy
1. Open Group Policy Management, edit the Default Domain Policy, and navigate to Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Network Access Protection \ NAP Client Configuration \ Enforcement Clients.
2. In the details pane on the right, double-click DHCP Quarantine Enforcement Client, select Enable this enforcement client, and then click OK.
3. Under Computer Configuration \ Policies \ Windows Settings \ Security Settings \ System Services, double-click Network Access Protection Agent, select the Define this policy setting check box, choose Automatic as the service startup mode, and then click OK.
4. Under Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ Security Center, double-click Enable Security Center (domain only), select Enabled, and then click OK.
VII. Testing the DHCP NAP enforcement client
On a client computer, force a Group Policy refresh with gpupdate /force, and then run ipconfig to inspect the IP address it obtained.
As you can see, the DHCP client does not meet the NAP policy requirements and obtains an IP address with a subnet mask of 255.255.255.255, the host-only mask described above, indicating that the client computer did not pass the NAP health check.
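To turn the ipconfig inspection into a repeatable check, here is a client-side script added as an example (not from the original article). It assumes a domain-joined client with the NetTCPIP module (Windows 8 / Server 2012 or later), run after gpupdate /force; the function name is this example's own.

```powershell
# Added client-side check, not part of the original article. Assumes the NetTCPIP
# module (Windows 8 / Server 2012 or later); run on the client after gpupdate /force.
function Get-NapLeaseStatus {
    # Only look at DHCP-assigned IPv4 addresses; static addresses are outside NAP's reach.
    foreach ($ip in Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Dhcp) {
        $gateway = Get-NetRoute -InterfaceIndex $ip.InterfaceIndex -DestinationPrefix '0.0.0.0/0' `
                                -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Interface    = $ip.InterfaceAlias
            IPAddress    = $ip.IPAddress
            PrefixLength = $ip.PrefixLength
            HasGateway   = [bool]$gateway
            # A /32 lease with no default route is the restricted lease handed to
            # noncompliant clients, as seen in the ipconfig output above.
            Restricted   = ($ip.PrefixLength -eq 32 -and -not $gateway)
        }
    }
}

Get-NapLeaseStatus | Format-Table -AutoSize

# Confirm the GPO from section VI took effect: the NAP agent must be running and set
# to start automatically, and the DHCP enforcement client must be enabled.
Get-WmiObject Win32_Service -Filter "Name='napagent'" | Select-Object Name, State, StartMode
netsh nap client show state
```

If Restricted is True but the client should be compliant, the netsh output is the first place to look: a disabled DHCP Quarantine Enforcement Client or a stopped agent means the client never reports its health state.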