NAP demystified (hopefully)


As I learned at Tech Ed 2007, Microsoft NAP still has two large misconceptions out in the world:


1. NAP is solely based on DHCP technology – 100% FALSE

2. Deploying NAP requires a complete “rip and replace” of your existing AD/Server infrastructure – 100% FALSE


I created the table below to demystify which options are available for the NAP Client across three platforms.


The table doesn’t discuss the NAP Server, but I think it is worth discussing briefly. Our NAP Server “role”, contained in Windows Server 2008, is named “Network Policy and Access Services”. The heart of the NAP Server is named “Network Policy Server” or “NPS” for short. To deploy NAP in your environment, you must have at least one Windows Server 2008 computer running NPS. That’s it! It doesn’t need to be a domain controller, nor even joined to a domain in most cases.


On to the table:

| NAP Client Feature | Windows XP | Windows Vista | Windows Server 2008 (acting as a client) | Notes |
|---|---|---|---|---|
| Installed by default | ✗ | ✓ | ✓ | The NAP Client for Windows XP will be available publicly within Windows XP Service Pack 3, releasing in the Windows Server 2008 timeframe. |
| Turned “OFF” by default | ✓ | ✓ | ✓ | You can enable NAP via Group Policy (GP), command-line, registry or MMC. |
| Public APIs | ✓ | ✓ | ✓ | |
| DHCP Enforcement | ✓ | ✓ | ✓ | |
| VPN Enforcement | ✓ | ✓ | ✓ | |
| IPsec Enforcement | ✓ | ✓ | ✓ | Windows XP supports only IKE based IPsec (no AuthIP support). |
| 802.1x Wireless Enforcement | ✓ | ✓ | ✓ | |
| 802.1x Wired Enforcement | ✓ | ✓ | ✓ | |
| Windows System Health Agent (WSHA) | ✓ | ✓ | ✗ | Windows Security Center integration with the NAP Client. This is not available on the Server (acting as a NAP Client). |
| MMC Configuration | ✗ | ✓ | ✓ | The .Net Managed MMC Snap-in is not available on Windows XP. |
| Command-line Configuration | ✓ | ✓ | ✓ | |
| Local Configuration | ✓ | ✓ | ✓ | |
| Group Policy (GP) Configuration | ✓ | ✓ | ✓ | |


I hope this clears up some things about NAP for you. Please feel free to comment on this post -or- email me -or- post to our public web forum!

NAP the WORLD in 2007,

Jeff Sigman
NAP Release Manager
Jeff.Sigman@online.microsoft.com *
http://blogs.technet.com/nap
http://microsoft.com/nap
http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=576&SiteID=17

* Remove the “online” to actually email me.
** This posting is provided “AS IS” with no warranties, and confers no rights.

Comments (7)

  1. Anonymous says:

    NAP Team's Jeff Sigman (Senior Program Manager) has posted on the NAP Blog some Q&A regarding

  2. Anonymous says:

    Since I spend nearly 1/3 of my week answering (or ignoring :->) emails about the XP NAP Client, I

  3. Anonymous says:

    NAP: Network Access Protection

  4. Anonymous says:

    Hey Charles, you can enable NAP on XP with:

    1.) Group Policy (GP) – running NAP MMC against a GPO on Vista or 2008 Server.

    2.) Command-line (script) – "netsh nap client …"

    3.) Registry – see forum:

    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1744957&SiteID=17

    – Jeff

  5. Anonymous says:

    My pleasure!

    – Jeff

  6. charles says:

    How can we enable NAC client on Win XP SP2 if the NAC Snap in is not present?

    In a video I can see a NAP Status icon; where can we get this icon?

  7. charles says:

    Thank you Jeff.