NAP demystified (hopefully)
As I learned at Tech Ed 2007, Microsoft NAP still has two large misconceptions out in the world:
1. NAP is solely based on DHCP technology - 100% FALSE
2. Deploying NAP requires a complete "rip and replace" of your existing AD/Server infrastructure - 100% FALSE
I created the table below to demystify which options are available for the NAP Client across three platforms.
The table doesn’t discuss the NAP Server, but I think it is worth discussing briefly. Our NAP Server "role", contained in Windows Server 2008, is named "Network Policy and Access Services". The heart of the NAP Server is named "Network Policy Server" or "NPS" for short. To deploy NAP in your environment, you must have at least one Windows Server 2008 computer running NPS. That’s it! It doesn’t need to be a domain controller, nor even joined to a domain in most cases.
On to the table:
NAP Client Feature |
Windows XP |
Windows Vista |
Windows Server 2008(acting as a client) |
Notes |
Installed by default |
x |
þ |
þ |
The NAP Client for Windows XP will be available publicly within Windows XP Service Pack 3, releasing in the Windows Server 2008 timeframe. |
Turned "OFF" by default |
þ |
þ |
þ |
You can enable NAP via Group Policy (GP), command-line, registry or MMC. |
Public APIs |
þ |
þ |
þ |
|
DHCP Enforcement |
þ |
þ |
þ |
|
VPN Enforcement |
þ |
þ |
þ |
|
IPsec Enforcement |
þ |
þ |
þ |
Windows XP supports only IKE based IPsec (no AuthIP support). |
802.1x Wireless Enforcement |
þ |
þ |
þ |
|
802.1x Wired Enforcement |
þ |
þ |
þ |
|
Windows System Health Agent (WSHA) |
þ |
þ |
x |
Windows Security Center integration with the NAP Client. This is not available on the Server (acting as a NAP Client). |
MMC Configuration |
x |
þ |
þ |
The .Net Managed MMC Snap-in is not available on Windows XP. |
Command-line Configuration |
þ |
þ |
þ |
|
Local Configuration |
þ |
þ |
þ |
|
Group Policy (GP) Configuration |
þ |
þ |
þ |
I hope this clears up some things about NAP for you. Please feel free to comment on this post -or- email me -or- post to our public web forum!
NAP the WORLD in 2007,
Jeff Sigman
NAP Release Manager
Jeff.Sigman@online.microsoft.com *
- https://blogs.technet.com/nap
- https://microsoft.com/nap
- https://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=576&SiteID=17
* Remove the "online" to actually email me.
** This posting is provided "AS IS" with no warranties, and confers no rights.