The "RADIUS client is NAP-capable" check box

When you create a new RADIUS client or modify the settings of an existing RADIUS client from the RADIUS Clients node of the Network Policy Server snap-in, there is a RADIUS client is NAP-capable check box. Here is an example.

RADIUS client configuration

What is this check box all about?

As I state in the Windows Server 2008 Networking and Network Access Protection (NAP) book, you should select this box if the RADIUS client is a NAP enforcement point that is running Windows Server 2008. That is, if the NAP enforcement point is one or more of the following:

· A Health Registration Authority (HRA) for IPsec enforcement

· A virtual private network (VPN) server for VPN enforcement

· A Dynamic Host Configuration Protocol (DHCP) server for DHCP enforcement

· A Terminal Server (TS) Gateway server for TS Gateway enforcement

When this check box is selected, the NPS service sends NAP-specific RADIUS vendor-specific attributes (VSAs) in the Access-Accept message. When this check box is not selected, the NPS service does not send NAP-specific RADIUS VSAs in the RADIUS Access-Accept message.

When configuring RADIUS clients for a NAP deployment, do the following:

· For RADIUS clients corresponding to Windows Server 2008-based NAP enforcement points, select the RADIUS client is NAP-capable check box. Windows Server 2008-based NAP enforcement points use the information in the NAP-specific VSAs to determine the state of the NAP client and how to limit the access of a noncompliant NAP client. Also included in these VSAs is the System Statement of Health Response (SSoHR), which the enforcement point passes to the NAP client. For a complete listing of these VSAs, click here.

· For RADIUS clients corresponding to IEEE 802.1X-capable switches and wireless access points for 802.1X enforcement, clear the RADIUS client is NAP-capable check box. Some IEEE 802.1X-capable devices automatically deny connections when the Access-Accept message contains attributes that the device is not expecting. In the case of 802.1X enforcement, the IEEE 802.1X-capable devices are instructed to limit the access of noncompliant NAP clients through standard RADIUS attributes such as Filter-ID and Tunnel-Type. With 802.1X enforcement, the NAP health policy server sends the SSoHR and other NAP-specific information directly to the NAP client using a Protected Extensible Authentication Protocol (PEAP) message.
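The wire-level difference behind the two bullets above, as an added example that is not part of the original posting: an Access-Accept for a NAP-capable enforcement point carries Microsoft Vendor-Specific attributes (RADIUS attribute type 26, IANA vendor ID 311), while an Access-Accept for an 802.1X switch carries only standard attributes such as Filter-Id (11) and Tunnel-Type (64). The script builds both kinds of packet from constructed sample data, parses the attributes back out with length checks, and flags a mismatch between what was sent and how the client is marked in NPS, which is the condition that makes some switches deny the connection. The vendor-type number used for the NAP VSA is a placeholder, not one of the real NAP VSA codes; the standard attribute numbers come from RFC 2865, RFC 2868 and RFC 3580.

```python
"""
Added example (not NPS code): build and inspect RADIUS Access-Accept packets to
see what the "RADIUS client is NAP-capable" check box changes on the wire.
All packets below are constructed sample data.
"""
import struct

# RADIUS code and attribute types from RFC 2865 / RFC 2868
ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
MICROSOFT_VENDOR_ID = 311            # IANA enterprise number for Microsoft
TUNNEL_TYPE_VLAN = 13                # RFC 3580 value for VLAN assignment

# Placeholder vendor-type for the constructed NAP VSA (assumption, not a real NAP code)
PLACEHOLDER_NAP_VENDOR_TYPE = 250


def encode_attribute(attr_type, value):
    """Encode one attribute as Type, Length, Value; Length counts the 2 header bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_microsoft_vsa(vendor_type, value):
    """Wrap a vendor-type/value pair in a Vendor-Specific (26) attribute for vendor 311."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attribute(ATTR_VENDOR_SPECIFIC,
                            struct.pack("!I", MICROSOFT_VENDOR_ID) + inner)


def build_access_accept(attributes, identifier=1, authenticator=b"\x00" * 16):
    """Assemble a packet: Code, Identifier, Length, 16-byte Authenticator, attributes."""
    body = b"".join(attributes)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    """Return (code, [(type, value), ...]) after validating every length field."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    offset, result = 20, []
    while offset < length:
        attr_type, attr_len = struct.unpack("!BB", packet[offset:offset + 2])
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % offset)
        result.append((attr_type, packet[offset + 2:offset + attr_len]))
        offset += attr_len
    return code, result


def vendor_ids(attributes):
    """Vendor IDs of every Vendor-Specific attribute in the parsed list."""
    return [struct.unpack("!I", value[:4])[0]
            for attr_type, value in attributes
            if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 4]


def audit_access_accept(packet, client_is_nap_capable):
    """
    Compare what was sent with how the RADIUS client is marked in NPS:
    Microsoft VSAs going to a client whose check box is cleared (an 802.1X
    device that may reject unexpected attributes), or no VSAs going to a
    Windows Server 2008 enforcement point that needs them, are both mismatches.
    """
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return "not an Access-Accept"
    has_ms_vsa = MICROSOFT_VENDOR_ID in vendor_ids(attrs)
    if has_ms_vsa and not client_is_nap_capable:
        return "mismatch: NAP VSAs sent to a client marked not NAP-capable"
    if not has_ms_vsa and client_is_nap_capable:
        return "mismatch: no NAP VSAs for a client marked NAP-capable"
    return "ok"


def sample_packet_for_nap_capable_client():
    """Constructed Access-Accept of the kind sent to a Windows Server 2008 enforcement point."""
    return build_access_accept([
        encode_attribute(ATTR_FILTER_ID, b"restricted"),
        encode_microsoft_vsa(PLACEHOLDER_NAP_VENDOR_TYPE, b"\x01"),  # placeholder NAP VSA
    ])


def sample_packet_for_8021x_switch():
    """Constructed Access-Accept using only standard attributes, as for 802.1X enforcement."""
    return build_access_accept([
        encode_attribute(ATTR_FILTER_ID, b"restricted"),
        encode_attribute(ATTR_TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)),  # tag 0
    ])


if __name__ == "__main__":
    for name, packet, flag in [
        ("enforcement point, box selected", sample_packet_for_nap_capable_client(), True),
        ("802.1X switch, box cleared", sample_packet_for_8021x_switch(), False),
        ("802.1X switch, box wrongly selected", sample_packet_for_nap_capable_client(), False),
    ]:
        print("%-40s %s" % (name, audit_access_accept(packet, flag)))
```

The audit function is a troubleshooting aid for the symptom the second bullet describes: capture the Access-Accept (for example from a packet trace on the NPS server) and check it against the client's check box state before concluding that the switch itself is at fault.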

When you create RADIUS clients from within the Configure NAP wizard, you do not have the ability to configure this check box. You must modify the RADIUS client configuration from the RADIUS Clients node of the Network Policy Server snap-in after completing the Configure NAP wizard.

Joe Davies
Senior Program Manager

This posting is provided "AS IS" with no warranties, and confers no rights.