Greetings, citizens of NAPville!
Here is some information to take into account when designing your policies for NAP, adapted from a section in the upcoming Network Access Protection Design Guide and written by our own Greg Lindsay:
· A RADIUS client access request can only match one connection request policy and one network policy. When the access request successfully matches a policy, no other policies are used to evaluate the access request.
· Policies are evaluated based on processing order and source:
o RADIUS access requests from Windows-based RADIUS clients can contain the MS-Network-Access-Server-Type RADIUS attribute, which specifies the source of the request. For example, access requests from a Windows Server 2008-based VPN server specify the source of Remote Access Server (VPN-Dial up).
o Access requests are evaluated against policies with the same source.
o If the source is not specified in the access request, the NPS service will evaluate it against the policies with a source of Unspecified.
o If there are no policies with the same source as the access request, the NPS service will evaluate it against the policies with a source of Unspecified.
o If there are multiple policies with the same source as the access request, the NPS service will evaluate it against the policy with the same source that is highest in the processing order (that is, the policy with the lowest Processing Order number). If the access request does not match the conditions of the policy, the NPS service evaluates the policy next highest in the processing order with the same source. This continues until the access request matches a policy or all policies with the same source have been evaluated.
The following table lists the NAP enforcement methods and their corresponding source.
NAP enforcement method
Health Registration Authority
Remote Access Server (VPN-Dial up)
Terminal Server (TS) Gateway
Terminal Server Gateway
Senior Program Manager