General NAP policy design considerations

Greetings, citizens of NAPville!

Here is some information to take into account when designing your policies for NAP, adapted from a section in the upcoming Network Access Protection Design Guide and written by our own Greg Lindsay:

Consider the following rules when configuring connection request policies and network policies in the Network Policy Server (NPS) snap-in:

· A RADIUS client access request can only match one connection request policy and one network policy. When the access request successfully matches a policy, no other policies are used to evaluate the access request.

· Policies are evaluated based on processing order and source:

o RADIUS access requests from Windows-based RADIUS clients can contain the MS-Network-Access-Server-Type RADIUS attribute, which specifies the source of the request. For example, access requests from a Windows Server 2008-based VPN server specify the source of Remote Access Server (VPN-Dial up).

o Access requests are evaluated against policies with the same source.

o If the source is not specified in the access request, the NPS service will evaluate it against the policies with a source of Unspecified.

o If there are no policies with the same source as the access request, the NPS service will evaluate it against the policies with a source of Unspecified.

o If there are multiple policies with the same source as the access request, the NPS service will evaluate it against the policy with the same source that is highest in the processing order (that is, the policy with the lowest Processing Order number). If the access request does not match the conditions of the policy, the NPS service evaluates the policy next highest in the processing order with the same source. This continues until the access request matches a policy or all policies with the same source have been evaluated.
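To make the evaluation order above concrete, here is a small Python model of the policy-selection rules as the post states them. This is an added example, not Microsoft's NPS code: the policy set and access requests are constructed for illustration, the `conditions` predicate is a hypothetical stand-in for whatever other conditions an administrator configures, and the source strings mirror the Type of network access server values named in the post. Where the post does not say what happens when every same-source policy fails to match, the model returns no match; that is an assumption, not documented NPS behavior.

```python
"""Model of the NPS connection request / network policy selection rules.

Added example, not Microsoft code. Policies and requests below are constructed
for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

UNSPECIFIED = "Unspecified"
NAS_TYPE_ATTR = "MS-Network-Access-Server-Type"


@dataclass
class Policy:
    name: str
    processing_order: int           # lower number = evaluated earlier
    source: str = UNSPECIFIED       # Type of network access server (Overview tab)
    # Hypothetical stand-in for the policy's remaining conditions
    # (group membership, NAP-capable, health state, ...).
    conditions: Callable[[Dict[str, str]], bool] = field(default=lambda req: True)

    def matches(self, request: Dict[str, str]) -> bool:
        return self.conditions(request)


def select_policy(request: Dict[str, str], policies: List[Policy]) -> Optional[Policy]:
    """Return the single policy the access request matches, or None.

    Rules as stated in the post:
      1. Candidates are the policies whose source equals the request's
         MS-Network-Access-Server-Type attribute.
      2. If the request carries no such attribute, or no policy has that
         source, the candidates are the policies with source Unspecified.
      3. Candidates are tried in ascending Processing Order; the first match
         wins and no further policy is evaluated.
    Assumption: if every same-source candidate fails, nothing matches.
    """
    requested = request.get(NAS_TYPE_ATTR)
    candidates = [p for p in policies if p.source == requested] if requested else []
    if not candidates:
        candidates = [p for p in policies if p.source == UNSPECIFIED]
    for policy in sorted(candidates, key=lambda p: p.processing_order):
        if policy.matches(request):
            return policy
    return None


def select_policy_name(request: Dict[str, str], policies: List[Policy]) -> Optional[str]:
    policy = select_policy(request, policies)
    return policy.name if policy else None


# Constructed policy set: two VPN policies split by health state, one DHCP
# policy, and a catch-all with source Unspecified (used for 802.1X requests).
POLICIES = [
    Policy("VPN NAP compliant", 1, "Remote Access Server (VPN-Dial up)",
           conditions=lambda r: r.get("health") == "compliant"),
    Policy("VPN NAP noncompliant", 2, "Remote Access Server (VPN-Dial up)",
           conditions=lambda r: r.get("health") == "noncompliant"),
    Policy("DHCP NAP", 3, "DHCP Server"),
    Policy("Catch-all (Unspecified)", 4),
]

# Constructed access requests exercising each rule.
REQUESTS = {
    # Same-source policy 1 fails its condition, policy 2 matches.
    "vpn_noncompliant": {NAS_TYPE_ATTR: "Remote Access Server (VPN-Dial up)",
                         "health": "noncompliant"},
    # Both VPN policies fail; no match under the stated assumption.
    "vpn_unknown_health": {NAS_TYPE_ATTR: "Remote Access Server (VPN-Dial up)"},
    # 802.1X request carries no source attribute: Unspecified policies apply.
    "dot1x_no_source": {},
    # No policy has this source: falls back to Unspecified policies.
    "hra_no_matching_source": {NAS_TYPE_ATTR: "Health Registration Authority"},
}


def demo() -> Dict[str, Optional[str]]:
    return {name: select_policy_name(req, POLICIES) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, chosen in demo().items():
        print(f"{name:24s} -> {chosen}")
```

Running the module prints which policy each constructed request lands on; the interesting cases are the 802.1X request with no source attribute and the HRA request, both of which end up on the Unspecified catch-all, and the VPN request with an unknown health state, which matches nothing.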

The following table lists the NAP enforcement methods and their corresponding source.

NAP enforcement method          Source
IPsec                           Health Registration Authority
802.1X                          Unspecified
VPN                             Remote Access Server (VPN-Dial up)
DHCP                            DHCP Server
Terminal Server (TS) Gateway    Terminal Server Gateway

You can select a source from Type of network access server on the Overview tab in the properties of the policy.

Thanks Greg!

Joe Davies
Senior Program Manager