How to set up Network Access Protection to measure compliance of IPSec clients

The Step-by-Step Guide: Demonstrate NAP IPSec Enforcement in a Test Lab explains exactly how to set NAP up in a lab to measure the compliance (and optionally restrict the network access) of clients that identify themselves to the network using IPSec. This is my favourite way to secure network access, as IPSec on its own is incredibly powerful. It has the downside of being the most complicated NAP scenario and can be difficult to troubleshoot.

When configured appropriately, each IPSec-enabled device automatically proves its identity using digital credentials (typically a certificate) and will only accept incoming connections from clients that do likewise, proving that they are in the same trust group. Optionally, traffic can be filtered by packet type, and it can be encrypted too, though encryption should only be used when confidentiality matters more to you than being able to inspect the traffic and use traditional security tools on it.

IPSec WITH NAP can give a high level of assurance that only trusted, well-managed devices are able to communicate with each other. You can define policies for the scenarios where clients fail to meet either the identity or the health criteria.

One of the beauties of IPSec is that it is transparent to applications and the user, unless the remote device fails to communicate.
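As an added example (not from the original post or from the Microsoft guide), here is how the behaviour described above, machines proving their identity with a certificate and accepting inbound connections only from peers that do the same, can be expressed as a connection security rule with the NetSecurity PowerShell cmdlets. It assumes Windows 8 / Server 2012 or later; the CA distinguished name and the rule and set names are placeholders.

```powershell
# Added example: IPSec connection security rule that authenticates machines
# with certificates from a given CA and requires authenticated peers inbound.
# Assumptions: Windows 8 / Server 2012 or later (NetSecurity module);
# the CA distinguished name below is a placeholder, replace it with your own.

$caDn = "C=GB, O=Example, CN=Example NAP CA"   # placeholder CA DN

# Phase 1 (main mode): each machine proves its identity with a certificate
# chained to the specified root CA; peers that cannot are not trusted.
$authProposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $caDn -AuthorityType Root
$authSet = New-NetIPsecPhase1AuthSet -DisplayName "Machine cert auth (placeholder)" -Proposal $authProposal

# Phase 2 (quick mode): ESP with integrity only and no encryption, so the
# traffic stays inspectable by IDS and packet capture. Change -Encryption to
# AES256 only when confidentiality matters more than inspection.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption None
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName "ESP integrity only (placeholder)" -Proposal $qmProposal

# The rule: require authentication for inbound connections, request it for
# outbound ones so hosts can still reach devices that do not speak IPSec
# (for example during rollout). Use -OutboundSecurity Require once all
# peers comply.
New-NetIPsecRule -DisplayName "Require inbound machine cert auth (placeholder)" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name `
    -Profile Domain

# Check what was created.
Get-NetIPsecRule -DisplayName "Require inbound machine cert auth (placeholder)" |
    Format-List DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet, QuickModeCryptoSet
```

In a NAP deployment the CA named here would be the one issuing health certificates, so a client that fails its health check cannot present a valid certificate and is refused inbound by compliant machines.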

If you haven't come across Network Access Protection before, I recommend reading my earlier post, Where can I find out more about Network Access Protection?