NAP Enforcement Exemption for Printers and other Network Appliances

Network administrators deploying DHCP NAP often need to create NAP enforcement exemptions for devices such as printers, NAS boxes and VoIP phones that do not support NAP. In this post we look at the steps to create such an NPS network policy based on the MAC address of the device's NIC.

Limitations: The NPS condition value is limited to 256 characters, so a list of exact MAC strings in the ^MAC$|^MAC$ form described below holds at most 17 addresses. To cover more devices, use a regular-expression pattern (for example a vendor OUI prefix) instead of exact MAC strings, or split the list across several policies. Also keep in mind that the DHCP enforcement client identifies the device to NPS only by its MAC address, which any host can spoof, so this exemption is a convenience for unmanaged appliances and not a security boundary.

 

1. Launch the NPS MMC -> Policies -> Network Policies --> Right Click -> New

2. Set the name of the policy and select 'DHCP Server' as the Type of network access server. Click Next

3. In the Specify Conditions page, click 'Add'

4. Scroll down the condition list and select 'Calling Station ID'. Click Add

5. Here we enter the list of all the MAC addresses we want to exempt. To specify the list we take advantage of the pattern-matching capability of NPS, so that we don't end up creating one policy per appliance. Please note that this field is limited to 256 characters, so if you need to exempt a large number of interfaces, use pattern matching instead of exact MAC strings.

Remove the hyphens (dashes) from the MAC address, so 02-00-54-55-4E-01 becomes 020054554E01, and enclose it between a caret and a dollar sign: ^020054554E01$ . The anchors ensure that only an exact match counts; without them the pattern would also match any longer value that merely contains those digits. To add another MAC, append a pipe (|, logical OR) followed by the next MAC, again enclosed between ^ and $, for example ^020054554E01$|^020054554E02$ . There must be no spaces anywhere in the list. Add all the MACs you want to exempt to this list.

Click OK to add the list. You can later add or remove MACs by opening the properties of the policy.

 

6. The condition is now listed. Click Next

 

7. In the Specify Access Permission page, select "Access Granted" and click Next.

 

8. In the Configure Authentication Methods page, ensure that only "Perform machine health check only" is checked. Click Next.

 

9. Click Finish to complete the Wizard

 

 

10. The policy is now in place, but NPS evaluates network policies in processing order and applies the first one whose conditions match, so this policy would never be evaluated if an earlier policy already matches these devices. In the NPS console select the policy -> Right Click -> Move Up.

 

11. Repeat until the policy is at the top of the list. You are done!
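As an added example that is not part of the original post, the Python script below builds the Calling Station ID condition value from a list of MAC addresses exactly as steps 5 through 11 describe, enforces the 256-character limit, offers a shorter grouped form and a vendor-prefix form, and checks sample Calling-Station-Id values against the result so you can see why the anchors matter. Python's re module stands in for the NPS pattern-matching engine; the syntax used here (^, $, |, ( ), [ ] and {n}) is standard and is assumed to be accepted by NPS, so verify it against the NPS pattern-matching reference before relying on the prefix form. The function names, the assumption that the MAC arrives as 12 upper-case hex digits (as in the post's example), and the sample addresses are all mine.

```python
import re

# Limit stated in the post for an NPS condition value.
MAX_CONDITION_LEN = 256


def normalize_mac(mac: str) -> str:
    """Strip '-', ':' and '.' separators and upper-case the hex digits.

    DHCP NAP presents the client MAC as 12 hex digits in Calling-Station-Id
    (upper case in the post's example; the case is an assumption here), so
    the pattern has to be written in that form.
    """
    digits = re.sub(r"[-:.]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def exact_pattern(macs) -> str:
    """^MAC$|^MAC$|... exactly as the post describes: 14 chars per MAC plus '|'."""
    return "|".join(f"^{normalize_mac(m)}$" for m in macs)


def grouped_pattern(macs) -> str:
    """^(MAC|MAC|...)$: same matches, one pair of anchors, 12 chars per MAC plus '|'."""
    return "^(" + "|".join(normalize_mac(m) for m in macs) + ")$"


def oui_pattern(oui: str) -> str:
    """^OUI[0-9A-F]{6}$: exempt every address in one vendor prefix.

    Caution: this exempts any host that merely claims the OUI, and MAC
    addresses are trivially spoofed, so reserve it for truly unmanaged gear.
    """
    prefix = re.sub(r"[-:.]", "", oui.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{6}", prefix):
        raise ValueError(f"not an OUI: {oui!r}")
    return f"^{prefix}[0-9A-F]{{6}}$"


def fits(pattern: str) -> bool:
    """True when the value fits the NPS condition field."""
    return len(pattern) <= MAX_CONDITION_LEN


def build_condition(macs) -> str:
    """Pick the shortest exact-match form that fits the 256-char field.

    Raises ValueError when even the grouped form is too long; at that point
    fall back to a prefix pattern or split the list across policies.
    """
    for builder in (exact_pattern, grouped_pattern):
        pattern = builder(macs)
        if fits(pattern):
            return pattern
    raise ValueError(
        f"{len(macs)} MACs need {len(pattern)} chars, limit is {MAX_CONDITION_LEN}; "
        "use oui_pattern() or split the list across policies"
    )


def is_exempt(pattern: str, calling_station_id: str) -> bool:
    """Does the condition match this Calling-Station-Id?

    The post relies on ^ and $ to force an exact match, i.e. an unanchored
    pattern matches anywhere inside the attribute; re.search models that.
    """
    return re.search(pattern, calling_station_id) is not None


def max_macs(builder) -> int:
    """How many addresses a given form can hold within the limit."""
    n = 0
    while fits(builder([f"02005455{i:04X}" for i in range(n + 1)])):
        n += 1
    return n


if __name__ == "__main__":
    printers = ["02-00-54-55-4E-01", "02:00:54:55:4e:02"]   # constructed sample MACs
    condition = build_condition(printers)
    print("paste into Calling Station ID:", condition)
    print("printer 2 exempt:", is_exempt(condition, "020054554E02"))
    print("other host exempt:", is_exempt(condition, "020054554E03"))
    # A truncated MAC without anchors quietly exempts a whole range:
    print("unanchored over-match:", is_exempt("020054554E0", "020054554E0F"))
    print("exact form holds", max_macs(exact_pattern), "MACs,",
          "grouped form holds", max_macs(grouped_pattern))
```

The exact form from the post runs out at 17 addresses and the grouped form at 19, so the 256-character field is a real ceiling rather than a corner case; past it, the vendor-prefix form is the only single-policy option, and its wider net is exactly why the spoofing caveat above matters.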

Let's check whether these devices are indeed exempted by this policy.

Open Windows Event Viewer (eventvwr.msc), then power on the devices or renew their DHCP leases. In the left pane of the MMC, click Custom Views -> Server Roles -> Network Policy and Access Services. Scroll through the logged events until you find an access-granted event (event ID 6272 from the Security log) whose Calling Station Identifier is one of the exempted MAC addresses and whose Network Policy Name is the exemption policy. If instead you see an access-denied event (6273) or a different policy name, the device was handled by an earlier policy and the processing order needs another look.

 

Hope this helps with your DHCP NAP deployment. Comments, suggestions and queries are welcome.

Regards, 

Ujjwal John

[Windows Enterprise Networking Group, Microsoft]