D-Link Wireless AP with NAP 802.1x solution WRPD, Jan, 2008
What’s Network Access Protection (NAP) Network Access Protection technology is led by Microsoft, which is policy enforcement technology used in next generation Windows platforms, and provides components and an application programming interface (API) set that help administrators enforce compliance with health policies for network access or communication. According to corporation policy, administrators could enforce compliance with health requirements for network access and communication. NAP requirements: Server: Microsoft Windows Server 2008, Codename “Longhorn” Clients: Microsoft Windows Vista or Microsoft XP SP2 with NAP client Appliances: DWL-3200AP D-Link Confidential
Network Access Protection (NAP) Overview There are 4 important pillars with NAP architecture, including: Policy Validation, Network Restriction, Remediation and Ongoing Compliance. Policy Validation: Are computers “healthy” – compliant with company’s security policy Network Restriction: Restrict network access based on their health Remediation: Provides necessary updates to become healthy Once healthy, the network restrictions are removed Ongoing Compliance: Changes in computers’ health may dynamically result in network restrictions D-Link Confidential
Network Access Protection – Walk Through 12/24/2017 3:28 AM Network Access Protection – Walk Through Corporate Network Restricted Network Remediation servers System health servers Here you go Can I have updates? Ongoing policy updates to NPS Policy Server May I have access? Here’s my current health status Requesting access. Here’s my new health status Should this client be restricted based on its health? According to policy, the client is up to date Grant access According to policy, the client is not up to date. Quarantine client, request it to update DWL-3200AP You are given restricted access until fix-up Microsoft network policy server Client Client is granted access to full intranet D-Link Confidential © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 4
NAP 802.1X Flow Chart D-Link Confidential Enable WPA(2) PEAP and Dynamic VLAN on DWL-3200AP 802.1X Authentication Fail Client stays in Guest VLAN Yes Remediation process completed If client compliance status or company policy is changed Success Not Compliant Compliant Client is assigned to Non-compliance VLAN for remediation Policy Compliance Check Client is assigned to Compliance VLAN D-Link Confidential
Necessary Policies in 802.1X NAP Scenario There are 3 type of polices should be configured under Network Policy Server, which is a component within Microsoft Windows Server 2008 Connection Request Policy This policy determines which connection request is acceptable In 802.1X NAP scenario, only connection request from DWL-3200AP is acceptable Health Policy System Health Validator (SHV) determines which element is needed when validating health status, such like: firewall status, anti-virus status, anti-spyware status and so on Health Policy adopts SHVs to determine which criteria is healthy, for example: “must pass all the SHV checks” is healthy Network Policy Network Policy determines which action is going to take based on the health status D-Link Confidential
NAP How-to in Brief Microsoft Active Directory Install Active Directory Certificate Services Microsoft Windows Server 2008, Codename “Longhorn” Install Network Policy Server (new version RADIUS server) [Detail] Configure RADIUS setting, correlated with DWL-3200AP [Detail] Configure polices, rules and actions Connection Request Policy [Detail] Health Policy [Detail] (System Health Validator [Detail]) Network Policy [Detail] Microsoft Windows Vista or XP SP2 with NAP client Enable NAP client enforcement feature [Detail] D-Link DWL-3200AP Configure WPA(2)-PEAP and RADIUS setting, correlated with DWL-3200AP [Detail] Enable MSSID with VLAN setting [Detail] D-Link Confidential
Windows Server 2008 – Network Policy Server [Back] D-Link Confidential
Windows Server 2008 – RADIUS Setting [Back] D-Link Confidential
Windows Server 2008 – Connection Request Policy [Back] D-Link Confidential
Windows Server 2008 – System Health Validator [Back] D-Link Confidential
Windows Server 2008 – Health Policy [Back] D-Link Confidential
Windows Server 2008 – Network Policy Important A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that clients matching these conditions should continue to be evaluated by the policy. Note The Tunnel-Tag value is populated in all attributes used in this policy, and serves to group these attributes together, identifying them as belonging to a particular tunnel. Consult your vendor documentation to determine if a unique Tag value is required for your switch. [Back] D-Link Confidential
Windows Vista [Back] D-Link Confidential
DWL-3200AP Configuration 1 DWL-3200AP Configuration Select WPA or WPA2 Enterprise Input the radius server setting 15 D-Link Confidential
DWL-3200AP Configuration 2 Enable VLAN State Select Dynamic to enable dynamic vlan function. D-Link Confidential
DWL-3200AP 802.1x NAP Test Environment VLAN10 Guest VLAN 20 Limited Access VLAN 30 Full Access DWL-3200AP enable WPA(2) PEAP and dynamic vlan setting D-Link switch which support 802.1q VLAN,create v10,v20,v30 for guest vlan, limited access vlan and full access vlan. Microsoft AD/NAP Enforcement/Health check/NPS server Windows Vista Business 17 D-Link Confidential
Network Access Protection - Resources Network Access Protection Web site http://www.microsoft.com/technet/network/nap/default.mspx Introduction to Network Access Protection http://www.microsoft.com/technet/network/nap/napoverview.mspx Network Access Protection Platform Architecture http://www.microsoft.com/technet/network/nap/naparch.mspx Step By Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab http://www.microsoft.com/downloads/details.aspx?FamilyID=8a0925ee-ee06-4dfb-bba2-07605eff0608&displaylang=en Network Access Protection: Frequently Asked Questions http://www.microsoft.com/technet/network/nap/napfaq.mspx Network Access Protection - TechNet Forums http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=576&SiteID=17 D-Link Confidential