
802.1x authentication with GNS3, Windows 2012 and Windows 7 client

pre-requirements

• VirtualBox 4.2.4 or later (www.virtualbox.org)
• GNS3 (www.gns3.org)
• Windows 2012 installed in a virtual machine and configured as a domain controller (DC)
• a Windows 7 client installed in a virtual machine and joined to the domain
Table of Contents
pre-requirements
Environment setup
  GNS3
  Add the virtual machines
  Connect the virtual machines to the virtual EtherSwitch router
  Start the virtual devices
  Install the Network Policy Server (RADIUS) to Windows 2012
Install the Certificate Server to Windows 2012
Configure the certificate authority
Configure the RADIUS server
  Set up the switch as RADIUS client
  Set up the Connection Request Policy on the RADIUS Server
  Set up the Network Policy on the RADIUS Server
Configure the EtherSwitch router for 802.1x
Test the 802.1x authentication on the client
NAP with DHCP enforce
  Set up DHCP server on the Windows 2012 machine
  Set up the DHCP relay on the switch
  Add the "Health roles" to the already installed NAP Service
  Group policy settings for DHCP and 802.1x enforce
  Set up the NAP capability on the DHCP
  Set up the NAP on the NPS server
    Create a Remediation Server Group
    Set up Windows security health
    Create Health policy
    Create Network Policy
    Create the second Network policy for non compliant machines
NAP with 802.1x enforce
  Turn off the NAP on the DHCP scope
  Enable the EAP Quarantine enforcement client by group policy
  Enable the NAP capability on the client computer's network card
  Set up the NPS server manually
    Disable the previous DHCP Network policy rules
    Modify the 802.1x authentication Network Policy to check the health too
    Create a new Network policy rule for the non compliant machines
    Create Connection Policy on the NPS server
  Set up the NPS by wizard
Environment setup

GNS3

1. Start GNS3. It will ask for a project name and directory.

2. Give it any name and directory.

3. Select Edit / Preferences, to test and set up the VirtualBox integration.

4. On the preferences window select VirtualBox, and on the "General Settings" tab click the "Test
Settings" button. Hopefully the VirtualBox API works fine. If not, try to reinstall GNS3 (I
recommend using the all-in-one installation package).

5. Open the "VM List" combo box, and select the virtual machine that you want to add. We will
add two virtual machines, the win2012 and the win7:

6. We want to simulate a closed network and do not want any connection out of the virtual environment,
so check the "Do not use first NIC for connections with the host OS" box, then click the "Save"
button.
7. Similarly add the win7 machine:

8. Now we have to add an IOS image to GNS3. Borrow one from your company, then click
Edit / "IOS images and hypervisors".
9. Click the "..." icon next to "Image File".

10. Select your borrowed image file, then click the Open button:
11. If the image has to be decompressed, just click the Yes button.

12. Click the "Save" button. You will see a warning message: "Warning: IDLE PC will have to be
configured"; we will deal with it later. Finally click the "Close" button.
Add the virtual machines

13. Select the "VirtualBox guest" icon on the left, and drag and drop it to the large empty area in
the middle.

14. A window appears to select which virtual machine you want to add. First I add the Windows
2012 server:

15. Similarly drag and drop a second "VirtualBox guest" to the middle area. Now the previous
selection window may not appear, because there is only one other "VirtualBox guest" left.
Connect the virtual machines to the virtual etherswitch router

16. Then drag and drop an "EtherSwitch router" to the middle area. Now we must connect the
"VirtualBox guests" to the switch. Select the connect icon, and from the popup menu the "Manual"
connection (if you select a simple Gigabit or FastEthernet link you cannot choose the exact port):

17. We connect the first NIC of the win2012 VirtualBox guest to the FastEthernet 1/0 port of the
"EtherSwitch router" and the first NIC of the win7 VirtualBox guest to the FastEthernet 1/1 port of
the "EtherSwitch router". To make these connections right click the "EtherSwitch router", and select
the "FastEthernet 1/0" (f1/0) port:

18. Right click the win2012 VirtualBox guest, and from the popup menu select the "e1" interface.

19. To create the other connection right click again the "EtherSwitch router" and select the
"FastEthernet 1/1" (f1/1) interface. Then right click the win7 "VirtualBox guest", and select its e1
interface:

20. To finish the connection click again the add link button on the task bar.

21. Here is the final network diagram with the interfaces:


Start the virtual devices

22. Start the Windows 2012 server by right clicking it and selecting the Start command from the popup
menu:

23. When it has booted up, similarly start the win7 machine.

24. Then finally start the "EtherSwitch router".

25. After starting the "EtherSwitch router" you will notice it uses up all the CPU resources of the
computer. To help with this we should use the "IDLE PC" feature.

26. Right click the "EtherSwitch router", and from the popup menu select the "Idle PC" command.

27. Then it calculates for a while.

28. Select a value with a star in front of it, then click the OK button. If an information window
appears click the OK button on that as well:

29. The CPU load of your computer should decrease significantly. If not, repeat the process.

30. Test the connection between the win7 client and the Windows 2012 server with ping.
Install the Network Policy Server (RADIUS) to Windows 2012

31. Start the Server Manager, if it does not start automatically, then select Manage / "Add Roles and
Features".

32. Click Next on the welcome screen of the wizard:

33. Select "Role-based or feature-based installation".

34. Select the local server.

35. Select "Network Policy and Access Services" to install.

36. The wizard informs you that it requires some additional features to install. Click the "Add
Features" button to accept the dependencies.

37. Click Next to continue the wizard.

38. The required features are already selected, so click Next on the "Select Features" page.

39. Click Next on the "Network Policy and Access Services" screen.

40. Select the "Network Policy Server" role service to install. We do not need the "Health
Registration Authority" and the "Host Credential Authorization Protocol" yet; we will install them
later, when we configure the health policy with 802.1x.

41. On the confirmation window click the "Install" button.

42. Then wait until the installation finishes.
Install the Certificate Server to Windows 2012

43. Select Manage / "Add Roles and Features" in the Server Manager.

44. Click Next on the welcome screen.

45. Select "Role-based or feature-based installation", and click Next.

46. Select the local server as destination.

47. Select "Active Directory Certificate Services" as server role.

48. Again the wizard informs you that it requires some additional features to install. Click the
"Add Features" button to accept the dependencies.

49. Click Next on the "Server Roles" window.

50. Click Next on the "Select Features" page.

51. Click Next on the certificate services installation window.

52. Install the "Certification Authority Web Enrollment" role service as well.

53. Again the wizard informs you that it requires some additional features to install. Click the
"Add Features" button to accept the dependencies.
54. Click Next on the "Select Role Services" window.

55. Click Next on the "Web Server Role (IIS)" window.

56. I usually add "Basic Authentication" as well; it is not mandatory, it just works well as a
backup authentication method. (Basic Authentication sends the password in clear text, so only use it if the
enrollment site is served over HTTPS.)

57. Click Install on the confirmation window.

58. Wait until the installation completes.

59. There are some additional tasks we should do, so click the post-deployment configuration link.
60. Use a domain administrator user to configure, then click the Next button.

61. Select the two role services to do the post configuration:

62. Select the CA type ("enterprise" here has nothing to do with the Windows Enterprise or
Standard edition; it means the CA is AD-integrated, so the domain computers can find it
automatically). Generally at least a two-level hierarchy is recommended (an offline standalone root CA, and an
enterprise issuing CA). Now in the test environment we will install only an enterprise root CA,
because it requires fewer resources.

63. Select "Root CA" as CA type.

64. Select "Create a new private key", because we want to create a new certificate server.

65. Set the key length and hash algorithm. I used the largest available ones. If you want to
install certificates on network devices as well, check what is supported by the IOS (older IOS versions do
not support every key length and hash algorithm). Now we do not
install a certificate on the switch; the authentication will be done on the RADIUS server.
66. Change the CA name, or set some additional parameters if you want, then click Next.

67. Set the validity period.

68. Select the location of the CA database and transaction log files:

69. On the confirmation window click Configure.

70. Wait until the installation finishes.
Configure the certificate authority

By default the certificate authority does not issue certificates suitable for RAS and IAS servers, so we
should enable that certificate template as well. The NPS server needs a certificate from this template to
prove its identity to the clients during PEAP.

1. Start the Certification Authority management console.

2. Right click "Certificate Templates", then from the popup menu select New / Certificate
Template to Issue.
3. From the certificate templates select "RAS and IAS Server", then click OK.

4. Check that this template really appears among the templates.

5. Give your server some time to request a certificate automatically (autoenrollment from this template
requires the NPS computer to be a member of the "RAS and IAS Servers" domain group, which it joins when NPS
is registered in Active Directory); you may reboot it just to be sure. It is also recommended to run
gpupdate /force on the client, or to reboot it, so that it receives the certificate of this newly installed
enterprise root CA through Active Directory.
Configure the RADIUS server

Set up the switch as RADIUS client

71. Start the Network Policy Server management console.

72. Select "RADIUS Clients", to configure the switch as a RADIUS client.

73. Right click "RADIUS Clients" and select "New" from the popup menu.
74. Give a friendly name to the switch and configure its IP address. I will use the IP
192.168.168.1 for the switch. After that we must configure a shared secret between the switch and the RADIUS
server, which they use to authenticate each other's packets. I used the password cisco123. It can
be anything, but in general a key of at least 10 characters is recommended, because it is a quite weak
authentication method: the secret only feeds an MD5 authenticator in every packet, so anyone who can capture
the RADIUS traffic can guess the secret offline and then forge Access-Accept messages. On a real network use
a long random secret (the "Generate" option in the NPS client dialog creates one).
75. Check that the new RADIUS client is created.
Set up the Connection Request Policy on the RADIUS Server

76. Right click "Connection Request Policies", and select New from the popup menu.

77. Give a name to the Connection Request Policy, and leave the type as "Unspecified".
78. On the "Specify Conditions" window click the "Add..." button to define a condition.

79. Select NAS Port Type as condition.

80. Select Ethernet as port type (we want to answer the 802.1x requests coming from wired ports).

81. On the "Specify Connection Request Forwarding" page, since we do not want to forward the request,
select "Authenticate requests on this server" and click the Next button.
82. On the "Specify Authentication Methods" window do not select any authentication method (we
will configure them later in the Network Policy), just click the Next button.
83. On the "Configure Settings" window click the Next button.
84. On the completion window click the Finish button.
85. Check that the policy is created.
Set up the Network Policy on the RADIUS Server

86. Right click "Network Policies" and from the popup menu select the New command.

87. Give a name to the Network Policy, leave its type as Unspecified, then click the Next
button.
88. On the Specify Conditions window click the "Add..." button.

89. Select NAS Port Type as condition.

90. Select Ethernet as port type, then click the OK button.

91. Click the "Add..." button again.

92. Select "Windows Groups" as condition, then click the "Add..." button.
93. Click the "Add Groups..." button.

94. Add "Domain Computers" (when no user is logged in, the computer uses its own
account to authenticate. Without it there can be problems with downloading computer policies, logon
and things like that). Then click the OK button.

95. Then add "Domain Users". After the user logs in, the computer re-authenticates with the user's
credentials, because depending on the logged-on user you may want to assign a different VLAN, or whatever.
If you do not want this, the "Specify authentication mode" option in the adapter's additional 802.1X settings
(or the corresponding registry setting) makes the client keep using the computer account after the user has
logged in.
96. Check that you added both groups, then click the OK button.

97. Check that there is an "OR" condition between the two groups, then click the Next button.
98. We want to allow the communication if someone authenticated, so select Access Granted on the
"Specify Access Permission" window, then click the Next button.
99. On the "Configure Authentication Methods" window click the "Add..." button under the EAP
types
100. and from the popup menu select Microsoft: Protected EAP (PEAP), and click the OK button.
101. Select the newly added EAP type, and click the "Edit..." button.

102. Select the certificate we want to use. Hopefully you already got one; if not, request a server
certificate from the RAS and IAS Server template. Do NOT use the certificate of the CA server
itself, that will not work (PEAP needs a certificate with the Server Authentication purpose issued to the NPS
server, which the CA's own certificate is not). Then click the "Add..." button to add another authentication
type:
103. Select "Smart Card or other certificate" as authentication method, then click the OK button:

104 I set the “Allow client to change password after it has expired”, to make
105. On the Configure Authentication Methods page click Next.
106. On the "Configure Constraints" window click the Next button.
107. On the Configure Settings window click the "Add..." button.
108. Select "Tunnel-Medium-Type" then click the "Add..." button.
109. On the Attribute Information window click the "Add..." button again.
110. Select "Commonly used for 802.1x" as attribute information; the value is "802 (includes all 802
media plus Ethernet canonical format)".

111. Click the OK button on the "Attribute Information" window.

112. Select "Tunnel-Preference" as the next attribute we want to define.

113. Give it the value 1, then click the OK button.

114. Select Tunnel-Pvt-Group-ID as the next attribute, and click the Add... button.
115. On the Attribute Information window click the "Add..." button again.
116. Define the VLAN you want the client to be placed in after the authentication. I will use
VLAN 2 as the authenticated users' VLAN. The value is the VLAN ID as a string ("2").

117. Click OK on the Attribute Information window.

118. Select Tunnel-Type as the next attribute, and click the "Add..." button.
119. On the Attribute Information window click the "Add..." button again.
120. Select Virtual LANs (VLAN) from the "Commonly used for 802.1x" list, then click the OK button.

121. Click OK on the "Attribute Information" window.

122. Click Close on the "Add Standard RADIUS Attribute" window.

123. Check that all the settings are correct, then click the Next button. The three attributes together
(Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Pvt-Group-ID = 2) are what the switch reads to
move the port into VLAN 2; if any one of them is missing the switch ignores the assignment.
124. On the completion window click the Finish button.
125. Check that the new network policy is created correctly.
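The shared secret from step 74 and the Tunnel-* attributes from steps 108 to 123 are easiest to understand on the wire. The following Python script is an added example, not part of the original tutorial and not NPS or Cisco code: it builds the switch's Access-Request and the server's Access-Accept for the VLAN 2 assignment, verifies the Response Authenticator the way the switch does, extracts the VLAN from the RFC 2868 tagged attributes, and shows how a captured request/accept pair lets an attacker test shared-secret guesses offline. The packets are constructed here rather than captured from GNS3; the EAP/PEAP rounds (EAP-Message, State and Message-Authenticator attributes) are left out, and the account name host/win7.example.local and the tag value 1 are assumptions.

```python
"""RADIUS Access-Request / Access-Accept for an 802.1x port with VLAN assignment
(RFC 2865 / RFC 2868): the switch-side checks and an offline secret guess."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# attribute types used by the policies on this page
USER_NAME, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 4, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 64, 65
TUNNEL_PRIVATE_GROUP_ID, TUNNEL_PREFERENCE = 81, 83
NAS_PORT_TYPE_ETHERNET = 15  # "Ethernet" in the NPS condition
TUNNEL_TYPE_VLAN = 13        # "Virtual LANs (VLAN)"
TUNNEL_MEDIUM_IEEE_802 = 6   # "802 (includes all 802 media ...)"


def attr(atype, value):
    """One attribute: Type, Length (header included), Value (max 253 bytes)."""
    return bytes([atype, 2 + len(value)]) + value


def tagged_int(atype, tag, value):
    """RFC 2868 tagged integer: one tag octet plus a 3-octet big-endian value."""
    return attr(atype, bytes([tag]) + struct.pack(">I", value)[1:])


def tagged_str(atype, tag, text):
    """RFC 2868 tagged string; Tunnel-Private-Group-ID carries the VLAN id as text."""
    return attr(atype, bytes([tag]) + text.encode())


def packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack(">BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Nothing but the secret protects this digest, hence guess_secret() below."""
    body = b"".join(attrs)
    header = struct.pack(">BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def parse(raw):
    """Return (code, id, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack(">BBH", raw[:4])
    attrs, pos = [], 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return code, ident, raw[4:20], attrs


def verify_response(raw, request_auth, secret):
    """What the switch does with an Access-Accept: recompute and compare."""
    code, ident, auth, attrs = parse(raw)
    expected = response_authenticator(code, ident, request_auth,
                                      [attr(t, v) for t, v in attrs], secret)
    return hmac.compare_digest(auth, expected)


def vlan_from_accept(raw):
    """VLAN the port should join, or None when the three Tunnel-* attributes are
    not all present and consistent (a switch ignores an incomplete set)."""
    code, _, _, attrs = parse(raw)
    found = dict(attrs)
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if code != ACCESS_ACCEPT or any(t not in found for t in needed):
        return None
    if int.from_bytes(found[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(found[TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    gid = found[TUNNEL_PRIVATE_GROUP_ID]
    return (gid[1:] if gid[0] <= 0x1F else gid).decode()  # RFC 2868 3.6: tag > 0x1F is data


def guess_secret(request_raw, accept_raw, candidates):
    """Offline attack on a captured request/accept pair: test each candidate locally."""
    _, _, request_auth, _ = parse(request_raw)
    for cand in candidates:
        if verify_response(accept_raw, request_auth, cand.encode()):
            return cand
    return None


def exchange(secret=b"cisco123", vlan="2", ident=7):
    """Constructed messages: the switch (192.168.168.1) asks NPS about the win7 host
    (assumed account name) and NPS answers with the network policy's VLAN attributes."""
    request_auth = os.urandom(16)
    request = packet(ACCESS_REQUEST, ident, request_auth, [
        attr(USER_NAME, b"host/win7.example.local"),
        attr(NAS_IP_ADDRESS, bytes([192, 168, 168, 1])),
        attr(NAS_PORT_TYPE, struct.pack(">I", NAS_PORT_TYPE_ETHERNET))])
    accept_attrs = [tagged_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN),
                    tagged_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE_802),
                    tagged_int(TUNNEL_PREFERENCE, 1, 1),
                    tagged_str(TUNNEL_PRIVATE_GROUP_ID, 1, vlan)]
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, accept_attrs, secret)
    return request, packet(ACCESS_ACCEPT, ident, auth, accept_attrs)
```

Call exchange() to get the two packets, verify_response() with the request authenticator to confirm the accept, and vlan_from_accept() to get "2". guess_secret(request, accept, ["cisco", "Cisco1", "cisco123"]) returns "cisco123" after three MD5 computations, which is the whole argument for a long random secret: the switch and the server can also be protected by putting RADIUS on its own VLAN, but the secret is the only cryptographic protection the protocol itself has.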
Configure the EtherSwitch router for 802.1x

Plan: We create two VLANs, VLAN 168 for the server (it does not require 802.1x
authentication, otherwise the switch could not reach its RADIUS server), and an access VLAN
(VLAN 2) that requires 802.1x authentication; for now only the win7 client will be in it. The switch
will authenticate the client on the RADIUS server of the Windows 2012 machine; first we accept MS-CHAPv2,
later we change it to certificate based authentication. After the authentication the RADIUS server sends
the switch the VLAN the client port should join (now VLAN 2). The IP addresses of the VLANs
are:
• 192.168.168.0/24 in VLAN 168, the default gateway is the switch, with the IP
192.168.168.1 in this VLAN.
• 192.168.2.0/24 in VLAN 2, the default gateway is the switch with the IP 192.168.2.1 in this
VLAN.

126. Right click the router, then select the Console command from the popup menu.

127. The switch is in privileged exec (or admin) mode; this can be seen from the # at the end of the prompt. If
your switch is in user mode for any reason (it can be seen from the > at the end of the prompt)
then type enable and hit Enter, to enter the admin mode. To configure the switch use the
configure terminal command.

128. Create the two required VLANs (VLAN 2 and VLAN 168), and give them a name (it is not
mandatory to name them):
vlan 2
name Access
vlan 168
name Management
exit

129. Add the port f1/0 to VLAN 168 and set it up as an access port; similarly add port f1/1 to VLAN 2
and set it up as an access port, then save the configuration. We set both ports to portfast mode; as one
can read in the warning, it is dangerous. This mode means, if the :

interface FastEthernet 1/0
switchport mode access
switchport access vlan 168
spanning-tree portfast

interface fastEthernet 1/1
switchport mode access
switchport access vlan 2
spanning-tree portfast

do write
130. Define the IP address for both VLANs, then create a DHCP server on the switch, which will give
IP addresses to the client machines in VLAN 2. Obviously exclude the IP address of the switch itself.
Then save the configuration:

interface vlan 2
ip address 192.168.2.1 255.255.255.0
no shutdown
exit

interface vlan 168
ip address 192.168.168.1 255.255.255.0
no shutdown
exit

ip dhcp excluded-address 192.168.2.1

ip dhcp pool access
network 192.168.2.0 /24
default-router 192.168.2.1
dns-server 192.168.168.110
exit

do write

131. And finally set up the 802.1x authentication.

Create a new authentication, authorization and accounting (AAA) model, and set it up to use RADIUS
for 802.1x authentication and for network authorization (the authorization line is what lets the switch
accept the VLAN the RADIUS server sends back; without it the port stays in its configured VLAN). The RADIUS
server is the Windows 2012 server with IP address 192.168.168.110, the port is the usual 1812/UDP, and the
RADIUS shared secret is "cisco123". Then enable dot1x globally.

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.168.168.110 auth-port 1812 key cisco123
dot1x system-auth-control

Set up the f1/1 interface to require authentication (auto mode).

interface fastEthernet 1/1
dot1x port-control auto
exit

Set up the port f1/0 not to require authentication (force-authorized); the server on it cannot
authenticate with 802.1x and the switch must reach it in order to talk to RADIUS at all.

interface FastEthernet 1/0
dot1x port-control force-authorized
exit
do write
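Once the switch is configured, a quick way to check that nothing was forgotten is to audit the running-config. The following Python script is an added example (not from the tutorial and not a Cisco tool): it parses a constructed "show running-config" excerpt modelled on the commands above, plus a hypothetical third access port FastEthernet1/2 that never received a port-control setting, and reports missing global commands, access ports without 802.1x, force-authorized ports that need a justification, and a RADIUS shared secret shorter than the 10 characters recommended in step 74. The sample deliberately leaves out "aaa authorization network default group radius" so that that check fires. It assumes running-config form (sub-commands indented by one space) and a clear-text key, which is how IOS prints it without service password-encryption.

```python
"""Audit a Cisco IOS running-config for the 802.1x settings this page configures."""
import re

# Constructed sample in "show running-config" form: the page's switch config, a third
# access port that was never set up for 802.1x, and no "aaa authorization network" line.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.168.168.110 auth-port 1812 key cisco123
dot1x system-auth-control
!
interface FastEthernet1/0
 switchport mode access
 switchport access vlan 168
 spanning-tree portfast
 dot1x port-control force-authorized
!
interface FastEthernet1/1
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
 dot1x port-control auto
!
interface FastEthernet1/2
 switchport mode access
 switchport access vlan 2
!
interface Vlan168
 ip address 192.168.168.1 255.255.255.0
"""

MIN_SECRET_LEN = 10  # the page's own minimum for the RADIUS shared secret
REQUIRED_GLOBALS = ("aaa new-model",
                    "aaa authentication dot1x default group radius",
                    "dot1x system-auth-control")


def parse_interfaces(config):
    """Map interface name (spaces removed) -> list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].replace(" ", "")
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level command ends the block
    return blocks


def audit_dot1x(config):
    """Return {"ports": {name: port-control mode}, "findings": [text, ...]}."""
    findings = []
    top = [l for l in config.splitlines() if not l.startswith(" ")]
    for required in REQUIRED_GLOBALS:
        if required not in top:
            findings.append(f"missing global command: {required}")
    if "aaa authorization network default group radius" not in top:
        findings.append("missing 'aaa authorization network default group radius': "
                        "the switch will ignore the VLAN sent by the RADIUS server")
    for line in top:
        # "key 7 ..." is already encrypted and cannot be judged; "key 0 x" / "key x" is clear text
        m = re.match(r"radius-server host \S+.*\bkey (?:(\d) )?(\S+)", line)
        if m and m.group(1) != "7" and len(m.group(2)) < MIN_SECRET_LEN:
            findings.append(f"RADIUS shared secret '{m.group(2)}' is shorter than "
                            f"{MIN_SECRET_LEN} characters")
    ports = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunks, SVIs and routed ports are out of scope here
        mode = "none"
        for cmd in cmds:
            if cmd.startswith("dot1x port-control "):
                mode = cmd.split()[-1]
        ports[name] = mode
        if mode == "none":
            findings.append(f"{name}: access port without 'dot1x port-control', any host gets in")
        elif mode == "force-authorized":
            findings.append(f"{name}: force-authorized bypasses 802.1x, confirm only the "
                            "RADIUS/DC server is connected here")
    return {"ports": ports, "findings": findings}


if __name__ == "__main__":
    for finding in audit_dot1x(SAMPLE_CONFIG)["findings"]:
        print("-", finding)
```

On the sample above the script reports four items: the missing authorization line, the 8-character secret, FastEthernet1/2 without port-control, and FastEthernet1/0 as a force-authorized exception. Feed it the real output of "show running-config" to check a switch you did not configure yourself.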
Test the 802.1x authentication on the client

132. Go to Administrative Tools / Services, and if it is not started, start the "Wired AutoConfig"
service. I also recommend setting it to Automatic.

133. Log on to the Windows 7 machine and open the Network and Sharing Center.

134. Click "Change adapter settings".

135. You can see from the question mark that 802.1x is active on the port, but you were not able to
authenticate yet. Right click the Local Area Connection, and select Properties from the popup
menu.

136. Go to the Authentication tab (if you do not see this tab start the "Wired AutoConfig" service,
then reopen this properties window), and click the Settings button.
137. Clear the checkmark from the "Validate server certificate" checkbox (first we test it with these
settings, later we put it back; with validation off the client hands its MS-CHAPv2 response to any RADIUS
server that answers, so never leave it like this). Then click the Configure button next to "Secured
password (EAP-MSCHAP v2)".

138. Clear the checkmark before "Automatically use my Windows logon name and password
(and domain if any)" (again we do it to see the steps of the authentication more clearly, later we will put
it back). Then click OK on all the network settings windows.
139. Because we previously cleared the checkmark, the computer asks for a username and password.
Type them, and click the OK button.

140. Hopefully the authentication will be successful; you can see it from the disappearing question
mark. If the authentication is not successful and you get error messages like the following ones on
the server, then most probably the certificate on your RADIUS server is not the correct one:
141. If the authentication was working we can put back the checkmark before "Validate server
certificate", and select our certificate server under "Trusted Root Certification Authorities", then click
OK on all the network settings windows.
142. Now you will get a warning about the certificate, and you should accept the certificate of the
RADIUS server by clicking the Connect button:
143. Then put back the checkmark before "Automatically use my Windows logon name and
password (and domain if any)", and click OK on every network configuration window.

144. Disable and enable the network card, to see if the computer authenticates automatically with
your username and password.
NAP with DHCP enforce

Set up DHCP server on the Windows 2012 machine

145. Create a new IPv4 scope by right clicking IPv4 and selecting "New Scope..." from the popup
menu.

146. Click the Next button on the welcome page of the wizard.
147. We will use this scope to give IP addresses to the computers in VLAN 2, so I name it vlan2,
but of course it can be anything.
148. Set up a scope range; I used the range 192.168.2.200 to 192.168.2.250.

149. If you want to define exclusions, set them up; I do not need any.
150. For the lease duration I used the default value. It is only a test environment, so it can be anything.

151. Configure the DHCP options.

152. Add the IP address of the switch (192.168.2.1) as default router.

153. Set up the DNS information. Now the DNS server is our Windows 2012 machine,
192.168.168.110.

154. Set up a WINS server if required; I do not need it now, so click Next.
155. Activate the scope now.

156. Click the Finish button.


Set up the DHCP relay on the switch

157. We should delete the previously created pool, and instead set up the switch on VLAN 2 as a
DHCP relay agent. To do it use the following commands:

no ip dhcp pool access

Enter the context of VLAN 2, then set up the relay agent:

interface vlan 2
ip helper-address 192.168.168.110
no autostate
do write
Add the “Health roles” to the already installed NAP Service

158. Select the NAP service, and from the TASKS combo box select the "Add Roles and Features"
command.

159. Click Next on the welcome screen.

160. Select "Role-based or feature-based installation" then click Next.
161. Select the local server from the pool.

162. Check "Health Registration Authority".

163. The wizard states you should install some features as well. Just accept the recommendations
by clicking the "Add Features" button.
164. Put a check before "Host Credential Authorization Protocol".

165. Again, for this role we must install some features; click the "Add Features" button to accept
the recommendation of the wizard.
166. Click the Next button.

167. The required features were automatically selected, so just click the Next button again.
168. Click the Next button again.
169. On the "Certification Authority" page select "Use the local CA to issue health certificates for
this HRA server" then click the Next button.

170. If you select Yes, only domain members will get health certificates; if you want to allow
non-domain-member computers to get them as well, select No.
171. Click Install to start the installation.
172. Wait patiently until it finishes.
Group policy settings for DHCP and 802.1x enforce

In the group policy we should set the "Network Access Protection Agent" service to start automatically,
and the "Wired AutoConfig" service to start automatically.
Enable the "DHCP Quarantine Enforcement Client" and the "EAP Quarantine Enforcement Client"
(later we will do the 802.1x enforcement, so we enable both while we are there).
Turn on Security Center for the client computers.

1. Open Active Directory Users and Computers, create an organizational unit, and move the
computer object of your Windows 7 test machine into it.

2. Start the Group Policy Management console.

3. Right click the OU that contains your Windows 7 test machine, and from the popup menu select
"Create a GPO in this domain, and Link it here...".
4. Give it some name; we do not need any starter GPO.

5. Right click this newly created policy, and from the popup menu select "Edit".
6. Navigate to: Computer Configuration / Policies / Windows Settings / Security Settings / System
Services. Right click "Network Access Protection Agent", and from the popup menu select
"Properties".

7. Set the service to Automatic start.

8. Check that it is really set to Automatic.

9. Right click "Wired AutoConfig", and from the popup menu select "Properties".
10. Set the service to Automatic start.

11. Check that it is really set to Automatic.

12. Navigate to: Computer Configuration / Policies / Windows Settings / Security Settings / Network
Access Protection / NAP Client Configuration / Enforcement Clients. Right click "DHCP Quarantine
Enforcement Client", and from the popup menu select "Enable".

13. Right click "EAP Quarantine Enforcement Client", and from the popup menu select
"Enable". (Obviously this step is not needed for the DHCP enforcement, but we will do an 802.1x
enforcement later, so we set it up as well.)
14. Navigate to: Computer Configuration / Policies / Administrative Templates / Windows Components /
Security Center. Right click "Turn on Security Center (Domain PCs only)", and from the popup menu
select Edit.
15. Enable this policy, and click OK.
Set up the NAP capability on the DHCP

1. Start the DHCP management console.

2. Right click the scope, and from the popup menu select "Properties".
3. Navigate to the "Network Access Protection" tab, and enable NAP for this scope.

4. Right click the "Policies" container, and from the popup menu select the "New Policy..."
command.
5. Give some name to the policy, then click the "Next" button.

6. Click the "Add" button.

7. Select "User Class" as criteria, "Equals" as operator, and "Default Network Access Protection
Class" as value:
8. Click the Next button.

9. Define a smaller IP range for the non-compliant computers, just to be able to check it easily, then
click the Next button.
10. Click Next on the following window.
11. Click Finish to finish the configuration.
12. Check that the policy is created.
Set up the NAP on the NPS server

Create a Remediation Server Group

1. We create a remediation server group, so that the computers which do not pass the health check can
still reach the servers they need to become compliant. Start the "Network Policy Server" management
console, then right click "Remediation Server Groups", and from the popup menu select New.

2. Give a name to the remediation server group, then click the "Add..." button.
3. Type the IP address or the name of the computer you want to use as remediation server; you can
give it a friendly name if you wish, but it is not mandatory.

4. If you want to add more computers use the "Add..." button. For me this one is enough, so I just
click the "OK" button.
Set up windows security health

After we set up the remediation server group the next step is to define what kind of tests we want to
run on the computers.

1 find the “Network Access Protection” / System Health Validators / Windows Security Health /
Settings. Right click to the “Default Configuration”, and from the popup menu select the Properties
command.

2 Select what kind of test you want to execute. For now I want to test only whether the firewall is
enabled, because it is easy to test this way. Then click to the OK button.
Create Health policy

Now we should create two health policies, one which defines how we identify the compliant
computers, and another for the non compliant computers.

1 right click to the policies / Health Policies and from the popup menu select “New”

2 Create a new policy for the healthy computers. Give it some name, and from the “Client SHV
checks” select the “Client passes all SHV checks”. So this policy evaluates to true if the client
passes every check. Then click to the OK button
3 Right click again to the policies / Health Policies and from the popup menu select “New”. Create a
new policy for the non healthy computers. Give it some name, and from the “Client SHV checks”
select the “Client fails one or more SHV checks”. So this policy evaluates to true if the client
fails at least one check. Then click to the OK button

4 Check if both the health policies are created.


Create Network Policy
The next step is to create two network policies. The first is to enable full network access for the
compliant client computers, and a second, to enable access to only the remediation computers for
the non compliant computers.

1 right click to the Policies / Network Policies, and from the popup menu select “New”

2 Give some name to the policy, and select “DHCP Server” as “Type of network access server”,
then click to the “Next” button.
3 on the specify condition window click to the “Add...” button
4 Select “Health Policies” as condition type then click to the “Add...” button
5 Select the “Client Healthy” policy, then click to the OK button

6 We do not have any other condition so click to the Next button.

7 Specify “Access granted” as permission, then click to the next button


8 On the “Configure Authentication Methods” window select “Perform machine health check only”,
then click to the next button
9 On the “Configure constraints” window click to the next button
10 On the “Configure Settings” window select “NAP Enforcement”, and there the “Allow full
network access”, then click to the next button.
11 On the completing window click to the finish button
Create the second Network policy for non compliant machines

Now, very similarly, we create another policy for those computers which fail the health check. The
only difference is that these computers are allowed to communicate only with the remediation
servers.

1 right click to the Policies / Network Policies, and from the popup menu select “New”

2 Give some name to the policy, and select “DHCP Server” as “Type of network access server”,
then click to the “Next” button.
3 on the specify condition window click to the “Add...” button
4 Select “Health Policies” as condition type then click to the “Add...” button
5 Select the “Client NOT Healthy” policy, then click to the OK button

6 We do not have any other condition so click to the Next button.

7 Specify “Access granted” as permission, then click to the next button


8 On the “Configure Authentication Methods” window select “Perform machine health check only”,
then click to the next button
9 On the “Configure constraints” window click to the next button
10 On the “Configure Settings” window select “NAP Enforcement”, and there the “Allow limited
access”, then click to the Configure button.
11 Select the remediation server group, because we want these servers to be reachable by the non
compliant computers.
12 On the completing window click to the finish button

13 Check the two newly created policies


NAP with 802.1x enforce
Previously we created a NAP enforcement with DHCP. It is good for testing purposes, because it is
easy to configure and it works fine, but from a security point of view it is worth nothing: it can be
easily bypassed by setting up a static IP address on the computer. So in a real environment a stronger
enforcement is required. One option is the 802.1x enforcement. Let us see how it can be configured.

Turn off the NAP on the DHCP scope

First turn off the previously created DHCP enforcement, so that it cannot cause any side effects.

1 Start the DHCP management console

2 Right click to the scope, and from the popup menu select “Properties”
3 Navigate to the “Network Access Protection” tab, and disable the NAP for this scope.
Enable the EAP Quarantine enforcement client by group policy

1 Open the “Active Directory Users and Computers” console, and create an organizational unit for the
test computers, then move the windows 7 machine into it.

2 start the server manager, and from the tools start the “Group Policy Management Console”

3 Find the organizational unit which contains your test computer. Right click to it, and from the popup
menu select “Create a GPO in this domain, and Link it here...”
4 Give a name to this group policy, and click to the OK button (we do not use any starter GPO)

5 Right click to the newly created group policy, and from the popup menu select the Edit command

6 Navigate to: computer configuration / Policies / Windows settings / Security Settings / System
Services. Right click to the “Network Access Protection Agent”, and from the popup menu select
“Properties”.
7 Set up the service to Automatic start

8 Check if it is really set to Automatic


9 Right click to the “Wired AutoConfig”, and from the popup menu select “Properties”.

10 Set up the service to Automatic start


11 Check if it is really set to Automatic

12 Navigate to: computer configuration / Policies / Windows settings / Security Settings / Network
Access Protection / Enforcement Clients. Right click to the “EAP Quarantine Enforcement Client”,
and from the popup menu select “Enable”.
14 Navigate to: computer configuration / Policies / Administrative templates / Security Center.
Right click to the “Turn on security center (Domain computers only)” policy, and from the popup
menu select Edit.
15 Enable this policy, and click to the OK button.
Enable the NAP capability on the client computer's network card

1 On the client computer navigate to the network connections. Right click to the network card you
want to use, and from the popup menu select the Properties command

2 Go to the Authentication tab (if you do not find it, then the “Wired AutoConfig” service is not
running; we set it to Automatic in the previous group policy part, so run a gpupdate /force command,
reboot the machine, or wait until the policy applies. Of course you can also start the service from the
Services snap-in in the Administrative Tools). Put a checkmark to the “Enable IEEE 802.1x
authentication”, then click to the Settings button next to the “Microsoft: Protected EAP (PEAP)”
3 Put a check before the “Enforce Network Access Protection”, then click to the OK button.
Set up the NPS server manually

Disable the previous DHCP Network policy rules

We have already disabled the previous DHCP rules on the DHCP server, now we disable the DHCP
rules on the NPS server as well.

1 Right click to the rule which gives full network access to your healthy clients, and from the popup
menu select the “Disable” command

2 Similarly right click to the rule which gives limited network access to your non healthy clients, and
from the popup menu select the “Disable” command
Modify the 802.1x authentication Network Policy, to check the health too

During the first part we created a rule called “Secure Ethernet” to do the 802.1x network
authentication. Now we modify this rule to require not only user authentication but also a system
health check. We will need two rules, one for the compliant machines and another for the non
compliant machines. We create the first one by modifying the already existing rule, then we create
a second one.

1 Right click to the “Secure Ethernet” rule, and select Properties from the popup menu.

2 go to the “Conditions” tab, and click to the “Add...” button.


3 select “Health Policies”, then click to the “Add...” button

4 Select the “Client Healthy” health policy then click to the OK button
5 Check if the condition appears, then click to the settings tab

6 click to the NAP enforcement, and set it to “Allow full network access”, then click to the OK.
7 Right click to the rule, and rename it as “Healthy clients FULL access”
Create a new Network policy rule for the non compliant machines
Create a separate rule for the non compliant computers. We could duplicate the previous rule and
modify only the health policy, but it is worth going through it step by step.

1 right click to the Policies / Network Policies, and from the popup menu select “New”

2 give some name to this new policy, and set the “Type of network access server” to “Unspecified”,
then click to the “next” button.
3 On the “Specify conditions” window click to the “Add....” button.
4 Select “NAS Port Type”, then click to the “Add...” button
5 Select “Ethernet” as “NAS Port Type”, then click to the OK button

6 On the “Specify conditions” window click again to the “Add....” button.


7 Now select “Windows Groups”, then click to the “Add...” button
8 On the “Windows Groups” window click to the “Add Groups...”

9 Type “Domain Computers”, then click to the Check Names button. If it is recognized, click to the OK
button

10 On the “Windows Groups” window click again to the “Add Groups...”


11 Type “Domain users”, then click to the Check Names button. If it is recognized, click to the OK
button

12 check if both groups are added, then click to the OK button


13 On the “Specify conditions” window click again to the “Add....” button.

14 Select “Health Policies”, then click to the “Add...” button


15 On the Health Policies window select “Client NOT Healthy”, then click to the OK button.

16 Check if all the three conditions are added, then click to the “Next” button
17 On the “Specify Access Permission” window select “Access granted”, then click to the “Next”
button
18 On the “Configure Authentication Methods” window click to the “Microsoft Protected EAP
(PEAP)”, then click to the “Edit...” button.
19 Select the certificate to authenticate the IAS server. Click to the Add button.
20 On the “Add EAP” window select “Smart Card or other certificate”, later we will use certificate
based user authentication, then click to the OK button.

21 click to the OK button

22 Click to the Next button


23 on the “Configure Constraint” window click to the Next button.
24 On the “configure settings” window click to the “Add...” button
25 Select “Tunnel-medium-type” then click to the “Add...” button
26 On the “Attribute Information” window click to the “Add...” button again

27 From the “Commonly used for 802.1x” combo box choose the 802 (includes all 802 media plus
ethernet canonical format), then click to the OK button
28 click to the OK button on the “Attribute Information” window

29 On the “Add Standard RADIUS Attribute window” Select “Tunnel-Pvt-group-ID” then click to
the “Add...” button
30 On the “Attribute Information” window click to the “Add...” button again

31 Type “3” as value (the non compliant computers will be added to VLAN 3), then click to the OK
button
32 click to the OK button on the “Attribute Information” window

33 On the “Add Standard RADIUS Attribute window” Select “Tunnel-Type” then click to the
“Add...” button
34 On the “Attribute Information” window click to the “Add...” button again

35 From the “Commonly used for 802.1x” combo box choose the “Virtual LANs (VLAN)”, then
click to the OK button
36 click to the OK button on the “Attribute Information” window

37 On the “Add Standard RADIUS Attribute window” Select “Tunnel-Preference” then click to the
“Add...” button
38 Type “1” as value, then click to the OK button

39 On the “Configure Settings” window check if everything is set up correctly, then click to the
NAP enforcement
40 Select “Allow limited access”, then click to the “configure...” button, to set up the remediation
servers
41 Select the remediation server group then click to the OK button
42 On the “Configure Settings” window click to the Next button.

43 On the “Completing new Network Policy” window click to the Finish button
44 Check if both rules are created.
Create Connection Policy on the NPS server

We should modify the “Connection Request Policy” to check the health status.

1 Right click to the already created “Secure Ethernet” rule, and from the popup menu select
“Properties”

2 Go to the settings tab, and check the “Override network policy authentication” box, then click to
the “Add...” button
3 On the “Add EAP” window select “Microsoft: Protected EAP (PEAP)”, then click to the OK
button

4 Select the “Microsoft: Protected EAP (PEAP)”, then click to the “Edit...” button.
5 Select the certificate to authenticate the IAS server, and check the “Enforce Network Access
Protection”. Click to the Add button.
6 On the “Add EAP” window select “Smart Card or other certificate”, then click to the OK button;
later we will change the user authentication to certificate based.

7 On the “Configure Protected EAP Properties” window click to the OK button

8 On the “Secure Ethernet Properties” window click to the OK button


Set up the NPS by wizard

Everything we did manually above can also be done through a wizard.

1 Go to the NPS text on the tree view and click to the “Configure NAP” link.

2 On the “Configure NAP” window select “IEEE 802.1x (Wired)” as “Network connection
method”, and give it some policy name, then click to the “Next” button
3 On the “Configure NAP” window check if our radius clients are appearing, then click to the Next
button.
4 On the “Configure User Groups and Machine Groups” window click to the “Add...” button next
to the machine groups
5 On the Select Group window type “Domain Computers”, and click to the “Check Names” button.
If it is recognized click to the OK button.
6 click to the “Add...” button next to the user groups

7 On the Select Group window type “Domain Users”, and click to the “Check Names” button. If it
is recognized click to the OK button.
8 On the “Configure User Groups and Machine Groups” window click to the Next button

9 On the “Configure an Authentication Method” window check if the NPS server certificate is
correct. Select “Secure Password (PEAP-MS-CHAP v2)” as authentication. If you want to use
certificate based user authentication later, select the “Smart Card or other certificate (EAP-TLS)” too.
10 On the “Configure Traffic Controls” window next to the “Full access network” click to the
“configure...” button.
11 On the “Configure RADIUS Attributes” window at the “RADIUS Standard Attributes” tab select
“Tunnel-Type”, and click to the “Edit...” button.
12 On the “Attribute Information” window click to the “Add...” button.
13 On the “Attribute Information” window select under the “Commonly used for 802.1x” the
“Virtual LANs (VLAN)”.

14 Click OK on the “Attribute Information” window

15 On the “Configure RADIUS Attributes” window at the “RADIUS Standard Attributes” tab select
“Tunnel-Medium-Type”, and click to the “Edit...” button.
16 On the “Attribute Information” window click to the “Add...” button.
17 On the “Attribute Information” window select under the “Commonly used for 802.1x” the “802
(includes all 802 media plus Ethernet canonical format)”.

18 Click OK on the “Attribute Information” window

19 On the “Configure RADIUS Attributes” window at the “RADIUS Standard Attributes” tab select
“Tunnel-Pvt-Group-ID”, and click to the “Edit...” button.
20 On the “Attribute Information” window click to the “Add...” button.

21 On the “Attribute Information” window type “2” as value (the compliant computers will be
members of VLAN 2). Then click to the OK button.

22 On the “Attribute Information” window click to the OK button

23 On the “Configure RADIUS Attributes” window click to the OK button.


24 On the “Configure Traffic Controls” window next to the “Restricted access network” click to the
“configure...” button.
25 On the “Configure RADIUS Attributes” window at the “RADIUS Standard Attributes” tab select
“Tunnel-Type”, and click to the “Edit...” button.
26 On the “Attribute Information” window click to the “Add...” button.

27 On the “Attribute Information” window select under the “Commonly used for 802.1x” the
“Virtual LANs (VLAN)”.

28 Click OK on the “Attribute Information” window

29 On the “Configure RADIUS Attributes” window at the “RADIUS Standard Attributes” tab select
“Tunnel-Medium-Type”, and click to the “Edit...” button.
30 On the “Attribute Information” window click to the “Add...” button.

31 On the “Attribute Information” window select under the “Commonly used for 802.1x” the “802
(includes all 802 media plus Ethernet canonical format)”.

32 Click OK on the “Attribute Information” window

33 On the “Configure RADIUS Attributes” window at the “RADIUS Standard Attributes” tab select
“Tunnel-Pvt-Group-ID”, and click to the “Edit...” button.
34 On the “Attribute Information” window click to the “Add...” button.

35 On the “Attribute Information” window type “3” as value (the non compliant computers will be
members of VLAN 3). Then click to the OK button.

36 On the “Attribute Information” window click to the OK button

37 On the “Configure RADIUS Attributes” window click to the OK button.


38 On the “Configure Traffic Controls” window click to the “Next” button
39 On the “Define NAP health policy” window select the “Windows Security Health Validator”. I
cleared the “Enable auto remediation of client computers”, because it is easier to test this way. Select
the “Deny full network access to NAP-ineligible client computers...”
40 On the completing “NAP Enforcement Policy and RADIUS Client Configuration” window click
to the Finish button.
