Presentation is loading. Please wait.

Presentation is loading. Please wait.

Configuring Network Access Protection

Published byKevin Golden Modified over 8 years ago

Similar presentations

Presentation on theme: "Configuring Network Access Protection"— Presentation transcript:

1 Configuring Network Access Protection
Course 6419A Module 12: Configuring Network Access Protection Module 12 Configuring Network Access Protection Presentation: 60 minutes Lab: 120 minutes This module helps students to configure and manage Network Access Protection (NAP) for Dynamic Host Configuration Protocol (DHCP), a virtual private network (VPN), and Institute of Electrical and Electronics Engineers (IEEE) 802.1X authentication. After completing this module, students will be able to: Describe Network Access Protection. Describe how NAP works. Configure NAP. Monitor and troubleshoot NAP. Required materials To teach this module, you need the Microsoft® Office PowerPoint® file6419A_12.ppt. Important It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly. Preparation tasks To prepare for this module: Read all of the materials for this module. Practice performing the demonstrations and the lab exercises. Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance. Make sure that students are aware that there are additional information and resources for the module on the Course Companion CD. 1

2 Module 12: Configuring Network Access Protection
Course 6419A Module Overview Module 12: Configuring Network Access Protection Overview of Network Access Protection How NAP Works Configuring NAP Monitoring and Troubleshooting NAP

3 Lesson 1: Overview of Network Access Protection
Course 6419A Lesson 1: Overview of Network Access Protection Module 12: Configuring Network Access Protection What Is Network Access Protection? NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture Interactions NAP Client Infrastructure

4 What Is Network Access Protection?
Course 6419A What Is Network Access Protection? Module 12: Configuring Network Access Protection Network Access Protection can: Enforce health-requirement policies on client computers Describe Network Access Protection (NAP) capabilities and characteristics by expanding on the information on the slide. What NAP can do: Enforce health-requirement policies on client computers that are running Windows® XP Service Pack 2 (SP2) and Windows Vista™. Ensure that client computers remain compliant with existing policies. Offer remediation support for computers that do not meet the health requirements for full network access. What NAP cannot do: Prevent authorized users with compliant computers from performing malicious activity on the network. Restrict network access for computers that are running Windows versions previous to Windows XP SP2 when exception rules are configured for those computers. NAP has three important and distinct aspects: Health state validation. Validates a computer’s health against health policies. Health policy compliance. Updates client computers that do not meet the requirements. Limited access enforcement. Isolates non-compliant computers onto a remediation network with limited access. Emphasize that NAP is a compliance tool, not a security tool. NAP provides an extra security layer, but it is not a complete security solution. NAP is enforced and supported by the following methods, which will be discussed in detail later: Internet Protocol Security (IPsec)-protected traffic IEEE 802.1X-authenticated connections Virtual private network (VPN) connections Dynamic Host Configuration Protocol (DHCP) address configurations Explain that unlike Network Access Quarantine Control (NAQC), NAP offers continuous health- state monitoring of connected computers. You can configure exception rules to not limit access to computers that are not NAP capable, to computers that are running Windows versions previous to Windows XP SP2, and to computers that are running other vendors’ client-operating systems. Ensure client computers are compliant with policies Offer remediation support for computers that do not meet health requirements Network Access Protection cannot: Prevent authorized users with compliant computers from performing malicious activity Restrict access for Windows XP SP2 and earlier when exception rules are configured for those computers

5 Module 12: Configuring Network Access Protection
Course 6419A NAP Scenarios Module 12: Configuring Network Access Protection NAP benefits the network infrastructure by verifying the health state of: Explain the benefits that NAP provides to the network infrastructure. NAP verifies the health state of: Roaming laptops. The NAP-capable operating system reports the health state, through remote access, or wireless or physical connections. Desktop computers. NAP ensures that the latest updates and required software are installed to mitigate threats to these computers. Visiting laptops. NAP determines whether laptops of visiting consultants, business partners, and guests meets the network’s health requirements. Unmanaged home computers. When a user uses an unmanaged computer to initiate a remote access connection, NAP verifies the health state of the initiating computer against the health policy and may grant the computer limited network access if it is not in compliance. You can deploy NAP for one or all of the scenarios listed on the slide, depending on the company’s needs. Rather than a written or electronic policy that states the requirements for allowing network connectivity, NAP can limit network access automatically for any NAP- capable client-operating system. When used in conjunction with other security layers, NAP offers enforcement of health policies to help maintain a healthy network environment. Question: Have you ever had an issue with unsecure, unmanaged laptops causing harm to your network? Do you think NAP would have addressed this issue? Answer: Answers may vary, but NAP could have theoretically helped in these situations by preventing computers from accessing the network if they did not have an antivirus program installed and did not have the latest Windows updates. References Network Access Protection: Roaming laptops Desktop computers Visiting laptops Unmanaged home computers

6 NAP Enforcement Methods
Course 6419A NAP Enforcement Methods Module 12: Configuring Network Access Protection Method Key Points IPsec enforcement for IPsec- protected communications Computer must be compliant to communicate with other compliant computers The strongest NAP enforcement type, and can be applied per IP address or protocol port number 802.1X enforcement for IEEE X-authenticated wired or wireless connections Computer must be compliant to obtain unlimited access through an 802.1X connection (authentication switch or access point) VPN enforcement for remote access connections Computer must be compliant to obtain unlimited access through a RAS connection DHCP enforcement for DHCP- based address configuration Computer must be compliant to receive an unlimited access IPv4 address configuration from DHCP This is the weakest form of NAP enforcement Describe the four available NAP enforcement methods for client computers running Windows Server® 2008, Windows Vista, and Windows XP SP2 (with NAP Client for XP). Refer to the information on the slide to provide each method’s key points. Explain that Windows Server 2008 and Windows Vista also include a NAP enforcement method for connections to a Terminal Services Gateway (TSG) server, but do no support remediation: IPsec enforcement is the strongest NAP enforcement method available, but it has additional requirements. 802.1X and VPN enforcement are both strong enforcement methods, though not as strong as IPsec. DHCP is the weakest enforcement method, because it relies on the client having a DHCP configuration in the TCP/IP Properties. Anyone with administrative rights can change it to static and bypass DHCP health enforcement. Terminal Services Gateway enforcement affects the client computer from which the Terminal Services session has been launched, such as a home computer or a computer in a hotel business center. Question: Which of the NAP enforcement types would best suit your company? Can you see your organization using multiple NAP enforcement types? If so, which ones? Answer: Answers may vary depending on the enforcement method most suited to the students’ environments. References Terminal Services: Network Access Protection:

7 NAP Platform Architecture
Course 6419A NAP Platform Architecture Module 12: Configuring Network Access Protection Intranet Remediation Servers Internet NAP Health Policy Server DHCP Server Health Registration Authority IEEE 802.1X Devices Active Directory VPN Server Restricted Network NAP Client with limited access Perimeter Network Use the components of a NAP-enabled network infrastructure and an example of an intranet configuration on the slide to describe the interactions between NAP platform components. The example intranet on the slide is configured for the following: Health-state validation, health policy compliance, and limited network access for non- compliant NAP clients IPsec enforcement, 802.1X enforcement, VPN enforcement, and DHCP enforcement When obtaining a health certificate, making an 802.1X-authenticated or VPN connection to the intranet, or leasing or renewing an IPv4 address configuration from the DHCP server, each NAP client receives one of the following classifications: NAP clients that meet the health policy requirements are classified as compliant and are allowed unlimited access or normal communication. NAP clients that do not meet the health policy requirements are classified as non- compliant, and their access is limited to the restricted network until they meet the requirements. A non-compliant NAP client does not necessarily have a virus or some other active threat to the intranet, but it does not have the software updates or configuration settings that the health policy requires. Therefore, non-compliant NAP clients pose health risks to the intranet. The system health agents (SHAs) on NAP clients can update computers automatically with limited access using the software or configuration settings required for unlimited access. Question: Does your environment presently use 802.1x authentication at the switch level? If so, would 802.1x NAP be beneficial, considering you can configure remediation VLANs to offer limited access? Answer: Answers will vary. Discuss with students. References Network Access Protection:

8 NAP Architecture Interactions
Course 6419A NAP Architecture Interactions Module 12: Configuring Network Access Protection HRA VPN Server DHCP Server IEEE 802.1X Network Access Devices Health Requirement Server Remediation Server NAP Client NAP Health Policy Server RADIUS Messages System Health Updates HTTP or HTTP over SSL Messages Requirement Queries DHCP Messages PEAP Messages over PPP PEAP Messages over EAPOL Mention about the following interactions in a NAP-enabled network infrastructure: • Between a NAP client and an HRA • Between a NAP client and an 802.1X network access device (an Ethernet switch or a wireless access point) • Between a NAP client and a VPN server • Between a NAP client and a DHCP server • Between a NAP client and a remediation server • Between an HRA and a NAP health policy server • Between an 802.1X network access device and a NAP health policy server • Between a VPN server and a NAP health policy server • Between a DHCP server and a NAP health policy server • Between a NAP health policy server and a health requirement server Question: List an example of a NAP-enabled network infrastructure used in your organization. Answer: Answers may vary, but any Windows operating system from Windows XP SP2 and later is NAP capable. References Network Access Protection Platform Architecture:

9 NAP Client Infrastructure
Course 6419A NAP Client Infrastructure Module 12: Configuring Network Access Protection NAP Client Remediation Server 2 Remediation Server 1 NAP Agent NAP EC API NAP EC_A NAP EC_B NAP EC_C SHA API SHA_1 SHA_2 SHA_3 . . . Discuss the NAP Client Infrastructure Discuss the NAP enforcement client components Discuss the system health agent Discuss the NAP agent Discuss the SHA application programming interface Discuss NAP EC API Discuss how all these components work and communicate with one another Question: How would your organization deal with enabling the appropriate EC on non-domain computers that are outside of the management scope? Answer: Answers will vary, but IPsec enforcement is going to be the most secure method. References Network Access Protection Platform Architecture: Network Access Protection:

10 Module 12: Configuring Network Access Protection
Course 6419A Lesson 2: How NAP Works Module 12: Configuring Network Access Protection NAP Enforcement Processes How IPsec Enforcement Works How 802.1X Enforcement Works How VPN Enforcement Works How DHCP Enforcement Works

11 How IPsec Enforcement Works
Course 6419A How IPsec Enforcement Works Module 12: Configuring Network Access Protection Key Points of IPsec NAP Enforcement: Comprised of a health certificate server and an IPsec NAP EC Health certificate server issues X.509 certificates to clients when they are verified as compliant Certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet IPsec Enforcement confines the communication on a network to those nodes that are considered compliant You can define requirements for secure communications with compliant clients on a per-IP address or a per-TCP/UDP port number basis IPsec enforcement process: The IPsec EC component sends its current health state to the Health Registration Authority (HRA.) The HRA sends the NAP client’s health state information to the NAP health policy server. The NAP health policy server evaluates the NAP client’s health-state information, determines whether the NAP client is compliant, and sends the results to the HRA. If the NAP client is not compliant, the results include health-remediation instructions. If the health state is compliant, the HRA obtains a health certificate for the NAP client. The NAP client now can initiate IPsec-protected communication with other compliant computers using its health certificate for IPsec authentication, and then respond to communications initiated from other compliant computers that authenticate using their own health certificate. If the health state is not compliant, the HRA informs the NAP client how to correct its health state and does not issue a health certificate. The NAP client cannot initiate communication with other computers that require a health certificate for IPsec authentication. However, the NAP client can initiate communications with remediation servers to correct its health state. The NAP client sends update requests to the appropriate remediation servers. The remediation servers provide the NAP client with the required updates for compliance with health requirements. The NAP client updates its health-state information. The NAP client sends its updated health-state information to the HRA, and the HRA sends the updated health-state information to the NAP health policy server. Assuming that all the required updates were made, the NAP health policy server determines that the NAP client is compliant and sends that result to the HRA. The HRA obtains a health certificate for the NAP client. The NAP client now can initiate IPsec-protected communication with other compliant computers.

12 How 802.1X Enforcement Works
Course 6419A How 802.1X Enforcement Works Module 12: Configuring Network Access Protection Key Points of 802.1X Wired or Wireless NAP Enforcement: Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection The following process describes how 802.1X enforcement works for a NAP client that is initiating an 802.1X-authenticated connection on the intranet: The NAP client and the Ethernet switch or wireless AP begins 802.1X authentication. The NAP client sends its user or computer authentication credentials to the NAP health policy server, which also is acting as a authentication, authorization, and accounting (AAA) server. If the authentication credentials are not valid, the connection attempt is terminated. If the authentication credentials are valid, the NAP health policy server requests the health state from the NAP client. The NAP client sends its health-state information to the NAP health policy server. The NAP health policy server evaluates the health-state information of the NAP client, determines whether the NAP client is compliant, and sends the results to the NAP client and the Ethernet switch or wireless AP. If the NAP client is not compliant, the results include a limited-access profile for the Ethernet switch or wireless AP, and health-remediation instructions for the NAP client. If the health state is compliant, the Ethernet switch or wireless AP completes the 802.1X authentication, and the NAP client has unlimited intranet access. If the health state is not compliant, the Ethernet switch or wireless AP completes the 802.1X authentication but limits the client’s access to the restricted network. The NAP client can send traffic only to the remediation servers on the restricted network. The NAP client sends update requests to the remediation servers. The remediation servers provision the NAP client with the required updates for compliance with health policy. The NAP client updates its health-state information. The NAP client restarts 802.1X authentication and sends its updated health-state information to the NAP health policy server. Assuming that all the required updates were made, the NAP health policy server determines that the NAP client is compliant and instructs the Ethernet switch or wireless AP to allow unlimited access. The Ethernet switch or wireless AP completes the 802.1X authentication, and the NAP client has unlimited intranet access. Non-compliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP place on the connection Restricted access profiles can specify IP packet filters or a virtual LAN (VLAN) identifier (ID) that corresponds to the restricted network 802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted access profile to the connection if the client becomes non-compliant 802.1X enforcement consists of NPS in Windows Server 2008 and an EAPHost EC in Windows Vista, Windows XP with SP2 (with the NAP Client for Windows XP), and Windows Server 2008

13 How VPN Enforcement Works
Course 6419A How VPN Enforcement Works Module 12: Configuring Network Access Protection Key Points of VPN NAP Enforcement: Computer must be compliant to obtain unlimited network access through a remote access VPN connection The following process describes how VPN enforcement works for a NAP client that is initiating a VPN connection to the intranet: The NAP client initiates a connection to the VPN server. The NAP client sends its user authentication credentials to the NAP health policy server, which also is acting as an AAA server. If the authentication credentials are not valid, the VPN connection attempt is terminated. If the authentication credentials are valid, the NAP health policy server requests the health state from the NAP client. The NAP client sends its health-state information to the NAP health policy server. The NAP health policy server evaluates the health-state information of the NAP client, determines whether the NAP client is compliant, and sends the results to the NAP client and the VPN server. If the NAP client is not compliant, the results include a set of packet filters for the VPN server and health-remediation instructions for the NAP client. If the health state is compliant, the VPN server completes the VPN connection, and the NAP client has unlimited intranet access. If the health state is not compliant, the VPN server completes the VPN connection but, based on the packet filters, limits the access of the NAP client to the restricted network. The NAP client can send traffic only to the remediation servers on the restricted network. The NAP client sends update requests to the remediation servers. The remediation servers provide the NAP client with the required updates for health policy compliance. The NAP client updates its health-state information. The NAP client restarts authentication with the VPN server and sends its updated health- state information to the NAP health policy server. Assuming that all the required updates were made, the NAP health policy server determines that the NAP client is compliant and instructs the VPN server to allow unlimited access. The VPN server completes the VPN connection, and the NAP client has unlimited intranet access. Non-compliant computers have network access limited through a set of IP packet filters that are applied to the VPN connection by the VPN server VPN enforcement actively monitors the health status of the NAP client and applies the IP packet filters for the restricted network to the VPN connection if the client becomes non-compliant VPN enforcement consists of NPS in Windows Server 2008 and a VPN EC as part of the remote access client in Windows Vista, Windows XP with SP2 (with the NAP Client for Windows XP), and Windows Server 2008

14 How DHCP Enforcement Works
Course 6419A How DHCP Enforcement Works Module 12: Configuring Network Access Protection Key Points of DHCP NAP Enforcement: Computer must be compliant to obtain an unlimited access IPv4 address configuration from a DHCP server Non-compliant computers have network access limited by an IPv4 address configuration that allows access only to the restricted network DHCP enforcement actively monitors the health status of the NAP client and renews the IPv4 address configuration for access only to the restricted network if the client becomes non-compliant Emphasize that because DHCP enforcement relies on a limited IPv4 address configuration that a user with administrator-level access can override, it is the weakest form of NAP limited network access. The following process describes how DHCP enforcement works for a NAP client that is attempting an initial DHCP configuration on the intranet: The NAP client sends a DHCP request message containing its health-state information to the DHCP server. The DHCP server sends the health-state information of the NAP client to the NAP health policy server. The NAP health policy server evaluates the health-state information of the NAP client, determines whether the NAP client is compliant, and sends the results to the NAP client and the DHCP server. If the NAP client is not compliant, the results include a limited-access configuration for the DHCP server and health-remediation instructions for the NAP client. If the health state is compliant, the DHCP server assigns an IPv4 address configuration for unlimited access to the NAP client and completes the DHCP message exchange. If the health state is not compliant, the DHCP server assigns an IPv4 address configuration for limited access to the restricted network to the NAP client and completes the DHCP message exchange. The NAP client can send traffic only to the remediation servers on the restricted network. The NAP client sends update requests to the remediation servers. The remediation servers provides the NAP client with the required updates for compliance with health policy. The NAP client updates its health-state information. The NAP client sends a new DHCP request message containing its updated health-state information to the DHCP server. The DHCP server sends the updated health-state information of the NAP client to the NAP health policy server. Assuming that all the required updates were made, the NAP health policy server determines that the NAP client is compliant and instructs the DHCP server to assign an IPv4 address configuration for unlimited intranet access. The DHCP server assigns an IPv4 address configuration for unlimited access to the NAP client and completes the DHCP message exchange. DHCP enforcement consist of a DHCP ES that is part of the DHCP Server service in Windows Server 2008 and a DHCP EC that is part of the DHCP Client service in Windows Vista, Windows XP with SP2 (with NAP Client for Windows XP), and Windows Server 2008

15 Lesson 3: Configuring NAP
Course 6419A Lesson 3: Configuring NAP Module 12: Configuring Network Access Protection What Are System Health Validators? What Is a Health Policy? What Are Remediation Server Groups? NAP Client Configuration

16 What Are System Health Validators?
Course 6419A What Are System Health Validators? Module 12: Configuring Network Access Protection System Health Validators are server software counterparts to system health agents Each SHA on the client has a corresponding SHV in NPS SHVs allow NPS to verify the statement of health made by its corresponding SHA on the client SHVs contain the required configuration settings on client computers The Windows Security SHV corresponds to the Microsoft SHA on client computers Notice that the System Health Validator (SHV) has two tabs, one for Windows Vista and another for Windows XP SP2. The Spyware Protection section is not included in the Windows XP SP2 settings. Consider opening the NPS console, and under Network Access Protection in the console tree, select System Health Validators, and then in the details pane, double-click Windows Security Health Validator. In the Settings section, point out to the students the lower section of the dialog box, which states how to resolve error codes that may be returned. The default is to configure the client as non-compliant, but you can change this setting. Click Configure in the dialog box, and click both the Windows Vista and Windows XP tabs. Describe some of the options that are available to create a health policy with which client computers must comply. Question: Does NAP work only with Microsoft-supplied System Health Validators? Answer: No. It is extensible, so you can use any vendor’s System Health Agents and System Health Validators if they follow the NAP API. References Help Topic: System Health Validators

17 Module 12: Configuring Network Access Protection
Course 6419A What Is a Health Policy? Module 12: Configuring Network Access Protection To make use of the Windows Security Health Validator, you must configure a Health Policy and assign the SHV to it Consider demonstrating how to configure health policy and assign the SHV. To create a health policy and apply an SHV to it: Open the Network Policy Server console from the Administration Tools menu. Expand Policies, right-click Health Policies, and then click New. In the Policy Name box, type a name for the policy, specify the Client SHV checks drop-down list, assign the SHV that you want the policy to use in the SHVs used in this policy section, and then select the Windows Security Health Validator check box. To add the health policy to a network policy: Open or create a network policy and on the Conditions tab, click Add, and then specify health policies from the available options. To enable NAP in the policy: On the Settings tab, select NAP Enforcement, and specify the Remediation servers, auto-remediation, and range of access to the network. Question: Can you use only one SHV in a health policy? Answer: No. You can specify any that are available. References Help Topic: Health Policies Help Topic: Create a Health Policy Help Topic: Understanding How to Configure Health Policy Health policies consist of one or more SHVs and other settings that allow you to define client computer configuration requirements for NAP-capable computers that attempt to connect to your network You can define client health policies in NPS by adding one or more SHVs to the health policy NAP enforcement is accomplished by NPS on a per-network policy basis After you create a health policy by adding one or more SHVs to the policy, you can add the health policy to the network policy and enable NAP enforcement in the policy

18 What Are Remediation Server Groups?
Course 6419A What Are Remediation Server Groups? Module 12: Configuring Network Access Protection With NAP enforcement in place, you should specify remediation server groups so the clients have access to resources that bring non-compliant NAP-capable clients into compliance Consider demonstrating how to use the NPS console to configure remediation server groups. To create a new remediation server group: Open the NPS console, and in the console tree, double-click Network Access Protection, right-click Remediation Server Groups, and then click New. Under Group Name, type a name for the group, and then click Next. Under Add Servers, click Add, specify the friendly name and IP address or FQDN for the server, select Resolve, and then click OK. Repeat this step to specify additional Remediation servers for the group. Once you have created one or more Remediation server groups, go to the Settings tab of the network policies that contain the health policies to specify the Remediation server groups to which non-compliant clients will connect. Question: What services might a remediation server offer to update antivirus signatures? Answer: It might offer a File Transfer Protocol (FTP) service, or something similar, so clients can download and install the latest signatures. References Help Topic: Configure Remediation Groups Help Topic: Remediation Server Groups A remediation server hosts the updates that the NAP agent can use to bring non-compliant client computers into compliance with the health policy that NPS defines A remediation server group is a list of servers on the restricted network that non-compliant NAP clients can access for software updates

19 NAP Client Configuration
Course 6419A NAP Client Configuration Module 12: Configuring Network Access Protection Some NAP deployments that use Windows Security Health Validator require that you enable Security Center Expand on the slide’s information when describing the NAP client-configuration requirements: Enabling Security Center NAP service Configuring enforcement clients Question: What Windows groups have the rights to enable Security Center in Group Policy, enable NAP service on clients, and enable/disable NAP enforcement clients? Answer: The following groups have these rights: Enterprise Admins, Domain Admins, and Local Administrators. References Help Topic: Enable Security Center in Group Policy Help Topic: Enable the Network Access Protection Service on Clients Help Topic: Configure NAP Enforcement Clients The Network Access Protection service is required when you deploy NAP to NAP-capable client computers You also must configure the NAP enforcement clients on the NAP-capable computers

20 Lesson 4: Monitoring and Troubleshooting NAP
Course 6419A Lesson 4: Monitoring and Troubleshooting NAP Module 12: Configuring Network Access Protection What Is NAP Tracing? Configuring NAP Tracing

21 Module 12: Configuring Network Access Protection
Course 6419A What Is NAP Tracing? Module 12: Configuring Network Access Protection NAP tracing identifies NAP events and records them to a log file based on the one of the following tracing levels: Basic Advanced Debug The students should be aware that logging is disabled by default and that they should enable it if they want to troubleshoot NAP-related problems or evaluate the overall health and security of their organization’s computers. Question: List at least one example of how NAP tracing can be used to determine an issue with client communication. Answer: Answers may vary, but one example could be to review detailed information on why a client computer has been deemed non-compliant or is otherwise quarantined to a restricted network. References Help Topic: Configure NAP Tracing You can use tracing logs to: Evaluate the health and security of your network For troubleshooting and maintenance NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs

22 Configuring NAP Tracing
Course 6419A Configuring NAP Tracing Module 12: Configuring Network Access Protection You can configure NAP tracing by using one of the following tools: The NAP Client Management console The Netsh command-line tool Describe the two tools that are available for configuring NAP tracing. Emphasize that only members of the Local Administrators group can enable logging, and point out the location of trace logs to students. In the next topic, you will demonstrate how to enable logging, specify the details of the log, and how to view the log. Question: What is the netsh command for enabling NAP debug logging levels? Answer: The command is netsh nap client set tracing state=enable level=verbose. References Help Topic: Enable and Disable NAP Tracing To enable logging functionality, you must be a member of the Local Administrators group Trace logs are located in the following directory: %systemroot%\tracing\nap

Download ppt "Configuring Network Access Protection"

Similar presentations

Selecting the Right Network Access Protection (NAP) Architecture Infrastructure Planning and Design Published: June 2008 Updated: November 2011.

Selecting the Right Network Access Protection (NAP) Architecture Infrastructure Planning and Design Published: June 2008 Updated: November 2011.
5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.

Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
4.1 Configuring Network Access Components of a Network Access Services Infrastructure What is the Network Policy and Access Services Role? What is Routing.

4.1 Configuring Network Access Components of a Network Access Services Infrastructure What is the Network Policy and Access Services Role? What is Routing.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Chapter 13 Securing Windows Server 2008

Chapter 13 Securing Windows Server 2008
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
Agenda Introduction Network Access Protection platform architecture

Agenda Introduction Network Access Protection platform architecture
Module 3 Windows Server 2008 Branch Office Scenario.

Module 3 Windows Server 2008 Branch Office Scenario.
Providing 802.1X Enforcement For Network Access Protection Mudit Goel Development Manager Windows Enterprise Networking Microsoft Corporation.

Providing 802.1X Enforcement For Network Access Protection Mudit Goel Development Manager Windows Enterprise Networking Microsoft Corporation.
Network Access Protection Platform Architecture Joseph Davies Technical writer Windows Networking and Device Technologies Microsoft Corporation.

Network Access Protection Platform Architecture Joseph Davies Technical writer Windows Networking and Device Technologies Microsoft Corporation.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
Chapter 9: Troubleshooting and Repairing Networking.

Chapter 9: Troubleshooting and Repairing Networking.
CN2140 Server II Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+

CN2140 Server II Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+
Sreenivas Addagatla - Development Lead Lambert Green - Test Lead Microsoft Corporation.

Sreenivas Addagatla - Development Lead Lambert Green - Test Lead Microsoft Corporation.
Windows Server 2008 Network Access Protection (NAP) Technical Overview.

Windows Server 2008 Network Access Protection (NAP) Technical Overview.
Windows Network Policy Server Fundamentals Ranjana Jain MCSE, MCT, RHCE, CISSP, CIW Security Analyst IT Pro Evangelist Microsoft India

Windows Network Policy Server Fundamentals Ranjana Jain MCSE, MCT, RHCE, CISSP, CIW Security Analyst IT Pro Evangelist Microsoft India

Similar presentations

Ads by Google