How to configure Microsoft NAP for basic use with AMT

Version 1

    Microsoft NAP Configuration

    This document outlines the steps required to configure Microsoft NAP with 802.1X enforcement. Upon completion of these steps a client running the NAP agent will be required to have Windows Firewall turned on. If it is on, the client gains full network access. If it is not, the client is placed in an access-limited VLAN until the setting is corrected.

    This document was written and baselined on the Brand Promise Validation (BPV) network infrastructure. Although the steps should be generic enough for any infrastructure, your mileage may vary.

    Configuring NAP has some baseline requirements of the network infrastructure. From there it involves four main steps.


    Baseline requirements:

    • 802.1x capable switch

    o Recommended: Cisco 2960, 3560, 3750, 4900, or 6500 series switches, or any other vendor's switch supporting 802.1x network access control.

    • Domain controller running Windows Server 2003 or higher with a domain functional level of Windows Server 2003. The steps to raise the domain functional level are:

    o Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.

    o In the left pane of the Active Directory Domains and Trusts dialog box, right-click your domain and then click Raise Domain Functional Level.

    o From the drop-down list box, choose Windows Server 2003, and then click Raise.

    o In the dialog box that warns this change cannot be reversed, click OK.

    o In the dialog box that confirms the functional level was raised successfully, click OK.

    • Enterprise CA running Windows 2003 server or higher, joined to the domain

    • System to run Longhorn Server

    • Client PC with Windows Vista, joined to the domain


    4 Main Steps:

    1. Configure the 802.1x capable switch

    2. Add a DHCP scope

    3. Install and Configure the Longhorn Server

    4. Configure the client


    Configure the 802.1x capable switch

    Because different switches use different command sets depending on the model and the software running on the switch, it is not possible to provide an exact step-by-step guide on how to configure 802.1x on every possible switch. Please refer to the documentation provided by your switch vendor for instructions on configuring 802.1x.

    The following list shows the required configuration details for any 802.1x capable switch. Once the values below have been configured, it is recommended that they be written down, as following sections will require many of these details to configure the NAP server.


    Friendly name / hostname:

    Assign your switch a hostname. In the BPV network the admin assigns this setting.


    IP address:

    Assign your switch a management IP address (usually on VLAN 1). BPV uses <bench subnet>.254


    Radius Server Address:

    Assign the IP address of the RADIUS server, in this case the address of the NAP server.


    Shared RADIUS key:

    Assign a shared RADIUS key. This key must be the same on both the switch and the NAP server; the switch uses it to validate the RADIUS replies it receives, so a mismatch leaves every port unauthenticated.


    Compliant VLAN:

    Create a VLAN that has full access to the rest of the network. This is the VLAN that a client is assigned to when it passes the NAP check. Write down the name of the VLAN. Also write down the network information (subnet and default route). BPV uses the following values:

    VLAN Name: <bench#>-NAP-COMPLIANT
    Subnet: <bench subnet>.2 /24
    Default Route: <bench subnet>.2.254


    Non-compliant VLAN:

    Create a non-routed Layer 2 VLAN that has no access to the rest of the network. This is the VLAN that a client is assigned to when it fails the NAP check. Write down the name of the VLAN. BPV uses the following value: VLAN Name: <bench#>-NAP-NON-COMPLIANT


    DHCP Forwarder/Helper:

    Configure the NAP Compliant VLAN with a DHCP Forwarder/helper if DHCP is desired. BPV uses DHCP.


    Non 802.1x authentication VLAN(s)/Port(s) for everything else:

    Configure the switch to permit all servers and non-NAP clients to access the entire network. This may be accomplished by connecting such PCs directly to non 802.1x authenticated ports on this switch or by an uplink port to the rest of the network. BPV uses the uplink method. Note, the uplink port must not have 802.1x enabled.
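    To make the shared key and VLAN settings above concrete, here is an added example, written for this page and not part of the original document or of any vendor tool, of the RADIUS Access-Accept the NAP server sends back to the switch after a successful check. It builds the reply with the tunnel attributes that the NPS wizard later labels Tunnel-Type "Virtual LANs (VLAN)", Tunnel-Medium-Type "802", Tunnel-Pvt-Group-ID (the VLAN name) and Tunnel-Tag 1, then shows the two things the switch does with it: verify the Response Authenticator with the shared secret (a mismatched secret makes the reply fail, and the port stays unauthenticated) and pull out the VLAN name to apply to the port. The secret, the packet identifier and the request authenticator are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet code and attribute types (RFC 2865, RFC 2868).
ACCESS_ACCEPT = 2
ATTR_TERMINATION_ACTION = 29
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81

# The numeric values behind the labels shown in the NPS Configure NAP wizard.
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type: Virtual LANs (VLAN)
TUNNEL_MEDIUM_IEEE_802 = 6       # Tunnel-Medium-Type: 802
TERMINATION_RADIUS_REQUEST = 1   # Termination-Action: RADIUS-Request
TUNNEL_TAG = 1                   # (Microsoft) Tunnel-Tag: 1


def attr(atype, value):
    """Encode one attribute as Type, Length, Value; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def vlan_attributes(vlan_name, tag=TUNNEL_TAG, termination_action=None):
    """The tunnel attributes that place the port in a VLAN named as the switch knows it."""
    attrs = (
        attr(ATTR_TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
        + attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
        + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan_name.encode())
    )
    if termination_action is not None:
        attrs += attr(ATTR_TERMINATION_ACTION, termination_action.to_bytes(4, "big"))
    return attrs


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """NPS side: the Response Authenticator is MD5 over the reply header, the request's
    authenticator, the attributes and the shared secret, so only a peer holding the same
    secret can check it."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet, request_authenticator, secret):
    """Switch side: a reply built with a different secret fails this check and is discarded."""
    header, resp_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def parse_vlan(packet):
    """Switch side: return the VLAN name from a Tunnel-Type / Tunnel-Medium-Type /
    Tunnel-Private-Group-ID set sharing one tag, or None if no such set is present."""
    tunnels = {}
    off = 20
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > len(packet):
            raise ValueError("malformed attribute")
        value = packet[off + 2:off + alen]
        off += alen
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            key = "type" if atype == ATTR_TUNNEL_TYPE else "medium"
            tunnels.setdefault(value[0], {})[key] = int.from_bytes(value[1:4], "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # A first octet of 0x00-0x1F is a tag; anything larger is part of the string.
            tag, name = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            tunnels.setdefault(tag, {})["group"] = name.decode()
    for t in tunnels.values():
        if t.get("type") == TUNNEL_TYPE_VLAN and t.get("medium") == TUNNEL_MEDIUM_IEEE_802:
            return t.get("group")
    return None


if __name__ == "__main__":
    # Constructed values: a lab secret and the authenticator a switch would have sent in its Access-Request.
    secret = b"example-shared-secret"
    req_auth = os.urandom(16)
    accept = build_access_accept(0x2A, req_auth, secret,
                                 vlan_attributes("NAP-COMPLIANT", termination_action=TERMINATION_RADIUS_REQUEST))
    print("verifies with the right secret:", verify_response(accept, req_auth, secret))
    print("verifies with a wrong secret:  ", verify_response(accept, req_auth, b"mistyped-secret"))
    print("VLAN the switch would apply:   ", parse_vlan(accept))
```

    The Tunnel-Pvt-Group-ID string is sent exactly as typed into NPS, which is why the VLAN name must match what the switch expects (some switches want the numeric VLAN ID there instead, as the troubleshooting notes below mention).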


    Add a DHCP Scope

    As all DHCP servers are different, this document does not outline the steps needed to create this scope; that is left as an exercise for the reader. All that is required is that a scope is created for the compliant VLAN created above.

    Install and Configure the Longhorn Server

    These steps will have you install Longhorn, join it to the domain, configure it so it is easier to manage, install the NPS role, obtain a certificate, and configure NPS.

    Install Longhorn and Join it to the Domain

    1. Install Longhorn with defaults

    2. Set a static IP for your area and disable IPv6.

    3. Set Machine Name for your area:

    a. BPV Lab default = <bench#>NAP

    4. Join Longhorn to the area domain.


    Configure Longhorn so it’s easier to manage (not required for NAP, but must be done in BPV; note that turning off UAC, IE ESC and Windows Firewall reduces the server's hardening and is acceptable only on an isolated lab network)

    1. Login as a domain administrator

    2. Configure the desktop to your liking

    3. Turn off “Shutdown Event Tracking”

    a. Click Start -- > Run

    b. In the Run box type "gpedit.msc" and click OK & then Continue

    c. Click the + sign before Administrative Templates (the one in Computer Configuration under Local Computer Policy)

    d. Click System

    e. Double click “Display Shutdown Event Tracker” and select the Disable radio button in the property page and press OK.

    4. Turn off User Account Control (UAC)

    a. Click Start->Settings->Control Panel

    b. Double click User Accounts

    c. Click “Turn User Account Control on or off” and Continue.

    d. Uncheck “Use User Account Control….” and click OK.

    e. Choose Restart Now. Upon reboot log in as a Domain Admin (the same one as before).

    5. Turn off IE Enhanced Security

    a. Click Start->Programs->Administrative Tools->Server Manager

    b. Click “Configure IE ESC”.

    c. A dialog titled “Internet Explorer Enhanced Security Configuration” appears. Set Administrators and Users to Off and click OK.

    6. Turn off Windows Firewall

    a. Click Start->Programs->Administrative Tools->Server Manager

    b. In the left pane expand Configuration and click Windows Firewall with Advanced Security.

    c. In the right pane click Windows Firewall Properties

    d. The Windows Firewall with Advanced Security Settings box will appear. Set the Firewall state to “Off” on each of the “Domain Profile”, “Private Profile” and “Public Profile” tabs.


    Install the NPS Role

    1. As a domain administrator Click Start->Programs->Administrative Tools->Server Manager

    2. Click Roles

    3. Click Add Roles

    4. Click Server Roles

    5. Check “Network Policy and Access Services”

    6. Click Next twice.

    7. Check “Network Policy Server” and click next.

    8. Click Install


    Obtain a computer certificate

    1. As a domain administrator Click start->Run

    2. Type mmc and click OK

    3. Click File->Add/Remove Snap in

    4. Choose Certificates and Click Add

    5. A “Certificates Snap-in” dialog appears. Choose computer account and click next and then finish.

    6. Click OK.

    7. In the left pane expand certificates

    8. Right click Personal and choose All Tasks->Request New Certificate

    9. Click Next

    10. Check Computer and click Enroll.

    11. Click finish.

    12. Close Console1 and don’t save changes.


    Configure the Network Policy Server

    1. As a domain administrator Click start->Programs->Administrative tools->Network Policy Server

    2. Click “Configure NAP”

    3. A Configure NAP Window will appear. Choose the following and click next:

    a. Network connection method: IEEE 802.1X (Wired)

    b. Policy Name: NAP 802.1X (Wired)

    4. Click Add. On the New RADIUS Client window enter the following and click OK:

    a. Friendly Name: <the friendly name of your 802.1x switch> (iLAB-NAC1 for switches configured for iLAB in the DOPD lab)

    b. Address: <the IP address of your 802.1x switch>. Use the IP address, not the DNS name (iLAB-NAC1.vprodemo.com); entering the name does not work here.

    c. Shared Secret: Manual, <secret for your 802.1x switch> (the DOPD switches currently use !QAZxsw2; this will be updated to P@ssw0rd soon). It must match the key configured on the switch.

    5. Click next. Click next again in the Configure User Groups and Machine Groups form.

    6. On the Configure an Authentication Method form choose “Secure Password (PEAP…..” and click next

    7. On the configure Virtual LANs (VLANs) form click configure for the Organization network VLAN and configure the following, then click OK:

    a. RADIUS Standard Attributes:

    i. Tunnel-Medium-Type: 802 (includes all 802 media…)

    ii. Tunnel-Pvt-Group-ID: <name of the compliant VLAN> (interop-nac in the DOPD lab; the non-compliant VLAN there is NAC Quarantine)

    iii. Tunnel-Type: Virtual LANs (VLAN)

    iv. (leave others as not configured)

    b. Vendor Specific attributes:

    i. (Microsoft) Tunnel-Tag: 1

    8. On the Configure Virtual LANs (VLANs) form click Configure for the Restricted network VLAN and configure the following, then click OK:

    a. RADIUS Standard Attributes:

    i. Tunnel-Medium-Type: 802 (includes all 802 media…)

    ii. Tunnel-Pvt-Group-ID: <name of the non-compliant VLAN>

    iii. Tunnel-Type: Virtual LANs (VLAN)

    iv. (leave others as not configured)

    b. Termination-Action: RADIUS-Request

    c. Vendor Specific attributes:

    i. (Microsoft) Tunnel-Tag: 1

    9. Click next and next again on the Define NAP Health Policy form.

    10. Click finish.

    11. In the left pane expand Policies and choose Connection Request Policies.

    12. Disable all Policies except “NAP 802.1X (Wired)”

    13. Right click NAP 802.1X (Wired) and go to properties

    14. On the Conditions tab remove all conditions. Then add a Day and time restrictions condition that allows 24x7 access.

    15. Click OK

    16. In the left pane choose Network Policies.

    17.1 Disable all policies except the following:

    a. NAP 802.1X (Wired) Compliant

    b. NAP 802.1X (Wired) Noncompliant

    c. NAP 802.1X (Wired) Non NAP-Capable

    17.2 Rename:

    a. NAP 802.1X (Wired) Compliant > NAP 802.1X (Wired) AMT Compliant

    b. NAP 802.1X (Wired) Noncompliant > NAP 802.1X (Wired) AMT NonCompliant

    17.3 Clone:

    a. NAP 802.1X (Wired) AMT Compliant > NAP 802.1X (Wired) OS Compliant

    b. NAP 802.1X (Wired) AMT NonCompliant > NAP 802.1X (Wired) OS Noncompliant

    17.4 Order the Policies as such:

    NAP 802.1X (Wired) AMT Compliant

    NAP 802.1X (Wired) AMT NonCompliant

    NAP 802.1X (Wired) OS Compliant

    NAP 802.1X (Wired) OS Noncompliant

    18.1 Install Intel SHV via setup file.

    18.2 In the Network Policy Server console, go to Network Access Protection > System Health Validators. Verify that Intel AMT SHV is present.

    18.3 Right click Windows Security Health Validator and choose Properties. Click Configure. Uncheck all boxes except the firewall check on both tabs. Click OK twice.

    19.1 In Policies > Health Policies, create the following policies:

    NAP 802.1X (Wired) AMT Compliant

    NAP 802.1X (Wired) AMT NonCompliant

    NAP 802.1X (Wired) OS Compliant

    NAP 802.1X (Wired) OS Noncompliant

    19.2 For all the above policies right click > properties and

    a. For compliant policies, set ‘Client SHV checks’ to ‘Client passes all…’.

    b. For non-compliant policies, set ‘Client SHV checks’ to ‘Client fails all…’.

    c. For AMT policies set ‘SHVs used’ to ‘Intel AMT SHV’.

    d. For OS policies set ‘SHVs used’ to ‘Windows Security Health Validator’.

    20. Under Policies > Network policies, for each “NAP 802.1x…” entry, right click, choose properties and select the conditions tab.

    20.1 For OS policies add corresponding system health policy.

    20.2 For AMT policies add the corresponding system health policy. Then click Add again and add an Operating System condition: in the dialog that follows click Add, check the “Operating system version” box and set it to be equal to 0.

    20.3 Right click all policies and choose enable.
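    Because NPS evaluates network policies in order and stops at the first one whose conditions all match, the order set in 17.4 and the conditions set in step 20 decide which VLAN a client gets. The following Python model, added here and not taken from the original document or from NPS, reproduces that evaluation for the four health/network policy pairs above. It assumes, as the page's condition implies, that the AMT supplicant reports an operating system version of 0 and the Vista client a non-zero one; that an SHV which returned no result counts as a failed check; and that the Non NAP-Capable policy sits last and assigns the restricted VLAN. The SHV and VLAN names stand in for the lab's own. The last case shows why the AMT policies need the ‘Operating system version equal to 0’ condition: without it a healthy Windows client would match ‘AMT NonCompliant’ first and land in the restricted VLAN.

```python
from dataclasses import dataclass
from typing import Optional

# Names from this document; the VLAN names stand in for <bench#>-NAP-COMPLIANT / -NON-COMPLIANT.
AMT_SHV = "Intel AMT SHV"
WSHV = "Windows Security Health Validator"
COMPLIANT_VLAN = "NAP-COMPLIANT"
RESTRICTED_VLAN = "NAP-NON-COMPLIANT"


@dataclass(frozen=True)
class HealthPolicy:
    shvs: tuple   # the "SHVs used" setting
    mode: str     # the "Client SHV checks" setting: "passes_all" or "fails_all"

    def matches(self, shv_results):
        # Model assumption: an SHV with no result from the client counts as a failed check.
        results = [shv_results.get(shv, False) for shv in self.shvs]
        return all(results) if self.mode == "passes_all" else not any(results)


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    vlan: str                           # VLAN carried in the policy's RADIUS tunnel attributes
    health: Optional[str] = None        # Health Policy condition
    os_version: Optional[int] = None    # Operating System condition, "version equal to"
    nap_capable: Optional[bool] = None  # NAP-Capable Computers condition
    enabled: bool = True


@dataclass
class Client:
    nap_capable: bool
    os_version: int     # 0 models a supplicant reporting no version, which the page's AMT condition keys on
    shv_results: dict   # SHV name -> True (compliant) / False (noncompliant); absent means no result


HEALTH_POLICIES = {
    "NAP 802.1X (Wired) AMT Compliant": HealthPolicy((AMT_SHV,), "passes_all"),
    "NAP 802.1X (Wired) AMT NonCompliant": HealthPolicy((AMT_SHV,), "fails_all"),
    "NAP 802.1X (Wired) OS Compliant": HealthPolicy((WSHV,), "passes_all"),
    "NAP 802.1X (Wired) OS Noncompliant": HealthPolicy((WSHV,), "fails_all"),
}

# Processing order as the document specifies. Non NAP-Capable stays enabled; the model
# assumes it sits last and assigns the restricted VLAN.
NETWORK_POLICIES = [
    NetworkPolicy("NAP 802.1X (Wired) AMT Compliant", COMPLIANT_VLAN,
                  health="NAP 802.1X (Wired) AMT Compliant", os_version=0),
    NetworkPolicy("NAP 802.1X (Wired) AMT NonCompliant", RESTRICTED_VLAN,
                  health="NAP 802.1X (Wired) AMT NonCompliant", os_version=0),
    NetworkPolicy("NAP 802.1X (Wired) OS Compliant", COMPLIANT_VLAN,
                  health="NAP 802.1X (Wired) OS Compliant"),
    NetworkPolicy("NAP 802.1X (Wired) OS Noncompliant", RESTRICTED_VLAN,
                  health="NAP 802.1X (Wired) OS Noncompliant"),
    NetworkPolicy("NAP 802.1X (Wired) Non NAP-Capable", RESTRICTED_VLAN, nap_capable=False),
]


def evaluate(client, policies=NETWORK_POLICIES):
    """First enabled policy whose conditions all hold wins; (None, None) models NPS rejecting the request."""
    for p in policies:
        if not p.enabled:
            continue
        if p.nap_capable is not None and client.nap_capable != p.nap_capable:
            continue
        if p.os_version is not None and client.os_version != p.os_version:
            continue
        if p.health is not None:
            # Model assumption: a non-NAP-capable client sends no statement of health,
            # so no health policy condition can match it.
            if not client.nap_capable or not HEALTH_POLICIES[p.health].matches(client.shv_results):
                continue
        return p.name, p.vlan
    return None, None


def without_os_version_condition(policies=NETWORK_POLICIES):
    """The same set with the 'Operating system version equal to 0' condition removed from the AMT policies."""
    return [NetworkPolicy(p.name, p.vlan, p.health, None, p.nap_capable, p.enabled) for p in policies]


if __name__ == "__main__":
    samples = {
        "AMT, AMT SHV compliant":    Client(True, 0, {AMT_SHV: True}),
        "AMT, AMT SHV noncompliant": Client(True, 0, {AMT_SHV: False}),
        "Vista, firewall on":        Client(True, 6, {WSHV: True}),
        "Vista, firewall off":       Client(True, 6, {WSHV: False}),
        "non-NAP-capable client":    Client(False, 5, {}),
    }
    for label, client in samples.items():
        print(f"{label:28} -> {evaluate(client)}")
    # Without the OS-version condition a healthy Vista client lands in the restricted VLAN,
    # because "fails all" on an SHV that returned nothing matches before the OS policies.
    print("Vista, firewall on, no OS condition ->",
          evaluate(samples["Vista, firewall on"], without_os_version_condition()))
```

    When the NPS event log shows an unexpected policy name (see the verification section below), walking the client through this order by hand is usually the fastest way to find which condition is missing or which policy is out of order.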

    Configure the Client

    This section outlines the steps required to configure the NAP agent on the client. Note that the client must have Windows Vista installed, be joined to the domain, and either be set up for DHCP (if there is a DHCP scope for the compliant VLAN) or configured with a static IP for the compliant VLAN prior to connecting it to the 802.1x authentication enabled port. Once this is done, complete the following:

    1. Click Start, click All Programs, click Accessories, and then click Run.

    2. Next to Open, type services.msc, and then press ENTER.

    3. In the list of services, right-click Network Access Protection Agent, and then click Properties.

    4. Next to Startup type, choose Automatic.

    5. Under Service status, click Start, wait for the service to start, and then click OK.

    6. In the list of services, right-click Wired AutoConfig, and then click Properties.

    7. Next to Startup type, choose Automatic.

    8. Under Service status, click Start, wait for the service to start, and then click OK.

    9. Close the services window.

    10. Click Start, click All Programs, click Accessories, and then click Run.

    11. Next to Open, type mmc, and then press ENTER.

    12. On the File menu, click Add/Remove Snap-in.

    13. Click NAP Client Configuration, and then click Add.

    14. In the NAP Client Configuration dialog box, click OK to accept the default selection, Local computer (the computer on which this console is running).

    15. Click Local Group Policy Object Editor, and then click Add.

    16. Click Finish to accept the default, Group Policy Object of Local Computer.

    17. In the Add or Remove Snap-ins dialog box, click OK.

    18. In the left pane, double-click NAP Client Configuration (Local Computer), and then click Enforcement Clients.

    19. In the middle pane, right-click EAP Quarantine Enforcement Client, and then click Enable.

    20. In the left pane, double-click Local Computer Policy, double-click Computer Configuration, double-click Administrative Templates, double-click Windows Components, and then click Security Center.

    21. In the middle pane, double-click Turn on Security Center (Domain PCs only).

    22. Select Enabled, and then click OK.

    23. Close the Console1 window.

    24. Click No when prompted to save console settings.

    25. Click Start, right-click Network, and then click Properties.


    26. Click Manage network connections.

    27. Right-click Local Area Connection, and then click Properties.

    28. Click the Authentication tab, and verify that Enable IEEE 802.1X authentication is selected.

    29. Click Settings.

    30. In the Protected EAP Properties dialog box, verify that the following check boxes are selected:

    a. Validate server certificate

    b. Enable Fast Reconnect

    c. Enable Quarantine checks

    31. Click Configure, verify that Automatically use my Windows logon name and password (and domain if any) is selected, and then click OK.

    32. Click OK, and then click OK again.

    33. Restart the computer.

    34. If not already done, plug the client into the 802.1x authentication enabled port.

    Verifying everything works

    Now that everything is configured, here is what should happen. Open Manage Network Connections. The local wired interface will be listed as something like Local Area Connection. When the network cable is plugged in, the middle line of text beside the icon will say "attempting to authenticate". When successful it will say "enabled" and then "detecting". Once you see "enabled", 802.1x authentication has completed successfully. If Windows Firewall is enabled you should have access to the entire network; confirm this by pinging the domain controller. If Windows Firewall is not enabled the NIC will still say "enabled", but the client will be unable to ping the domain controller or anything else outside the non-compliant VLAN. A couple of notes:

    DHCP is a little awkward. After 802.1x authentication Windows needs to request a DHCP address, but it does not always wait for authentication to succeed, so the DHCP request may go unanswered. This is a Windows bug. Running ipconfig /renew should get the client an address and onto the network, assuming the client is in the compliant VLAN.

    Logs for the NPS server can be viewed in the Longhorn Management console:

    1. Right click computer and click manage

    2. expand Diagnostics->Event Viewer->Custom Views->Server Roles->Network Policy and Access Services.

    For every 802.1x authentication request there will be two information entries. These give you information on the client, the RADIUS client (that is, the switch), the success or failure of authentication, and the policy used to make the decision. Here is what to look for:

    • If the client has Windows firewall enabled:

    o Network Policy name: NAP 802.1X (Wired) OS Compliant

    o Result: Full Access

    • If the client does not have Windows firewall enabled:

    o Network Policy name: NAP 802.1X (Wired) OS Noncompliant

    o Result: Full Access

    Note that in both cases full access is granted. This means that full access to the appropriate VLAN was granted. In the case of no Windows Firewall, full access is granted to the non-compliant VLAN, and thus the client cannot access the rest of the network.

    If the log shows other policies used double check the settings for all Policies in NPS. It is likely that one is enabled or disabled that should not be or that a condition is not properly set.

    If the log show limited access double check NAP enforcement in the Network Policies. They should be set to Allow full network access.

    If the log looks correct but the client is not connecting to the network, try a static IP to eliminate DHCP issues. Also verify on the switch that the client is being placed in the proper VLAN. If it is not, double check the RADIUS attributes in the Network Policies and ensure the proper Tunnel-Pvt-Group-ID value (the name of the VLAN) is set. Some switches require the VLAN ID rather than the name; the Cisco 2940 requires the name, not the ID.

    If the NPS logs are OK, the client is using a static IP, and is being assigned into the proper VLAN then there is likely an issue with VLAN/routing config somewhere on the network. Good luck. 802.1x can always be turned off temporarily to verify all VLAN/routing.

    AMT Provisioning requirements:

    1. 802.1x profile used for wired 802.1x authentication must be configured with EAP-PEAP (MS-CHAP v2).

    2. AMT profile used to provision the ME must have NAP enabled.