As any network administrator knows, wireless networks
present special problems. Users love them because they can reach the
network from just about anywhere, but securing them can be a headache. One rogue access point, and before you know
it, your corporate data can be streaming out the windows.
Network Access Protection can help solve this problem. Here's how.
Security and wireless networking in the enterprise
A few years ago, if a user asked you to deploy wireless
networking in the enterprise, the standard answer from a security perspective
was "NO!" The usefulness of wireless
networking quickly overcame the initial security concerns. Rather than leaving users
to put in rogue access points, many enterprises have embraced wireless
networking with security in mind from the start. Network Access Protection
for wireless networks works, fundamentally, no differently than it does for wired
networks: the same roles and enforcement methods apply, in much the same way,
within the scope of the MS-NAP implementation.
For the MS-NAP implementation, the key difference for
wireless clients revolves around encryption and roaming. As a general rule,
Microsoft recommends the IPsec enforcement method, but for wireless MS-NAP
implementations the situation is a little different. With
roaming wireless clients using 802.1X authentication, the traffic is not
encrypted end-to-end; the encryption stops at the router or switch from the wireless
If you have wireless networking equipment that supports
IEEE 802.1X authentication, Microsoft recommends that you use the
802.1X enforcement method, or enforcement client (EC). Note that 802.1X is an
IEEE standard for port-based network access control, not a Microsoft protocol:
the network-side support comes from your switch and access-point vendors, and
the NAP client adds the health check on top of the EAP authentication.
However, be aware that products mature. If you run the MS-NAP
implementation with the 802.1X enforcement client, there are two product
lines whose compatibility you have to keep track of: Windows (the NAP client and
NPS) and your networking equipment. For example, a firmware update to a switch
or access point that enables or disables 802.1X, or changes how it behaves, would break
the MS-NAP implementation. Likewise, future Windows updates may change or extend
MS-NAP behaviour in ways that your networking equipment, as-is, may or may
not support.
Wireless clients scope of use
Managing wireless clients or mobile users always presents
administrators with additional challenges: users need full functionality offline while
keeping all the access levels they require. Many administrators make notebook users
local administrators, as it is just too easy to support users when
they are out of the office by letting them perform certain tasks directly. Keep
in mind that a local administrator can also change the machine's own network
configuration, which matters for any enforcement method that relies on the
client cooperating.
Chances are that when notebook users are out of the office,
they connect to other networks to do parts of their job. When applying an MS-NAP
implementation to notebook users, be sure to test roaming off your primary wired and wireless
networks to a public network, and then back to the protected network.
Be sure to also test your VPN connectivity from the public network. When
everything is working as expected, the MS-NAP client reports that you have
full access to the network and all seems fine. It is worth the
effort to make sure that network hopping causes no operator issues and
that the security configuration is maintained and verified across all
One important consideration for wireless clients is that
they may fall into multiple categories. You may choose to implement MS-NAP with
one specific enforcement method, but a client may access your network from
Consider a typical notebook user within an enterprise that
has wireless networking. That user may access your network at their desk
through the wired connection, via the enterprise wireless network, and remotely
through the VPN. In that situation there may be several ways you need
to implement MS-NAP. You could have one or more servers running
Network Policy Server (NPS) acting as the health policy server for each connection point (VPN, DHCP, and
802.1X), or the IPsec enforcement client could span all of the connections. With
multiple enforcement methods in use, architect your solution so that every
enforcement point sends non-compliant clients to the same remediation network,
which streamlines resolution regardless of how the client connected. Be aware that
the enforcement methods are not equally strong: DHCP enforcement relies on the
client honouring the restricted address configuration it is handed, so a user with
local administrator rights can sidestep it by assigning a static IP address, whereas
802.1X and IPsec enforcement are applied by the switch, the access point, or the
peers the client talks to.
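The roaming test described earlier and the per-connection enforcement clients discussed in this section can both be driven from the NAP client itself. The following PowerShell script is an added example, not code from the original article or from Microsoft: it enables the built-in enforcement clients a notebook user needs (DHCP, VPN, IPsec and 802.1X), captures the client's NAP state before and after a network move so the two can be compared, and lists any adapter that has been switched to a static address, which is the DHCP-enforcement bypass mentioned above. The enforcement client IDs are the ones `netsh nap client` uses for the built-in enforcement clients; the parsing of the `netsh nap client show state` output as `Name = Value` lines, and the `Restriction state` field name, are assumptions about that output's text format and should be checked against your own client.

```powershell
# Added example (not from the original article): drive the NAP client on a
# roaming notebook. Run in an elevated PowerShell on a Windows Vista or
# Windows Server 2008 NAP client.

# IDs of the built-in NAP enforcement clients as used by "netsh nap client".
$EnforcementClients = @{
    79617 = 'DHCP Quarantine Enforcement Client'
    79618 = 'Remote Access Quarantine Enforcement Client (VPN)'
    79619 = 'IPsec Relying Party'
    79621 = 'EAP Quarantine Enforcement Client (802.1X)'
}

function Enable-NapEnforcementClients {
    param([int[]] $Ids = @(79617, 79618, 79619, 79621))
    # The NAP Agent service must be running for any enforcement client to work.
    Start-Service -Name napagent -ErrorAction SilentlyContinue
    foreach ($id in $Ids) {
        Write-Host ("Enabling {0} (ID {1})" -f $EnforcementClients[$id], $id)
        netsh nap client set enforcement ID = $id ADMIN = "ENABLE" | Out-Null
    }
}

function Get-NapClientState {
    # Returns a hashtable of the "Name = Value" lines printed by
    # "netsh nap client show state". ASSUMPTION: the output uses "=" as the
    # separator; adjust the pattern if your client prints something else.
    $state = @{}
    foreach ($line in (netsh nap client show state)) {
        if ($line -match '^\s*(.+?)\s*=\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-NapRestricted {
    # ASSUMPTION: the client state output carries a "Restriction state" field
    # whose value is "Restricted" while the client is on the remediation network.
    $state = Get-NapClientState
    return ($state['Restriction state'] -eq 'Restricted')
}

function Get-StaticIpAdapters {
    # Enabled IP adapters that are NOT using DHCP. On a DHCP-enforced network a
    # static address is exactly how a local administrator bypasses enforcement,
    # so anything listed here deserves a look.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
        Where-Object { -not $_.DHCPEnabled } |
        Select-Object Description, IPAddress
}

function Invoke-NapRoamingCheck {
    # Snapshot the state, let the operator move to another network (public
    # Wi-Fi, VPN, back to the wired LAN), then snapshot again and report what
    # changed. This is the manual roaming test from the article, scripted.
    $before = Get-NapClientState
    Write-Host 'Move the notebook to the next network, then press Enter.'
    [void](Read-Host)
    $after = Get-NapClientState
    foreach ($key in $before.Keys) {
        if ($before[$key] -ne $after[$key]) {
            Write-Host ("{0}: '{1}' -> '{2}'" -f $key, $before[$key], $after[$key])
        }
    }
    if (Test-NapRestricted) {
        Write-Warning 'Client is restricted on this network; check remediation access.'
    }
    $static = Get-StaticIpAdapters
    if ($static) {
        Write-Warning 'Adapters with static addresses (DHCP enforcement would not apply):'
        $static | Format-Table -AutoSize
    }
}

# Usage: enable the enforcement clients once, then run the roaming check on
# each network hop of the test plan.
Enable-NapEnforcementClients
Invoke-NapRoamingCheck
```

Run `Invoke-NapRoamingCheck` once per hop of your test plan (wired desk, enterprise wireless, public network, VPN from the public network, back to the protected network) and keep the printed differences; a change in `Restriction state` on the way back in, or a static address that survived the trip, is the kind of configuration drift the roaming test is meant to catch.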
Online resources for
The MS-NAP implementation is still officially a beta on
the server side ahead of the forthcoming release of Windows Server 2008. However,
there is a lot of good information from Microsoft about the configuration,
features, and usage scenarios of Network Access Protection. Here are some
resources available now:
TechNet — Network Access Protection: Here’s a good starting
point for understanding the Microsoft Network Access Protection
implementation. Here, you can get some step-by-step guides for usage
examples and access to Webcasts.
Virtual Lab — Network Access Protection with IPSec Enforcement:
This is a 90-minute simulation where you can configure a MS-NAP
implementation online without the hassle of setting up a test network.
TechNet — Introduction to Network Access Protection: Here you
can download a white paper on an overview of the MS-NAP implementation.
Using NAP on VPN connections: Here TechRepublic contributor
Scott Lowe gives a good walkthrough of MS-NAP using VPN connections.
TechNet — Network Access Protection: Frequently asked questions.
Network Access Protection a spin
This series on Microsoft's Network Access Protection has
gone through client configuration, server configuration, and a look at the
entire scope of the solution. There are many configurations and usage scenarios
for NAP, and you need to decide whether one is right for you. Share your comments
and questions below with the TechRepublic blog on Microsoft's Network Access
Protection for Windows Server 2008 "Longhorn".