Microsoft NAP: NAC for the rest of us?
NAP is a good foundation for policy-based network access control, but lacks granular controls and easy management
NAP requires the setup of multiple databases for administration and management of the overall system, one of which is the logging database. Prior to Windows Server 2008 R2, the logging database required extensive SQL-based configuration. This setup has been automated in R2, completely relieving the administrator of an onerous task.
Similarly, prior to R2, Windows Server 2008 provided only one SHV configuration, meaning that wholesale changes to the system health requirements had to be made universally. Now you can apply different policies based on a specific configuration of the SHV. For example, systems internal to your network may require that only the anti-virus component is current, while systems connected via VPN may require both anti-virus and antispyware be active.
In addition, when used with Windows 7, R2 provides a streamlined remote access facility, simplifying remote connectivity and securing Remote Workspace, Presentation Virtualization, and Remote Desktop Services Gateway sessions.
NAP in the lab
As in previous reviews (see "NAC smorgasbord: Four ways to police the network" and "Sophos NAC is a good start"), we examined NAP's ability to handle typical scenarios, including guest access, rogue devices, and non-Windows devices. We also examined the enforcement methods available natively with NAP. We installed Windows Server 2008 as the network core and configured both Windows Vista and Windows XP SP3 devices on the network. Our network also included a Mac OS X client and a printer, though NAP does nothing with non-Windows devices. It only tests the posture, or "health status," of Windows systems.
While configuring NAP was straightforward, it was also complex, requiring a long list of supporting services to be installed and configured. Even my simple deployment required several hours to configure, due to the prerequisites for 802.1X on Windows Server 2008, including the RADIUS server, certificates, and the enforcement clients.