(Screenshot: New Network Policy wizard, Configure Constraints page. "Constraints are additional parameters of the network policy that are required to match the connection request. If a constraint is not matched by the connection request, NPS automatically rejects the request. Constraints are optional; if you do not want to configure constraints, click Next." Constraints listed: Idle Timeout (specify the maximum minutes that the server can remain idle before the connection is disconnected), Session Timeout, Called Station ID, Day and time restrictions, NAS Port Type.)
Next, on the Configure Settings page, select NAP Enforcement.
In the right-hand pane, select Allow full network access to grant unrestricted access for the Health Policy named Full Access.
(Screenshot: New Network Policy wizard, Configure Settings page. "NPS applies settings to the connection request if all of the network policy conditions and constraints for the policy are matched." Settings tree: RADIUS Attributes (Standard, Vendor Specific), Network Access Protection (NAP Enforcement, Extended State), Routing and Remote Access (Bandwidth Allocation Protocol (BAP), IP Filters, Encryption). NAP Enforcement options: "Allow full network access: allows unrestricted network access for clients when the connection request matches the policy. Use this option for reporting mode"; "Allow full network access for a limited time: allows unrestricted network access until the specified date and time. After the specified date and time, health policy is enforced and non-compliant computers can access only the restricted network"; "Allow limited access: non-compliant clients are allowed access only to a restricted network for updates"; and Remediation Server Group and Troubleshooting URL. Allow full network access is selected.)
Similarly, create a Network Policy named Limit Access Policy to grant limited access for the Health Policy named
(Screenshot: New Network Policy wizard, Specify Network Policy Name and Connection Type page. Policy name: Limit Access Policy. Network connection method: Type of network access server: Unspecified.)
On the Specify Access Permission page, select Access granted.
(Screenshot: Specify Access Permission page. "Configure whether you want to grant network access or deny network access if the connection request matches this policy." Options: Access granted (grant access if client connection attempts match the conditions of this policy), which is selected; Access denied (deny access if client connection attempts match the conditions of this policy); Access is determined by User Dial-in properties (which override NPS policy): grant or deny access according to user dial-in properties if client connection attempts match the conditions of this policy.)
In the Configure Authentication Methods window, select Perform machine health check only.
(Screenshot: Configure Authentication Methods page. "Configure one or more authentication methods required for the connection request to match this policy. For EAP authentication, you must configure an EAP type. If you deploy NAP with 802.1X or VPN, you must configure Protected EAP in connection request policy, which overrides network policy authentication settings." EAP Types list with Add, Edit, Remove, Move Up and Move Down buttons; check boxes for MS-CHAP-v2 and MS-CHAP, each with "User can change password after it has expired", Encrypted authentication (CHAP), Unencrypted authentication (PAP, SPAP), Allow clients to connect without negotiating an authentication method, and Perform machine health check only, which is the one checked.)
Next, on the Configure Settings page, select NAP Enforcement.
In the right-hand pane, select Allow limited access to grant limited access for the Health Policy named Limit Access.
(Screenshot: New Network Policy wizard, Configure Settings page for Limit Access Policy, NAP Enforcement selected. The pane shows the same options as before: Allow full network access, Allow full network access for a limited time, Allow limited access, and Remediation Server Group and Troubleshooting URL; Allow limited access is chosen, so clients that do not meet the health requirements are placed on the restricted network.)
The console after both Network Policies have been created:
(Screenshot: Network Policy Server console, Policies > Network Policies. "Network policies allow you to designate who is authorized to connect to the network.")

Policy Name                                                | Status   | Processing Order
Full Access Policy                                         | Enabled  | 3
Limit Access Policy                                        | Enabled  | 4
Connections to Microsoft Routing and Remote Access server  | Disabled | 999998
Connections to other access servers                        | Disabled | 999999
At this point the NAP configuration on the DHCP Server is complete.
However, by default the DHCP Server does not apply these rules, so in the DHCP console select the Scope, right-click it and choose Properties.
(Screenshot: DHCP console, right-click menu on Scope [172.16.1.0] with Properties selected.)
Next, open the Network Access Protection (NAP) tab and select Enable for this scope.
(Screenshot: Scope [172.16.1.0] DHCP Properties dialog, Network Access Protection tab, with Enable for this scope selected.)
Next, right-click Scope Options and choose Configure Options.
(Screenshot: DHCP console on server.gccom.net, Scope [172.16.1.0], with Address Leases, Reservations, Scope Options and Server Options in the tree. The existing Standard scope options include one with the value 172.16.1.1 and 015 DNS Domain Name = gccom.net. The right-click menu on Scope Options shows Configure Options.)
Open the Advanced tab and choose Default Network Access Protection Class under User class.
In Available Options select 015 DNS Domain Name and enter the string value None.
(Screenshot: Scope Options dialog, Advanced tab. Vendor class: DHCP Standard Options. User class: Default Network Access Protection Class. Available Options: 014 Merit Dump File (unchecked), 015 DNS Domain Name (checked). Data entry, String value: None.)
The scope options after completion:
(Screenshot: DHCP console, server.gccom.net > IPv4 > Scope [172.16.1.0] > Scope Options, now listing the Standard options 006 DNS Servers = 172.16.1.1 and 015 DNS Domain Name = gccom.net, a further Standard option with the value 172.16.1.1, and the class-specific 015 DNS Domain Name = None for the Default Network Access Protection Class.)
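The two DHCP-side steps just shown can also be done from the command line. The following is an added example written for this edit, not the tutorial's own commands: it runs netsh from an elevated PowerShell prompt on the DHCP server and assumes the page's scope, 172.16.1.0, and the built-in user class name. The netsh option-value syntax is written from memory of the netsh dhcp reference and should be confirmed with the context's built-in help before use.

```powershell
# Added example (not from the original tutorial): the DHCP-side NAP steps of the
# walkthrough done with netsh instead of the DHCP console.
# Assumptions: elevated prompt on the DHCP server; the scope is the page's
# 172.16.1.0; the user class is the built-in NAP class.

$scope    = "172.16.1.0"
$napClass = "Default Network Access Protection Class"

# Step 1: Scope Properties > Network Access Protection (NAP) > "Enable for this scope"
netsh dhcp server scope $scope set napstate enable

# Step 2: Scope Options > Advanced > User class = NAP class,
#         option 015 DNS Domain Name = "None".
# Clients that fail the health check receive this class-specific value instead of
# gccom.net, which is what later shows up as "Connection-specific DNS Suffix : None".
# Syntax recalled from the netsh dhcp reference; confirm with:
#   netsh dhcp server scope $scope set optionvalue ?
netsh dhcp server scope $scope set optionvalue 015 STRING user=$napClass "None"

# Verify: list the scope's option values, including the class-specific one
netsh dhcp server scope $scope show optionvalue
```

The DNS domain name is only a visible marker here; the restriction itself comes from the NAP-enabled scope withholding the router option from non-compliant clients, which the ipconfig test later in the walkthrough shows.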
Client machines that do not meet the Windows Security Health Validator requirements are issued an IP address by the DHCP Server but no Default Gateway, because the Network Policy named Limit Access Policy, governed by the Health Policy named Limit Access, applies to them.
Now we continue with the NAP configuration on the Client machines.
On PC02, open Run and enter napclcfg.msc.
(Screenshot: Run dialog with napclcfg.msc entered; "This task will be created with administrative privileges".)
In the NAP Client Configuration console, enable the DHCP Quarantine Enforcement Client.
(Screenshot: NAP Client Configuration (Local Computer) > Enforcement Clients, listing the DHCP Quarantine Enforcement Client, Remote Access Quarantine Enforcement Client, IPsec Relying Party, TS Gateway Quarantine Enforcement Client and EAP Quarantine Enforcement Client, all Disabled, with the right-click menu (Enable, Refresh, Properties) open on the DHCP client.)
Next, open Services, select Network Access Protection Agent, set its startup type to Automatic, and start the service.
(Screenshot: Services console with Network Access Protection Agent highlighted, among Netlogon, Network Connections, Network List Service, Network Location Awareness, Network Policy Server, Network Store Interface Service and Office Source Engine; columns Name, Description, Status, Startup Type.)
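The two client-side steps (enabling the DHCP enforcement client and starting the NAP Agent) can be done without the GUI as well. The following is an added example, not the tutorial's own commands; it assumes an elevated PowerShell prompt on the client and uses 79617, the enforcement-client ID that netsh assigns to the DHCP Quarantine Enforcement Client.

```powershell
# Added example (not from the original tutorial): the client-side NAP steps of the
# walkthrough (napclcfg.msc and services.msc) done from an elevated PowerShell prompt.
# 79617 is the ID of the DHCP Quarantine Enforcement Client in "netsh nap client".

# Step 1: enable the DHCP Quarantine Enforcement Client (Enforcement Clients node)
netsh nap client set enforcement ID=79617 ADMIN=ENABLE

# Step 2: Network Access Protection Agent (service name napagent):
#         startup type Automatic, then start it now
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Verify: the enforcement client should be listed as enabled and the agent running
netsh nap client show config
Get-Service -Name napagent
```

Without both pieces the client never sends a statement of health with its DHCP request, so NPS treats it as non-NAP-capable and the policies built above do not apply to it.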
Now we test by turning off the Windows Firewall on the Client.
(Screenshot: Windows Firewall Settings, General tab. "Windows Firewall can help prevent hackers or malicious software from gaining access to your computer through the Internet or a network." On (recommended): "This setting blocks all outside sources from connecting to this computer, except for those unblocked on the Exceptions tab", with the "Block all incoming connections" check box. Off (not recommended): "Avoid using this setting. Turning off Windows Firewall will make this computer more vulnerable to hackers or malicious software." Off is selected.)
Open a command prompt and you will see that the Client obtains an IP address from the DHCP Server; however, because the Firewall is off (the Client does not meet the requirements set by the Windows Security Health Validator), it receives no Default Gateway.
This Client can therefore reach only the LAN and cannot access the Internet.

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>ipconfig /renew

Windows IP Configuration

An error occurred while releasing interface Loopback Pseudo-Interface 1 : The system cannot find the file specified.

Ethernet adapter Lan:

   Connection-specific DNS Suffix  . : None
   IPv4 Address. . . . . . . . . . . : 172.16.1.58
   Subnet Mask . . . . . . . . . . . : (unreadable in the scan)
   Default Gateway . . . . . . . . . :

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

(Screenshot: NAP tray notification "Network access is limited".)
Now I turn the Windows Firewall on the Client back on.
(Screenshot: Windows Firewall Settings dialog after the firewall has been turned back on.)
Back at the command prompt, the machine now obtains a complete IP configuration:
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>ipconfig /renew

Windows IP Configuration

An error occurred while releasing interface Loopback Pseudo-Interface 1 : The system cannot find the file specified.

Ethernet adapter Lan:

   Connection-specific DNS Suffix  . : gccom.net
   IPv4 Address. . . . . . . . . . . : 172.16.1.38
   Default Gateway . . . . . . . . . : 172.16.1.1

Tunnel adapter Local Area Connection* 6:

   Connection-specific DNS Suffix  . :

C:\Users\Administrator>
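The two ipconfig listings above are the whole test: the restricted lease has an address but no Default Gateway (and, because of the option 015 value configured earlier, the suffix None), while the compliant lease has the gateway 172.16.1.1 and the suffix gccom.net. The following added PowerShell check, which is not from the tutorial, parses ipconfig text and labels each adapter accordingly. The function name Get-LeaseState is my own, and the two sample listings embedded in it are constructed from the screenshots above.

```powershell
# Added example (not from the original tutorial): parse "ipconfig" text and label
# each adapter's lease. A NAP-restricted DHCP lease carries an address but no
# Default Gateway; on this page it also carries the DNS suffix "None" that was
# configured for the Default Network Access Protection Class.
# Get-LeaseState is a name chosen for this example; the samples are constructed.

function Get-LeaseState {
    param([Parameter(Mandatory = $true)][string]$IpconfigText)

    $adapters = @()
    $current  = $null
    foreach ($line in ($IpconfigText -split "`r?`n")) {
        # Adapter headers are not indented, e.g. "Ethernet adapter Lan:"
        if ($line -match '^(\S.*) adapter (.+):\s*$') {
            $current = New-Object PSObject -Property @{
                Type = $matches[1]; Adapter = $matches[2]
                Suffix = ''; Address = ''; Gateway = ''; State = ''
            }
            $adapters += $current
        }
        elseif ($current -ne $null) {
            # Indented detail lines: label, dot padding, colon, value (possibly empty)
            if     ($line -match 'Connection-specific DNS Suffix[ .]*:\s*(.*)$') { $current.Suffix  = $matches[1].Trim() }
            elseif ($line -match 'IPv4 Address[ .]*:\s*(\S+)')                   { $current.Address = $matches[1] }
            elseif ($line -match 'Default Gateway[ .]*:\s*(\S*)')                { $current.Gateway = $matches[1] }
        }
    }

    foreach ($a in $adapters) {
        if     ($a.Address -eq '') { $a.State = 'NoLease' }     # disconnected or tunnel adapter
        elseif ($a.Gateway -eq '') { $a.State = 'Restricted' }  # address issued, router withheld: NAP-limited
        else                       { $a.State = 'Full' }
    }
    return $adapters
}

# Constructed sample 1: the non-compliant client (firewall off), as in the first listing
$restrictedSample = @"
Windows IP Configuration

Ethernet adapter Lan:

   Connection-specific DNS Suffix  . : None
   IPv4 Address. . . . . . . . . . . : 172.16.1.58
   Default Gateway . . . . . . . . . :

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
"@

# Constructed sample 2: the same client after the firewall was turned back on
$fullSample = @"
Windows IP Configuration

Ethernet adapter Lan:

   Connection-specific DNS Suffix  . : gccom.net
   IPv4 Address. . . . . . . . . . . : 172.16.1.38
   Default Gateway . . . . . . . . . : 172.16.1.1
"@

# "Lan" is labelled Restricted in the first sample and Full in the second
Get-LeaseState $restrictedSample | Format-Table Adapter, Address, Gateway, Suffix, State -AutoSize
Get-LeaseState $fullSample       | Format-Table Adapter, Address, Gateway, Suffix, State -AutoSize

# On a live client:  Get-LeaseState (ipconfig | Out-String)
```

The check reads only what the lease says. A host that configures a static address never takes a lease at all, so DHCP enforcement is the weakest of the NAP enforcement methods and is best treated as a compliance nudge for managed clients rather than a security boundary.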
OK, that concludes my presentation of the Network Access Protection (NAP) with DHCP section of the MCSA exams 70-648 and 70-649.
GC Com Computer Investment and Development Co., Ltd. (Công ty TNHH đầu tư phát triển tin học GC Com). Technical site for computer technicians. Phone: (073) - 3.511.373 - 6.274.294
Website: http://www.gccom.net