Friday, October 24, 2014

4. Configure a Network Policy Server (NPS) Infrastructure 4.3 Configure Network Access Protection (NAP)


NAP components
client-side: NAP-capable version of Windows (XP SP3 and later), plus 3rd-party NAP clients for Mac and Linux
NAP enforcement points: 802.1X switch or wireless AP, DHCP server, HRA (IPsec enforcement), RAS/VPN server (RRAS)
NAP Health Policy Server - NPS server with health policies
System Health Agents (SHA) - monitor the health of the NAP client (the built-in one is the Windows Security Health Agent)
Statement of Health (SoH) - produced by each SHA and passed to the NAP agent
NAP agent - maintains the health state of the NAP client computer and communicates with the enforcement clients and the SHAs
Health Registration Authority (HRA) - server that obtains health certificates for compliant computers (used only by IPsec enforcement)
Health requirement servers - such as AV or WSUS servers; supply the current health requirements that the SHVs on the NPS server check against
Remediation servers - the resources a noncompliant computer is allowed to reach so it can update itself

NAP connection process
NAP client connects to a NAP-enabled network - each SHA validates its part of system health and generates an SoH
NAP agent combines the SoHs into a System Statement of Health (SSoH) and sends it through the enforcement client and enforcement point to the NAP health policy server configured at that enforcement point
NAP health policy server hands each SoH to the matching SHV and uses the SHV results plus the health policies to determine whether the client is compliant
Each SHV returns a Statement of Health Response (SoHR); the NPS server combines them into an SSoHR and returns it to the client through the enforcement point
If compliant, the enforcement point allows full access. If noncompliant, the client may be placed on a restricted network with access only to remediation servers (or, if the policy says so, still be allowed full access)
If the client's health state changes, the process repeats.

Note: the HRA is required only for IPsec enforcement, not for DHCP or VPN enforcement. Install the Health Registration Authority role service (NPAS-Health) and configure it with Tools/Health Registration Authority in Server Manager.

4.3.1 Configure System Health Validators (SHVs)
 NPS - NAP - System Health Validators - Windows Security Health Validator
Settings:
Windows 8/7/Vista: firewall enabled; antivirus on and up to date; antispyware on and up to date; Automatic Updates enabled; restrict access for clients that do not have all security updates installed, based on a minimum severity rating; minimum number of hours allowed since the client last checked for updates; require updates from Windows Update and/or WSUS.
Windows XP has the same settings except antispyware.

Error codes:
Select whether each error scenario is treated as compliant or noncompliant. Noncompliant is the fail-closed choice: a client whose health could not actually be checked is restricted instead of waved through.
SHV unable to contact required services
SHA unable to contact required services
SHA not responding to NAP client
SHV not responding
Vendor specific error code received

4.3.2 configure health policies
Health policies are used as conditions in network policies, so you normally create two: one that matches compliant clients and one that matches noncompliant clients, each referenced by its own network policy.

Select an existing template (optional)
Policy name
Client SHV checks:
Client passes all SHV checks
Client fails all SHV checks
Client passes one or more SHV checks
Client fails one or more SHV checks
Client reported as transitional by one or more SHVs
Client reported as infected by one or more SHVs
Client reported as unknown by one or more SHVs

Select which SHVs are considered in this health policy. The default is the Windows Security Health Validator. With more than one SHV selected, "passes one or more" and "fails one or more" can both be true for the same client, so the processing order of the network policies that reference the health policies decides which one applies (NPS uses the first network policy that matches).
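The following is an added example of mine, not part of the original notes and not NPS code: a small PowerShell model of how the seven "Client SHV checks" conditions combine results from several SHVs, with the WSHV error-code settings applied first. NPS performs this evaluation internally and exposes no API for it, so the function names, the sample SHV names ("Contoso AV SHV") and the sample results are assumptions made for illustration.

```powershell
# Added example, not NPS code: model the health policy "Client SHV checks"
# conditions over per-SHV results. Function names and sample data are made up.

# WSHV "Error codes" tab choices (sample settings; the scenarios are the ones
# listed in the notes). All set to Noncompliant = fail closed.
$ErrorCodePolicy = @{
    'SHV unable to contact required services' = 'Noncompliant'
    'SHA unable to contact required services' = 'Noncompliant'
    'SHA not responding to NAP client'        = 'Noncompliant'
    'SHV not responding'                      = 'Noncompliant'
    'Vendor specific error code received'     = 'Noncompliant'
}

function Resolve-ShvResult {
    # A raw outcome is either a health state (Compliant, Noncompliant,
    # Transitional, Infected, Unknown) or an error scenario, which the
    # error-code settings translate into Compliant/Noncompliant.
    param([string]$Raw)
    if ($ErrorCodePolicy.ContainsKey($Raw)) { return $ErrorCodePolicy[$Raw] }
    return $Raw
}

function Test-HealthPolicy {
    # $Condition: one of the seven "Client SHV checks" choices.
    # $Results: SHV name -> raw outcome (the SoHRs for this client).
    # $SelectedShvs: the SHVs ticked in this health policy; others are ignored.
    param(
        [string]$Condition,
        [hashtable]$Results,
        [string[]]$SelectedShvs = @('Windows Security Health Validator')
    )
    $states = @(foreach ($shv in $SelectedShvs) { Resolve-ShvResult $Results[$shv] })
    $pass   = @($states | Where-Object { $_ -eq 'Compliant' }).Count
    $fail   = @($states | Where-Object { $_ -eq 'Noncompliant' }).Count
    switch ($Condition) {
        'Client passes all SHV checks'                        { return ($pass -eq $states.Count) }
        'Client fails all SHV checks'                         { return ($fail -eq $states.Count) }
        'Client passes one or more SHV checks'                { return ($pass -ge 1) }
        'Client fails one or more SHV checks'                 { return ($fail -ge 1) }
        'Client reported as transitional by one or more SHVs' { return ($states -contains 'Transitional') }
        'Client reported as infected by one or more SHVs'     { return ($states -contains 'Infected') }
        'Client reported as unknown by one or more SHVs'      { return ($states -contains 'Unknown') }
        default { throw "Unknown condition: $Condition" }
    }
}

# Constructed SSoH results for one client: WSHV passed, while a (made-up)
# third-party AV SHV could not reach its health requirement server.
$ssoh = @{
    'Windows Security Health Validator' = 'Compliant'
    'Contoso AV SHV'                    = 'SHV unable to contact required services'
}
$shvs = @('Windows Security Health Validator', 'Contoso AV SHV')

foreach ($c in 'Client passes all SHV checks',
               'Client passes one or more SHV checks',
               'Client fails one or more SHV checks') {
    '{0,-40} -> {1}' -f $c, (Test-HealthPolicy -Condition $c -Results $ssoh -SelectedShvs $shvs)
}
```

Paste it into a PowerShell session or save it as a .ps1. With the sample data the three lines print False, True, True: the same client matches both a "passes one or more" health policy and a "fails one or more" health policy, which is exactly why the order of the network policies that reference them matters. Changing the error-code entry for "SHV unable to contact required services" to Compliant flips the last line to False, i.e. an unreachable AV health requirement server would then grant full access, which is the fail-open behaviour you normally want to avoid.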

Extra note: I had trouble getting the WSHV to work with a configuration other than the Default Configuration. Also, it doesn't seem like you can use 2008 or 2012 as a client because of the lack of Security/Action Center.

4.3.3 configure NAP enforcement using DHCP and VPN
DHCP configuration:
If the DHCP server is on a different computer from the NAP health policy server, install NPS on the DHCP server, configure it as a RADIUS proxy that forwards requests to the NAP health policy server (a remote RADIUS server group plus a connection request policy that forwards to it), and add the DHCP server as a RADIUS client on the NAP health policy server.
NAP must be enabled on the DHCP server either for all scopes or for individual scopes (scope Properties, Network Access Protection tab).
Then create connection request, network, and health policies on the NPS server, selecting "DHCP Server" as the network access server type.
The NAP Agent service must be running and the DHCP Quarantine Enforcement Client must be enabled on the clients that will be enforced. See 4.3.5.
Caveat: DHCP enforcement is the weakest enforcement method; a client with a statically assigned IP address bypasses it completely, so use it for visibility and gentle compliance, not as a security boundary.

VPN configuration:
Similar to the DHCP configuration, except that RRAS is configured to use RADIUS authentication pointing at the NPS server, and the RRAS server is added as a RADIUS client on NPS.
The NAP Agent service must be running, and on Windows 7 and later the EAP Quarantine Enforcement Client must be enabled on the client; on XP/Vista use the Remote Access Quarantine Enforcement Client instead. Security Center/Action Center must be running on the client.
PEAP must be used, which requires certificates: the NPS server needs a server certificate (I recommend autoenrollment from the RAS and IAS Server template), and clients must trust the issuing CA. Client certificates (autoenrolled from the Workstation Authentication template) are only needed if the inner EAP method is EAP-TLS (smart card or other certificate); with PEAP-MS-CHAP v2 the clients need no certificate of their own. On the client, the VPN connection must be set to authenticate with PEAP and the PEAP properties must have "Enforce Network Access Protection" enabled. On the NPS server, the connection request policy must override the network policy authentication methods, with PEAP configured there and "Enforce Network Access Protection" enabled in the PEAP settings as well.

4.3.4 configure isolation and remediation of non-compliant computers using DHCP and VPN

 Isolation is configured in the noncompliant network policy under Settings/NAP Enforcement. Choose "Allow limited access" (instead of "Allow full network access" or "Allow full network access for a limited time") and pair it with a remediation server group and/or a troubleshooting URL; "Enable auto-remediation of client computers" lets the NAP agent fix what it can on its own, for example turning the firewall back on. The remediation server group must contain every resource a restricted client needs in order to become compliant: the WSUS and AV servers themselves plus any DNS, DHCP, or domain controller the update process depends on. With DHCP enforcement, a restricted client receives a 255.255.255.255 subnet mask and no default gateway, only host routes to the servers in the group, so anything missing from the group is unreachable.
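As an added example of mine (not from the original notes), here is the server-side part of the DHCP enforcement and remediation setup from 4.3.3 and 4.3.4 done with the NPS and DhcpServer PowerShell modules that ship with Windows Server 2012/2012 R2. The host names, addresses, scope ID, group name and server names are placeholders. The health, network and connection request policies are not covered by these cmdlets and still have to be created in the NPS console (or imported with Import-NpsConfiguration). I treat the value names accepted by -NpsUnreachableAction as an assumption; check Get-Help Set-DhcpServerSetting on your build.

```powershell
# Added example, not from the original notes. Placeholder names/addresses.
Import-Module NPS
Import-Module DhcpServer

# --- Run on the NAP health policy server ---------------------------------

# 1. Register the (remote) DHCP server as a RADIUS client. Generate a random
#    shared secret instead of typing a weak one; the same value goes into the
#    remote RADIUS server group on the DHCP server's NPS proxy.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)
New-NpsRadiusClient -Name 'DHCP01' -Address '10.0.0.5' -SharedSecret $secret | Out-Null
Write-Output "Shared secret for DHCP01 (store it in your password vault): $secret"

# 2. Remediation server group referenced by the noncompliant network policy
#    ("Allow limited access"). Every server a restricted client needs must be
#    here, including DNS and the domain controller, or remediation stalls.
New-NpsRemediationServerGroup -Name 'NAP Remediation' | Out-Null
$remediationServers = @(
    @{ Name = 'WSUS01'; Address = '10.0.0.10' }   # Windows Update source
    @{ Name = 'AV01';   Address = '10.0.0.11' }   # antivirus definition server
    @{ Name = 'DC01';   Address = '10.0.0.2'  }   # DNS + domain controller
)
foreach ($s in $remediationServers) {
    New-NpsRemediationServer -RemediationServerGroup 'NAP Remediation' `
        -Name $s.Name -Address $s.Address | Out-Null
}

Get-NpsRadiusClient | Select-Object Name, Address, Enabled
Get-NpsRemediationServerGroup
# Backup of the whole NPS configuration. It contains the RADIUS shared
# secrets, so protect the file like a credential.
Export-NpsConfiguration -Path "$env:TEMP\nps-backup.xml"

# --- Run on the DHCP server ----------------------------------------------

# 3. Enable NAP server-wide and pick what happens when NPS cannot be reached.
#    'Restricted' keeps clients on the remediation network (fail closed)
#    rather than handing out full leases; assumed value names: Full,
#    Restricted, NoAccess.
Set-DhcpServerSetting -NapEnabled $true -NpsUnreachableAction 'Restricted'

# 4. Enable NAP on one scope (instead of all scopes). Omitting -NapProfile
#    uses the default NAP profile.
Set-DhcpServerv4Scope -ScopeId 10.0.0.0 -NapEnable $true
Get-DhcpServerv4Scope -ScopeId 10.0.0.0 | Select-Object ScopeId, NapEnable, NapProfile
```

Run the first half on the NAP health policy server and the second half on the DHCP server (if both roles are on one box, the RADIUS client entry in step 1 is unnecessary). The "NPS unreachable" choice is the one people most often leave at full access; for an enforcement method as weak as DHCP that turns every NPS outage into a silent bypass, so decide it deliberately.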

4.3.5 configure NAP client settings
Enforcement clients can be configured with the napclcfg.msc console, with Group Policy (Computer Configuration/Policies/Windows Settings/Security Settings/Network Access Protection/NAP Client Configuration), or with netsh in the "nap client" context. Each enforcement client is addressed by a fixed ID: 79617 DHCP, 79618 Remote Access, 79619 IPsec Relying Party, 79621 TS Gateway, 79623 EAP. The NAP Agent service (napagent) is set to Manual by default and must be running for any enforcement client to do anything.

netsh commands used to troubleshoot:
determine the local policy configuration of NAP on the client:
netsh nap client show config
determine the Group Policy configuration of NAP on the client (overrides the local policy configuration when present):
netsh nap client show group
show the state of the client (NAP agent running, which enforcement clients are initialized, and the current restriction state):
netsh nap client show state
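Added example of mine, not from the original notes: a PowerShell script that does the client-side work described in 4.3.3 and 4.3.5 with the netsh commands above. It starts the NAP Agent and Security Center services, enables one enforcement client by its documented ID, and then prints the local, Group Policy and runtime views so you can see which configuration is actually in effect. The function and parameter names are my own; the enforcement-client IDs are the documented NAP ones.

```powershell
# Added example, not from the original notes. Run from an elevated prompt on
# a Windows 7/8 NAP client; enforcement-client IDs are the documented values.
param(
    [ValidateSet('DHCP', 'EAP', 'RemoteAccess', 'IPsec')]
    [string]$Enforcement = 'DHCP'
)

$EnforcementIds = @{
    DHCP         = 79617   # DHCP Quarantine Enforcement Client
    RemoteAccess = 79618   # Remote Access Quarantine Enforcement Client (XP/Vista VPN)
    IPsec        = 79619   # IPsec Relying Party (needs an HRA)
    EAP          = 79623   # EAP Quarantine Enforcement Client (Windows 7+ VPN, 802.1X)
}

function Enable-NapAgent {
    # NAP Agent is Manual by default; without it every enforcement client is
    # inert. The Windows SHA reads Security/Action Center (wscsvc), so that
    # service has to run as well.
    foreach ($svc in 'napagent', 'wscsvc') {
        Set-Service -Name $svc -StartupType Automatic
        if ((Get-Service -Name $svc).Status -ne 'Running') { Start-Service -Name $svc }
    }
}

function Enable-NapEnforcementClient {
    param([int]$Id)
    # This writes the LOCAL NAP client configuration. If NAP client settings
    # are delivered by Group Policy, the GP view below wins and this is ignored.
    netsh nap client set enforcement id=$Id admin=enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh could not enable enforcement client $Id" }
}

function Show-NapClientViews {
    # Local config, Group Policy config (overrides local), runtime state.
    # Only the lines that matter for enforcement are kept.
    foreach ($view in 'config', 'group', 'state') {
        Write-Output "=== netsh nap client show $view ==="
        netsh nap client show $view 2>&1 |
            Select-String -Pattern 'Name =|ID =|Admin =|Initialized =|Restriction state|not configured'
    }
}

Enable-NapAgent
Enable-NapEnforcementClient -Id $EnforcementIds[$Enforcement]
Show-NapClientViews
```

Save it as a .ps1 and run it as `.\nap-client.ps1 -Enforcement EAP` on a Windows 7 VPN client or with the default (DHCP) for DHCP enforcement. Look at the "show group" section first: if Group Policy delivers NAP client settings, the local change made by "set enforcement" never takes effect, and "show state" will still report the enforcement client as not initialized. For a VPN client, enabling the EAP enforcement client is only half of the job; the PEAP settings of the VPN connection itself must also have "Enforce Network Access Protection" turned on.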

10 comments:

  1. This comment has been removed by a blog administrator.

  2. Wohh I love it, I mean this blog is just awesome. I personally love this informative article… Keep posting such information… Keep Going!
    Germany VPS Hosting

  3. This comment has been removed by the author.

  4. This comment has been removed by the author.

  5. Hello friend your blog is very instructive, and it contains a very good amount of knowledge, knowing about Configure Network Access Protection is very helpful. If you don't want to interrupt your website surfing get the best USA VPS Hosting ​service. at a very cheap price.

  6. It's really a great and helpful piece of info. I am glad that you shared this helpful info with us. Please keep us informed like this. If I can help you.It's you grow your websites.USA VPS Thanks for sharing.

  7. Outstanding post thanks for sharing it. Your post is very enlightening. It's a truly a great and valuable piece of info. I am pleased that you shared this valuable info with us. Finland VPS Server

  8. Good articles We greatly appreciate you providing us with this type of information. Nowadays, getting accurate information from the internet is crucial. These are the kinds of articles that we all need to be aware of, therefore I will definitely be sharing them with my friends. You should be aware of Dubai VPS Server hosting and how crucial it may be in the contemporary globe. Once more, many thanks.

  9. Exceptionally helpful and awesome article! I just got started with it, but I'm learning more about it every day! Thank you and keep doing fantastic! If you're curious about what a Russia VPS Server might do for you, there's a company that offers some of the best around.


  10. Your blog is interesting to read It's a pretty helpful blog that I've been looking for a while; if you want to learn more about or purchase a Japan VPS Server, do so right away.... Japan VPS Server
