Network Access Protection with DHCP Step-By-Step Guide

Network Access Protection or NAP is a service which validates the health status of different type of clients which intend to use some specific services on the network. Once the client is trying to use the service, its health status is checked by using the health validation agent of NAP service installed on NAP server and if approved, the client is allowed to use that service.

One of the services that can be well-integrated with NAP is DHCP. If the client trying to receive an IP address does not pass the health validation check, it is not allowed to receive an IP address and therefore is not able to connect to the network.

Of course one of the disadvantages of using DHCP integrated with NAP is that it could be easily bypassed if the client avoided using a dynamic IP address configuration and the user set its IP address manually and joined the network. This actually would all go back to how much privilege is given to the user to be able to change its IP address manually. For this part, we would not talk about in this post as we would try to solely focus on the DHCP and NAP configuration both on the DHCP and NAP Servers and also on the client.

First of all we need to install Network Policy Server Role. Open up Server Manager and click on Add Roles and then from the roles check Network Policy and Access Services and click Next. Then from the available Role Services, check Network Policy Server, click Next and then Install:

Then from the Administrative Tools, click on Network Policy Server and then in the new windows click on Configure NAP:

From the Network Connection Methods, choose Dynamic Host Configuration Protocol (DHCP) and then choose a name for the Policy:

Since we do not have a Radius Server in our scenario, click Next again and in the next step click on Add and then give a name to the specified DHCP Scope:

Click Next again so that this policy will be applied to all the users. Click Next again and in the new window you should specify a remediation server by clicking on the New Group.

In the new Window, give it a name like Rem-Server. Click on Add and then give the IP address of the Remediation Server. Here I entered

Notes: A remediation server is the server that gives non-compliant computers (Unhealthy computers) the needed patches and updates to change their status to compliant and healthy.

After you added the New Group, then do not enter any URL as the Troubleshooting URL since in this scenario we do not need one and then click Next and then click Next again and then click Finish.

Then on the Network Policy Server console and under Network Access Protection click on System Health Validators  and then on the right hand side right click on Windows System Health Validator and click Properties:

in the new Windows click on Configure:

and then in the following Windows you can specify what tests you need to be run on different types of clients (Windows Vista and Windows XP):

I let them all on and then click OK twice and finish it all.

And then on the server click on Run and type mmc and then from the File menu, choose Add/Remove Snap-in and then choose NAP Client Configuration and click Add and then choose the local computer and click on OK twice to open the following console.

On the left pane, click on NAP Client Configuration and then Enforcement Clients and then on the right right click on DHCP Quarantine Enforcement Client and click Enable.

Now you are done with the NAP Configuration on the server and you have to move to your Domain Controller and if you want this policy to be applied to all the computers, make some modification on the default domain policy using Group Policies.

So on the domain controller open up Group Policy Management Console from the administrative Tools and then right click on the Default Domain Policy and click Edit:

Go to Computer Configuration->Windows Settings->Security Settings->Network Access Protection->NAP Client Configuration->Enforcement Clients and then from the right hand side right click on DHCP Quarantine Enforcement Client and click Enable.

Then Go to Computer Configuration->Windows Settings->Security Settings-> System Services and then on the right hand side double click on Network Access Protection Agent and from this Window apply the following configuration:

Then go to your DHCP Server and open up DHCP from the administrative Tools, and we assume that you already have one scope:

Right click on the scope name and then click Properties and then go to the Network Access Protection tab and click on Enable for this scope and then click OK.

and then go to the scope Options and right click on it and then choose Configure Options and go to the Advanced Tab and from the User Class choose Default Network Access Protection Class and then in the options check DNS Server and add a DNS Server IP Address and then click OK.

Now you are done and everything works fine. All you need to do is to go to your client and disable the firewall or disable your antivirus program or do something which makes your client NOT HEALTHY and then you will see that you will get an IP Address from the DHCP Server but this time with a DNS address of

You want to learn more about Network Access Protection and see more scenarios such as integration with VPN? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book.

To get more information about the book click on the book below:


That was all and I hope it was useful for you


7 thoughts on “Network Access Protection with DHCP Step-By-Step Guide

  1. dude
    with using cisco ip source verify even if a user change its ip address the switch does not any traffic pass. the switch allow only source ip address that gained their address from dhcp server.

Leave a Reply

Your email address will not be published. Required fields are marked *