Microsoft offers free, basic NAC for Windows-only shops

Despite the fact that Network Access Control (NAC) hasn’t yet lived up to its initial promise, NAC is very much alive, as evidenced by the fact that 12 vendors participated in our NAC test, including industry leaders Microsoft, HP, Juniper, McAfee, Symantec and Alcatel-Lucent.

Vendor: Microsoft Network Access Protection (NAP), including the NAP client and Network Policy Server (NPS) NAP client is included with all versions of Windows (XP, Windows Vista and Windows 7); NPS is included with Windows 2008 server Free to Windows shops, built into products that most enterprises already have Windows-only, features are relatively primitive


Pricing (1,000 users):



Review: Network Access Protection (NAP) is the term Microsoft uses for a suite of enforcement mechanisms closely tied to endpoint security compliance.

NAC: What went wrong?

NAP is based on a Windows-only client that combines endpoint security checking with optional authentication. Out-of-the-box, the Microsoft NAP client uses Windows Security Center for its health check, giving a fairly basic set of endpoint security checks — anti-virus, anti-spyware, firewall, automatic patching. However, the NAP client’s health check can be swapped for any third-party health checker that is NAP compatible.

Microsoft NAP will work best in an all-Microsoft operating system environment where all devices are joined to a Windows domain. In those situations, the management of the NAP client can be handled through normal domain configuration tools. Without the convenience of domain configuration, setting up Microsoft NAP can be complicated, although there are third-party vendors, such as Cloudpath Networks that have worked to make this simpler.

Even with this additional help, though, there's no real support for tools such as captive portals, guest management and MAC-based authentication within NAP. If your NAC deployment requires these, you’ll have to build additional mechanisms on top of what Microsoft provides.

Network Policy Server (NPS) is a RADIUS server, which gives NAP the ability to operate in an 802.1X environment with network edge enforcement. Although NPS does have generic RADIUS capabilities to deliver VLAN and ACL information to switches in an 802.1X scenario, the facilities to manage these settings in NPS are fairly primitive, which makes it really only suitable for VLAN assignment as an access control enforcement technique.

Read daily Microsoft news

However, NAP and NPS can enforce access controls through other mechanisms because of the close ties between the NAP client and Windows. DHCP-based enforcement (assuming you are using Microsoft’s DHCP server) is still available. Microsoft’s own VPN server (Routing and Remote Access Server) is also tied to NAP, so users connecting through RRAS can have differentiated access based on the state of their endpoint security at connection time.

And, in a pure Windows environment on a LAN with everyone playing by the same rule book, you can use IPsec as an enforcement mechanism.

Microsoft's NAP is certainly not the most functional NAC strategy we tested, but it has a huge advantage over every other strategy: it's built-in to Windows. Savvy network managers will look for ways to work around NAP's weaker spots, while taking advantage of the strong parts of the architecture, such as the built-in client and easy integration with Windows.

Return to main test.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.