Network Access Protection (NAP) is a platform that provides policy enforcement components that help ensure that computers connecting to or communicating on a network comply with administrator-defined requirements for system health. Using DHCP NAP, you can choose to limit the access of computers that do not meet requirements to a restricted network. The restricted network contains resources needed to update computers so that they meet the health requirements for unlimited network access and normal communication.
With DHCP enforcement, a computer must be compliant to obtain an unlimited access IP address configuration from a DHCP server. For noncompliant computers, network access is limited by an IP address configuration that allows access only to the restricted network. DHCP enforcement enforces health policy requirements every time a DHCP client attempts to lease or renew an IP address configuration. DHCP enforcement also actively monitors the health status of the NAP client and renews the IPv4 address configuration for access only to the restricted network if the client becomes noncompliant.
How DHCP Enforcement Works
The following process describes how DHCP enforcement works for a NAP client that is attempting an initial DHCP configuration:
- The NAP client sends a DHCP request message containing its health state information to the DHCP server.
- The DHCP server sends the health state information of the NAP client to the NAP health policy server.
- The NAP health policy server evaluates the health state information of the NAP client, determines whether the NAP client is compliant, and sends the results to the NAP client and the DHCP server. If the NAP client is not compliant, the results include a limited access configuration for the DHCP server and health remediation instructions for the NAP client.
- If the health state is compliant, the DHCP server assigns an IP address configuration for unlimited access to the NAP client and completes the DHCP message exchange.
- If the health state is not compliant, the DHCP server assigns an IPv4 address configuration for limited access to the restricted network to the NAP client and completes the DHCP message exchange. The NAP client can send traffic only to the remediation servers on the restricted network.
- The NAP client sends update requests to the remediation servers.
- The remediation servers provision the NAP client with the required updates for compliance with health policy. The NAP client updates its health state information.
- The NAP client sends a new DHCP request message containing its updated health state information to the DHCP server.
- The DHCP server sends the updated health state information of the NAP client to the NAP health policy server.
- Assuming that all the required updates were made, the NAP health policy server determines that the NAP client is compliant and instructs the DHCP server to assign an IPv4 address configuration for unlimited access to the intranet.
- The DHCP server assigns an IP address configuration for unlimited access to the NAP client and completes the DHCP message exchange.
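The exchange above, modelled as an added example (constructed simulation, not Microsoft's code): a DHCP server that forwards the client's health state to a health policy server, hands out either an unlimited or a restricted configuration, and re-evaluates after remediation. The policy checks, addresses and remediation server route are assumed values.

```python
# Constructed model of DHCP NAP enforcement: lease -> evaluate -> restrict -> remediate -> renew.

# Health requirements the NAP health policy server checks (assumed example policy).
REQUIRED_HEALTH = {"firewall_on": True, "antivirus_current": True}

# Unlimited access: normal subnet and default gateway (assumed addresses).
UNLIMITED_CONFIG = {"access": "unlimited", "ip": "10.0.0.50",
                    "mask": "255.255.255.0", "gateway": "10.0.0.1"}
# Limited access: /32 mask, no default gateway, host routes only to the
# remediation server(s) on the restricted network (assumed address).
LIMITED_CONFIG = {"access": "restricted", "ip": "10.0.0.50",
                  "mask": "255.255.255.255", "gateway": None,
                  "routes": ["10.0.1.10/32"]}


class NapClient:
    def __init__(self, health):
        self.health = dict(health)   # statement of health sent in the DHCP request
        self.config = None           # configuration assigned by the DHCP server


def health_policy_server(health):
    """Evaluate the client's health state; return (compliant, remediation instructions)."""
    failures = [k for k, v in REQUIRED_HEALTH.items() if health.get(k) != v]
    return (not failures), failures


def dhcp_server(health):
    """Forward health state to the policy server and pick the configuration to lease."""
    compliant, failures = health_policy_server(health)
    return (UNLIMITED_CONFIG if compliant else LIMITED_CONFIG), failures


def remediation_servers(client, failures):
    """Provision the updates the policy server asked for; client refreshes its health state."""
    for item in failures:
        client.health[item] = REQUIRED_HEALTH[item]


def enforce(client, max_rounds=2):
    """Run the lease/remediate/renew loop; return (access, failures) for each DHCP exchange."""
    history = []
    for _ in range(max_rounds):
        config, failures = dhcp_server(client.health)
        client.config = config
        history.append((config["access"], failures))
        if not failures:
            break                     # unlimited access granted, exchange complete
        remediation_servers(client, failures)   # only reachable via the limited config
    return history
```

A client that never remediates stays on the restricted configuration after every renewal, which is the behaviour the page describes for ongoing health monitoring.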
Additional Resources
For a list of Help topics providing related information, see Recommended tasks for the DHCP server role.
For updated detailed IT pro information about DHCP, see the Windows Server® 2008 documentation on the Microsoft TechNet Web site.