NAP is based on a Windows-only client that combines endpoint security checking with optional authentication. Out-of-the-box, the Microsoft NAP client uses Windows Security Center for its health check, giving a fairly basic set of endpoint security checks — anti-virus, anti-spyware, firewall, automatic patching. However, the NAP client’s health check can be swapped for any third-party health checker that is NAP compatible.

Microsoft NAP will work best in an all-Microsoft operating system environment where all devices are joined to a Windows domain. In those situations, the management of the NAP client can be handled through normal domain configuration tools. Without the convenience of domain configuration, setting up Microsoft NAP can be complicated, although there are third-party vendors, such as Cloudpath Networks that have worked to make this simpler.

Even with this additional help, though, there's no real support for tools such as captive portals, guest management and MAC-based authentication within NAP. If your NAC deployment requires these, you’ll have to build additional mechanisms on top of what Microsoft provides.

Network Policy Server (NPS) is a RADIUS server, which gives NAP the ability to operate in an 802.1X environment with network edge enforcement. Although NPS does have generic RADIUS capabilities to deliver VLAN and ACL information to switches in an 802.1X scenario, the facilities to manage these settings in NPS are fairly primitive, which makes it really only suitable for VLAN assignment as an access control enforcement technique.

However, NAP and NPS can enforce access controls through other mechanisms because of the close ties between the NAP client and Windows. DHCP-based enforcement (assuming you are using Microsoft’s DHCP server) is still available. Microsoft’s own VPN server (Routing and Remote Access Server) is also tied to NAP, so users connecting through RRAS can have differentiated access based on the state of their endpoint security at connection time.

And, in a pure Windows environment on a LAN with everyone playing by the same rule book, you can use IPsec as an enforcement mechanism.


Microsoft's NAP is certainly not the most functional NAC strategy we tested, but it has a huge advantage over every other strategy: it's built-in to Windows. Savvy network managers will look for ways to work around NAP's weaker spots, while taking advantage of the strong parts of the architecture, such as the built-in client and easy integration with Windows.