Network Access Protection – problems with NAP and Cisco

I am currently working on a project to implement Microsoft Network Access Protection (NAP) in a large company. Microsoft NAP is planned to be used together with Cisco network equipment to control client access to the corporate network, the so-called 802.1X Enforcement scenario. Microsoft NAP is also planned to be used with VPN servers to give clients access to the corporate network. The Microsoft NAP deployment guide states that the network equipment must support RADIUS attributes for VLAN assignment:

One layer 2 or layer 3 switch that supports 802.1X port-based authentication and RADIUS tunnel attributes for VLAN assignment.

It turns out that not all Cisco equipment (not to mention other manufacturers such as 3Com, D-Link, etc.) supports the IEEE 802.1X VLAN Assignment feature. I was able to establish that the following Cisco devices should support it (the list is not complete; it includes only what I could verify):

  • 2940 IOS 12.1(22)EA4
  • 2960 IOS 12.2(25)SED
  • 2980 CatOS 8.4GLX
  • 3550 IOS 12.1(14)EA1
  • 3560 IOS 12.2(25)SED
  • 3750 IOS 12.2(25)SED
  • 4000 CatOS 8.4GLX or IOS 12.1(19)EW
  • 4500 CatOS 8.4GLX or IOS 12.1(19)EW
  • 6500 CatOS 7.2 or IOS 12.1(13)E4

On Cisco devices the following configuration is needed:

! aaa new-model is required before any aaa authentication command
aaa new-model
! "none" is a fallback: if no RADIUS server answers, the port is authorised without authentication
aaa authentication dot1x default group radius none
! enable 802.1X globally
dot1x system-auth-control
!
interface FastEthernet0/5
switchport mode access
! "auto" = the port stays unauthorised until the supplicant authenticates
dot1x port-control auto
! clients without an 802.1X supplicant are placed in VLAN 50
dot1x guest-vlan 50
spanning-tree portfast
!
! the NAP (NPS) server acting as RADIUS server; KEY is the shared secret
radius-server host 10.1.200.254 auth-port 1812 acct-port 1813 key KEY

On the RADIUS server (i.e. the NAP server) the following attributes must be defined for users:

Tunnel-Type [64] = VLAN
Tunnel-Medium-Type [65] = 802
Tunnel-Private-Group-Id [81] = NAME_OF_VLAN
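To show what these three attributes look like on the wire, and what the switch has to verify before acting on them, here is an added example (not code from the original post, and not Microsoft's or Cisco's) that encodes Tunnel-Type [64], Tunnel-Medium-Type [65] and Tunnel-Private-Group-Id [81] as RFC 2868 tagged attributes inside an RFC 2865 Access-Accept, and then parses the packet back the way a NAS would: it checks the Response Authenticator against the shared secret first, and only returns a VLAN when all three attributes are present with the same tag. The shared secret "KEY", the request authenticator and the VLAN name are constructed sample values.

```python
"""RADIUS VLAN assignment attributes (RFC 2868) inside an Access-Accept (RFC 2865).
Added example; all sample values below are constructed for illustration."""
import hashlib
import hmac
import struct

# Attribute type numbers from RFC 2868 / RFC 2865 and the IANA enumerations
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value "802"
ACCESS_ACCEPT = 2
HEADER_LEN = 20                # code(1) + id(1) + length(2) + authenticator(16)


def tagged_int_avp(attr_type, value, tag=0):
    """RFC 2868 tagged integer: type, length=6, tag byte, 3-byte big-endian value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_str_avp(attr_type, text, tag=0):
    """RFC 2868 tagged string: type, length, tag byte, then the string."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_assignment_avps(vlan, tag=0):
    """The three attributes the post lists, for a VLAN given by name or number."""
    return (tagged_int_avp(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int_avp(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + tagged_str_avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan), tag))


def build_access_accept(identifier, request_authenticator, attrs, secret):
    """RFC 2865 s.3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_avps(data):
    """Split the attribute area into (type, raw_value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def split_tag(raw):
    """RFC 2868: a leading byte <= 0x1F is the tag; otherwise the value is untagged."""
    if raw and raw[0] <= 0x1F:
        return raw[0], raw[1:]
    return 0, raw


def extract_vlan(packet, request_authenticator, secret):
    """What a NAS should do with an Access-Accept: verify the Response Authenticator
    with the shared secret, then accept a VLAN only if Tunnel-Type=VLAN,
    Tunnel-Medium-Type=802 and Tunnel-Private-Group-Id all carry the same tag.
    Returns the VLAN name/number as a string, or None if anything is wrong."""
    if len(packet) < HEADER_LEN:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return None  # wrong shared secret or tampered packet: ignore the VLAN
    by_tag = {}
    for attr_type, raw in parse_avps(attrs):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, value = split_tag(raw)
            by_tag.setdefault(tag, {})[attr_type] = value
    for found in by_tag.values():
        if (found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in found):
            return found[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
    return None


if __name__ == "__main__":
    secret = b"KEY"                     # shared secret from the switch config (constructed)
    req_auth = bytes(range(16))         # constructed Request Authenticator
    pkt = build_access_accept(7, req_auth, vlan_assignment_avps("NAP_VLAN"), secret)
    print(pkt.hex())
    print("VLAN from NAS side:", extract_vlan(pkt, req_auth, secret))
    print("with wrong secret:", extract_vlan(pkt, req_auth, b"WRONG"))
```

The authenticator check is the part that matters for security: a switch that accepts the tunnel attributes without verifying the Response Authenticator would honour a VLAN assignment from anyone who can spoof the RADIUS server's address, so the shared secret configured with `radius-server host ... key KEY` must be the same on both sides and kept private.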

So much for the problems on the network side. When you configure Microsoft NAP itself, there is a problem with the client part of the product. In general, Microsoft NAP works on operating systems starting with Microsoft Windows XP SP3 and higher. Windows XP SP3 has everything needed to work with NAP except the graphical console for configuring NAP functions. This console is, by and large, not necessary in a corporate network, since all settings for client computers are distributed centrally through Group Policy. For NAP to work correctly, client computers must start the NAP Agent service automatically; by default this service is disabled. Enabling it and the other services NAP needs through Group Policy is not difficult. However, if while customising the Group Policy you click the Edit Security button (see picture), accidentally or intentionally, then on Windows XP SP3 this operation causes the automatic start of the NAP Agent service to fail.

When testing the NAP infrastructure I spent several hours finding out and addressing the reason NAP was not working correctly, which was caused by the failure at start of the NAP Agent service.
I hope this information will be useful to someone deploying Microsoft Network Access Protection.