Your network contains an Active Directory domain named contoso.com. The domain
contains three VLANs. The VLANs are configured as shown in the following table.
All client computers run either Windows 7 or Windows 8.
The corporate security policy states that all of the client computers must have the latest
security updates installed.
You need to implement a solution to ensure that only the client computers that have all of the
required security updates installed can connect to VLAN 1. The solution must ensure that all
other client computers connect to VLAN 3.
Solution: You implement the DHCP Network Access Protection (NAP) enforcement method.
Does this meet the goal?
A.
Yes
B.
No
Wrong
802.1x Network Access Protection (NAP)is what is required
1
0
There are five basic ways in which NAP can be implemented:-
1. IPSec: In this type of implementation, the client computer can communicate with only a limited number of servers until it demonstrates its compliance. Other administered systems will ignore network traffic from this client when it is non-compliant. Once compliance is proved, it is allowed unrestricted access. This implementation relies on Public Key Infrastructure (PKI) certificates and hence can get complex sometimes, but is the most secure.
2. 802.1x: In this type, over wired or wireless networks- the client’s access is restricted by network infrastructure services such as connection access points like routers and switches until the client demonstrates its compliance.
3. VPN: This type is used to restrict connections from remote clients that attempt to dial-in or VPN at the VPN server itself. Since it is used for remote connection restriction, we cannot use this for controlling access of local clients that are present on site.
4. DHCP: In this type, the DHCP server assigns an IPv4 address configuration to client that allows it limited access to the network until it demonstrates compliance. This is the easiest to deploy, but also the least secure.
5. TS Gateway: This helps ensure that clients meet the health policy requirements of your organization before they are allowed to connect to internal network resources through TS Gateway servers.
0
0
802.1x is required
0
0
A short add-on to Sjoerd’s answer.
DHCP can be used for a NAP enforcement method by using different IP scopes, see https://technet.microsoft.com/en-us/library/cc772368.aspx for the explanation.
But in this example, it’s about different VLAN ID’s. Only 802.1x can achieve this goal because DCHP cannot assign VLAN ID’s
0
0
I think it hinges on whether the client computers are using DHCP or not. If they are, then DHCP NAP can control their connectivity to the other vlans.
I don’t think it matters whether the question specified vlans or subnets or networks. I also don’t think it matters that DHCP NAP can be bypassed by using static ip addresses.
In this question it doesn’t say whether the client computers use DHCP (although you’d expect that they would of course), so I went for No.
0
0