Your network contains an Active Directory domain named contoso.com. The domain
contains three VLANs. The VLANs are configured as shown in the following table.
All client computers run either Windows 7 or Windows 8.
Goal: You need to implement a solution to ensure that only the client computers that have all
of the required security updates installed can connect to VLAN 1. The solution must ensure
that all other client computers connect to VLAN 3.
Solution: You implement the 802.1x Network Access Protection (NAP) enforcement method.
Does this meet the goal?
A. Yes
B. No
Correct answer: A
NAP supports a variety of what we call enforcement methods. In the NAP space, an enforcement method is simply a term that defines the way a machine connects to a network. In NAP, these are DHCP, 802.1x (wired or wireless), VPN, IPsec, or via a Terminal Services Gateway.
I don’t agree with the answer. Simply implementing this method does not ensure updates are applied. You have to create a Health Policy and make that a condition of connecting. Enforcing the connection method is simply that… enforcing that the computer talks a particular way… not the state of the computer when it connects to the network.
802.1x does NOT check security updates, antivirus, or firewall state as a health policy does. NAP can define MANY rules for allowing connections. Time of day, encryption, protocols… simply using NAP doesn’t solve the proposed problem.
Ignore me… Chris is right.
Whilst I would agree with A, my concern is how does WSUS ever get any updates itself, especially if it does not have any routing / internet access?
That is not the question:
Goal: You need to implement a solution to ensure that only the client computers that have all
of the required security updates installed can connect to VLAN 1. The solution must ensure
that all other client computers connect to VLAN 3.
WSUS is not your responsibility in this question. They only ask to connect to VLAN 3 if… The rest is maybe a problem of another department. Stick to the question.
How can NAP test that a client has all updates if it can't connect to WSUS?