Your network contains an Active Directory domain named contoso.com. The domain
contains three VLANs. The VLANs are configured as shown in the following table.
All client computers run either Windows 7 or Windows 8.
The corporate security policy states that all of the client computers must have the latest
security updates installed.
You need to implement a solution to ensure that only the client computers that have all of the
required security updates installed can connect to VLAN 1. The solution must ensure that all
other client computers connect to VLAN 3.
Solution: You implement the DHCP Network Access Protection (NAP) enforcement method.
Does this meet the goal?
A. Yes
B. No
I think that this is the wrong answer. VLAN means Layer 2 and I do not see how DHCP could help here.
See http://technet.microsoft.com/en-us/library/cc770861%28v=ws.10%29.aspx
802.1x with NAP has the ability to place non-compliant computers in a different VLAN.
You are right, the answer should be NO.
This answer is correct: https://technet.microsoft.com/en-us/library/cc733020%28v=ws.10%29.aspx
DHCP enforcement with NAP specifically is for WSHV, i.e. check if the machine meets the requirement of patches, antivirus, or firewall. If it doesn’t, assign it to a different DHCP scope and remediate it there.
I’m wrong… delete my comments. Emo and Wojtek are correct.
Answer is No
http://social.technet.microsoft.com/wiki/contents/articles/network-access-protection-using-dhcp-in-windows-server-2008-r2.aspx
1. IPSec: In this type of implementation, the client computer can communicate with only a limited number of servers until it demonstrates its compliance. Other administered systems will ignore network traffic from this client when it is non-compliant. Once compliance is proved, it is allowed unrestricted access. This implementation relies on Public Key Infrastructure (PKI) certificates and hence can get complex sometimes, but is the most secure.
2. 802.1x: In this type, over wired or wireless networks, the client’s access is restricted by network infrastructure services such as connection access points like routers and switches until the client demonstrates its compliance.
3. VPN: This type is used to restrict connections from remote clients that attempt to dial-in or VPN at the VPN server itself. Since it is used for remote connection restriction, we cannot use this for controlling access of local clients that are present on site.
4. DHCP: In this type, the DHCP server assigns an IPv4 address configuration to a client that allows it limited access to the network until it demonstrates compliance. This is the easiest to deploy, but also the least secure.
5. TS Gateway: This helps ensure that clients meet the health policy requirements of your organization before they are allowed to connect to internal network resources through TS Gateway servers.
But in the question it says that the computers which pass the first condition (security updates, etc.) will connect to VLAN1, but others will connect to VLAN3. With DHCP NAP enforcement you can detect such computers and redirect them to VLAN3 with a DHCP policy.
I think the answer is YES.
A different subnet doesn’t necessarily mean a different VLAN.
Within 802.1x, you are able to specifically configure a different VLAN.
With DHCP enforcement, you can only direct to a different subnet.
Answer is wrong. It should be B.
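The VLAN placement that the 802.1x comments above refer to is carried to the switch as three RADIUS tunnel attributes (RFC 2868, RFC 3580) in the Access-Accept. The sketch below is an added example, not code from this thread or from Microsoft: it encodes and parses those attributes using the question's VLAN 1 / VLAN 3 mapping, and the function names are hypothetical.

```python
# RADIUS attribute numbers and values defined in RFC 2868 / RFC 3580
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Mapping taken from the question: healthy clients -> VLAN 1, all others -> VLAN 3
COMPLIANT_VLAN, RESTRICTED_VLAN = 1, 3


def vlan_attributes(vlan_id):
    """Encode the three tunnel attributes that tell a switch which VLAN to use."""
    def tagged_int(attr_type, value):
        # Layout: type, length (always 6), tag (0x00 = unused), 3-byte value
        return bytes([attr_type, 6, 0]) + value.to_bytes(3, "big")

    group = str(vlan_id).encode("ascii")
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group)


def dot1x_decision(updates_installed):
    """Hypothetical policy step: the health result selects the VLAN to return."""
    return vlan_attributes(COMPLIANT_VLAN if updates_installed else RESTRICTED_VLAN)


def parse_vlan(attrs):
    """Switch-side view: return the assigned VLAN ID, or None if the set is incomplete."""
    seen, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 3 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        attr_type, length = attrs[i], attrs[i + 1]
        value = attrs[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and length == 6:
            seen[attr_type] = int.from_bytes(value[1:], "big")  # skip the tag byte
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte <= 0x1F is a tag; anything higher is already string data
            text = value[1:] if value[0] <= 0x1F else value
            seen[attr_type] = text.decode("ascii", "replace")
        i += length
    if (seen.get(TUNNEL_TYPE), seen.get(TUNNEL_MEDIUM_TYPE)) != (TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802):
        return None
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(group) if group.isdigit() else None
```

A DHCP lease carries no equivalent field: it can change the address configuration a client receives, but the switch port's VLAN membership is unaffected.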