
3.3.3 Interactions Between Computers and Devices in a NAP-Enabled Network

MS-NAPSO

Figure 4: Interactions between NAP platform components

The interactions for the computers and devices of a NAP-enabled network infrastructure are the following:

  • Between a NAP client and a health policy server

    The NAP client uses the Hypertext Transfer Protocol (HTTP) or an HTTP over Secure Sockets Layer (SSL) protected session to send its current system health state to the health policy server and request a health certificate. The HRA uses the Health Certificate Enrollment Protocol (HCEP) to send an SoHR message and remediation instructions (if the NAP client is noncompliant) or a health certificate (if the NAP client is compliant).

  • Between a NAP client and an 802.1X network access device (an Ethernet switch or a wireless access point)

    The NAP client acting as an 802.1X client uses PEAP messages sent over EAP over LAN (EAPOL) to perform authentication of the 802.1X connection and to indicate its current system health state to the NAP health policy server. An 802.1X client is also known as an 802.1X supplicant. The NAP health policy server uses PEAP messages to either indicate remediation instructions (because the 802.1X client is noncompliant) or that the 802.1X client has unlimited access to the network. PEAP messages between the 802.1X client and NAP health policy server are routed through the 802.1X network access device.

  • Between a NAP client and a VPN server

    The NAP client acting as a VPN client uses Point-to-Point Protocol (PPP) messages to establish a remote access VPN connection and PEAP messages over the PPP connection to indicate its current system health state to the NAP health policy server. The NAP health policy server uses PEAP messages to either indicate remediation instructions (because the VPN client is noncompliant) or that the VPN client has unlimited access to the intranet. PEAP messages between the VPN client and NAP health policy server are routed through the VPN server.

  • Between a NAP client and a DHCP server

    The NAP client acting as a DHCP client uses DHCP messages to obtain a valid IPv4 address configuration and to indicate its current system health state. The DHCP server uses DHCP messages to allocate either an IPv4 address configuration for the restricted network and indicate remediation instructions (if the DHCP client is noncompliant), or an IPv4 address configuration for unlimited access (if the DHCP client is compliant).

  • Between a NAP client and a TSG server

    The NAP client, acting as a TSG client, uses messages sent over HTTPS to obtain a connection to the server. The TSG server uses messages sent over HTTPS to allow the connection (if the TSG client is compliant) or deny the connection (if the TSG client is noncompliant).

  • Between a NAP client and a remediation server

    While the NAP client has unlimited access to the intranet, it accesses the remediation server to ensure that it remains compliant. For example, the NAP client periodically checks an antivirus server to ensure that it has the latest antivirus signature file or a software update server, such as Windows Server Update Services, to ensure that it has the latest operating system updates.

    If the NAP client has limited access, it can communicate with the remediation server to become compliant, based on instructions from the NAP health policy server. For example, if during the health validation process the NAP health policy server determined that the NAP client does not have the most current antivirus signature file, the NAP health policy server instructs the NAP client to update its local signature file with the latest file that is stored on a specified antivirus server.

  • Between one NAP health policy server and another NAP health policy server

    A NAP health policy server can forward messages using RADIUS to another NAP health policy server, i.e., it can act as a RADIUS proxy (this includes any authentication). The first NAP health policy server sends RADIUS messages to the second NAP health policy server, which processes the statement of health messages and then sends back an Access-Accept or Access-Reject, based on the outcome of RADIUS authentication, that contains the corresponding SoHR message. The first NAP health policy server in the chain receives back a RADIUS message that includes both an SoHR message and a policy decision, which it then forwards to the corresponding PEP.

  • Between an HRA and a Certificate Authority

    A Health Registration Authority uses X.509 certificates obtained from a certificate authority to satisfy the request for a certificate using HCEP from compliant NAP clients.

  • Between a NAP client and an HRA

    The NAP client uses the HyperText Transfer Protocol (HTTP) or an HTTP over Secure Sockets Layer (SSL) protected session to send its current system health state to the HRA and request a health certificate. The HRA uses HTTP or the protected HTTP over SSL session to send remediation instructions (if the NAP client is noncompliant) or a health certificate to the NAP client.

  • Between an 802.1X network access device and a NAP health policy server

    The 802.1X network access device sends RADIUS messages to transfer PEAP messages sent by an 802.1X NAP client.

    The NAP health policy server sends RADIUS messages to:

    • Indicate that the 802.1X client has unlimited access because it is compliant.

    • Indicate a limited access profile to place the 802.1X client on the restricted network until it performs a set of remediation functions. A limited access profile can consist of a set of IP packet filters or a virtual LAN (VLAN) identifier (ID) to confine the traffic of a noncompliant 802.1X client.

    • Send PEAP messages to the 802.1X client.

  • Between a VPN server and a NAP health policy server

    The VPN server sends RADIUS messages to transfer PEAP messages sent by a VPN-based NAP client. The NAP health policy server sends RADIUS messages to:

    • Indicate that the VPN client has unlimited access because it is compliant.

    • Indicate that the VPN client has limited access through a set of IP packet filters that are applied to the VPN connection.

    • Send PEAP messages to the VPN client.

    Like the HRA, the VPN server uses the NPS as a RADIUS proxy to exchange RADIUS messages with the NAP health policy server.

  • Between a DHCP server and a NAP health policy server

    The DHCP server sends RADIUS messages to the NAP health policy server that contains the DHCP client's system health state.

    The NAP health policy server sends RADIUS messages to the DHCP server to:

    • Indicate that the DHCP client has unlimited access because it is compliant.

    • Indicate that the DHCP client has limited access until it performs a set of remediation functions.

    A DHCP server can use the NPS as a RADIUS proxy to exchange RADIUS messages with a NAP health policy server.

  • Between a TSG server and a NAP health policy server

    The TSG server sends RADIUS messages to the NAP health policy server that contains the TSG client's system health state.

    The NAP health policy server sends RADIUS messages to the TSG server to:

    • Indicate that the TSG client has unlimited access because it is compliant.

    • Indicate that the TSG client has limited access until it performs a set of remediation functions.

    A TSG server can use the NPS as a RADIUS proxy to exchange RADIUS messages with a NAP health policy server.

  • Between a NAP health policy server and a health requirement server

    When performing network access validation for a NAP client, the NAP health policy server might have to contact a health requirement server to obtain information about the current requirements for system health. For example, the NAP health policy server might have to contact an antivirus server to check for the version of the latest signature file or to contact a software update server to obtain the date of the last set of operating system updates. The following figure summarizes these interactions.

    The exception to this set of interactions is when a Windows-based NAP enforcement point (the HRA, the VPN server, or the DHCP server) is also acting as a NAP health policy server. In this case, the NAP enforcement point and the NAP health policy server are the same computer. This configuration is appropriate for a small network in conjunction with a single-server networking infrastructure device. However, on an enterprise network, there are usually multiple DHCP servers and typically multiple VPN servers. In this case, using a separate NAP health policy server allows centralization of the configuration of network access and system health requirement policies, rather than configuring them at each NAP enforcement point.
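The RADIUS proxy chain between two NAP health policy servers and the limited access profile returned to an 802.1X network access device, modelled as an added example that is not part of MS-NAPSO or any Microsoft code; the antivirus signature version, restricted VLAN ID and credentials are constructed, and the classes are hypothetical stand-ins for the real components:

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed values (not from the spec): latest antivirus signature version a
# health requirement server would report, a restricted VLAN, RADIUS credentials.
LATEST_AV_SIGNATURE = 20140601
RESTRICTED_VLAN = 99
AUTHORIZED_USERS = {"alice": "pw-alice"}

@dataclass
class SoH:                  # statement of health sent by the NAP client
    av_signature: int

@dataclass
class SoHR:                 # statement of health response from the policy server
    compliant: bool
    remediation: List[str] = field(default_factory=list)

@dataclass
class RadiusReply:
    code: str               # "Access-Accept" or "Access-Reject"
    sohr: Optional[SoHR] = None
    vlan_id: Optional[int] = None   # limited access profile, noncompliant only

class HealthPolicyServer:
    def __init__(self, forward_to=None):
        self.forward_to = forward_to    # if set, this server is a RADIUS proxy

    def access_request(self, user: str, password: str, soh: SoH) -> RadiusReply:
        if self.forward_to is not None:             # proxy: hand off unchanged
            return self.forward_to.access_request(user, password, soh)
        if AUTHORIZED_USERS.get(user) != password:  # authentication decides Accept/Reject
            return RadiusReply("Access-Reject")
        remediation = []
        if soh.av_signature < LATEST_AV_SIGNATURE:  # compare SoH against requirement
            remediation.append("update antivirus signature to %d" % LATEST_AV_SIGNATURE)
        if remediation:                             # noncompliant: SoHR + restricted VLAN
            return RadiusReply("Access-Accept", SoHR(False, remediation), RESTRICTED_VLAN)
        return RadiusReply("Access-Accept", SoHR(True))

class Switch8021X:          # PEP: relays the SoH, enforces the returned profile
    def __init__(self, policy_server: HealthPolicyServer):
        self.policy_server, self.last_reply = policy_server, None

    def connect(self, user: str, password: str, soh: SoH):
        self.last_reply = self.policy_server.access_request(user, password, soh)
        if self.last_reply.code == "Access-Reject":
            return ("rejected", None)
        if self.last_reply.vlan_id is not None:
            return ("restricted", self.last_reply.vlan_id)
        return ("unlimited", None)
```

The switch never evaluates health itself: a failed authentication yields Access-Reject with no SoHR, while a noncompliant but authenticated client is accepted onto the restricted VLAN with remediation instructions in the SoHR.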

© 2014 Microsoft