3.2.4.1 Abstract Interface for Setting an SoHR

SendRadiusAccessAccept: An abstract interface for setting a statement of health response (SoHR) message and additional information to be encapsulated in a RADIUS Access-Accept response that is sent from the NAP Policy Server back to the original RADIUS requestor. Encapsulating this information in the Access-Accept message is described in section 3.2.5.2. The interface is defined as follows:

 HRESULT SendRadiusAccessAccept(
     [in] SoHR message,
     [in] DWORD quarantineState,
     [in] DWORD extendedQuarantineState,
     [in] IPv4Filter ipv4Filter,
     [in] IPv6Filter ipv6Filter,
     [in] DWORD quarantineSessionTimeout,
     [in] DWORD quarantineGraceTime,
     [in] IPv4Address[] ipv4RemediationServers,
     [in] IPv6Address[] ipv6RemediationServers,
     [in] String dhcpQuarantineUserClass,
     [in] DWORD rdgDeviceRedirection,
     [in] DWORD afwZone,
     [in] DWORD afwProtectionLevel
 );

Unless otherwise specified, all multibyte elements are in host-byte order.

The following abstract type definitions are common to several parameters.

 enum LateBoundFlags
 {
     NoReplacement = 0x00,
     ReplaceSourceAddress = 0x01,
     ReplaceDestinationAddress = 0x04,
     ReplaceSourceMaskOrPrefix = 0x10,
     ReplaceDestinationMaskOrPrefix = 0x20,
 }
  
 enum ForwardAction
 {
     Forward = 0,
     Drop = 1
 }
  
 struct IPv4Address
 {
     Byte[4] bytes;
 }
  
 struct IPv6Address
 {
     Byte[16] bytes;
 }

The remainder of this section describes the individual parameters of the SendRadiusAccessAccept abstract interface.

message: Opaque binary data containing the SoHR message.

 struct SoHR
 {
     Byte[] bytes;
 }

quarantineState: A DWORD value that specifies the quarantine state, as described in [TNC-IF-TNCCSPBSoH] section 3.8.2.

extendedQuarantineState: A DWORD value that specifies the extended quarantine state, as described in [TNC-IF-TNCCSPBSoH] section 3.8.2.

ipv4Filter: An object of an IPv4Filter abstract type that specifies the network access scope of the endpoint. The IPv4Filter abstract type is defined as follows.

 struct Filter_IPv4
 {
     IPv4Address sourceAddress;
     IPv4Address sourceMask;
     IPv4Address destinationAddress;
     IPv4Address destinationMask;
     DWORD protocol;
     DWORD lateBoundFlags; // Bitwise combination of LateBoundFlags values
 }
  
 struct FilterSet_IPv4
 {
     ForwardAction forwardAction;
     Filter_IPv4[] filters;
 }
  
 enum InfoType_IPv4
 {
     InputFilter = 0xffff0001,
     OutputFilter = 0xffff0002,
     SiteToSiteConnection = 0xffff0009
 }
  
 struct FilterSetEntry_IPv4
 {
     InfoType_IPv4 infoType;
     FilterSet_IPv4[] filterSets;
 }
  
 struct IPv4Filter
 {
     FilterSetEntry_IPv4[] filterEntries;
 }

For more information about the meaning of individual fields and values, see section 2.2.1.3.
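The following is an added Python model of the IPv4Filter abstract types above, together with a small evaluator that shows how a NAP Policy Server's restricted-access profile (only the remediation servers reachable) is expressed with these structures and how the LateBoundFlags substitute the endpoint's own address at enforcement time. It is example code written for this page, not part of [MS-RNAP] or any implementation. The evaluation rules it uses are assumptions, since this section only defines the types: a filter set whose forwardAction is Forward is treated as a permit-list (matching packets forwarded, everything else dropped) and a Drop set as a deny-list, protocol 0 is treated as "any protocol", a late-bound address is substituted with a /32 host mask, and a direction with no filter entry is left unrestricted. All addresses are constructed sample values.

```python
from dataclasses import dataclass, replace
from enum import IntEnum, IntFlag
from typing import List


class LateBoundFlags(IntFlag):
    NoReplacement = 0x00
    ReplaceSourceAddress = 0x01
    ReplaceDestinationAddress = 0x04
    ReplaceSourceMaskOrPrefix = 0x10
    ReplaceDestinationMaskOrPrefix = 0x20


class ForwardAction(IntEnum):
    Forward = 0
    Drop = 1


class InfoType_IPv4(IntEnum):
    InputFilter = 0xFFFF0001
    OutputFilter = 0xFFFF0002
    SiteToSiteConnection = 0xFFFF0009


def ip4(text: str) -> bytes:
    """Dotted quad -> the 4-byte form of the IPv4Address abstract type."""
    parts = [int(p) for p in text.split(".")]
    if len(parts) != 4 or not all(0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {text}")
    return bytes(parts)


ANY = ip4("0.0.0.0")           # address/mask wildcard
HOST_MASK = ip4("255.255.255.255")


@dataclass
class Filter_IPv4:
    sourceAddress: bytes
    sourceMask: bytes
    destinationAddress: bytes
    destinationMask: bytes
    protocol: int                 # assumption: 0 means any protocol
    lateBoundFlags: int = LateBoundFlags.NoReplacement


@dataclass
class FilterSet_IPv4:
    forwardAction: ForwardAction
    filters: List[Filter_IPv4]


@dataclass
class FilterSetEntry_IPv4:
    infoType: InfoType_IPv4
    filterSets: List[FilterSet_IPv4]


@dataclass
class IPv4Filter:
    filterEntries: List[FilterSetEntry_IPv4]


def resolve_late_bound(f: Filter_IPv4, endpoint_addr: bytes) -> Filter_IPv4:
    """Return a copy of f with late-bound fields bound to the endpoint's address.
    Assumption: a replaced mask becomes a /32 host mask."""
    flags = LateBoundFlags(f.lateBoundFlags)
    kw = {}
    if flags & LateBoundFlags.ReplaceSourceAddress:
        kw["sourceAddress"] = endpoint_addr
    if flags & LateBoundFlags.ReplaceSourceMaskOrPrefix:
        kw["sourceMask"] = HOST_MASK
    if flags & LateBoundFlags.ReplaceDestinationAddress:
        kw["destinationAddress"] = endpoint_addr
    if flags & LateBoundFlags.ReplaceDestinationMaskOrPrefix:
        kw["destinationMask"] = HOST_MASK
    return replace(f, **kw)


def _in_subnet(addr: bytes, net: bytes, mask: bytes) -> bool:
    return all((a & m) == (n & m) for a, n, m in zip(addr, net, mask))


def evaluate_ipv4_filter(flt: IPv4Filter, info_type: InfoType_IPv4, src: bytes,
                         dst: bytes, protocol: int, endpoint_addr: bytes) -> ForwardAction:
    """Decide Forward/Drop for one packet in the given direction (assumed semantics, see lead-in)."""
    first_action = None
    for entry in flt.filterEntries:
        if entry.infoType != info_type:
            continue
        for fs in entry.filterSets:
            first_action = fs.forwardAction if first_action is None else first_action
            for f in fs.filters:
                r = resolve_late_bound(f, endpoint_addr)
                if (_in_subnet(src, r.sourceAddress, r.sourceMask)
                        and _in_subnet(dst, r.destinationAddress, r.destinationMask)
                        and r.protocol in (0, protocol)):
                    return fs.forwardAction        # first matching filter decides
    if first_action is None:
        return ForwardAction.Forward               # assumption: no entry for this direction
    # Nothing matched: a Forward set is a permit-list, so the default is the opposite action.
    return ForwardAction.Drop if first_action == ForwardAction.Forward else ForwardAction.Forward


def restricted_access_filter(remediation_servers: List[bytes]) -> IPv4Filter:
    """Profile that lets the (late-bound) endpoint talk only to the remediation servers."""
    out_filters = [Filter_IPv4(ANY, ANY, s, HOST_MASK, 0,
                               LateBoundFlags.ReplaceSourceAddress | LateBoundFlags.ReplaceSourceMaskOrPrefix)
                   for s in remediation_servers]
    in_filters = [Filter_IPv4(s, HOST_MASK, ANY, ANY, 0,
                              LateBoundFlags.ReplaceDestinationAddress | LateBoundFlags.ReplaceDestinationMaskOrPrefix)
                  for s in remediation_servers]
    return IPv4Filter([
        FilterSetEntry_IPv4(InfoType_IPv4.OutputFilter, [FilterSet_IPv4(ForwardAction.Forward, out_filters)]),
        FilterSetEntry_IPv4(InfoType_IPv4.InputFilter, [FilterSet_IPv4(ForwardAction.Forward, in_filters)]),
    ])


if __name__ == "__main__":
    client = ip4("10.1.2.3")                        # constructed endpoint address
    profile = restricted_access_filter([ip4("10.0.0.5")])  # constructed remediation server
    print(evaluate_ipv4_filter(profile, InfoType_IPv4.OutputFilter, client, ip4("10.0.0.5"), 6, client).name)
    print(evaluate_ipv4_filter(profile, InfoType_IPv4.OutputFilter, client, ip4("192.0.2.10"), 6, client).name)
```

The late-bound flags matter because the policy server builds the filter before it knows which address the NAS will hand the endpoint; the filter carries a placeholder address with the replacement flags set, and the NAS binds it to the real endpoint address when enforcing. Without that binding, a permit-list written with a wildcard source would also forward traffic the endpoint spoofs on behalf of other hosts.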

ipv6Filter: An object of an IPv6Filter abstract type that specifies the network access scope of the endpoint. The IPv6Filter abstract type is defined as follows.

 struct Filter_IPv6
 {
     IPv6Address sourceAddress;
     DWORD sourcePrefixLength;
     IPv6Address destinationAddress;
     DWORD destinationPrefixLength;
     DWORD protocol;
     DWORD lateBoundFlags; // Bitwise combination of LateBoundFlags values
 }
  
 struct FilterSet_IPv6
 {
     ForwardAction forwardAction;
     Filter_IPv6[] filters;
 }
  
 enum InfoType_IPv6
 {
     InputFilter = 0xffff0011,
     OutputFilter = 0xffff0012
 }
  
 struct FilterSetEntry_IPv6
 {
     InfoType_IPv6 infoType;
     FilterSet_IPv6[] filterSets;
 }
  
 struct IPv6Filter
 {
     FilterSetEntry_IPv6[] filterEntries;
 }

For more information about the meaning of individual fields and values, see section 2.2.1.15.

quarantineSessionTimeout: A DWORD value that specifies the time, in seconds, that a restricted connection can remain in a restricted state before being disconnected.

quarantineGraceTime: A DWORD value that specifies the end of the time period during which a noncompliant endpoint can get full access before being moved to a restricted connection. The time is represented as the number of seconds since January 1, 1970 UTC.

ipv4RemediationServers: An array of objects of the IPv4Address abstract type (defined earlier in this section) that specifies the addresses of available IPv4 remediation servers.

ipv6RemediationServers: An array of objects of the IPv6Address abstract type (defined earlier in this section) that specifies the addresses of available IPv6 remediation servers.

dhcpQuarantineUserClass: A string that specifies the user class to be used when assigning an IP address to an endpoint that has been granted restricted access. This parameter is applicable only when the client is a DHCP server. Otherwise, it is ignored.

rdgDeviceRedirection: A DWORD value that specifies the device redirection options. For more information about possible values, see section 2.2.1.27. This parameter is applicable only when the client is an RDG server. Otherwise, it is ignored.

afwZone: A DWORD value that specifies the NAP zone, as described in [MS-HCEP]. This parameter is applicable only when the client is an HCEP server. Otherwise, it is ignored.

afwProtectionLevel: A DWORD value that specifies the NAP protection level, as described in [MS-HCEP]. This parameter is applicable only when the client is an HCEP server. Otherwise, it is ignored.

Remarks:

Note that the correlation ID is included in the SoHR as specified in [TNC-IF-TNCCSPBSoH]. The authentication is independent of the SoHR. It is handled by the underlying RADIUS protocol implementation and is outside the scope of this document.