3.2 Example 2: Validate Health of NAP Client for DHCP Communication

This example demonstrates the use case described in sections 2.5.1 and 2.5.3.

The sequence described in this example details how DHCP enforcement works for a NAP client that has only a single SHA.

 Prerequisites

  • The underlying network infrastructure, such as the data link protocols (e.g., Ethernet or WiFi), name and address resolution, and routing services, is configured correctly.

  • The NAP client is enabled and correctly configured by the client administrator.

  • The DHCP server is NAP enabled.

  • Preconditions have been satisfied, as defined in [MS-RNAP] section 1.5.

 Initial System State

The Client computer either does not have an IPv4 address or has to renew its IPv4 address.

 Final System State

The client obtains the IPv4 address.

This example is divided into two tasks:

  1. Request and obtain an IPv4 address for network access.

  2. Request and obtain an IPv4 address after remediation.

Task 1: Request and obtain an IPv4 address for network access

This task explains the steps involved in obtaining an IPv4 address for a compliant client.

Sequence diagram detail for Task 1

Figure 20: Sequence diagram detail for Task 1

Sequence of Events

  1. When the NAP client starts, it sends a NAP-SoH (NAP Statement of Health) message ([MS-DHCPN] section 2.2.1.1) within the vendor-specific option ([RFC2132] section 8.4) in a DHCPDISCOVER message to determine whether the DHCP server is NAP-enabled.

  2. A NAP-enabled DHCP server receives the DHCPDISCOVER message that includes the NAP-SoH. The DHCP server then indicates that it supports NAP by responding with a DHCPOFFER message that includes a NAP-SoH containing the text "NAP" inside the vendor-specific option ([RFC2132] section 8.4).

  3. The NAP client sends a DHCPREQUEST message to the selected DHCP server. The message contains the SoH [TNC-IF-TNCCSPBSoH] within the NAP-SoH option that is encapsulated inside the DHCP vendor-specific option.

  4. The DHCP server passes the SoH information to the NPS server to determine whether the SoH is valid. The DHCP server acts as a RADIUS [RFC2865] client with NAP extensions [MS-RNAP] to communicate with the NPS.

  5. The NPS server evaluates the SoH of the NAP client and determines that the NAP client is compliant.

  6. The NPS server sends the SoH response (SoHR) [TNC-IF-TNCCSPBSoH] to the DHCP server indicating that the NAP client is compliant. The NPS uses RADIUS [RFC2865] with RNAP [MS-RNAP].

  7. The DHCP server assigns the client computer a complete IPv4 address configuration. The client computer is given an IPv4 address that has access to the enterprise network, as defined by the group policy.

  8. The DHCP server responds with the network configuration options and includes an appropriate SoH response (SoHR) (obtained from the health policy server) in the DHCP acknowledgment message (DHCPACK).

  9. The NAP client can access the enterprise network.

Task 2: Request and obtain an IPv4 address after remediation

This task explains the message exchange between the NAP client, the DHCP server, the NPS, and the remediation server when a noncompliant NAP client requests an IPv4 address.

Sequence diagram detail for Task 2

Figure 21: Sequence diagram detail for Task 2

Sequence of Events

  1. When the NAP client starts, it sends a NAP-SoH ([MS-DHCPN] section 2.2.1.1) within the vendor-specific option ([RFC2132] section 8.4) in a DHCPDISCOVER message to determine whether the DHCP server is NAP-enabled.

  2. A NAP-enabled DHCP server receives the DHCPDISCOVER message that includes the NAP-SoH. The DHCP server then indicates that it supports NAP by responding with a DHCPOFFER message that includes a NAP-SoH containing the text "NAP" inside the vendor-specific option ([RFC2132] section 8.4).

  3. The NAP client sends a DHCPREQUEST message to the selected DHCP server. The message contains the SoH [TNC-IF-TNCCSPBSoH] within the NAP-SoH option that is encapsulated inside the vendor-specific option.

  4. The DHCP server passes the SoH information to the NPS server to determine whether the SoH is valid. The DHCP server uses a RADIUS request [RFC2865] with RNAP [MS-RNAP].

  5. The NPS server evaluates the SoH of the NAP client and determines that the NAP client is non-compliant with the enterprise network policy.

  6. The NPS server sends the SoH response (SoHR) [TNC-IF-TNCCSPBSoH] to the DHCP server indicating that the NAP client is non-compliant. The NPS uses a corresponding RADIUS response [RFC2865] with RNAP [MS-RNAP]. The NPS server sends a set of IPv4 packet filters corresponding to the IPv4 address of the remediation server group to restrict the traffic of the DHCP client.

  7. The DHCP server assigns the NAP client a restricted IPv4 address configuration. With this configuration the NAP client can reach only the IPv4 addresses of the remediation servers.

  8. The DHCP server responds with the network configuration options and includes an appropriate SoH response (SoHR) (obtained from the health policy server) in the DHCP acknowledgment message (DHCPACK).

  9. The NAP client communicates with the remediation server to obtain the required updates and configuration instructions.

  10. The NAP client updates its health status by calling the SHAs and constructing a new SoH. The NAP client sends a new NAP-SoH to discover NAP-enabled DHCP servers, as described in step 1. The NAP client can also use a DHCPREQUEST message to check whether the server is NAP-enabled.

  11. A NAP-enabled DHCP server receives the DHCPDISCOVER message and responds, as described in step 2. If the NAP client sent a DHCPREQUEST in step 10, a NAP-enabled server indicates that it supports NAP by responding with a DHCPACK message that includes a NAP-SoH containing the text "NAP" ([MS-DHCPN] section 3.2.5.2.4).

  12. The NAP client sends a new DHCPREQUEST message with an updated SoH to the selected DHCP server, as described in step 3.

  13. The DHCP server passes the updated SoH information to the NPS, as described in step 4.

  14. The NPS server evaluates the updated SoH of the NAP client and determines that the NAP client is compliant.

  15. The NPS server sends the SoH response (SoHR) [TNC-IF-TNCCSPBSoH] to the DHCP server indicating that the NAP client is compliant. The NPS uses RADIUS [RFC2865] with RNAP [MS-RNAP].

  16. If the client's health state is compliant with the enterprise network policy, the DHCP server assigns an IPv4 address configuration for enterprise network access to the NAP client. The NAP client is given an IPv4 address that has access to the network, as defined by the group policy.

  17. The DHCP server responds with the network configuration options and includes an appropriate SoH response (SoHR) (obtained from the health policy server) in the DHCP acknowledgment message (DHCPACK).
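The following Python model runs the DHCP side of both tasks above (the compliant lease of Task 1 and the restricted-then-remediated cycle of Task 2) in a single process, so the carriage of the NAP-SoH inside DHCP option 43 can be inspected byte by byte. It is an added example, not code from [MS-NAPSO], [MS-DHCPN] or Windows. Assumptions: the NAP-SoH sub-option code 220 inside option 43 is taken from [MS-DHCPN] section 2.2.1.1 but treated here as a constant to check against that document; an SoH longer than 255 bytes is split across repeated option instances and reassembled as in [RFC3396]; the client's DHCPDISCOVER probe carries an empty NAP-SoH; the restricted lease is modelled as a 255.255.255.255 subnet mask with no router option and an [RFC3442] classless host route to one remediation server at 10.0.0.80; the SoH and SoHR are opaque constructed byte strings ([TNC-IF-TNCCSPBSoH] is not parsed); and demo_health_policy stands in for the RADIUS/RNAP round trip to the NPS. Names such as nap_dhcp_server, nap_client_lease and task2_remediation_cycle are invented for this example.

```python
"""Added example: NAP-SoH over DHCP option 43, modelled end to end (not [MS-DHCPN] code)."""

MAGIC = b"\x63\x82\x53\x63"                # [RFC2132] magic cookie
OPT_SUBNET, OPT_ROUTER, OPT_VENDOR, OPT_MSG_TYPE = 1, 3, 43, 53
OPT_CLASSLESS_ROUTES, OPT_END = 121, 255   # [RFC3442], [RFC2132]
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SUBOPT_NAP_SOH = 220    # assumed NAP-SoH sub-option code; verify against [MS-DHCPN] 2.2.1.1
NAP_MARKER = b"NAP"     # server's NAP-SoH payload in the DHCPOFFER/DHCPACK (step 2 / step 11)


def encode_tlvs(items):
    """Encode (code, bytes) pairs as DHCP TLVs. Values over 255 bytes are split into
    repeated instances ([RFC3396]), which is how a large SoH fits into option 43."""
    out = bytearray()
    for code, data in items:
        for i in range(0, max(len(data), 1), 255):
            chunk = data[i:i + 255]
            out += bytes([code, len(chunk)]) + chunk
    return bytes(out)


def decode_tlvs(buf):
    """Decode TLVs into {code: bytes}, concatenating repeated codes ([RFC3396]).
    Fails closed on a truncated length instead of reading past the buffer."""
    out, i = {}, 0
    while i < len(buf) and buf[i] != OPT_END:
        code = buf[i]
        if code == 0:                               # PAD
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated TLV header")
        length = buf[i + 1]
        data = buf[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated TLV code %d" % code)
        out[code] = out.get(code, b"") + data
        i += 2 + length
    return out


def build_message(msg_type, nap_soh=None, extra=()):
    """Option area of a DHCP message; nap_soh rides in sub-option 220 of option 43."""
    opts = [(OPT_MSG_TYPE, bytes([msg_type]))]
    if nap_soh is not None:
        opts.append((OPT_VENDOR, encode_tlvs([(SUBOPT_NAP_SOH, nap_soh)])))
    opts.extend(extra)
    return MAGIC + encode_tlvs(opts) + bytes([OPT_END])


def parse_message(raw):
    """Return (message type, options dict, NAP-SoH payload or None if absent)."""
    if raw[:4] != MAGIC:
        raise ValueError("not a DHCP option area")
    opts = decode_tlvs(raw[4:])
    vendor = decode_tlvs(opts[OPT_VENDOR]) if OPT_VENDOR in opts else {}
    return opts[OPT_MSG_TYPE][0], opts, vendor.get(SUBOPT_NAP_SOH)


def classless_host_route(dest, router):
    """[RFC3442] entry for a /32 route: width byte, four destination octets, router."""
    return bytes([32]) + dest + router


def nap_dhcp_server(raw, health_policy):
    """NAP-enabled DHCP server. health_policy(soh) -> (compliant, sohr) stands in for
    the RADIUS/RNAP exchange with the NPS (steps 4 to 6); it is constructed, not real."""
    msg_type, _opts, soh = parse_message(raw)
    if soh is None:
        raise ValueError("non-NAP client; plain DHCP handling not modelled")
    if msg_type == DISCOVER:                        # step 2: advertise NAP support
        return build_message(OFFER, NAP_MARKER)
    if msg_type != REQUEST:
        raise ValueError("unexpected message type %d" % msg_type)
    compliant, sohr = health_policy(soh)
    if compliant:                                   # Task 1 step 7 / Task 2 step 16
        cfg = [(OPT_SUBNET, b"\xff\xff\xff\x00"), (OPT_ROUTER, b"\x0a\x00\x00\x01")]
    else:                                           # Task 2 step 7, assumed restricted form:
        cfg = [(OPT_SUBNET, b"\xff\xff\xff\xff"),   # host mask, no router, route to remediation only
               (OPT_CLASSLESS_ROUTES, classless_host_route(b"\x0a\x00\x00\x50", b"\x0a\x00\x00\x01"))]
    return build_message(ACK, sohr, cfg)            # step 8: SoHR is returned in the DHCPACK


def nap_client_lease(soh, server, health_policy):
    """Client side of steps 1 to 3 and 9: probe, check the NAP marker, request with the SoH."""
    offer_type, _, probe = parse_message(server(build_message(DISCOVER, b""), health_policy))
    if offer_type != OFFER or probe != NAP_MARKER:
        raise RuntimeError("DHCP server is not NAP-enabled")
    ack_type, opts, sohr = parse_message(server(build_message(REQUEST, soh), health_policy))
    if ack_type != ACK:
        raise RuntimeError("expected DHCPACK")
    restricted = opts[OPT_SUBNET] == b"\xff\xff\xff\xff" and OPT_ROUTER not in opts
    return {"sohr": sohr, "restricted": restricted,
            "remediation_routes": opts.get(OPT_CLASSLESS_ROUTES, b"")}


# Constructed stand-ins for the SoH of a single SHA; long enough (> 255 bytes) that both
# option 43 and sub-option 220 must be split and reassembled on the way through.
SOH_NONCOMPLIANT = b"sha-demo firewall=off antivirus=on " * 12
SOH_COMPLIANT = b"sha-demo firewall=on antivirus=on " * 12


def demo_health_policy(soh):
    """Constructed NPS policy: compliant only if the SHA does not report firewall=off."""
    ok = b"firewall=off" not in soh
    return ok, (b"SoHR:compliant" if ok else b"SoHR:noncompliant:enable firewall")


def task2_remediation_cycle():
    """Task 2: first lease is restricted; after remediation the new SoH earns full access."""
    first = nap_client_lease(SOH_NONCOMPLIANT, nap_dhcp_server, demo_health_policy)
    second = nap_client_lease(SOH_COMPLIANT, nap_dhcp_server, demo_health_policy)
    return first, second
```

Calling task2_remediation_cycle() yields a first lease with the host mask, no router and only the remediation route, and a second lease with full access; the same functions with SOH_COMPLIANT alone reproduce Task 1. The model covers only what DHCP carries: the SoH/SoHR content and the RADIUS/RNAP leg to the NPS are outside it. One caveat worth keeping in mind when reading the sequence: DHCP enforcement restricts access only through the lease the client accepts (mask, routes, missing gateway), so a host whose user can configure a static IPv4 address is not held in the restricted network, which is why this is the weakest of the NAP enforcement methods.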