3.3.5.2.6 MS-AFW-Zone

This attribute is processed only by RADIUS clients that are configured to support NAP IPsec policies.

When a network access server (NAS) that understands this attribute receives it in an Access-Accept from a RADIUS server, it uses the value of this attribute to select the NAP zone (see [MS-HCEP] and [TNC-IF-TNCCSPBSoH]) in which to place the endpoint (for example, secure zone, boundary zone, or quarantine zone).

The NAS then sends the NAP zone to the endpoint using a mechanism that is understood by both the NAS and the endpoint (for example, HCEP, as documented in [MS-HCEP] section 3.2.5.2), and applies to this endpoint the IPsec policy that corresponds to the new zone.

Other NAS RADIUS clients ignore this attribute.

For more details about this attribute, see section 2.2.1.12.
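
The following sketch, an added example that is not part of this specification, shows the processing rule above from the NAS side: a client configured for NAP IPsec policies extracts the zone from the Access-Accept attribute list, and any other client ignores the attribute. Assumptions: the wire layout (Microsoft vendor ID 311, vendor type 58, one 4-octet integer) and the value names are taken from the FreeRADIUS Microsoft dictionary because section 2.2.1.12 is not reproduced here; the names `select_nap_zone` and `vsa` are hypothetical; and rejecting malformed or unknown values is this example's own choice.

```python
import struct
from typing import Optional

VSA = 26                 # RADIUS Vendor-Specific attribute type (RFC 2865)
MS_VENDOR_ID = 311       # Microsoft SMI enterprise number
MS_AFW_ZONE = 58         # assumed vendor type (FreeRADIUS Microsoft dictionary)
ZONES = {                # assumed value names, same source
    1: "boundary-policy",
    2: "unprotected-policy",
    3: "protected-policy",
}

def select_nap_zone(attrs: bytes, nap_ipsec_enabled: bool) -> Optional[str]:
    """Return the zone carried in an Access-Accept attribute list, or None."""
    if not nap_ipsec_enabled:
        return None      # other NAS RADIUS clients ignore this attribute
    zone = None
    i = 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[i + 2:i + a_len]
        i += a_len
        if a_type != VSA or len(body) < 6:
            continue     # not a vendor-specific attribute we can inspect
        vendor_id, v_type, v_len = struct.unpack("!IBB", body[:6])
        if vendor_id != MS_VENDOR_ID or v_type != MS_AFW_ZONE:
            continue
        if v_len != 6 or len(body) != 10:
            raise ValueError("MS-AFW-Zone must carry one 4-octet integer")
        value = struct.unpack("!I", body[6:10])[0]
        if value not in ZONES:
            raise ValueError(f"unknown MS-AFW-Zone value {value}")
        zone = ZONES[value]
    return zone

def vsa(vendor_id: int, v_type: int, value: bytes) -> bytes:
    """Build one Vendor-Specific attribute (used for the constructed sample)."""
    sub = struct.pack("!IBB", vendor_id, v_type, 2 + len(value)) + value
    return bytes([VSA, 2 + len(sub)]) + sub

# Constructed sample: Session-Timeout (type 27) followed by MS-AFW-Zone = 1.
SAMPLE = bytes([27, 6]) + struct.pack("!I", 3600) + vsa(311, 58, struct.pack("!I", 1))

if __name__ == "__main__":
    print(select_nap_zone(SAMPLE, nap_ipsec_enabled=True))
```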