3.1 Example 1: Validate Health of NAP Client for IPsec Communication

This example demonstrates the use cases described in sections 2.5.1 and 2.5.3.

The sequence described in this example details how IPsec enforcement is applied to a NAP client that has only a single SHA.

Prerequisites

  • The underlying network infrastructures, such as the NAP data link protocol, name and address resolution, and routing services, are configured correctly.

  • The NAP client is enabled and correctly configured.

  • Preconditions have been satisfied, as defined in [TNC-IF-TNCCSPBSoH] and [MS-RNAP] section 1.5.

Initial System State

There is no health certificate issued for the NAP client.

Final System State

A health certificate is obtained by the NAP client that can be used for NAP with Internet Key Exchange (IKE) [RFC2409] [MS-IKEE] to establish mutual authentication and to enable authorization of communication between the client and network server. The sequence diagram below illustrates the client health validation for the NAP client.

This example is divided into two tasks:

  1. Obtain a health certificate and gain authorization using the health certificate via IKE, and use IPsec transports for the client and server.

  2. Upon failure to obtain a health certificate, perform remediation and retry obtaining the health certificate.

Sequence diagram detail for Task 1

Figure 18: Sequence diagram detail for Task 1

Sequence of Events

  1. When the NAP client starts, it sends its current SoH [TNC-IF-TNCCSPBSoH] as a payload to the HCEP Request message ([MS-HCEP] section 2.2.1), indicating its current health state to the HRA.

  2. The HRA passes the SoH information to the NPS using RADIUS to enable evaluation of the SoH. The HRA uses RADIUS [RFC2865]) with the Vendor-Specific RADIUS Attributes for Network Access Protection (NAP) Data Structure (RNAP) [MS-RNAP].

  3. The NPS server evaluates the SoH of the NAP client and determines that the NAP client is compliant with the enterprise network policy.

  4. The NPS server sends the SoH response (SoHR) [TNC-IF-TNCCSPBSoH] to the HRA indicating that the NAP client is compliant. The HRA uses RADIUS [RFC2865]) with RNAP [MS-RNAP].

  5. HRA obtains an X.509-based health certificate for the NAP client. The HRA requests a certificate authority (CA) to issue a certificate. The Microsoft implementation of the HRA uses the Windows Client Certificate Enrollment Protocol [MS-WCCE] to request and receive the certificate. This health certificate is used in conjunction with IPsec settings to authenticate the NAP client when it initiates IPsec-protected communication with other compliant NAP clients on an intranet.

  6. The HRA sends an HCEP response, the payload of which contains an SoH response (SoHR) [TNC-IF-TNCCSPBSoH], and if the client is compliant with health policies, it also includes a PKCS #7 message [RFC2315] with possibly an X.509 certificate [RFC3280].

  7. The NAP client initiates an IPsec communication with a server (Application/File Server) which has obtained a health certificate. Both computers authenticate each other using Internet Key Exchange (IKE), as specified in [MS-IKEE] and their respective health certificates. Both IPsec peers validate each other's certificate and do a secret key exchange which is subsequently used to sign and/or encrypt the IPsec communication.

  8. The NAP client and Application/File server start communicating and the data traffic is protected by using IPsec.

This task explains the message exchange between the NAP client, the HRA, the NPS, and the remediation server when a non-compliant NAP client requests a health certificate.

Sequence diagram details for Task 2

Figure 19: Sequence diagram details for Task 2

Sequence of Events

  1. When the NAP client starts, it sends its current SoH [TNC-IF-TNCCSPBSoH] as a payload to the HCEP Request message ([MS-HCEP] section 2.2.1) indicating its current health state to the HRA.

  2. The HRA passes the SoH information to the NPS server so that the SoH can be evaluated. The HRA uses RADIUS [RFC2865] with RNAP [MS-RNAP].

  3. The NPS server evaluates the SoH of the NAP client and determines that the NAP client is non-compliant with the enterprise network policy.

  4. The NPS server sends the SoH response (SoHR) [TNC-IF-TNCCSPBSoH] to the HRA indicating that the NAP client is non-compliant. The SoH response (SoHR) includes health remediation instructions. The HRA uses RADIUS [RFC2865] with RNAP [MS-RNAP].

  5. The HRA sends an HCEP response to the NAP client, the payload of which contains an SoH response (SoHR) [TNC-IF-TNCCSPBSoH].

  6. The NAP client communicates with the remediation server to obtain the required updates. For example, the SHA might call the Microsoft Windows Server Update Service and obtain the latest operating system or it might call the Windows Security Service and enable the firewall.

  7. The NAP client updates its health status by invoking the SHAs and constructing a new SoH.

  8. The NAP client sends a new SoH request to the HRA, as described in step 1.

  9. The HRA passes the SoH request to the NPS, as described in step 2.

  10. The NPS server evaluates the SoH of the NAP client and verifies that the NAP client is compliant.

  11. The NPS server sends the SoH response (SoHR) [TNC-IF-TNCCSPBSoH] to the HRA indicating that the NAP client is compliant. The HRA uses RADIUS [RFC2865]) with RNAP [MS-RNAP].

  12. The HRA creates an X.509-based health certificate for the NAP client. The HRA requests a CA to issue a certificate. The Microsoft implementation of the HRA uses the Windows Client Certificate Enrollment Protocol [MS-WCCE] to request and receive the certificate. This health certificate is used in conjunction with IPsec settings to authenticate the NAP client when it initiates IPsec-protected communication with other compliant NAP clients on an intranet.

  13. The HRA sends an HCEP response to the NAP client, the payload of which contains an SoH response (SoHR) [TNC-IF-TNCCSPBSoH], and if the client is compliant with health policies, it also includes a PKCS #7 message [RFC2315] with possibly an X.509 certificate [RFC3280].

  14. The client computer initiates an IPsec communication with a server (Application/File Server) which has obtained a health certificate. Both computers authenticate each other using Internet Key Exchange (IKE), as specified in [MS-IKEE] and their health certificates. Both IPsec peers validate each other's certificate and do a secret key exchange which is subsequently used to encrypt the IPsec communication.

  15. The NAP client and Application/File server start communicating and the data traffic is protected using IPsec.

Show: