3.2.5.2.2 Processing the SoH-Response from the Health Policy Server
The SoH-Response from the health policy server as well as the type of the encapsulating RADIUS server packet received comes as part of RADIUS [RFC2865] and the Microsoft RADIUS Attributes for Network Access Protection [MS-RNAP]. If the SoH-Response from the health policy server is encapsulated in a RADIUS server packet of type Access-Reject as specified in section 4.3 of [RFC2865], the incoming DHCPREQUEST message is not processed any further and no response is sent to the DHCP client.
If the RADIUS server packet is of type Access-Accept as specified in section 4.2 of [RFC2865], this will trigger the creation of a DHCPACK containing the SoH-Response and the NAP-CoID (section 2.2.1.3) option as it was received in the DHCPREQUEST message packet. The NAP-SoH (section 2.2.1.1) and NAP-CoID (section 2.2.1.3) options are appended to the DHCPACK message packet by calling DhcpAppendVendorSpecificOption ([MS-DHCPE] section 3.2.7.1). The SoH-Response can contain information as to whether the client has normal access to the network or whether the client has been quarantined, as specified in [TNC-IF-TNCCSPBSoH].
If, in the SoH-Response from the health policy server, the qState field of the MS-Quarantine-State attribute ([TNC-IF-TNCCSPBSoH] section 3.8.2) is 3, the client is noncompliant with the NAP health policies. In such a case, the DHCP server MUST ignore the user class value sent by the client and instead use the "Default Network Access Protection Class" ([MS-DHCPM] section 3.1.1.8) user class. That is, the network configuration options sent to the client MUST be selected from the default NAP user class (instead of the default user class or the client-provided user class). The option values corresponding to the "Default Network Access Protection Class" ([MS-DHCPM] section 3.1.1.8) user class are obtained by using the procedure DhcpGetNetworkConfigurationForClient (section 3.2.7.1). In addition, the DHCP server overrides three of those option values. The Router option (DHCP option 3, as specified in [RFC2132] section 3.3) MUST be set to the value 0.0.0.0, and the Subnet Mask option (DHCP option 1, as specified in [RFC2132] section 3.3) MUST be set to the value 255.255.255.255. The Microsoft Classless Static Route option MUST be configured with static routes to the IPv4 addresses of the NAP remediation servers by calling DhcpAppendCSROption ([MS-DHCPE] section 3.2.7.2).
Also, if the DHCP client is being quarantined, the DHCP server SHOULD include the DHCPv4Scope.ScopeInfo.SubnetMask element, which is a shared element (see [MS-DHCPM] section 3.1.1.2; see also [RFC2132] section 3.3), in the NAP-Mask (section 2.2.1.2) option. It MUST also include the IPv6 addresses of the NAP remediation servers in the NAP-IPv6 (section 2.2.1.4) option if the addresses are received in the Attribute-Specific Value field of the MS-IPv6-Remediation-Servers attribute ([MS-RNAP] section 2.2.1.17) of the encapsulating RADIUS packet. The NAP-Mask (section 2.2.1.2) option and NAP-IPv6 (section 2.2.1.4) option are appended to the DHCPACK message packet by calling DhcpAppendVendorSpecificOption ([MS-DHCPE] section 3.2.7.1). If there are no IPv6 addresses of the NAP remediation servers, the DHCP server SHOULD NOT include the NAP-IPv6 option in the message.
If the SoH-Response from the health policy server indicates that the client is compliant with the NAP health policies, the DHCPREQUEST is processed as a normal DHCPREQUEST and the network configuration (option values) is to be sent to the client as specified in section 1.4 (point 5).
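The three outcomes described in this section (Access-Reject dropped silently, Access-Accept with qState 3 quarantined, any other Access-Accept handled normally) are modelled below as an added example. This is not code from [MS-DHCPN] or from any Microsoft implementation; it is a plain-Python stand-in for the server-side decision. Option codes 1 and 3 come from [RFC2132]; the Microsoft Classless Static Route option code (249), the RFC 3442 route encoding used for it, the next-hop address placed in each host route, the RadiusReply and Scope shapes, and the sample scope data are all assumptions made for the example, since the page delegates those details to DhcpAppendCSROption and DhcpGetNetworkConfigurationForClient.

```python
# Added example, not part of [MS-DHCPN] or of any Microsoft implementation.
# It models the server-side decision of section 3.2.5.2.2: a RADIUS
# Access-Reject drops the DHCPREQUEST, an Access-Accept whose
# MS-Quarantine-State qState is 3 yields a quarantined DHCPACK, and any
# other Access-Accept yields a normal DHCPACK.
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import ipaddress

ACCESS_ACCEPT = 2             # RADIUS code, [RFC2865] section 4.2
ACCESS_REJECT = 3             # RADIUS code, [RFC2865] section 4.3
QSTATE_NONCOMPLIANT = 3       # qState value meaning "noncompliant" (this section)

OPT_SUBNET_MASK = 1           # [RFC2132] Subnet Mask option
OPT_ROUTER = 3                # [RFC2132] Router option
OPT_MS_CLASSLESS_ROUTE = 249  # assumption: Microsoft Classless Static Route code

DEFAULT_NAP_CLASS = "Default Network Access Protection Class"


@dataclass
class RadiusReply:
    """Assumed shape: the parts of the health policy server's reply this logic needs."""
    code: int
    soh_response: bytes
    qstate: Optional[int] = None
    ipv6_remediation_servers: List[str] = field(default_factory=list)


@dataclass
class Scope:
    """Assumed stand-in for DHCPv4Scope: shared subnet mask plus per-user-class options."""
    subnet_mask: str
    class_options: Dict[str, Dict[int, object]]   # user class -> {option code: value}
    default_class: str = "Default User Class"     # constructed name for the default class


def encode_classless_routes(destinations: List[str], next_hop: str) -> bytes:
    """RFC 3442 wire format (assumed for DhcpAppendCSROption): prefix length,
    significant destination octets, router.  Each remediation server is a /32 route."""
    hop = ipaddress.IPv4Address(next_hop).packed
    out = bytearray()
    for dest in destinations:
        net = ipaddress.IPv4Network(dest)          # "192.0.2.10" -> 192.0.2.10/32
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += hop
    return bytes(out)


def get_network_configuration(scope: Scope, user_class: Optional[str]) -> Dict[int, object]:
    """Stand-in for DhcpGetNetworkConfigurationForClient: options for a user class,
    falling back to the default user class when the client's class is unknown."""
    chosen = user_class if user_class in scope.class_options else scope.default_class
    return dict(scope.class_options[chosen])


def process_soh_response(reply: RadiusReply, scope: Scope, client_user_class: Optional[str],
                         coid: bytes, remediation_ipv4: List[str],
                         next_hop: str) -> Optional[dict]:
    """Return the DHCPACK contents as {"options": ..., "vendor": ...}, or None when
    the DHCPREQUEST is dropped without any response."""
    if reply.code == ACCESS_REJECT:
        return None                                # no DHCPACK, no further processing
    if reply.code != ACCESS_ACCEPT:
        raise ValueError("unexpected RADIUS code %d" % reply.code)

    # NAP-SoH and NAP-CoID (echoed from the DHCPREQUEST) always go into the DHCPACK.
    vendor: Dict[str, object] = {"NAP-SoH": reply.soh_response, "NAP-CoID": coid}

    if reply.qstate == QSTATE_NONCOMPLIANT:
        # Quarantined: the client-provided user class is ignored in favour of the NAP class,
        # then Router, Subnet Mask and the classless static routes are overridden.
        options = get_network_configuration(scope, DEFAULT_NAP_CLASS)
        options[OPT_ROUTER] = "0.0.0.0"
        options[OPT_SUBNET_MASK] = "255.255.255.255"
        options[OPT_MS_CLASSLESS_ROUTE] = encode_classless_routes(remediation_ipv4, next_hop)
        vendor["NAP-Mask"] = scope.subnet_mask      # the scope's real mask, for the client
        if reply.ipv6_remediation_servers:          # NAP-IPv6 only when addresses were supplied
            vendor["NAP-IPv6"] = list(reply.ipv6_remediation_servers)
    else:
        # Compliant: ordinary DHCPREQUEST handling with the client's own user class.
        options = get_network_configuration(scope, client_user_class)
    return {"options": options, "vendor": vendor}


# Constructed sample scope; addresses are documentation ranges, not real servers.
SCOPE = Scope(
    subnet_mask="255.255.255.0",
    class_options={
        "Default User Class": {OPT_SUBNET_MASK: "255.255.255.0", OPT_ROUTER: "192.0.2.1"},
        "Engineering": {OPT_SUBNET_MASK: "255.255.255.0", OPT_ROUTER: "192.0.2.1", 6: "192.0.2.53"},
        DEFAULT_NAP_CLASS: {OPT_SUBNET_MASK: "255.255.255.0", OPT_ROUTER: "192.0.2.1", 6: "192.0.2.53"},
    },
)

if __name__ == "__main__":
    quarantined = RadiusReply(ACCESS_ACCEPT, b"constructed-soh-response", qstate=QSTATE_NONCOMPLIANT,
                              ipv6_remediation_servers=["2001:db8::10"])
    ack = process_soh_response(quarantined, SCOPE, "Engineering", b"constructed-coid",
                               ["192.0.2.10"], "192.0.2.1")
    print(ack["options"][OPT_ROUTER], ack["options"][OPT_SUBNET_MASK], sorted(ack["vendor"]))
```

The point worth checking in a real implementation is the order of operations in the quarantine branch: the NAP class options are fetched first and only then overridden, so a misconfigured NAP class cannot leave a quarantined client with a usable default route or a wider mask than 255.255.255.255.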