2.3 Enforcement Client Settings
A NAP enforcement client uses the health state of a computer to request a certain level of access to a network. This is done using the NAP statement of health (SoH) ([TNC-IF-TNCCSPBSoH] section 3.5) and statement of health response (SoHR) ([TNC-IF-TNCCSPBSoH] section 3.6) messages, which are exchanged between a client and a server to validate the client's conformance with corporate security policies.
Different types of mechanisms transport SoHs intended to manage the health of connected resources. These mechanisms, called enforcement clients, are configured from the NAP Group Policy and are listed in the following table.
| Enforcement client | <qec-id> value | Description |
|---|---|---|
| Dynamic Host Configuration Protocol (DHCP) | 79617 | Enforces health policies when a client computer attempts to obtain an IP address from a DHCP server. The implementation is specified in section 2.3.1. |
| Remote access | 79618 | Enforces health policies when a client computer attempts to gain access to the network through a virtual private network (VPN) connection. The implementation is specified in section 2.3.2. |
| Internet Protocol security (IPsec) | 79619 | Enforces health policies when a client computer attempts to communicate with another computer using IPsec. The implementation is specified in section 2.3.3. |
| Wireless EAPOL | 79620 | Enforces health policies when a client computer attempts to access a network through an 802.1X wireless connection or an authenticating switch connection.<4> The implementation is specified in section 2.3.5. |
| Remote desktop gateway (RDG) | 79621 | Enforces health policies when a client computer attempts to gain access to an RDG. The implementation is specified in section 2.3.4. |
| Extensible Authentication Protocol (EAP) | 79623 | Enforces health policies when a client computer attempts to access a network through an 802.1X wireless connection or an authenticating switch connection. The implementation is specified in section 2.3.5. |
For more information on NAP enforcement clients, see [MSDN-NAP].
The NAP enforcement client settings consist of one registry entry per enforcement client, each of which MUST be represented in the machine-specific Registry Policy file as follows:
Key: Software\Policies\Microsoft\NetworkAccessProtection\ClientConfig\Qecs\<qec-id>
All the <qec-id> keys MUST have the following value:
Value: "Enabled" or one of the value names listed in the table in [MS-GPREG] section 3.2.5.1 specifying how the value is deleted.
Type: REG_DWORD.
Size: Equal to the size of the Data field.
Data: A 32-bit unsigned integer.
| Value | Meaning |
|---|---|
| 0x00000000 | Disables NAP enforcement. |
| 0x00000001 | Enables NAP enforcement. |
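As an added example (not part of this specification or of any Microsoft code), the following Python audits a set of registry-policy entries against the requirements of this section: the Qecs key path, a known <qec-id>, the "Enabled" value name, REG_DWORD type, a 4-byte Size, and Data of 0 or 1. The sample entries are constructed, the short client names are my own labels for the table rows, and treating value names that begin with `**` as the deletion names of [MS-GPREG] section 3.2.5.1 is an assumption about that table.

```python
# Added example (not from [MS-GPNAP]): validate NAP enforcement client
# registry-policy entries against the requirements stated in this section.
import struct
REG_DWORD = 4  # registry type code of a 32-bit value
QECS_PREFIX = r"Software\Policies\Microsoft\NetworkAccessProtection\ClientConfig\Qecs"
# <qec-id> values from the enforcement client table above (short labels are mine).
QEC_NAMES = {79617: "DHCP", 79618: "Remote access", 79619: "IPsec",
             79620: "Wireless EAPOL", 79621: "RDG", 79623: "EAP"}

def check_entry(key, value_name, reg_type, data):
    """Return (client, state) for a conforming entry, else raise ValueError.
    `data` is the raw little-endian Data field, so len(data) is the Size field."""
    prefix, _, qec = key.rpartition("\\")
    if prefix.lower() != QECS_PREFIX.lower():  # registry paths are case-insensitive
        raise ValueError(f"key outside the Qecs container: {key}")
    if not qec.isdigit() or int(qec) not in QEC_NAMES:
        raise ValueError(f"unknown <qec-id>: {qec}")
    name = QEC_NAMES[int(qec)]
    # Assumption: value names beginning with "**" are the deletion directives of
    # [MS-GPREG] section 3.2.5.1; they remove the setting rather than set it.
    if value_name.startswith("**"):
        return name, "deleted"
    if value_name != "Enabled":
        raise ValueError(f"{name}: unexpected value name {value_name!r}")
    if reg_type != REG_DWORD or len(data) != 4:
        raise ValueError(f"{name}: Enabled must be a 4-byte REG_DWORD")
    (flag,) = struct.unpack("<I", data)
    if flag not in (0, 1):
        raise ValueError(f"{name}: Data 0x{flag:08X} is neither 0 nor 1")
    return name, "enabled" if flag else "disabled"

def audit(entries):
    """Check every (key, value_name, type, data) entry; return (states, errors)."""
    states, errors = {}, []
    for entry in entries:
        try:
            name, state = check_entry(*entry)
            states[name] = state
        except ValueError as exc:
            errors.append(str(exc))
    return states, errors

# Constructed sample entries, not taken from a real policy file.
SAMPLE = [
    (QECS_PREFIX + r"\79617", "Enabled", REG_DWORD, struct.pack("<I", 1)),
    (QECS_PREFIX + r"\79619", "Enabled", REG_DWORD, struct.pack("<I", 0)),
    (QECS_PREFIX + r"\79618", "**Del.Enabled", REG_DWORD, b"\0\0\0\0"),
    (QECS_PREFIX + r"\79620", "Enabled", REG_DWORD, struct.pack("<I", 2)),  # bad Data
    (QECS_PREFIX + r"\99999", "Enabled", REG_DWORD, struct.pack("<I", 1)),  # unknown id
]
```

Running `audit(SAMPLE)` reports DHCP enabled, IPsec disabled and Remote access deleted, and flags the last two entries as non-conforming.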