2.3 Enforcement Client Settings

A NAP enforcement client uses the health state of a computer to request a certain level of access to a network. This is done using the NAP protocol statement of health (SoH) ([TNC-IF-TNCCSPBSoH] section 3.5) and statement of health response (SoHR) ([TNC-IF-TNCCSPBSoH] section 3.6) messages, which are exchanged between a client and a server to validate the client's conformance with corporate security policies.

Several different mechanisms transport SoHs in order to manage the health of connected resources. These mechanisms, called enforcement clients, are configured through NAP Group Policy and are listed in the following table.

| Enforcement client | <qec-id> value | Description |
|---|---|---|
| Dynamic Host Configuration Protocol (DHCP) | 79617 | Enforces health policies when a client computer attempts to obtain an IP address from a DHCP server. The implementation is specified in section 2.3.1. |
| Remote access | 79618 | Enforces health policies when a client computer attempts to gain access to the network through a virtual private network (VPN) connection. The implementation is specified in section 2.3.2. |
| Internet Protocol security (IPsec) | 79619 | Enforces health policies when a client computer attempts to communicate with another computer using IPsec. The implementation is specified in section 2.3.3. |
| Wireless EAPOL | 79620 | Enforces health policies when a client computer attempts to access a network through an 802.1X wireless connection or an authenticating switch connection.<4> The implementation is specified in section 2.3.5. |
| Remote desktop gateway (RDG) | 79621 | Enforces health policies when a client computer attempts to gain access to an RDG. The implementation is specified in section 2.3.4. |
| Extensible Authentication Protocol (EAP) | 79623 | Enforces health policies when a client computer attempts to access a network through an 802.1X wireless connection or an authenticating switch connection. The implementation is specified in section 2.3.5. |

For more information on NAP enforcement clients, see [MSDN-NAP].

The NAP enforcement client settings consist of one registry entry per enforcement client, which MUST be represented in the machine-specific Registry Policy file as follows:

Key: Software\Policies\Microsoft\NetworkAccessProtection\ClientConfig\Qecs\<qec-id>

All the <qec-id> keys MUST have the following value:

Value: "Enabled" or one of the value names listed in the table in [MS-GPREG] section 3.2.5.1 specifying how the value is deleted.

Type: REG_DWORD.

Size: Equal to the size of the Data field.

Data: A 32-bit unsigned integer.

| Value | Meaning |
|---|---|
| 0x00000000 | Disables NAP enforcement. |
| 0x00000001 | Enables NAP enforcement. |
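The following is an added worked example, not code from this specification or from any Microsoft implementation. It serializes a set of NAP enforcement client entries into the machine-specific Registry Policy (Registry.pol) layout, parses them back, and interprets the Qecs\<qec-id> "Enabled" values against the two tables above, rejecting unknown <qec-id> keys, wrong value types, and Data outside 0 and 1. The record layout used here ("PReg" signature, version 1, then [key;value;type;size;data] records in UTF-16LE) is my reading of [MS-GPREG] section 2.2 and should be treated as an assumption; the "**Del." prefix is likewise assumed to be one of the deletion value names that [MS-GPREG] section 3.2.5.1 defines. The sample entries are constructed for illustration.

```python
import struct

# <qec-id> values and enforcement client names from the table in section 2.3.
QEC_IDS = {
    79617: "DHCP",
    79618: "Remote access",
    79619: "IPsec",
    79620: "Wireless EAPOL",
    79621: "RDG",
    79623: "EAP",
}
REG_DWORD = 4
QECS_KEY = r"Software\Policies\Microsoft\NetworkAccessProtection\ClientConfig\Qecs"


def _u16(s):
    return s.encode("utf-16-le")


def build_registry_pol(entries):
    """Serialize (key, value_name, type, data_bytes) tuples in the Registry.pol
    layout: 'PReg' signature, version DWORD 1, then one [key;value;type;size;data]
    record per entry with all text in UTF-16LE (assumed layout of [MS-GPREG] 2.2)."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for key, value, vtype, data in entries:
        out += _u16("[") + _u16(key + "\0") + _u16(";") + _u16(value + "\0") + _u16(";")
        out += struct.pack("<I", vtype) + _u16(";") + struct.pack("<I", len(data)) + _u16(";")
        out += data + _u16("]")
    return bytes(out)


def parse_registry_pol(blob):
    """Inverse of build_registry_pol: returns a list of (key, value, type, data)."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 Registry.pol blob")

    def read_string(pos):
        # UTF-16LE string terminated by a two-byte NUL, scanned on 2-byte boundaries
        end = pos
        while blob[end:end + 2] != b"\0\0":
            end += 2
            if end >= len(blob):
                raise ValueError("unterminated string")
        return blob[pos:end].decode("utf-16-le"), end + 2

    def expect(pos, ch):
        if blob[pos:pos + 2] != _u16(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        return pos + 2

    entries, pos = [], 8
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_string(pos)
        pos = expect(pos, ";")
        value, pos = read_string(pos)
        pos = expect(pos, ";")
        vtype = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data field")
        pos = expect(pos + size, "]")
        entries.append((key, value, vtype, data))
    return entries


def nap_enforcement_state(entries):
    """Interpret Qecs\\<qec-id> entries as {client name: True/False/None}.
    None means the entry carries a [MS-GPREG] deletion value name (assumed to start
    with '**'), i.e. the policy is being removed rather than set."""
    prefix = QECS_KEY.lower() + "\\"
    state = {}
    for key, value, vtype, data in entries:
        if not key.lower().startswith(prefix):
            continue  # not a NAP enforcement client entry
        qec_text = key[len(prefix):]
        if not qec_text.isdigit() or int(qec_text) not in QEC_IDS:
            raise ValueError(f"unknown <qec-id> key {key!r}")
        name = QEC_IDS[int(qec_text)]
        if value.startswith("**"):
            state[name] = None
            continue
        if value != "Enabled" or vtype != REG_DWORD or len(data) != 4:
            raise ValueError(f"malformed Enabled entry for {name}")
        flag = struct.unpack("<I", data)[0]
        if flag not in (0, 1):  # only 0x00000000 and 0x00000001 have a defined meaning
            raise ValueError(f"undefined Enabled data {flag:#010x} for {name}")
        state[name] = bool(flag)
    return state


# Constructed sample policy: DHCP enforcement on, IPsec enforcement off,
# and the remote access entry marked for deletion (assumed '**Del.' form).
SAMPLE_ENTRIES = [
    (QECS_KEY + r"\79617", "Enabled", REG_DWORD, struct.pack("<I", 1)),
    (QECS_KEY + r"\79619", "Enabled", REG_DWORD, struct.pack("<I", 0)),
    (QECS_KEY + r"\79618", "**Del.Enabled", REG_DWORD, struct.pack("<I", 0)),
]

if __name__ == "__main__":
    blob = build_registry_pol(SAMPLE_ENTRIES)
    print(nap_enforcement_state(parse_registry_pol(blob)))
```

The strict checks in nap_enforcement_state are the point: a policy file that names a <qec-id> outside the table, stores "Enabled" as anything other than a 4-byte REG_DWORD, or uses a Data value other than 0 or 1 does not match this section and is reported as an error rather than silently treated as "enabled" or "disabled".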