1.1 Conceptual Overview
The Windows client and server operating systems implement a set of NAP protocols. These protocols are used when a client attempts to gain access to an enterprise network, such as an enterprise wireless LAN, a VPN server, or an enterprise wired Ethernet that uses DHCP or IEEE 802.1X [IEEE802.1X]. A goal of NAP is to allow enterprise network access to client systems that are properly configured and have passed security checks, such as anti-virus scanning with up-to-date anti-virus signatures.
The IETF defines an architecture for network access based on the following three considerations:
Data link protocols (Point-to-Point Protocol (PPP) as defined in [RFC1661] and Layer Two Tunneling Protocol (L2TP) as defined in [RFC2661])
Authentication, Authorization, and Accounting (AAA) protocols as defined in [RFC2903] (Remote Authentication Dial-In User Service (RADIUS), including RADIUS accounting as defined in [RFC2866], and Diameter)
Policy Control ([RFC2748])
In the IETF architecture, there are well-defined roles for the following:
Client: Requests network access from a policy enforcement point (PEP).
PEP: Performs network access control.
Policy decision point (PDP): Makes access control decisions.
A common deployment of the IETF architecture consists of a host computer acting as the client, a dial-up network access server (NAS) acting as the PEP, and a RADIUS server acting as the PDP. In the dial-up case, the network access protocol between the client and the PEP is PPP as specified in [RFC1661]. Authentication and authorization run logically end-to-end between the client and the PDP, but the actual protocol mechanisms are hop-by-hop: the client speaks only the data link protocol to the NAS, and the NAS communicates with the RADIUS server, which makes the actual authentication and authorization decisions.

Figure 1: IETF architecture for network access
NAP is a minor extension of the IETF network access architecture. The primary extension is the introduction of client health evaluation as part of determining network access. NAP uses the underlying standards-based network access protocols and carries the health evaluation through the authentication and authorization extension mechanisms of the data link protocols. The NAP architecture therefore extends the IETF roles as follows:
NAP enforcement point (NEP, an instance of a PEP): Performs network access control.
NAP health policy server (NPS) (an instance of a PDP): Formulates access control decisions, including health state evaluation.
NAP client: Requests network access from the corresponding NEP/PEP, including client health information.
A secondary extension of NAP is that improperly configured clients, or clients without a recent security scan, can be directed to reconfigure their software or run up-to-date security software before they are allowed access to the enterprise network. This process is called remediation.
The NAP protocols allow verification of user and machine identities and checking of a client's health state before the client is allowed access to network resources. The health state can include the proper configuration of software, up-to-date system software, access limits for specific hardware platforms, and the results of security-checking software run on the client, such as anti-virus and anti-malware software, to verify that the client computer is safe to use the network. Because the health state is reported by software running on the client itself, NAP health evaluation is a compliance control for cooperating clients rather than a defense against a client that deliberately misreports its state.
NAP has a pluggable architecture that allows client and server plug-ins to contribute to the evaluation of the client's statement of health (SoH). A client plug-in is called a system health agent (SHA) and the corresponding server-side plug-in is called a system health validator (SHV). The Windows SHA and SHVs are described in [MS-WSH]. Other software packages, such as anti-virus products, can install an SHA that reports the result of the client's virus scan and its signature version, and an SHV that checks those values against the current signature version and the acceptable scan results.

Figure 2: NAP extension to IETF architecture for network access
NAP introduces the primary NAP protocol, the Protocol Bindings for SoH [TNC-IF-TNCCSPBSoH], which operates between the NAP client and the NAP policy server. The client determines its state of health and then uses the SoH protocol to request validation of its health state by the NAP policy server. The SoH protocol is designed as a simple request/response protocol that works end-to-end between the NAP client and the NAP policy server. It is designed to be encapsulated and transported by the NAP data link protocols in a hop-by-hop manner, so that intervening NASs can establish network access state based on the result of the SoH exchange between the NAP client and the NAP policy server. Network access state can include allowing full enterprise network access or allowing only partial connectivity, so that the NAP client can reach only those servers required for remediation. The Vendor-Specific RADIUS Attributes for Network Access Protection (NAP) Data Structure (RNAP) [MS-RNAP] carries the NAP data, including the SoH and its response, between the enforcement point and the NAP policy server over RADIUS.
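The following is an added illustrative model of the pluggable SHA/SHV evaluation, the SoH request/response relayed through the enforcement point, and the resulting access state and remediation loop described above. It is constructed for this page and is not code from Windows, NPS, or the cited specifications; it does not reproduce the PB-SoH or RNAP wire formats, and the policy values, component names and patch identifiers are hypothetical.

```python
"""Constructed model of a NAP health-evaluation exchange (not the real wire formats)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Hypothetical policy held by the NAP policy server; each SHV consults its own section.
POLICY = {
    "firewall": {"enabled": True},
    "antivirus": {"min_signature_version": 20240501, "running": True},
    "patches": {"required": {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}},
}

@dataclass
class SoHEntry:
    component: str                 # which SHA produced this entry
    attributes: Dict[str, object]  # the health attributes that SHA reports

@dataclass
class StatementOfHealth:
    machine: str
    entries: List[SoHEntry] = field(default_factory=list)

@dataclass
class SoHResponse:
    compliant: bool
    failed: List[str]       # components whose SHV rejected the SoH
    remediation: List[str]  # actions the client is told to take

# ---- client side: each SHA reads local state and contributes one SoH entry ----
def sha_firewall(state: dict) -> SoHEntry:
    return SoHEntry("firewall", {"enabled": state["firewall_enabled"]})

def sha_antivirus(state: dict) -> SoHEntry:
    return SoHEntry("antivirus", {"signature_version": state["av_signature_version"],
                                  "running": state["av_running"]})

def sha_patches(state: dict) -> SoHEntry:
    return SoHEntry("patches", {"installed": set(state["installed_patches"])})

SHAS = [sha_firewall, sha_antivirus, sha_patches]

def build_soh(machine: str, state: dict) -> StatementOfHealth:
    return StatementOfHealth(machine, [sha(state) for sha in SHAS])

# ---- policy server side: the SHV registered for a component validates its entry ----
def shv_firewall(attrs: dict, policy: dict) -> Tuple[bool, str]:
    return attrs["enabled"] == policy["enabled"], "enable_firewall"

def shv_antivirus(attrs: dict, policy: dict) -> Tuple[bool, str]:
    ok = attrs["running"] == policy["running"] and \
        attrs["signature_version"] >= policy["min_signature_version"]
    return ok, "update_antivirus"

def shv_patches(attrs: dict, policy: dict) -> Tuple[bool, str]:
    missing = policy["required"] - attrs["installed"]
    return not missing, "install_patches:" + ",".join(sorted(missing))

SHVS: Dict[str, Callable] = {"firewall": shv_firewall, "antivirus": shv_antivirus,
                             "patches": shv_patches}

def policy_server_evaluate(soh: StatementOfHealth) -> SoHResponse:
    failed, remediation = [], []
    for entry in soh.entries:
        shv = SHVS.get(entry.component)
        if shv is None:
            continue  # assumption: entries with no registered SHV are ignored
        ok, fix = shv(entry.attributes, POLICY[entry.component])
        if not ok:
            failed.append(entry.component)
            remediation.append(fix)
    return SoHResponse(not failed, failed, remediation)

# ---- enforcement point: relay the SoH hop-by-hop, set access state from the SoHR ----
def nep_request_access(soh: StatementOfHealth) -> Tuple[str, SoHResponse]:
    sohr = policy_server_evaluate(soh)  # in NAP this hop is RADIUS carrying RNAP attributes
    return ("full" if sohr.compliant else "restricted"), sohr

# ---- client remediation: apply the SoHR's actions, then request access again ----
def remediate(state: dict, actions: List[str]) -> dict:
    state = dict(state)
    for action in actions:
        if action == "enable_firewall":
            state["firewall_enabled"] = True
        elif action == "update_antivirus":
            state["av_running"] = True
            state["av_signature_version"] = POLICY["antivirus"]["min_signature_version"]
        elif action.startswith("install_patches:"):
            new = set(action.split(":", 1)[1].split(","))
            state["installed_patches"] = set(state["installed_patches"]) | new
    return state

def connect(machine: str, state: dict, max_rounds: int = 3) -> List[str]:
    """Run the request/remediate loop; returns the access state granted in each round."""
    history = []
    for _ in range(max_rounds):
        access, sohr = nep_request_access(build_soh(machine, state))
        history.append(access)
        if access == "full":
            break
        state = remediate(state, sohr.remediation)  # only remediation servers reachable here
    return history

# Constructed client state: firewall off, stale AV signatures, one required patch missing.
UNHEALTHY = {"firewall_enabled": False, "av_running": True,
             "av_signature_version": 20240101, "installed_patches": ["KB-EXAMPLE-1"]}

if __name__ == "__main__":
    print(connect("client-1", UNHEALTHY))  # ['restricted', 'full']
```

The first round is rejected by all three SHVs, the client is placed in the restricted state with remediation instructions, and after remediation the second SoH passes and full access is granted. Note that the decision rests entirely on what the SHAs report, which is why the model treats the client as cooperating.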