2.5.1 Health Validation

Client Computer Health Validation use case

Figure 15: Client Computer Health Validation use case

Context of Use: Applies when the NAP client is attempting to connect to a network.

Goal: Evaluate the NAP client's state of health.

Actors

  • NAP client

The NAP client is the primary actor that triggers this use case. It runs on the Client computer and carries out the network access use case by acting as the client side of the authentication and authorization exchanges of the NAP data link protocols.

  • NPS

The NPS uses the authentication information and the SoH of the NAP client to determine whether the Client computer meets the requirements for network access.

Stakeholders

  • Client computer

The Client computer is used to access and manipulate protected network resources. Client computers use the NAP protocols to communicate with the network in order to obtain general network access.

Preconditions

  • The Client computer and the NPS can communicate with each other.

  • The NAP-related policies are expressed in a policy database used by the NPS.

  • The NPS can communicate with Authentication Services and Active Directory.

Main Success Scenario

  1. Trigger: The NAP client accumulates the SoH from a collection of SHAs including the Windows SHA [MS-WSH] and sends the SoH to the NPS.

  2. The NPS validates the Client computer's health against its NAP-related policies and returns an SoHR message indicating success.

Extensions: None.

Alternate Scenario - Health Validation Failure

  1. Trigger: NAP health validation fails because the NPS evaluates the health reported by the NAP client as not meeting policy.

  2. The NPS sends an SoH response (SoHR) to the NAP enforcement point (NEP) indicating which portions of the NAP client's health failed verification.

  3. The NEP forwards the SoHR to the NAP client.

  4. The NEP grants the NAP client only the restricted network connectivity it needs to perform remediation.

  5. The NAP client uses the information in the SoHR to perform the appropriate remediation.

  6. The NAP client re-attempts NAP with the NEP in order to gain full network access.

Post-Condition: The NEP has state that grants the Client computer network access.
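The main success scenario and the health validation failure scenario above, modelled end to end as an added example. This is not code from the specification and does not reproduce the [MS-WSH] SoH wire format or any real NPS interface; the policy attribute names, the SHA reports, the NEP access states and the remediation step are all constructed for illustration. The model also covers one case the text only implies: a requirement that no SHA reports at all cannot be remediated, so the client stays on the restricted network after the retry budget is exhausted.

```python
"""Simulation of the NAP Health Validation use case (added example).

Models the NAP client, the NPS and the NEP as the text describes them:
SHAs contribute to an SoH, the NPS validates it against policy and returns
an SoHR, the NEP grants full or restricted access, and an unhealthy client
remediates and retries. Names and formats here are hypothetical.
"""
from dataclasses import dataclass

# Hypothetical health policy, standing in for the NPS policy database.
HEALTH_POLICY = {
    "firewall_enabled": True,
    "antivirus_enabled": True,
    "antivirus_signatures_current": True,
    "automatic_updates_enabled": True,
}


@dataclass
class SoH:
    """Statement of Health: the NAP client's aggregated SHA output."""
    client_id: str
    health: dict


@dataclass
class SoHR:
    """SoH Response: the NPS verdict plus the items that failed verification."""
    compliant: bool
    failed: list


def collect_soh(client_id, sha_reports):
    """NAP client: merge the reports of all SHAs into a single SoH."""
    health = {}
    for report in sha_reports:
        health.update(report)
    return SoH(client_id=client_id, health=health)


def nps_validate(soh, policy=HEALTH_POLICY):
    """NPS: check every policy requirement against the SoH.

    A requirement the SoH does not mention at all also fails: a missing
    SHA report must never be treated as healthy.
    """
    failed = [name for name, required in policy.items()
              if soh.health.get(name) != required]
    return SoHR(compliant=not failed, failed=failed)


class NEP:
    """NAP enforcement point: keeps per-client access state."""

    def __init__(self):
        self.access = {}

    def enforce(self, client_id, sohr):
        # Compliant clients get full access; others only the restricted
        # (remediation) network so they can fix what the SoHR lists.
        self.access[client_id] = "full" if sohr.compliant else "restricted"
        return self.access[client_id]


def remediate(sha_reports, sohr, fixable):
    """NAP client: repair the SoHR-listed items that its SHAs can fix."""
    for report in sha_reports:
        for name in sohr.failed:
            if name in report and name in fixable:
                report[name] = HEALTH_POLICY[name]


def run_nap(client_id, sha_reports, fixable, max_attempts=3):
    """Drive the client/NPS/NEP exchange.

    Returns (trace, final_access): the access state granted after each
    attempt and the NEP's final state for this client.
    """
    reports = [dict(r) for r in sha_reports]   # do not mutate the caller's data
    nep = NEP()
    trace = []
    for _ in range(max_attempts):
        sohr = nps_validate(collect_soh(client_id, reports))
        trace.append(nep.enforce(client_id, sohr))
        if sohr.compliant:
            break
        remediate(reports, sohr, fixable)
    return trace, nep.access[client_id]


# Constructed SHA reports for one client: the first report stands in for the
# Windows SHA, the second for a hypothetical antivirus SHA.
SAMPLE_REPORTS = [
    {"firewall_enabled": False, "automatic_updates_enabled": True},
    {"antivirus_enabled": True, "antivirus_signatures_current": False},
]
FIXABLE = {"firewall_enabled", "antivirus_signatures_current"}

if __name__ == "__main__":
    print(run_nap("client-A", SAMPLE_REPORTS, FIXABLE))
```

With the constructed reports the client is first placed on the restricted network, remediates the two failed items, and is granted full access on the second attempt. A client whose reports omit an entire SHA (for example no antivirus report) fails the same two policy items but has nothing to remediate, so every retry ends in the restricted state.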