2.1 Overview

The following figure shows the high-level interactions between the NAP components and other external services, such as the Authentication service, Active Directory service, and Group Policy service.


Figure 9: NAP interaction with other systems and components

NAP acts on the network layer of the system from a higher layer in the stack. The following figure shows NAP operating on the client computer.


Figure 10: Client component relationship

The NAP data link protocol controls client access to the network by operating between the client and a NEP. All system and user application networking on the client can be affected by the NAP data link protocol because the NAP data link protocol determines access to the network. NAP works with the authentication and authorization phases of the NAP data link protocol that run when the client's networking subsystem is being initialized or reconfigured. At this time, the NAP client requests the health state from all system health agents (SHAs) and creates a statement of health (SoH). The SoH is then encapsulated according to the NAP data link protocol and communicated to the NEP. The NEP asks the NPS to evaluate the client's SoH against the health policy for the network. The NPS generates an SoH response (SoHR) and sends the SoHR back to the NEP. The NEP can use the SoHR from the NPS to deny or restrict network access by the client. The NEP sends the SoHR back to the NAP client by using the NAP data link protocol. The following figure shows the interaction between the NAP client, NEP, and NPS.


Figure 11: Interaction between NAP client, NAP enforcement point, and NAP policy server

NAP supports the following data link protocols:

  • IEEE 802.1x for wired and wireless LANs

  • L2TP and PPTP for VPN access, with authentication and authorization supported by EAP [RFC3748]

  • DHCP for IP networks that use DHCP for IP configuration management of clients

  • IPsec for IP-based networks that support IPsec

  • Remote Desktop Gateway Server Protocol

For each NAP data link protocol, there is a corresponding method for transporting the SoH over the access protocol as follows:

  • IEEE 802.1x supporting EAP over LAN (EAPoL): SoH is encapsulated in PEAP over EAPoL

  • VPN protocols supporting EAP: SoH is encapsulated in PEAP over EAP

  • DHCP: SoH is encapsulated as DHCP options [MS-DHCPN]

  • IPsec: SoH is encapsulated in a certificate request and the SoH response (SoHR) is encoded in a certificate [MS-HCEP]

  • Remote Desktop: SoH is transported in the Remote Desktop Gateway Server Protocol [MS-TSGU]

NAP Policy Server (NPS)

NAP policy servers are RADIUS servers [RFC2865]. NAP provides mechanisms to encapsulate SoH requests and responses (SoHRs) on top of RADIUS exchanges between a NEP and an NPS. An NPS can use Authentication Services [MS-AUTHSOD], Active Directory service [MS-ADOD], and Group Policy servers [MS-GPOD] [MS-GPNAP] to evaluate a client's SoH. The NPS can also log NAP transactions.

When a NEP is communicating with an NPS, the NEP is acting as a RADIUS client and the NPS is acting as a RADIUS server. RADIUS has direct support for using EAP [RFC3579]. In the cases where the client/NEP communication is not transported over EAP, SoH messages are directly transported as RADIUS attributes. Note that these encapsulations place limits on the size of SoH messages.

An NPS supports the extensible model for System Health Validators (SHVs) by using an API. Each SHV registers with a callback interface when it is configured into the NPS. When a RADIUS request contains an SoH that includes content for a particular SHV, the corresponding SHV is invoked by the NPS with that content as a parameter of the invocation. An SHV can send content back in its part of the response to the SoH request with information related to remediation of the client with respect to the SHA. In this manner, SoH is implicitly a transport for SHA/SHV communication through the SoH request/response protocol. Note that the SoH request/response mechanism is a simple, two-legged protocol: one request and one corresponding response [TNC-IF-TNCCSPBSoH].
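The following Python simulation is an added example, not code from this specification or from Windows; it models the SoH/SoHR exchange described above (client collects SHA state, NEP relays to NPS, NPS dispatches each SoH entry to the SHV registered for that SHA, NEP enforces full or restricted access) and the SHV callback registration model. The SHA identifiers, health attributes, policy thresholds and the transport size limit are all constructed for illustration; real SHA/SHV IDs, attribute encodings and encapsulation limits come from the referenced protocol documents.

```python
"""Simulated NAP SoH/SoHR exchange: NAP client -> NEP -> NPS and back.

Added example. SHA/SHV identifiers, health attributes, policy thresholds
and MAX_SOH_BYTES are constructed values, not values from [MS-NAPOD].
"""
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed SHA identifiers (real ones are vendor-assigned).
SHA_FIREWALL = 0x1001
SHA_ANTIVIRUS = 0x1002

# Constructed transport limit, standing in for the size limits that the
# RADIUS/DHCP/EAP encapsulations impose on SoH messages.
MAX_SOH_BYTES = 1024


@dataclass
class SoH:
    """Statement of health: one content entry per SHA, keyed by SHA id."""
    entries: Dict[int, dict] = field(default_factory=dict)


@dataclass
class SoHR:
    """SoH response: per-SHV verdict plus an optional remediation hint."""
    results: Dict[int, dict] = field(default_factory=dict)

    def compliant(self) -> bool:
        return all(r["compliant"] for r in self.results.values())


class NapClient:
    """Collects health state from registered SHAs and applies the SoHR."""

    def __init__(self) -> None:
        self.shas: Dict[int, Callable[[], dict]] = {}
        self.remediation_log: List[str] = []

    def register_sha(self, sha_id: int, collector: Callable[[], dict]) -> None:
        self.shas[sha_id] = collector

    def build_soh(self) -> SoH:
        # Query every SHA and aggregate its state into one SoH.
        return SoH({sid: collect() for sid, collect in self.shas.items()})

    def apply_sohr(self, sohr: SoHR) -> None:
        # Each non-compliant SHV result carries remediation content for its SHA.
        for res in sohr.results.values():
            if not res["compliant"]:
                self.remediation_log.append(res["remediation"])


class NPS:
    """RADIUS-side policy server: SHVs register callbacks keyed by SHA id."""

    def __init__(self) -> None:
        self.shvs: Dict[int, Callable[[dict], dict]] = {}

    def register_shv(self, sha_id: int, validator: Callable[[dict], dict]) -> None:
        self.shvs[sha_id] = validator

    def evaluate(self, soh: SoH) -> SoHR:
        sohr = SoHR()
        for sid, content in soh.entries.items():
            shv = self.shvs.get(sid)
            if shv is None:
                # Example's own fail-closed choice: an SoH entry with no
                # configured SHV cannot be validated, so it is non-compliant.
                sohr.results[sid] = {"compliant": False,
                                     "remediation": "no validator configured"}
                continue
            # The SHV is invoked with only its own SHA's content.
            sohr.results[sid] = shv(content)
        return sohr


class NEP:
    """Enforcement point: RADIUS client toward the NPS, gatekeeper to the client."""

    def __init__(self, nps: NPS) -> None:
        self.nps = nps

    def handle(self, soh: SoH) -> Tuple[str, SoHR]:
        wire = json.dumps(soh.entries).encode()
        if len(wire) > MAX_SOH_BYTES:
            raise ValueError("SoH exceeds transport size limit")
        sohr = self.nps.evaluate(soh)
        access = "full" if sohr.compliant() else "restricted"
        return access, sohr


# Constructed SHVs: each validates one SHA's content against a local policy.
def firewall_shv(content: dict) -> dict:
    ok = content.get("enabled") is True
    return {"compliant": ok, "remediation": None if ok else "enable host firewall"}


def antivirus_shv(content: dict) -> dict:
    ok = content.get("signatures_age_days", 999) <= 7
    return {"compliant": ok, "remediation": None if ok else "update AV signatures"}


def run_exchange(firewall_on: bool, sig_age_days: int) -> Tuple[str, List[str]]:
    """One complete two-legged SoH request/response; returns access and remediation."""
    client = NapClient()
    client.register_sha(SHA_FIREWALL, lambda: {"enabled": firewall_on})
    client.register_sha(SHA_ANTIVIRUS, lambda: {"signatures_age_days": sig_age_days})
    nps = NPS()
    nps.register_shv(SHA_FIREWALL, firewall_shv)
    nps.register_shv(SHA_ANTIVIRUS, antivirus_shv)
    nep = NEP(nps)
    access, sohr = nep.handle(client.build_soh())
    client.apply_sohr(sohr)
    return access, client.remediation_log


if __name__ == "__main__":
    print(run_exchange(True, 2))     # compliant client
    print(run_exchange(False, 30))   # non-compliant client
```

The point to notice is the dispatch in `NPS.evaluate`: the NPS never interprets SHA content itself; it routes each entry to the SHV registered for that SHA id and assembles the per-SHV results into the single SoHR, which is why the SoH doubles as the SHA-to-SHV channel. The size check in `NEP.handle` is where an implementation would apply the encapsulation-specific limit of the data link protocol in use.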

Policy Backend Databases

There are several backend services used by the NPS. Authentication services [MS-AUTHSOD] are used to authenticate user and client machine identities. Active Directory service [MS-ADOD] is used to store user and machine based policies and to group users and machines into logical groupings to simplify administration. Group Policy servers [MS-GPOD] are used to configure, manage, and distribute policies across clients and replicated servers.