3.3.5.2.4 MS-Quarantine-State
When a network access server (NAS) receives this attribute, it assigns the restrictive state specified by this attribute (see [TNC-IF-TNCCSPBSoH]) to the endpoint requesting access.
This attribute indicates the level of network access that the RADIUS server authorizes to the endpoint.
When an RNAP-aware DHCP server receives this attribute from an RNAP server in an Access-Accept message, it gives access rights accordingly to the endpoint requesting network access (for example, gives full access or restricted access).
If the value of the MS-Quarantine-State VSA indicates a restricted state, the RADIUS client MUST restrict the endpoint's network connectivity according to locally configured policy and according to the following rules:
The VPN server and Dial-up server MUST block all IP packets from the endpoint except for those specified in the MS-IPv4-Remediation-Servers (see section 3.3.5.2.9) and MS-IPv6-Remediation-Servers (see section 3.3.5.2.10) VSAs (if received).
The DHCP server MUST assign host-specific routes to the DHCP client for the IP addresses specified in the MS-IPv4-Remediation-Servers (see section 3.3.5.2.9) and MS-IPv6-Remediation-Servers (see section 3.3.5.2.10) VSAs (if received). The DHCP server MUST NOT assign the client a default gateway.
The health registration authority (HRA) MUST NOT issue a certificate to the endpoint.
If the value of the MS-Quarantine-State VSA is either "Full Access" or "On Probation", the RADIUS client MUST NOT restrict the network connectivity of the endpoint.
If the value of the MS-Quarantine-State VSA is "On Probation", the RADIUS client MUST do the following:
The VPN or Dial-Up Server MUST disconnect the endpoint after the time specified in the MS-Quarantine-Grace-Time elapses.
The DHCP server MUST ensure that the DHCP lease expires for the endpoint before or at the same time specified in the MS-Quarantine-Grace-Time (see section 3.3.5.2.5) VSA.
The HRA MUST ignore this attribute.
For more details about this attribute, see section 2.2.1.9.
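The per-role rules above can be read as one decision function. The following is an added illustration, not part of the specification: the names `Plan`, `plan_for`, and the role and state labels are hypothetical, and it assumes that MS-Quarantine-Grace-Time and the DHCP lease expiry are comparable absolute timestamps and that values this section does not describe are rejected.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Symbolic states only; the on-the-wire values live in section 2.2.1.9.
FULL_ACCESS, ON_PROBATION, RESTRICTED = "full-access", "on-probation", "restricted"
ROLES = ("vpn", "dhcp", "hra")  # "vpn" also stands for the dial-up server

@dataclass
class Plan:
    restrict: bool = False
    allowed_destinations: Optional[List[str]] = None  # None means no filter
    host_routes: List[str] = field(default_factory=list)
    default_gateway: bool = True          # only meaningful for "dhcp"
    issue_certificate: bool = True        # only meaningful for "hra"
    disconnect_at: Optional[int] = None   # only meaningful for "vpn"
    lease_expires_at: Optional[int] = None

def plan_for(role, state, remediation=(), grace_time=None, lease_expiry=None):
    """Map one Access-Accept onto the enforcement rules of this section."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role!r}")
    if state not in (FULL_ACCESS, ON_PROBATION, RESTRICTED):
        # Assumption: reject values this section does not describe.
        raise ValueError(f"unknown quarantine state: {state!r}")
    plan = Plan(lease_expires_at=lease_expiry if role == "dhcp" else None)
    servers = list(remediation)  # empty when no remediation VSA was received
    if state == RESTRICTED:
        plan.restrict = True
        if role == "vpn":
            plan.allowed_destinations = servers   # [] blocks every packet
        elif role == "dhcp":
            plan.host_routes = servers
            plan.default_gateway = False
        else:
            plan.issue_certificate = False
    elif state == ON_PROBATION and grace_time is not None:
        if role == "vpn":
            plan.disconnect_at = grace_time
        elif role == "dhcp":
            # Lease must end no later than the grace time.
            plan.lease_expires_at = (grace_time if lease_expiry is None
                                     else min(lease_expiry, grace_time))
        # The HRA ignores the attribute in this state.
    return plan

if __name__ == "__main__":
    servers = ["192.0.2.10", "2001:db8::10"]  # constructed sample addresses
    for role in ROLES:
        print(role, plan_for(role, RESTRICTED, servers))
        print(role, plan_for(role, ON_PROBATION, grace_time=1_700_000_000,
                             lease_expiry=1_700_086_400))
```

A restricted VPN endpoint with no remediation VSAs gets an empty allow list, which blocks every packet rather than leaving the connection unfiltered.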