NAP Terminology

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

The following table displays a list of NAP-related terms used in this guide.



Access Control Server (ACS)

The Cisco implementation of a RADIUS solution. ACS is a required component of the NAP-NAC interoperability solution.

Authentication, authorization, and accounting (AAA) server

See Network Policy Server (NPS).

Boundary network

For IPsec, a logical portion of a network that can be accessed by computers in the restricted network and the secure network. Computers in the restricted network do not comply with health policies and have limited network access; computers in the secure network comply with health policies and have unlimited network access.

Connection request policies

Conditions and settings that validate requests for network access and govern where this validation is performed.

Deferred enforcement

A method that allows a noncompliant computer unlimited access until a specified date and time when network access becomes restricted. This provides a client computer additional time to remediate before the health requirement policy is enforced. Noncompliant NAP client computers are notified that access will be restricted on the specified date.

Enforcement mode

A degree of network access granted to noncompliant computers. There are three available enforcement modes: reporting mode, deferred enforcement, and full enforcement.

Exempted computer

A computer that is allowed full network access regardless of health state.

Exemption certificate

An X.509 certificate that exempts computers from NAP health checks. Server computers can use exemption certificates to participate in IPsec-protected communications on NAP-enabled networks that use IPsec enforcement.

Full enforcement

The process of evaluating client compliance with NAP and immediately enforcing restricted network access for noncompliant clients. Noncompliant NAP client computers are notified that their network access might be restricted.

Health certificate

An X.509 certificate that asserts the health compliance of a NAP client computer. A health certificate typically has a short lifetime on the order of days or hours.

Health certificate enrollment protocol (HCEP)

The protocol that the NAP client uses to request health certificates from the health registration authority (HRA).

Health policies

Conditions that define which SHVs are evaluated and how they are used in validating the health status of NAP-capable computers that attempt to connect to or communicate on the network.

Health Registration Authority (HRA)

A computer running Windows Server 2008 and Internet Information Services (IIS) that validates client health and obtains health certificates from a certification authority (CA) on behalf of compliant NAP client computers. HRA plays a central role in NAP Internet Protocol security (IPsec) enforcement.

Health requirement server

A server that communicates with a NAP health policy server and provides information that system health validators (SHVs) use to validate statements of health (SoHs) for compliance. For example, a NAP health policy server might have to contact a health requirement server such as an antivirus signature server to check for the version of the current signature file.

Host Credentials Authorization Protocol (HCAP)

A protocol for exchanging information between an AAA server and a server that contains information required to validate configuration data. The NAP-NAC interoperability solution uses HCAP for communication between NPS and ACS.

Internet Authentication Service (IAS)

See Network Policy Server (NPS).

Internet Protocol security (IPsec)

A framework for a set of protocols to manage security at the network or packet processing layer of the TCP/IP stack. Earlier approaches managed security at the application layer of the TCP/IP stack. A big advantage of IPsec is that administrators can manage security without requiring changes to applications or network infrastructure components.

NAP administration server

A component on a NAP health policy server that is responsible for receiving statements of health (SoHs) from NAP enforcement points, distributing SoHs to the appropriate system health validators (SHVs), and collecting SoH responses (SoHRs) from the SHVs and passing them to the NPS service for evaluation.

NAP enforcement client

A NAP client software component that integrates with network access or communication technologies, such as IPsec, 802.1X, VPN, DHCP, and Terminal Services Gateway (TS Gateway). The NAP enforcement client requests access to a network, communicates the NAP client's health status to the NAP enforcement point that is providing the network access, and communicates the restricted status of the client computer to other components of the NAP client architecture.

NAP enforcement method

A type of network access or communication that NAP can leverage to restrict network access or communication for noncompliant clients. The enforcement methods included with Windows Vista and Windows Server 2008 are those that protect Internet Protocol security (IPsec) traffic, 802.1X-authenticated connections, remote access virtual private network (VPN) connections, Dynamic Host Control Protocol (DHCP) address configurations, and Terminal Server Gateway connections.

NAP enforcement point

A server or network access device that uses NAP or can be used with NAP to require the evaluation of a NAP client’s health state and provide restricted network access or communication for noncompliant NAP clients. HRAs, 802.1X switches and wireless access points, and NAP-enabled VPN, DHCP, and TS Gateway servers are examples of NAP enforcement points.

NAP enforcement server

A Windows Server 2008 component of the NAP architecture that enforces restricted network access for noncompliant NAP clients. NAP enforcement servers are also NAP enforcement points.

NAP health policy server

A server running NPS that is acting in the role of a NAP health evaluation server. The NAP health policy server has health policies and network policies that are used to evaluate compliance of NAP client computers.

NAP-ineligible computer

A computer that does not have the NAP Agent service installed and cannot provide its health status to NAP server computers. A computer running Windows XP that does not have Service Pack 3 installed is NAP-ineligible.

Network policy

Conditions, settings, and constraints to determine authorization for network connection attempts. Network policy replaces remote access policy in IAS.

Network Policy Server (NPS)

The Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy. In the NAP architecture, the server running NPS includes the NAP administration server and the system health validator (SHV) components. The RADIUS clients are the NAP enforcement points such as DHCP servers, HRAs, VPN servers, TS Gateway servers, and 802.1X network access devices. NPS replaces Internet Authentication Service (IAS).

NPS proxy

A RADIUS proxy. For NAP, the NPS service can be configured to proxy health information between a NAP enforcement point and an NAP health policy server. For example, NPS proxy is configured on HRAs and NAP-enabled DHCP servers so that they can function as RADIUS clients to a NAP health policy server.

Perimeter network

A computer host or small network inserted as a neutral or boundary network between a private network and a public network such as the Internet. Firewalls isolate perimeter networks both from the Internet and from the private network. A perimeter network is also known as a screened subnet.

Registration authority

The entity that validates entitlement before issuing a credential in a public key infrastructure (PKI) based on the X.509 standard.

Remediation server

A server that noncompliant client computers can use to update their configurations in order to be compliant with health policy requirements. A server running Microsoft Systems Management Server (SMS) or a file transfer protocol (FTP) server that stores antivirus signatures can be remediation servers.

Remote Authentication Dial-in User Service (RADIUS)

A client/server protocol and software that enables network access servers that are configured as RADIUS clients to forward connection requests to a RADIUS server for authentication, authorization, and accounting (see RFC 2865). In Windows Server 2003, Internet Authentication Service (IAS) is the Microsoft implementation of a RADIUS server and proxy. In Windows Server 2008, the Microsoft implementation of a RADIUS server and proxy is NPS.

Reporting mode

The process of evaluating client compliance with NAP without enforcing restricted network access for noncompliant clients. Noncompliant NAP client computers are not notified of their health status.

Restricted network

For IPsec, a logical portion of the network where client computers that either do not meet health policy requirements or are not capable of asserting their health status are placed. Computers in the restricted network cannot initiate communication to resources in the secure network.

Secure network

For IPsec, a logical portion of a network that client computers can access if they either meet or are exempt from health policy requirements.

Statement of health (SoH)

A declaration from a system health agent (SHA) on a NAP-capable client computer that asserts its health status. SHAs create SoHs and send them to a corresponding system health validator (SHV) on a NAP health policy server.

Statement of health response (SoHR)

The validation of a statement of health (SoH) that a system health validator (SHV) produces and sends to the NAP administration server. The SoHR can contain remediation instructions.

System health agent (SHA)

A NAP-capable client software component that declares a computer's health state to a NAP Agent in a statement of health (SoH).

System health validator (SHV)

A NAP health policy server software counterpart to a system health agent (SHA). An SHV verifies the statement of health (SoH) made by its corresponding SHA.

For more information about key NAP concepts, see Network Access Protection Design Guide.