Share via


802.1x NAP Enforcement

In my last post I committed to coming back and giving you a more information on the many enforcement options available with Network Access Protection (VPN, DHCP, IPSEC, 802.1x).

 

With that in mind I thought I would start with 802.1x based Network Access Protection, let’s start by looking at the actors that are involved in a typical NAP deployment:

  • Client – The host whose health is being checked.
  • Network Access Device – The device provides access to the service, host or network.
  • Policy Server – The policy server used by the network access device to evaluate the clients request for access.

In the context of 802.1x based Network Access Protection, the client is a XP + NAP, VISTA or Longhorn host while the Network Access Device is the 802.1x capable access point or switch, and finally the Policy Server is the Longhorn Network Policy Server (NPS, formally known as IAS).

With the actors out of the way let’s talk about how the isolation takes place in this scenario, there are really three ways:

  1. RADIUS /w port shut-off
  2. RADIUS /w static VLAN assignment
  3. RADIUS /w dynamic VLAN assignment

With the 1st option if the client does not meet the policy being enforced by the Policy Server for that Network Access Device the port on the access device is just shut off.

With the 2nd option if the client does not meet the policy being enforced by the Policy Server the Network Access Device the port assigns a static VLAN that was both defined on the access point.

The 3rd option is the really interesting one where the VLANs are dynamically assigned by the Policy Server based on the health state of the client. This assignment happens by having the Policy Server pass identifiers to the Network Access Device (via RADIUS attributes) telling it which VLAN to assign the client to.

Now let’s walk through a basic 802.1x authentication scenario, in this scenario I want to walk you through just how the host gets quarantined.

Our client in this case plugs a domain joined notebook into the wall, that wall port is backed by a smart switch supports dynamic VLAN assignment.

The switch has been configured to require authentication and to send those requests to our Policy Server, it has also had several VLANS defined on it (in our case we will say they are 2 VLANS the healthy VLAN and the quarantine VLAN).

The Policy Server administrator has defined what “healthy” means for that particular Network Access Device and associated what VLANs to assign when a host is found to be healthy as well as which one to assign when the host is found to be unhealthy. To enable the exchange of health the Policy Server has also set up authentication to happen over PEAP.

When the client is challenged to authenticate to the network the NAP client gathers the “health state” of the client and provides it to the PEAP layer so it's passed along with any credentials needed by the inner EAP method.

Using all the information that was retrieved about the client (user principal, machine principal, machine health state) the request is evaluated against the policy on the Policy Server and based on this evaluation a VLAN identifier is passed back to the switch and the client is placed on the VLAN that was specified.

In a nutshell that’s 802.1x Network Access Protection, with the client on this restricted network it can only talk to other hosts that are in quarantine or those that are necessary to become conformant with policy.

This is a pretty big topic to cover so let me know if you have any questions,

 

Ryan M. Hurst
Lead Program Manager
Layer 2 Authentication and Authorization
Windows Enterprise Networking

Comments

  • Anonymous
    January 01, 2003
    I recently gave an overview of NAP at a Windows Server 2008 event.  For the purposes of the event

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    A couple weeks ago I wrote and told you about how 802.1x based Network Access Protection (NAP) works. This...

  • Anonymous
    January 01, 2003
    PingBack from http://cnnene.net/?p=726

  • Anonymous
    January 01, 2003
    Thanks Mudit.  The question was based on trying to leverage NAP with workgroup machines.  I have since learned that you can prompt the user for auth if the computer cannot be authenticated.

  • Anonymous
    September 18, 2006
    Would this scenario work if the NPS policy was set to enforce NAP but not to require authentication?  I'm thinking in terms of machines that are not domain members.

  • Anonymous
    September 25, 2006
    Michael -

    Unfortunately, 1x NAP requires an account to be authenticated before it gets access to the network. It could either be a user account or a machine account.

    However, if the problem is to avoid having a separate account for every individual (since authentication is not required in your scenario), you can use guest authentication.

    For instance, you can use PEAP-EAP-MSCHAPV2, enable guest account in NPS, set a basic password (could be empty if your policies permit it) and then configure each machine to use the empty username (will get mapped to guest account on the backend) and the guest account password.

    However, I might be able to help you better if you can explain your scenario better. For instance, why are you using 1x when you dont require authentication on your network.

    Thanks,
    Mudit Goel
    Development Manager,
    Windows Enterprise Networking Group