Host Credential Authorization Protocol

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Host Credential Authorization Protocol (HCAP) allows you to integrate your Microsoft Network Access Protection (NAP) solution with Cisco Network Admission Control. When you deploy HCAP with Network Policy Server (NPS) and NAP, NPS can perform the authorization of Cisco 802.1X access clients, including the enforcement of NAP health policy, while Cisco authentication, authorization, and accounting (AAA) servers perform authentication.

To deploy a HCAP server, you must do the following:

  1. Deploy NAP-capable client computers. Configure client computers to use Cisco EAP-FAST as the authentication method for network access.

  2. Using NAP deployment documentation, deploy NAP, which includes configuring client computers with system health agents (SHAs) and NPS servers with the corresponding system health validators (SHVs).

  3. Using Cisco deployment documentation, deploy Cisco Network Admission Control.

  4. Using the Add Roles wizard from Server Manager, install HCAP server. HCAP server is a role service of the Network Policy and Access Services server role. When you install HCAP server, the additional required components, Internet Information Services (IIS) and NPS, are installed on the same computer. In addition, a server certificate is autoenrolled to the server running IIS to allow Secure Sockets Layer (SSL) connections between IIS and the Cisco AAA server.

  5. Configure IIS to listen to specified IP addresses to allow Cisco AAA servers to send authorization requests.

  6. Configure the Cisco AAA server with the URL of the server running HCAP, NPS, and IIS so that the Cisco AAA server can send authorization requests to NPS.

  7. Configure NPS on the HCAP server as a RADIUS proxy to forward authorization requests to NPS servers that are members of one or more remote RADIUS server groups. Optionally, you can configure NPS on the HCAP server as a RADIUS server to process authorization requests locally.

  8. Configure NPS servers as RADIUS servers to perform authorization, which includes deploying NAP and creating health policy in NPS. If the NPS-HCAP server is a RADIUS proxy that forwards connection requests to NPS RADIUS servers in remote RADIUS server groups, you must configure the RADIUS proxy as a RADIUS client on each RADIUS server.

  9. On NPS RADIUS servers, configure network policy with NAP health policy. If desired, network policy conditions can include HCAP-Group-Name and HCAP-Location-Group for NAP interoperability with Cisco Network Admission Control. In addition, you can use the Extended State condition in network policy to specify the extended state of the client computer that is required to match the network policy. Extended states are elements of Cisco Network Admission Control, and include Transitional, Infected, and Unknown. By using this network policy condition, you can configure NPS to authorize or reject access based on whether the client computer is in one of these states.

Authentication and authorization process

After deploying both Cisco Network Admission Control and NPS with NAP, the authentication and authorization process works as follows:

  1. The client computer attempts to access the network. The client can attempt to connect through an 802.1X authenticating switch or through an 802.1X wireless access point that is configured as a RADIUS client to the Cisco AAA server.

  2. After the Cisco AAA server receives the connection request from the network access server or router, the Cisco AAA server requests statement of health (SoH) data from the client by sending an EAP-Type Length Value (EAP-TLV).

  3. SHAs on the client computer report health status to NAP Agent on the client, and NAP Agent creates an SoH, which it sends to the Cisco AAA server.

  4. The Cisco AAA server forwards the SoH using HCAP to the NPS proxy or server along with the client computer's user ID, machine ID, and location.

  5. If the NPS-HCAP server is configured as a RADIUS proxy, NPS forwards the authorization request to the appropriate remote RADIUS server group. (This determination is made with the evaluation by NPS of the configured connection request policies.) If the NPS-HCAP server is configured as a RADIUS server, the NPS-HCAP server processes the authorization request.

  6. NPS evaluates the SoH against configured network policy and, if a matching network policy is found, creates a statement of health response (SoHR) to be sent back to the client. This, along with the NAP enforcement state and extended state information, is then sent back to the Cisco AAA server using HCAP.

  7. The Cisco AAA server evaluates the NAP enforcement state against Cisco Network Admission Control policy and determines the network access profile.

  8. The Cisco AAA server sends the network access profile to the network access server (the switch, AP, or router). The network access profile contains the information that instructs the network access server whether to allow full access, restrict access, or deny access to the client computer.

  9. The Cisco AAA server sends the SoHR back to the client computer.

  10. If the client configuration does not comply with health policy and the SoHR instructs the client to remediate, then the client attempts to take the required actions, such as downloading software updates or changing configuration settings. After remediation, the client attempts to access the network again, and the authentication and authorization process is repeated.

Additional references

For more information, see Network Access Protection at and