Network Policy Server in Longhorn
Chat Topic: Network Policy Server in Longhorn
Date: Tuesday, April 10, 2007
Please note: Portions of this transcript have been edited for clarity.
kapil[MSFT] (Moderator):
Hello everyone - welcome to today’s chat!
kapil[MSFT] (Moderator):
We will begin the chat in about 10 minutes; please keep your questions ready and we will begin soon.
kapil[MSFT] (Moderator):
Today’s Chat topic is "Network Policy Server in Longhorn"
kapil[MSFT] (Moderator):
Your questions, comments and feedback are welcome. We’ll get started very soon.
kapil[MSFT] (Moderator):
The chat is in session. I will let the experts introduce themselves
Introductions
Chris Edson [MSFT] (Expert):
I'm Chris Edson, I work fairly extensively with NPS as a member of the Network Access Protection team. I've worked with most NAP enforcements, including 802.1x EAP-based wired and wireless enforcement.
Shashwat [MSFT] (Expert):
Hello everybody. I am a developer in NPS team. Welcome to the chat.
Joe Davies_MS (Expert):
I am Joe Davies, a technical writer for Windows networking technologies.
kapil[MSFT] (Moderator):
Hello everyone. I am a member of the NPS test team.
Mark [MSFT] (Expert):
I'm in the test team, working on NAP & related technologies.
Ambrish [MSFT] (Expert):
Hello everyone this is Ambrish, EAP Developer on NPS/ENG team.
kapil[MSFT] (Moderator):
Please feel free to begin asking your questions and remember to check the “ask the experts” box before sending. Thanks.
Start of Chat
Eugene [MSFT] (Expert):
Q: When is the expected launch date for Longhorn, last I heard was 6 months after Vista's Release, which would put it in May sometime. Is it still on track?
A: The launch date for Longhorn is currently scheduled to the second half of 2007.
Ambrish [MSFT] (Expert):
Q: Are you supporting new EAP methods in NPS?
A: Not part of the plan yet, but we are working on improving NPS support for new EAP methods. Stay tuned for more updates.
kapil[MSFT] (Moderator):
Just a Reminder - remember to check the “ask the experts” box before sending. Thanks!
Chris Edson [MSFT] (Expert):
Q: In the past, Microsoft has declined to document the underlying NAP protocols, e.g., RADIUS message formats. Is this still true?
A: I believe that the information on the protocols is available under license. Please contact NAPTalk@microsoft.com for more information.
Ambrish [MSFT] (Expert):
Q: What 802.1x EAP types will be supported for wireless?
A: Currently there is in-box support for EAP-TLS, PEAP-MSCHAPv2 and PEAP-TLS in NPS for wireless authentication.
James McIllece [MS] (Expert):
Hi there, I'm James McIllece, the NPS technical writer on the Windows Server team.
kapil[MSFT] (Moderator):
Just a Reminder - remember to check the “ask the experts” box before sending. Thanks!
Sam Salhi [MSFT] (Expert):
Q: I assume you will be using RADIUS attributes to send NAP policies & status back and forth. Will you be publishing these RADIUS attributes?
A: Actually, the NAP status and SoH are all sent inside the secured channel inside of PEAP to prevent any tampering.
Anthony L [MSFT] (Expert):
Q: Does NPS have any additional support for wireless authentication than what is provided by IAS?
A: Hi - can you clarify? i.e., what kind of additional support?
Chris Edson [MSFT] (Expert):
Q: So you are saying that the launch date is going to be sometime between Oct 2007- Mar 2008? That's quite a bit from the expected April 2007 - June 2007 release date. Why is there such a dramatic delay?
A: This question is really not covered by this hour's topic - we'll be happy to answer any NPS-related questions you have. For release date related information, please refer to information at: http://www.microsoft.com/windowsserver/longhorn/default.mspx
Eugene [MSFT] (Expert):
Q: What happens if an intruder is able to emulate all the responses and obtains a health certificate? How can this be identified and quarantined?
A: Today NAP is not a security solution per se, but rather a policy enforcement mechanism. If the client is not trusted then additional measures need to be taken.
Sam Salhi [MSFT] (Expert):
Q: In the past, using Netsh was the only option to export/import policy configuration. Does NPS provide any type of configuration replication between multiple NPS Servers?
A: NETSH will continue to support importing/exporting of NPS configuration. However, not everything can be migrated due to the sensitivity of some of the data, like the SQL password and so on.
Ambrish [MSFT] (Expert):
Q: What 802.1x EAP types will be supported for wireless?
A: For more information, please join us tomorrow for a chat specifically on this topic: http://www.microsoft.com/communities/chats/vcs/07_0411_TN_EAPHost.ics
Chris Edson [MSFT] (Expert):
Q: In the past, Microsoft has declined to document the underlying NAP protocols, e.g., RADIUS message formats. Is this still true?
A: Correction - AskNAP@microsoft.com is the address to contact for protocol related information.
Shashwat [MSFT] (Expert):
Q: Like, for instance, if we want to do both machine and user authentication, it was not possible to club both of them together... is there a change in this with NAP?
A: No, you can't do both machine and user authentication within a single auth transaction. So you can't club them together even in NPS.
kapil[MSFT] (Moderator):
Just a Reminder - remember to check the “ask the experts” box before sending. Thanks!
Eugene [MSFT] (Expert):
Q: NAP checks a master policy at the first stage, then checks other policies based on the result of the master policy. 1: check a policy first; 2a: if step 1 returns opinion a, check additional policies A, B; 2b: if step 2 returns opinion b, check policies C, D.
A: What exactly is the question?
Ambrish [MSFT] (Expert):
Q: Hello, does 802.1x supplicant use health certificates yet or is there a plan for this ?
A: The 1x supplicant does not have to use a health cert. It can use a normal user/machine cert for authentication and still have NAP as part of PEAP authentication, where health information will be sent as a PEAP-TLV. For more information, join us tomorrow for a chat specifically on this topic: http://www.microsoft.com/communities/chats/vcs/07_0411_TN_EAPHost.ics
Chris Edson [MSFT] (Expert):
Ioan - are you referring to HRA-based IPSec NAP enforcement (when asking about CAs)?
James McIllece [MS] (Expert):
Q: NAP checks a master policy at the first stage, then checks other policies based on the result of the master policy. 1: check a policy first; 2a: if step 1 returns opinion a, check additional policies A, B; 2b: if step 2 returns opinion b, check policies C, D.
A: Actually NAP health policies are integrated with NPS network policy (which used to be called remote access policy in IAS). So NAP health checks are performed during the authorization process while NPS is checking the connection request against the configured network policies.
Shashwat [MSFT] (Expert):
Q: How is a NAC supplicant working with an NPS on the 802.1x plan? Is this possible?
A: Please take a look at this whitepaper - http://download.microsoft.com/download/d/0/8/d08df717-d752-4fa2-a77a-ab29f0b29266/NAC-NAP_Whitepaper.pdf. There is more information you can read on http://www.microsoft.com/technet/network/nap/default.mspx
Mark [MSFT] (Expert):
Q: Do you provide any kind of testing environment via VMs or similar to try NAP functionalities or environment definition?
A: Please send your request to AskNAP@microsoft.com; they may be able to provide information and/or assistance with this request.
Chris Edson [MSFT] (Expert):
Q: What happens if the CAs are down for some reason? Is NAP still standing up?
A: Is this referring to HRA-based IPSec NAP enforcement?
Matt [MSFT] (Expert):
Q: OK - so if NAP status and SoH are sent inside the PEAP tunnel - are you providing an extended EAP inner method in which to transmit these? These are not native to EAP-MSCHAPv2, are they? Or are you sending them after the PEAP authentication?
A: The NAP status and SoH are sent as RADIUS Vendor Specific Attribute information.
James McIllece [MS] (Expert):
Q: Is user authentication enough to validate the health of non domain member machines?
A: The NAP agent is a software component that runs on NAP-capable client computers; it collects information from NAP System Health Agents on the local machine and then forwards that information to NPS as a Statement of Health. So even though user authentication is being performed, NPS still evaluates the Statement of Health and compares it to the configured health policies -- if everything matches up and the client computer configuration matches the requirements of the health policy (and if the user is authenticated and authorized to connect), then the computer is allowed network access.
Chris Edson [MSFT] (Expert):
Q: What happens if the CAs are down for some reason? Is NAP still standing up?
A: All clients who would otherwise be granted Health Certificates will instead receive errors back from the HRA in the case where the CAs are returning errors or are down. For this reason, having a robust and/or redundant CA infrastructure would be important.
Anthony L [MSFT] (Expert):
Q: Does NAP have a similar technology to query the status of health from DUT to supplicant, as in EAPoUDP, and can that be controlled by NPS?
A: Hi - Can you clarify your question a bit?
Shashwat [MSFT] (Expert):
Q: Morning - at a high level, what is the relationship to SSTP / Longhorn / Vista? Is this going to provide SSL VPNs on the fly for Vista clients?
A: Please query the RAS newsgroup for this question. They might be able to answer it better.
Ambrish [MSFT] (Expert):
Q: Will NPS be able to control access for PPP clients and impose NAP as well (EAPHost API)? Will the PPP protocol be enhanced so EAP methods will be used (EAP-TLS)?
A: Currently only PEAP-based authentications can support NAP. For more information, please join us tomorrow for a chat specifically on this topic: http://www.microsoft.com/communities/chats/vcs/07_0411_TN_EAPHost.ics
Sam Salhi [MSFT] (Expert):
Q: As far as I know, currently IAS needs an Enterprise CA PKI for EAP-TLS. Does this still stand for NPS, or can a stand-alone CA be used?
A: You don't really need an Enterprise CA for EAP-TLS, but it simplifies the process of certificate mapping to user accounts in AD. For all practical purposes this is the best way to deploy EAP-TLS without management nightmares, since an Enterprise CA will take care of auto-renewal, certificate mapping, and updates.
Chris Edson [MSFT] (Expert):
Q: Q[11] Yes, I know it, but can it perform additional checks upon the previous check's result?
A: Policies at each stage (Connection Request Policies, or Network Policies) are matched on a 1-1 basis - once you match a policy for that stage, that is the only policy in that stage that gets enforced.
Eugene [MSFT] (Expert):
Q: What network components are enforcing policy in the NAC/NAP architecture? Are you sending any policy information in the RADIUS Access-Accept/Access-Reject to the access point or RADIUS client?
A: NAP can be enforced by DHCP, 802.1x, VPN and IPSec. Please, refer to www.microsoft.com/technet/network/nap/default.mspx for more information.
Eugene [MSFT] (Expert):
Q: What network components are enforcing policy in the NAC/NAP architecture? Are you sending any policy information in the RADIUS Access-Accept/Access-Reject to the access point or RADIUS client?
A: Also, no policy information is sent to RADIUS clients. Only the result of policy decision is sent.
kapil[MSFT] (Moderator):
Just a Reminder - remember to check the “ask the experts” box before sending. Thanks!
Ambrish [MSFT] (Expert):
Q: Can health certificates be accessed for subsequent authentication requests? Are they available in the user's certificate store? Or are they only available for the machine to use for IPsec?
A: Health certificates are available in the machine store; potentially they can be used for authentication, but that is not the preferred way, because health certs are short-lived certs and using them for auth will unnecessarily cause an increased number of authentications. For more information, please join us tomorrow for a chat specifically on this topic: http://www.microsoft.com/communities/chats/vcs/07_0411_TN_EAPHost.ics
James McIllece [MS] (Expert):
Q: Does the hardware needed to support NAP need to be modified (OS/IOS/* upgraded)?
A: The server and client hardware will have to support the minimum hardware requirements for the respective operating systems.
Chris Edson [MSFT] (Expert):
Q: Q[17]. EAPoUDP is checking periodically the status of a host, directly from the router, without going to NPS (well...). Does NAP have the same protocol or another?
A: EAPoUDP is a Cisco technology - I don't know if I understand the question. But as far as the NAP/NAC Integrated Architecture, can you take a look at the information located at: http://www.microsoft.com/technet/network/nap/default.mspx under the heading: Microsoft NAP - Cisco NAC Interoperability, and see if it answers your questions?
Eugene [MSFT] (Expert):
Q: Does the hardware needed to support NAP need to be modified (OS/IOS/* upgraded)?
A: Not really. As long as you have Vista on the client (or XP and the upcoming down-level NAP client) + any 802.1x compliant switch, it should just work.
Shashwat [MSFT] (Expert):
Q: In IAS if a client fails to meet the requirements of the policy on the top, it is denied access to the network and the policies further down in the list are not processed. Is that true for NAP as well?
A: It depends on how you configure your policies. In general, for health policies you would grant access but have different quarantine states in the policies depending on the health of the client. But if the top policy denies access, then policies below it won't be processed.
Sam Salhi [MSFT] (Expert):
Q: What options are available to dynamically exclude devices based on criteria such as a MAC address? For example, would I have to create a (.NET DLL) to query a datastore of excluded devices? Or are there other ways to handle excluded devices (printers, etc.)?
A: SSTP has the option to do NAP checks but it will require them to run PEAP authentication
Eugene [MSFT] (Expert):
Q: If the NAP status and SoH are available as RADIUS Vendor Specific Attribute information, does that mean an approved NAC enforcement point can query the RADIUS server for the attribute and thereby get the SoH status?
A: Not sure what you mean by this. The RADIUS server does not serve any queries for attributes; it will only inform the enforcement point about the results of NAP policy evaluation for a client.
Chris Edson [MSFT] (Expert):
Q: If the NAP status and SoH are available as RADIUS Vendor Specific Attribute information, does that mean an approved NAC enforcement point can query the RADIUS server for the attribute and thereby get the SoH status?
A: Can you take a look at the information located at: http://www.microsoft.com/technet/network/nap/default.mspx under the heading: Microsoft NAP - Cisco NAC Interoperability, and see if it answers your questions?
Sam Salhi [MSFT] (Expert):
Q: Will NAP be applied to SSTP connections?
A: SSTP has the option to do NAP checks but it will require them to run PEAP authentication
Shashwat [MSFT] (Expert):
Q: Q[28] So there is no need to upgrade routers/switches to support NAP? This is good news, as for NAC, one needs to upgrade IOS/CatOS!
A: Excellent.
kapil[MSFT] (Moderator):
We have about 30 minutes left for today’s chat
kapil[MSFT] (Moderator):
Just a Reminder - remember to check the “ask the experts” box before sending. Thanks!
Sam Salhi [MSFT] (Expert):
Q: What options are available to dynamically exclude devices based on criteria such as a MAC address? For example, would I have to create a (.NET DLL) to query a datastore of excluded devices? Or are there other ways to handle excluded devices (printers, etc.)?
A: Correction, the previous answer was for a different question. The same mechanism is still valid. MAC address for devices is still possible. But all dynamic devices will be denied by default. As far as devices that are not NAP aware, there are two ways to exempt them from performing NAP checks (through policy, or through the port itself).
Anthony L [MSFT] (Expert):
Q: Q[17]. EAPoUDP is checking periodically the status of a host, directly from the router, without going to NPS (well...). Does NAP have the same protocol or another?
A: I think the crux of this question is whether or not NPS needs to be involved in all health checks. The answer is no - for example, possession of a health cert can suffice for proof of health. The certs are short-lived and are periodically refreshed with a full health check (where NPS would be involved). Does that answer the question? Is there a specific requirement you have?
Chris Edson [MSFT] (Expert):
Q: is there an equivalent of tokens (SPT/APT) used in NAC? Is NPS able to map them (if any) to ones defined by Cisco?
A: Sorry to say this again, but please refer to http://www.microsoft.com/technet/network/nap/default.mspx under the heading: Microsoft NAP - Cisco NAC Interoperability. If you have additional questions about how this integration works, please contact AskNAP@microsoft.com.
James McIllece [MS] (Expert):
Q: Can I define new applications that I want to check for in NPS (in Beta 2 of Longhorn, I can select for antivirus/firewall)?
A: In Longhorn you use the Windows Security Health Validator (SHV) to check firewall status, etc. To monitor other applications they must be NAP compliant and the application vendor must provide an SHA for installation on clients and an SHV for installation on NPS servers.
kapil[MSFT] (Moderator):
Q: What NPS logging method is used in your NPS/IAS deployment? Are these NPS logs used for billing purposes?
Sam Salhi [MSFT] (Expert):
Q: So how do we exclude devices that can't authenticate PEAP... Unix servers without a supplicant or dumb devices (terminals, etc.)? (Forgot to hit "ask the experts".)
A: You can create a policy to deal with non-NAP-aware devices/PCs/down-level clients, etc., that will set them in the right state.
Anthony L [MSFT] (Expert):
Q: If the client's SOH changes, will the Longhorn RADIUS server send out dynamic updates per RFC 3576? RFC3576 describes two new RADIUS messages, Disconnect and Change-of-Authorization (CoA), which can be sent arbitrarily from the RADIUS server to a PEP.
A: NPS does not support dynamic authorization today, but it is on our radar. Do you have any specific requirements for it?
Chris Edson [MSFT] (Expert):
Q: When a device is put into quarantine using DHCP, it carries out a number of steps and implements the static host routes for the remediation servers. Is most of that logic in the NAP client, or does the NAP client just do what the DHCP packet says?
A: The SOHResponse (health response) is passed from NPS to the client (via DHCP protocol), where the health response is then plumbed through to display to the user. However, the enforcement is handled at the server - the DHCP Server is given the health state + a list of addresses the client needs access to, and the DHCP Server then calculates the static routes, and then passes those to the DHCP client as DHCP options. The DHCP client then plumbs the options as it would any other DHCP option during normal operations.
Shashwat [MSFT] (Expert):
Q: Are there any vendors that have publicly available NAP agents in beta that you can tell us about?
A: Yes. Please take a look at http://www.microsoft.com/technet/network/nap/default.mspx. There is a link for Partners at the bottom. You should be able to get more information there.
James McIllece [MS] (Expert):
Q: Can you point me to somewhere I can find out how to define a policy to deal with non NAP aware devices (or even devices not in any LDAP (or AD) Directory) ?
A: You can create policies that enforce NAP and you can create policies that do not enforce NAP -- so if you want to allow network access to non-NAP capable devices, you just create a network policy that does not enforce NAP. NPS evaluates all network policies until it finds one that matches the connection request, so if the first policies in the ordered list of policies enforce NAP and later policies do not enforce NAP, it will still find the correct policy for the connection request.
Chris Edson [MSFT] (Expert):
Q: What is the re-authentication/full re-validation period and its equivalent in various formats? Can I define policies specifically with different timings (re-auth DHCP every 20 minutes, and so on)?
A: Not sure if I fully understand this question, but here's my answer to what I think you are asking: re-validation can happen for a number of reasons, and can depend on the enforcement method as well. For DHCP, re-validation can happen any time you renew your IP, as well as whenever a health-related change occurs (SHAs can re-trigger validation, or the NAP agent can trigger when probation time expires). For HRA/IPsec, health changes trigger it, as well as impending certificate expiration. For 802.1x PEAP-based, the switch's re-auth interval can trigger it, or any health-related change. Hopefully this answers your question adequately.
Anthony L [MSFT] (Expert):
Q: Still haven't worked with MS NAP, but is there any chance to control that a client doesn't have more than one NIC, wired or wireless, enabled when connecting to my network?
A: Yes, this is certainly possible through an SHA/SHV (System Health Agent/System Health Validator). Microsoft does not natively provide this capability in an SHA/SHV today.
kapil[MSFT] (Moderator):
Q: The NAP platform architecture guide is dated May 23, 2006. Are there any updates to this planned, since Vista has now shipped and now Longhorn may have changed some things?
A: Please contact the asknap@microsoft.com alias with this query for a response.
kapil[MSFT] (Moderator):
We have about 10 minutes left for today’s chat. If you have any last minute questions, please submit them asap. The Experts will answer as many questions as they can in the time remaining. Thanks!
Anthony L [MSFT] (Expert):
Q: No current requirements for RFC3576 dynamic authorization support, but it's on our radar too. We'll talk.
A: Sounds good
Shashwat [MSFT] (Expert):
Q: Can NPS deploy PBACLs to a router/switch natively, or must plug-ins be developed?
A: NPS doesn't support it out of the box. However, you can configure VSAs in the policies by which the switch can be controlled. Or you might want to take a look at the integrated NAP-NAC architecture to see if you can use it to achieve your goal.
Shashwat [MSFT] (Expert):
Q: Could a SHA/SHV be written that made use of the authenticated user identity?
A: NPS doesn't pass the user identity that it authenticates to the SHVs. So the answer would be no, if that's what you were looking for.
kapil[MSFT] (Moderator):
Please note we have the EAPHOST web chat scheduled for tomorrow. Please do attend.
kapil[MSFT] (Moderator):
http://www.microsoft.com/communities/chats/vcs/07_0411_TN_EAPHost.ics
kapil[MSFT] (Moderator):
For details please go to http://www.microsoft.com/technet/community/chats/default.mspx
Shashwat [MSFT] (Expert):
Q: Is it possible to combine Vista/LH QoS policy with NAP health, such that only healthy clients are authorized to mark traffic?
A: It can't be done out of the box. You can write an SHA/SHV to do that. If you want to know more about support/integration with AP, please mail asknap@microsoft.com
Matt [MSFT] (Expert):
Q: Do networking changes by a user on a client machine (i.e. manually adding a default route when put into quarantine) trigger a new health check?
A: The current out-of-box SHA on the system does not monitor this. Using the NAP SDK, an SHA can be written to monitor this and trigger a health check.
Chris Edson [MSFT] (Expert):
Q: Is HRA offering templates, and can these be edited (validity period, etc.)?
A: We do not provide templates for health certificates currently, but please take a look at Beta 3 when it releases and provide feedback on the new functionality provided in Beta 3...
kapil[MSFT] (Moderator):
We have about 3 minutes left for today’s chat. If you have any last minute questions, please submit them asap. The Experts will answer as many questions as they can in the time remaining. Thanks!
kapil[MSFT] (Moderator):
Well that wraps it up for today’s chat. Thanks to everyone for participating, and also thanks to the Experts for being here to answer everyone’s questions
Shashwat [MSFT] (Expert):
Q: I have a large enterprise interested in deploying NAP/IPsec and they would like health certs to have the private key protected by the TPM. Is that possible today, or being planned?
A: Please mail asknap@microsoft.com with your question.
kapil[MSFT] (Moderator):
We will post the transcript from today’s chat here in the next few days: http://www.microsoft.com/technet/community/chats/trans/default.mspx#E4FAC
Great attendance today and many good questions! Thanks all for attending, and please keep an eye out for more NPS/EAP/NAP related TechNet Web Chats in the future!
Have a great day everyone!
James McIllece [MS] (Expert):
Q: Re Q[40] - How would real-time changes in the client's status be evaluated and new policy decisions enforced if it relies on RADIUS/PEAP authentication to communicate the status and policy results?
A: Events on the client computer can trigger a health check outside of the authentication process. Also, autoremediation allows NAP agent on the client to (for example) re-enable the firewall if a user turns it off.
kapil[MSFT] (Moderator):
Please plan to attend tomorrow’s chat on EAPHOST
kapil[MSFT] (Moderator):
Useful NPS links... If you have further questions, please contact our team via the newsgroup microsoft.public.internet.radius: http://www.microsoft.com/technet/community/newsgroups/dgbrowser/en-us/default.mspx?dg=microsoft.public.internet.radius
kapil[MSFT] (Moderator):
Thanks all for the participation.
Chris Edson [MSFT] (Expert):
Q: Re Q[40] - How would real-time changes in the client's status be evaluated and new policy decisions enforced if it relies on RADIUS/PEAP authentication to communicate the status and policy results?
A: Any SHA can re-trigger health evaluation based on the items that the SHA monitors.
James McIllece [MS] (Expert):
Thanks everybody for all your great questions!
Shashwat [MSFT] (Expert):
Thanks everybody for attending the chat and all the great questions. Goodbye.