World of Network Access Protection (November 13, 2006)
Chat Topic: World of Network Access Protection (NAP)
Date: Monday, November 13, 2006
Please note: Portions of this transcript have been edited for clarity.
Christian (Moderator):
Hello everyone - welcome to today’s chat!
Christian (Moderator):
Today’s Chat topic: World of Network Access Protection (NAP)
Christian (Moderator):
We are pleased to welcome our Experts for today’s chat. I will have them introduce themselves now…
Introductions
Chris Edson [MSFT] (Expert):
Hello. My name is Chris Edson, and I’m a longtime member of the NAP Test team. Like everyone, I’m looking forward to the release of both Windows Vista and the forthcoming Longhorn Server.
Jeff Sigman [MSFT] (Expert):
Hello everyone! My name is Jeff Sigman. I am the Release Manager for Network Access Protection. Thanks for joining us today for our chat on Network Access Protection (NAP). We are excited about shipping NAP in Windows Vista, and working hard to release NAP for Longhorn Server in the next year. I hope you brought all of your tough questions for us today. Please be sure to check out the NAP blog - http://blogs.technet.com/nap
Barry [MSFT] (Expert):
Hi, my name is Barry, and I am an engineer responsible for deployment of System Center Operations Manager (MOM).
Greg Lindsay [MS] (Expert):
Hi, my name is Greg Lindsay and I am a technical writer for NAP.
Kapil[MSFT] (Moderator):
Hello everyone. My name is Kapil and I work on the Network Policy Server Test team.
Kevin Rhodes [MSFT] (Expert):
Hi everyone. My name is Kevin Rhodes. I am the Program Manager for Network Access Protection. Thanks for coming.
Howard Lee [MSFT] (Expert):
I’m Howard Lee, the organizer of this web chat. Thank you all for joining our chat today. I have been a Software Design Engineer in Test at the Enterprise Networking Group for almost 3 years, and I own test libraries, tools, and automation for NAP IPsec to support client-side and server-side testing.
atacanc[MSFT] (Expert):
Atacan Conduroglu. I have been working on the Network Access Protection project as a test engineer. I specialize in the Graphical User Interface components of NAP.
Start of Chat
Jeff Sigman [MSFT] (Expert):
Q: Is it true that NAP will not be "fully implemented" until Windows LongHorn is released?
A: This is correct. We shipped the NAP client-side pieces on Vista. We will be shipping the Server-side of NAP on Longhorn Server in the next year, as well as additional NAP client releases for XP SP2+ and Windows Server 2003.
Barry [MSFT] (Expert):
Q: What should we be doing now to prepare ourselves and our environment for implementing NAP?
A: Have you read the information on our website? What enforcement are you considering implementing?
Howard Lee [MSFT] (Expert):
Q: Did Microsoft publish IKEv1 extensions to carry SOH messages?
A: We didn't extend IKE to carry SoH messages. Instead we enroll health certificates out of band and use the health certificates in IKE.
Kevin Rhodes [MSFT] (Expert):
Q: Can you explain how the NAP client pieces can be used prior to Longhorn? Is it possible to define and enforce access policies?
A: The NAP client components are included with Vista but NAP also requires server components that are included with Windows Longhorn. Prior to the Longhorn server release you can use the client pieces for beta testing and pilots with beta versions of Longhorn servers. It is not possible to define NAP health and enforcement policies without Longhorn Server.
Ambrish Verma [MSFT] (Expert):
Q: Where can we find the formats of SoH and SoHR messages?
A: They are published as part of the NAP APIs; you can find the SoH and SoHR formats on MSDN. The following link should be useful: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/nap/nap/nap_structures.asp
Ambrish Verma [MSFT] (Expert):
Q: Where can I find links to information on your website etc. regarding NAP?
A: The following link should be useful: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/nap/nap/nap_structures.asp
Kevin Rhodes [MSFT] (Expert):
Q: Where can I find links to information on your website etc. regarding NAP?
A: A great place to start researching Microsoft NAP is at the NAP website at http://www.microsoft.com/technet/itsolutions/network/nap/default.mspx
Chris Edson [MSFT] (Expert):
Q: The Cisco integration with the Vista client... is the Cisco Clean Access Agent part of Vista, or are the two just going to be able to coexist? Can you elaborate on how they are "integrated" and help each other out?
A: No, the NAP/NAC integration uses the built-in NAP client that comes with Windows Vista. Cisco’s EAP-FAST and EAP-over-UDP will be integrated into Windows and will be able to use the NAP client to support the Microsoft Statement of Health (SoH). All SoHs are forwarded to the Microsoft NPS for evaluation of health state. Please refer to the NAP/NAC Interoperability Whitepaper - it can be found at http://www.microsoft.com/nap.
atacanc[MSFT] (Expert):
Q: Are sample network traces of common activities available to assist developers?
A: Microsoft does not publish network traces of common NAP traffic. But we do have step-by-step setup guides on the web for setting up NAP end-to-end, and Network Monitor (Netmon) can be used in an end-to-end setup to sniff the network traces.
Greg Lindsay [MS] (Expert):
Q: Setting a baseline and not allowing access to those computers not meeting the baseline - as far as enforcement, this is what I am interested in. What enforcement is available, and what compatibilities should I look for in hardware purchases?
A: NAP uses 4 enforcement technologies: IPsec, 802.1X, VPN, and DHCP. You can use one of these methods, or combine them. There are several vendors partnering with MS to deliver NAP solutions. Cisco is a major player. What sort of network access method are you looking to control?
Barry [MSFT] (Expert):
Q: The Cisco integration with the Vista client... is the Cisco Clean Access Agent part of Vista, or are the two just going to be able to coexist? Can you elaborate on how they are "integrated" and help each other out?
A: See the response from Chris Edson.
Chandra Nukala (Expert):
Q: Besides the NPS, are there any other RADIUS servers that support NAP on the server side?
A: Currently none. There are no other RADIUS servers that support NAP on the server side.
Greg Lindsay [MS] (Expert):
Q: What are the differences between a NAP-ready and a non-NAP-ready remote client, e.g. an 802.1X client?
A: A NAP ready client has the NAP Agent installed. Vista has this out of the box. There will be support for XP SP2 as well, but it requires installing the NAP client software.
Kapil[MSFT] (Moderator):
Q: What EAP types will you be supporting in this release? I heard there was some talk of removing some of the less secure EAP types (ie MD5).
A: EAP-MSCHAPv2, EAP-TLS, PEAP-MSCHAPv2, PEAP-TLS. EAP-MD5 is disabled by default and can be enabled with a registry key. For NAP, PEAP-MSCHAPv2 and PEAP-TLS can be used in the VPN and 1x enforcements.
Kevin Rhodes [MSFT] (Expert):
Q: Did Microsoft publish IKEv1 extensions to carry SOH messages?
A: No.
Ambrish Verma [MSFT] (Expert):
Q: Do you have any documentation for the changes made to the PEAP method to support SoH handshake?
A: There is no public documentation available for this, but I can answer your queries if you have any specific questions.
Barry [MSFT] (Expert):
Q: What are the differences between a NAP-ready and a non-NAP-ready remote client, e.g. an 802.1X client?
A: On Vista, the NAP Agent service must be running and the EAPQEC must be enabled, either by local policy or Group Policy.
Shashwat [MSFT] (Expert):
Q: With Longhorn version of IAS and NAP, is there a way to do simultaneous machine and user authentication?
A: No, you can do only one of them in a single request.
Chris Edson [MSFT] (Expert):
Q: Besides Windows SHV in the Longhorn, what other SHVs can I get to test with?
A: There are several partners with SHVs in development, but none are available for release as yet. Please consult the NAP Partners page, and if you wish, you might try contacting partners directly with your inquiries. http://www.microsoft.com/windowsserver2003/partners/nappartners.mspx
Chandra Nukala (Expert):
Q: Will NAP support EAP-FAST?
A: Yes. NAP will support EAP-FAST under the NAP-NAC Integration, please check the following link for details: http://download.microsoft.com/download/d/0/8/d08df717-d752-4fa2-a77a-ab29f0b29266/NAC-NAP_Whitepaper.pdf
Jeff Sigman [MSFT] (Expert):
Q: If you have tried NAP on the Beta program, which enforcement methods did you try out? DHCP / IPsec / 802.1x / Terminal Server / VPN?
Greg Lindsay [MS] (Expert):
Q: Is a "best practices" whitepaper available for nap implementation?
A: NAP documentation is found at www.microsoft.com/nap. There isn't currently a best practices document, but a few things to consider carefully when deploying NAP are:
1) Where and how do you want to enforce health policy? If you have remote users connecting with RRAS from unmanaged systems, then VPN enforcement may be very helpful. If you want to use NAP to maintain health policies for all users in your network, an IPsec enforcement method can be useful. If you have already deployed an 802.1X framework, you may wish to use it with NAP and 802.1X enforcement.
2) What kind of health policies do you wish to enforce? You may wish to use the SHV and SHA included with Windows Longhorn and Windows Vista, or use the API set to write your own. Do you have vendors that intend to integrate their applications with NAP?
3) What is your current policy infrastructure? Do you use SMS or Group Policy to deploy system and software configurations? Are there things you would like to change or add by deploying NAP?
Kevin Rhodes [MSFT] (Expert):
Q: So there won't be any special functionality required to be supported by 3rd party client vendors? They will just do what they do right now and NAP will kick in appropriately?
A: To integrate with NAP, third parties will be required to do some software work. Microsoft has published the NAP APIs and guidance in the Windows SDK specifically so 3rd parties can integrate with the NAP components. They will then provide this capability as part of an update for their product.
Chandra Nukala (Expert):
Q: What documentation do you have for developers who would like to enhance their DHCP servers on the enforcement points?
A: This will be documented as part of the NAP protocol licensing program for partners. Please email asknap@microsoft.com for further details.
Jeff Sigman [MSFT] (Expert):
Q: I've tested the NAP: DHCP, TS and our own QEC/QES pair.
A: Cool! How was your experience? Did you get it to work? Any trouble getting it working?
Shashwat [MSFT] (Expert):
Q: Do SHVs use a standard protocol to communicate with Policy Servers?
A: SHVs use public APIs to communicate with the Policy Server. The APIs are published in MSDN. Please see the NAP blog to find the link to the MSDN.
Kapil[MSFT] (Moderator):
Try the newsgroup http://www.microsoft.com/technet/community/newsgroups/desktopos/winxp.mspx
Jeff Sigman [MSFT] (Expert):
Q: Changes were changed later on, therefore the failures were not obvious... Also, a definite requirement in testing was Netmon 3 on LH; though the parsing wasn't good, it worked.
A: Good point. We will take that feedback for our next version of the troubleshooting / step-by-step guides. We might want to outline how to dig in to the protocol.
Kapil[MSFT] (Moderator):
Q: With regard to the RADIUS protocol between the HCS and NPS, are the Microsoft Vendor-Specific Attributes published somewhere? Is the dictionary publicly available?
A: The XML file %windir%\system32\ias\dnary.xml is the dictionary file that NPS uses.
Ambrish Verma [MSFT] (Expert):
Q: Currently we are using the Cisco concentrator for VPN and the Microsoft VPN client - we had to use the PPTP protocol to get this to work. We wanted to use L2TP as our protocol. I am trying to understand how NAP is going to work, when we could not obtain
A: I think we didn't receive your complete question, could you please retype the question.
Barry [MSFT] (Expert):
Q: What EAP types will you be supporting in this release? I heard there was some talk of removing some of the less secure EAP types (ie MD5).
A: We will support PEAP and MS-CHAPv2.
Chris Edson [MSFT] (Expert):
Q: With regard to the PEAP handshake, I assume the SoH handshake happens after the MS-CHAPv2 authentication in the PEAP tunnel? Are there 3rd party supplicants that support the SoH handshake? MeetingHouse? Funk?
A: The SoH handshake happens alongside the MSCHAPv2 (or TLS) authentication in the PEAP tunnel; they are part of the same process, not separate or necessarily sequential. As for 3rd party supplicants, Cisco is planning to support this with EAP-FAST and EAP-over-UDP, per the NAP/NAC Integrated Architecture (http://download.microsoft.com/download/d/0/8/d08df717-d752-4fa2-a77a-ab29f0b29266/NAC-NAP_Whitepaper.pdf), and other partners may also take advantage of this via the EAPHost architecture (upon which 3rd parties can create their own methods and supplicants).
Howard Lee [MSFT] (Expert):
Q: Is anybody deploying NAP in their networks? If not, do you have any plans to do so?
Ambrish Verma [MSFT] (Expert):
Q: Sorry about that wrong button. Sudhaker, customers are asking for support for both simultaneous machine and user authentication and if any of them fail, then the authentication fails.
A: Could you please send me your question again? But we do not support user and machine auth simultaneously at present.
Jeff Sigman [MSFT] (Expert):
Q: Jeff, another thing: when MS publishes (whether by license or free) the RADIUS extensions needed in the vendor-defined elements, please include the data chunking method, because Vista gives >600 bytes where a RADIUS attribute is limited to 253 bytes.
A: Thomas, please send me an email, as well as Calvin Choe:
Greg Lindsay [MS] (Expert):
Q: Greg, thanks for answering my question. I guess my problem is I am fairly ignorant about NAP; I understand the concept, but I want to understand how it will work for us. We use SMS 2003 SP2 currently and want to monitor VPN and direct connect access.
A: Check the www.microsoft.com/nap site and also blogs.technet.com - there is a lot of information about how NAP works and a step by step guide for VPN (currently for Vista B2). I've used the VPN NAP solution myself and it's pretty nifty. Your VPN clients connect and are placed in quarantine until they pass health checks. The built-in health checks for Vista are things that integrate into Security Center (firewall, antivirus, malware, windows update). If these are sufficient for you, then all you need to do is decide which you want to enforce and how to enforce them. You can disconnect clients that do not comply with policy, or redirect them to a restricted network until they pass health checks, or you can grant them access for a limited time.
Ambrish Verma [MSFT] (Expert):
Q: Where can I find information about the EAPHost architecture?
A: It is available on MSDN; the following link should be useful: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/eaphost/eaphost/eaphost_schemas.asp
Jeff Sigman [MSFT] (Expert):
Q: Jeff, I've worked with Calvin on the issue. but will resend if ye wish.
A: Yes, please do! :->
Jeff Sigman [MSFT] (Expert):
Q: Make sure you check out the latest on the NAP blog. We have posted the latest information on down-level NAP support: http://blogs.technet.com/nap/archive/2006/11/08/nap-update-for-vista-xp-windows-server-2003-and-longhorn-server.aspx
Greg Lindsay [MS] (Expert):
Q: Greg, is there more than what you mentioned (firewall, antivirus, malware, Windows Update) you can do with NAP?
A: Those are just the default health checks included with Vista and Longhorn. NAP also integrates with SMS, so your SMS policies can be enforced with NAP. Dozens of partners are also integrating with NAP, so they will provide additional health checks via customer SHAs and SHVs.
Greg Lindsay [MS] (Expert):
I'm sorry I meant to say custom SHAs and SHVs
Chris Edson [MSFT] (Expert):
Q: How is Microsoft planning to integrate with the Cisco technology to support the higher level of encryption? Today we are having an issue where users are unable to determine when their password is about to expire.
A: Ellen - I’ve taken your 3-part question, and I think I understand what you are asking. For NAP to work using the Microsoft VPN client, your authentication method would have to be PEAP, in order to be able to carry the Statements of Health (SoH). Also, the authenticator would have to be Microsoft’s Network Policy Server (NPS).
Jeff Sigman [MSFT] (Expert):
Q: What documentation is available to a RADIUS server vendor to correctly handle NAP (SoH, SoHR, etc.) handshakes with a Vista client (PEAP, EAP-FAST, etc)?
A: Hey Avenda. Can you send this question to ASKNAP@microsoft.com? We will work with you on this!
Sam Salhi [MSFT] (Expert):
Q: How is a computer quarantined? By VLAN? ACL? Other? What is the enforcement point?
A: Yes, depending on the switch and how it's implemented. It can be VLAN, ACL or even manual (not do anything). If it's 802.1X, VLANs would possibly be the natural choice. If it's VPN, ACL/IP filters are the choice.
Kapil[MSFT] (Moderator):
Q: What documentation is available to a RADIUS server vendor to correctly handle NAP (SoH, SoHR, etc.) handshakes with a Vista client (PEAP, EAP-FAST, etc)?
A: Microsoft's RADIUS server, NPS, understands the SoH protocol: it handles incoming SoH requests and then creates an SoH response. Third-party RADIUS servers can proxy requests to NPS for NAP.
Jeff Sigman [MSFT] (Expert):
Q: Will NAP clients be available or documented for non-Vista clients and/or non-Windows clients?
A: YES! Check this out: http://blogs.technet.com/nap/archive/2006/11/08/nap-update-for-vista-xp-windows-server-2003-and-longhorn-server.aspx
Jeff Sigman [MSFT] (Expert):
Q: I have tinkered with it (at InteropLabs)
A: Did you get end-to-end working?
Jeff Sigman [MSFT] (Expert):
Q: Jeff - it looks like that blog only shows non-Vista client possibilities. What about non-Windows - either printers/faxes/etc. or a Mac device that may be somewhere on my network?
A: We are licensing our protocols for other OSes. For devices that are static (printers, etc.), there are many deployment options where they could be *exempted* from health policies.
Chris Edson [MSFT] (Expert):
Q: Yes, Jeff, we got NAP working Vista/Longhorn end-to-end... and use Lockdown to proxy for non-Vista clients...
A: Excellent!
Jeff Sigman [MSFT] (Expert):
Q: Licensing it? Or making the protocol definitions available so that they can be openly implemented by other systems?
A: We are licensing the SoH protocol. For details email ASKNAP@microsoft.com and we can clarify details.
Kevin Rhodes [MSFT] (Expert):
Q: Is there a time schedule/plan for supporting windows mobile devices such as PDAs or Phones?
A: At the present time there is not a schedule for this. We are in the process of figuring this out.
Christian (Moderator):
Well that wraps it up for today’s chat. Thanks to everyone for participating, and also thanks to the Experts for being here to answer everyone’s questions
Howard Lee [MSFT] (Expert):
Q: Will Microsoft release a Linux port for NAP?
A: Thank you for joining the chat. Please get ready for Longhorn Beta. If you have further questions, come ask us at the NAP blog (http://blogs.technet.com/nap/), NAP technet forum (https://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=576&SiteID=17) or NAP alias (asknap@microsoft.com).
Kevin Rhodes [MSFT] (Expert):
Thanks for taking the time to come chat with us.
Sam Salhi [MSFT] (Expert):
Q: Is the ACL component the key to integration with Cisco NAC?
A: Thanks all for joining us ...
Jeff Sigman [MSFT] (Expert):
Q: Will Microsoft release a Linux port for NAP?
A: Thanks everyone for coming to chat with us! We love the feedback. Feel free to engage us in the public web forum as well as the blog: http://blogs.technet.com/nap/default.aspx and http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=576&SiteID=17
Shashwat [MSFT] (Expert):
Q: Is the ACL component the key to integration with Cisco NAC?
A: No, the router or switch just enforces the quarantine based on the health the client reports. The decision is made by the backend policy server. Please see the NAP-NAC interoperability document at http://microsoft.com/nap
atacanc [MSFT] (Expert):
Q: Will Microsoft release a Linux port for NAP?
A: As of now, Microsoft has no plans to implement a Linux port of the NAP client. But the SoH protocol, the communication protocol required to contact the NAP server, is available for licensing. So a 3rd party might implement a port in the future.
Barry [MSFT] (Expert):
Q: What are the differences between a NAP-ready and a non-NAP-ready remote client, e.g. an 802.1X client?
A: Nice talking to all of you on another NAP chat.
Chandra Nukala (Expert):
Goodbye, and thanks for joining the chat. Please ask further questions at the NAP blog or asknap@microsoft.com
Chris Edson [MSFT] (Expert):
Great attendance today and many good questions! Thanks all for attending, and please keep an eye out for more NAP-related TechNet Web Chats in the future!
Christian (Moderator):
Have a great day everyone!
Shashwat [MSFT] (Expert):
Q: Is the ACL component the key to integration with Cisco NAC?
A: Thanks for participating in the chat
atacanc [MSFT] (Expert):
Thanks for joining today's tech chat. See you in the next tech chat.