802.1X Enforcement Example

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

The following examples show how NAP with 802.1X enforcement can be used to restrict network access when a computer is determined to be noncompliant with health policies. In the first example, only the NAP health policy server and 802.1X access devices are shown. The second example also displays DHCP and remediation services. Both examples use VLANs to restrict network access for noncompliant client computers. Network access can also be restricted using access control lists (ACLs), or by using a combination of VLANs and ACLs. When you use the ACL method, network access of noncompliant client computers is restricted to the ports and IP addresses that are allowed by the ACLs that you define in the noncompliant network policy. The ACL method is not shown.

802.1X design: example 1

In this example, noncompliant computers are granted restricted network access by placing them on a noncompliant VLAN. Compliant computers are granted full access by placing them on the corporate VLAN.

Compliant client access request

The following illustration and its corresponding steps provide a detailed description of the processes involved in evaluating health and providing full network access to a compliant NAP client computer using the 802.1X enforcement method.

802.1X NAP compliant client access request

  1. The NAP client computer requests network access from an 802.1X-compliant network access device and provides security credentials and system health information.

  2. The network access device forwards the client computer’s access request to the NAP health policy server for analysis.

  3. If the connection is authenticated and the client computer is compliant, the NAP health policy server instructs the network access device to allow the connection and place the client computer on the corporate VLAN.

  4. The network access device forwards the access response to the client computer.

  5. The network access device places the client computer on the corporate VLAN.

Noncompliant client restriction and remediation

The following illustration and its corresponding steps provide a detailed description of the processes involved in providing restricted network access and then remediating the health state of a noncompliant NAP client computer using the 802.1X enforcement method.

802.1X NAP noncompliant client restriction and remediation

  1. The NAP client computer detects a change in its health state and sends an access request containing its health state to the network access device.

  2. The network access device forwards the client’s access request to the NAP health policy server for analysis.

  3. The NAP health policy server evaluates the access request. The client computer is determined to be noncompliant with health requirements, so NPS (the NAP health policy server) instructs the network access device to place the computer on the noncompliant VLAN.

  4. The network access device forwards the access response along with health remediation instructions to the client computer.

  5. The network access device places the client computer on the noncompliant VLAN.

  6. If required, the client computer requests updates from a remediation server.

  7. The remediation server provides software updates to the client computer.

  8. After its health state has been updated, the client computer sends a new access request containing its health state to the network access device.

  9. The network access device forwards the client computer’s access request to the NAP health policy server for analysis.

  10. The NAP health policy server evaluates the access request and determines that the client computer is compliant with health requirements. The NAP health policy server instructs the network access device to place the client computer on the corporate VLAN.

  11. The network access device forwards the access response to the client computer.

  12. The network access device places the client computer on the corporate VLAN.

802.1X design: example 2

In this example, noncompliant computers are granted restricted network access by placing them on a noncompliant VLAN. Compliant computers are granted full access by placing them on the corporate VLAN.

Compliant client access request

The following illustration and its corresponding steps provide a detailed description of the processes involved in evaluating health and providing full network access to a compliant NAP client computer using the 802.1X enforcement method. In this example, a DHCP server and remediation server are connected to a trunk port on a network access device that has access to both the noncompliant VLAN and the corporate VLAN. This configuration allows both compliant and noncompliant client computers to access DHCP and remediation services.

802.1X NAP compliant client access request

  1. The NAP client computer requests network access from an 802.1X-compliant network access device.

  2. The network access device forwards the access request to the NAP health policy server for analysis.

  3. If the connection is approved and the client computer is compliant with health requirements, the NAP health policy server instructs the network access device to place the client computer on the corporate VLAN.

  4. The network access device forwards the access response to the client computer.

  5. The network access device places the client computer on the corporate VLAN.

  6. The client computer obtains a corporate IP address profile from the DHCP server.

Noncompliant client restriction and remediation

The following illustration and its corresponding steps provide a detailed description of the processes involved in providing restricted network access and then remediating the health state of a noncompliant NAP client computer using the 802.1X enforcement method. In this example, a DHCP server and remediation server are connected to a trunk port on a network access device that allows access to both the noncompliant VLAN and the corporate VLAN.

802.1X NAP noncompliant client restriction and remediation

  1. The NAP client computer detects a change in its health state and sends an access request to the network access device.

  2. The network access device forwards the client access request to the NAP health policy server for analysis.

  3. The NAP health policy server determines that the client computer is noncompliant with health requirements and instructs the network access device to place the client computer on the noncompliant VLAN.

  4. The network access device forwards the response to the client computer.

  5. The client computer is placed on the noncompliant VLAN.

  6. The client computer obtains an IP address configuration for the noncompliant VLAN from the DHCP server.

  7. If required, the client computer requests updates from a remediation server.

  8. The remediation server provides updates to the client computer.

  9. The client computer sends a new access request to the network access device.

  10. The network access device forwards the client access request to the NAP health policy server for analysis.

  11. The NAP health policy server determines that the client computer is compliant with health requirements and instructs the network access device to place the client computer on the corporate VLAN.

  12. The network access device forwards the access response to the client computer.

  13. The client computer is placed on the corporate VLAN.

  14. The client computer obtains an IP address configuration for the corporate VLAN from the DHCP server.
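Added example, not part of this documentation or of NPS itself: a small Python model of the health policy server's decision in step 3 of each of the four flows above, with VLAN placement expressed as the RADIUS attributes an 802.1X access device acts on (attribute values from RFC 3580; the health checks, VLAN IDs and statement-of-health fields are assumptions). It also walks the noncompliant, remediate, re-request cycle from the noncompliant flows.

```python
# Added example: a model of the NAP health policy server (NPS) decision in
# step 3 of the flows above. Constructed, not Microsoft code; the health
# checks, VLAN IDs and statement-of-health (SoH) fields are assumptions.
# RADIUS attribute values follow RFC 3580 (Tunnel-Type 13 = VLAN,
# Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID = VLAN name/ID).
from dataclasses import dataclass, field

CORPORATE_VLAN = "10"      # assumed VLAN IDs
NONCOMPLIANT_VLAN = "99"

# Assumed health policy: every check must pass for the client to be compliant.
HEALTH_POLICY = {"firewall_enabled": True, "antivirus_up_to_date": True,
                 "auto_update_enabled": True}

@dataclass
class AccessDecision:
    accept: bool                  # RADIUS Access-Accept vs Access-Reject
    attributes: dict = field(default_factory=dict)   # sent to the access device
    remediation: list = field(default_factory=list)  # failed checks for the client

def failed_checks(soh: dict) -> list:
    """Checks the SoH fails; a missing field counts as a failure."""
    return [c for c, want in HEALTH_POLICY.items() if soh.get(c) != want]

def vlan_attributes(vlan_id: str) -> dict:
    """RADIUS attributes that tell the switch which VLAN to assign the port."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": vlan_id}

def decide(authenticated: bool, soh: dict) -> AccessDecision:
    """Reject on bad credentials; otherwise pick corporate or noncompliant VLAN."""
    if not authenticated:
        return AccessDecision(False)       # no VLAN at all on Access-Reject
    failures = failed_checks(soh)
    vlan = NONCOMPLIANT_VLAN if failures else CORPORATE_VLAN
    return AccessDecision(True, vlan_attributes(vlan), failures)

def remediation_cycle(soh: dict) -> list:
    """VLANs a client sees across first request, remediation, re-request."""
    first = decide(True, soh)
    for check in first.remediation:    # remediation server fixes each failure
        soh[check] = HEALTH_POLICY[check]
    second = decide(True, soh)         # new access request with updated SoH
    return [d.attributes["Tunnel-Private-Group-ID"] for d in (first, second)]
```

A real NPS deployment carries the statement of health inside the EAP exchange and the VLAN attributes inside the RADIUS Access-Accept; the model keeps only the policy decision and the attributes that result.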