Appendix D: NAP-NAC Design

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

Microsoft and Cisco Systems, Inc. have worked together to enable interoperability between Microsoft Network Access Protection (NAP) and the Cisco Secure Access Control Server (ACS) version 4.2, a component of Cisco Network Admission Control (NAC). The NAP-NAC interoperability architecture allows customers to deploy both Network Policy Server (NPS) in Windows Server® 2008 and the Cisco Secure ACS version 4.2 in a configuration in which the NPS server manages health policy and ACS manages network policy. With NAP-NAC, you can determine the health status of a client computer running Windows Vista, provide remediation services, and enforce health requirements for network access. The NAP-NAC solution can be deployed independently or it can be integrated with your existing NAP or NAC deployment. NAP-NAC does not offer interoperability between the Microsoft NAP platform and the Cisco NAC Appliance, formerly known as Clean Access. The following sections provide an overview of the NAP-NAC solution and discuss some of its benefits.

NAP-NAC terminology

The following table lists NAP-NAC terms used in this section.

Term

Definition

Cisco Access Control Server (ACS)

The Cisco implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy. ACS is a required component of the NAP-NAC interoperability solution.

Cisco Clean Access

See NAC Appliance.

Cisco Trust Agent (CTA)

Software that collects and manages health information for NAC client computers.

Flexible Authentication via Secure Tunneling Extensible Authentication Protocol (EAP-FAST)

An EAP authentication method that uses Transport Layer Security (TLS) to establish an authenticated and protected tunnel for secure communication between a client and server.

EAPHost

A Microsoft Windows networking component that provides an EAP infrastructure for the authentication of supplicant protocol implementations, such as 802.1X and Point-to-Point Protocol (PPP).

Encryption Control Protocol (ECP)

A protocol used to encrypt data for point-to-point communications.

Health Credentials Authorization Protocol (HCAP)

A protocol for exchanging information between an AAA server and a server that contains information required to validate configuration data. The NAP-NAC interoperability solution uses HCAP for communication between NPS and ACS.

NAC Appliance

Formerly called Cisco Clean Access, an appliance-based solution that allows network administrators to authenticate, authorize, evaluate, and remediate client computers on a network.

NAC Framework

A solution designed to integrate into an existing 802.1X enabled Cisco network infrastructure. It allows network administrators to authenticate, authorize, evaluate, and remediate client computers on a network.

NAP-NAC overview

NAP-NAC works by using the NAP Agent service on a computer running Windows Vista SP1 or Windows Server 2008 to provide health status when a client connects to a network. Health and identity credentials are relayed through a network access device to an ACS. The ACS forwards the client’s health status to Network Policy Server (NPS) for evaluation, and then enforces the appropriate level of network access by sending an access profile to the network access device. See the following figure.

NAP-NAC infrastructure components

Communication between the client computer and a network access device occurs through the EAP-FAST method over 802.1X. Client credentials are passed to ACS for validation using the RADIUS protocol; ACS uses HCAP to communicate with NPS.

Benefits of NAP-NAC

The interoperability of NAP and NAC allows customers to preserve their investments in a NAC network or NAP desktop and server infrastructure. With this joint architecture, customers do not have to choose between NAC and NAP; they can realize the benefits of both solutions.

The features and benefits of NAP-NAC include:

Interoperability and customer choice. Customers can choose the components, infrastructure, and technology that best suit their needs, while implementing a single, coordinated solution.

Investment protection. The interoperability architecture enables customers to reuse and protect their investment in existing NAP and NAC deployments.

Single agent included in Windows Vista. The NAP Agent component is used with both NAP and NAC solutions.

Agent deployment and update support. You can use Windows Update and Windows Server Update Services (WSUS) to deploy the EAP-FAST authentication method.

Independent software vendor integration ecosystem. To simplify the development of other, non-Microsoft system health agent and health enforcement components for clients running Windows Vista, the NAP client APIs will serve as the single programmatic interface used for health reporting for both NAC and NAP.

NAP-NAC architecture

The following sections provide detailed information about the NAP-NAC interoperability architecture, including client computers, access devices, and servers.

NAP-NAC client computer

The NAP-NAC client computer is a computer running Windows Vista SP1 or Windows Server 2008 that sends its health credentials in a statement of health (SoH). The client architecture consists of the following:

  • A layer of SHAs that continuously monitor client health status.

  • The NAP EAPHost enforcement client that requests access to the network.

  • The NAP Agent service, which mediates communication between installed SHAs and the enforcement client.

  • The EAP-FAST method to perform account credential authentication.

  • EAP supplicants that allow the client to send EAP messages over 802.1X.

The identity information provided by 802.1X can include both user and computer credentials. See the following diagram.

NAP-NAC client components

Client operating system requirements

The NAP-NAC solution requires that client computers are running Windows Vista with SP1 or Windows Server 2008. NAP-NAC is not supported in earlier releases of Windows Vista or on Windows XP.

NAP-NAC combines elements of NAP with the NAC Framework. The NAC Appliance solution is not a component of NAP-NAC. The following table provides a summary of client operating system requirements for the NAP, NAC, and NAP-NAC solutions.

Solution         Vista    Vista SP1    Windows Server 2008    Windows XP SP2    Windows XP SP3
NAP-NAC
NAP
NAC Framework
NAC Appliance

Client operating system support for NAP-NAC solutions

Some solutions also require you to install the following software on client computers:

  • NAP-NAC. You must install the Cisco EAP-FAST (ECP) update.

  • NAC Framework. You must install CTA.

  • NAC Appliance. You must install NAC Agent or Web Agent.

Network access device

Network access devices enabled for NAP-NAC include switches and wireless access points. These devices provide network access to clients and serve as NAP-NAC enforcement points. The network access device enforces network access based on policies that you configure on both ACS and NPS, and are communicated through RADIUS attributes. NAP-NAC requires that you use a supported Cisco network access device. See the following table for platform and operating system requirements.

Platform                                       Operating system version
6500 – Sup32, 720                              IOS 12.2 (33) SXH
6500 – Sup2, 32, 720                           CatOS 8.6 (1) or later
4500 – SupII+, II+TS, II+10G, IV, V, V-10GE    IOS 12.2 (35) SG
4900                                           IOS 12.2 (35) SG
3570, 3560                                     IOS 12.2 (35) SG
3550                                           IOS 12.2 (35) SG
2960                                           IOS 12.2 (35) SG

Minimum network access device system requirements for NAP-NAC

Communication between the network access device and the client computer takes place through the 802.1X authentication process. When the client initiates a connection request, the network access device establishes communication and starts the authentication process. After a trust relationship is established, the client uses a secure tunnel to provide health and identity credentials, which are then forwarded by the network access device to an authentication, authorization, and accounting (AAA) server for evaluation. For NAP-NAC, the AAA server is a Cisco Secure ACS; communication is carried out with EAPHost running on the client computer using required modules, such as EAP-FAST.

In this process, the network access device acts as a relay agent between the host and ACS for all messages in the exchange. When the authorization process is completed, ACS sends the appropriate network access profile to the network access device to allow or restrict client access. Access enforcement is carried out using dynamic VLAN assignment on the switch. Whenever a health state change is detected on the client, the 802.1X authentication process occurs again, allowing client health status to be actively monitored and enforced.

NAP-NAC servers

The following server roles are required for NAP-NAC:

  • Active Directory domain controller. A server running AD DS is required to validate client identity credentials. DHCP and DNS are common optional services that you can install on the domain controller.

  • NPS and HCAP. A server running NPS and HCAP is required to validate client health credentials. You can also optionally install the Group Policy Management feature to manage NAP-NAC client settings.

  • Cisco Secure ACS v4.2. A server running ACS version 4.2 is required to authorize and enforce client network access profiles based on identity and posture.

You can install AD DS on the same computer with ACS or NPS. However, because ACS is not supported on Windows Server 2008, you must install NPS and ACS on separate computers. The following table displays server operating system requirements for the NAP, NAC, and NAP-NAC solutions.

NAP-NAC
  Domain controller: Windows 2000 Server (minimum); Windows Server 2003 (supported); Windows Server 2008 (recommended)
  NPS: Windows Server 2008 (minimum)
  Cisco Secure ACS v4.2: Windows 2000 Server (minimum); Windows Server 2003 (recommended)

NAP
  Domain controller: Windows 2000 Server (minimum); Windows Server 2003 (supported); Windows Server 2008 (recommended)
  NPS: Windows Server 2008 (minimum)
  Cisco Secure ACS v4.2: N/A

NAC Framework
  Domain controller: Windows 2000 Server (minimum); Windows Server 2003 (supported); Windows Server 2008 (recommended)
  NPS: N/A
  Cisco Secure ACS v4.2: Windows 2000 Server (minimum); Windows Server 2003 (recommended)

NAC Appliance
  Domain controller: Windows 2000 Server (minimum); Windows Server 2003 (supported); Windows Server 2008 (recommended)
  NPS: N/A
  Cisco Secure ACS v4.2: Windows 2000 Server (minimum); Windows Server 2003 (recommended)

Server operating system requirements for NAP and NAC solutions

The following restrictions also apply:

  • If the server used to configure Group Policy objects (GPOs) is not running Windows Server 2008, you must extend the Active Directory schema in order to use enhancements to Group Policy for configuring wired and wireless connections. For more information, see Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements (https://go.microsoft.com/fwlink/?LinkId=70195).

  • To configure EAP-FAST authentication requirements on supplicants using Group Policy, you must install the Cisco EAP-FAST (ECP) update on the computer used to configure NAP-NAC supplicant GPOs.

Active Directory domain controller

A domain controller is a server running AD DS that provides a database to validate client identity data presented during the 802.1X authentication process. Cisco Secure ACS uses AD DS to determine user and computer identity before authorizing a level of access.

NPS and HCAP

NPS is required to perform validation of a client computer’s system health and provide remediation instructions, if required. Communication between NPS and ACS occurs through the use of HCAP. When you install HCAP on a computer running Windows Server 2008, NPS is installed automatically. Policies and settings that you configure in NPS are used to determine whether a client is compliant or noncompliant with network health requirements. Based on evaluation of the client computer’s health state, NPS will instruct ACS to allow or deny network access. If allowed, NPS can specify that the client is allowed full access or it can restrict client access to a remediation network.

Note

NPS can also contact other servers (such as NAP health requirement servers) to validate client health if required by an installed SHV. For more information about how NPS validates client health, see Appendix B: Reviewing Key NAP Concepts.

Cisco ACS v4.2

Cisco Secure ACS authorizes network access for clients by validating the administratively specified client attributes, which can include the identity of the user or computer and the health state of the client. Cisco Secure ACS sends an access profile to the network access device to grant the appropriate level of network access for the client based on the authorization result. For NAP-NAC, validation of client health state attributes and assignment of the client health state are performed by NPS. The Cisco ACS server maps the policy decision made by NPS to a network access profile that is sent to the network access device. ACS version 4.2 is required for support of NAP-NAC integration.

How NAP-NAC works

Upon connection to the network, client health and identity are evaluated and a level of access is assigned using the following process:

NAP-NAC client health evaluation

  1. The client uses the NAP Agent service to provide a set of credentials in the form of an SoH. The SoH is provided as an EAP message using the EAP-FAST protocol over 802.1X.

  2. The network access device uses the RADIUS protocol to forward EAP messages to Cisco ACS for analysis.

  3. ACS receives the client’s credentials through EAP-FAST and uses AD DS to validate identity. If the client is authenticated, ACS forwards the client’s SoH to NPS using HCAP.

  4. NPS determines the health state of the client and reports it to ACS using HCAP.

  5. Based on posture information from NPS, ACS instructs the network access device to apply a preconfigured network access profile to the client port. ACS will also return a statement of health response (SoHR) to the NAP Agent on the client using the RADIUS protocol and the EAP-FAST method.

  6. The client will dynamically be placed in the compliant or noncompliant VLAN based on the response from NPS.

Clients that are noncompliant can be restricted and remediated before being granted full network access. Noncompliant clients that have their network access restricted will be automatically revalidated after remediation to provide a transparent end-user experience.
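The division of labor in the six-step process above (ACS authenticates identity and maps the verdict to a network access profile, NPS alone decides health) can be modeled as a small simulation. This is an added example, not Microsoft or Cisco code; the health requirements, VLAN numbers, profile names and computer accounts are constructed assumptions.

```python
from dataclasses import dataclass

# Health policy evaluated by NPS: every SHA claim must satisfy its requirement.
# Constructed requirements: host firewall on, antivirus signatures at most 7 days old.
NPS_HEALTH_POLICY = {
    "firewall": lambda v: v is True,
    "av_signature_age_days": lambda v: v <= 7,
}

# Network policy held by ACS: maps the NPS health verdict to an access profile.
# Constructed VLAN ids and profile names (compliant vs. remediation VLAN, step 6).
ACS_ACCESS_PROFILES = {
    "compliant": {"vlan": 10, "profile": "Full-Access"},
    "noncompliant": {"vlan": 99, "profile": "Remediation"},
}

@dataclass
class StatementOfHealth:
    """SoH assembled by the NAP Agent from the installed SHAs (step 1)."""
    identity: str
    claims: dict

def acs_authenticate(identity, directory):
    """ACS validates the 802.1X identity against AD DS (step 3)."""
    return identity in directory

def nps_evaluate(soh):
    """NPS applies health policy; returns health state and the failed checks (step 4)."""
    failures = [name for name, ok in NPS_HEALTH_POLICY.items()
                if name not in soh.claims or not ok(soh.claims[name])]
    return ("compliant" if not failures else "noncompliant", failures)

def nap_nac_access(soh, directory):
    """End-to-end decision: (access profile for the port, SoHR sent back to the client)."""
    if not acs_authenticate(soh.identity, directory):
        return None, {"result": "access-reject", "remediate": []}
    state, failures = nps_evaluate(soh)               # HCAP exchange ACS <-> NPS
    profile = ACS_ACCESS_PROFILES[state]              # ACS maps NPS verdict to network policy
    sohr = {"result": state, "remediate": failures}   # SoHR returned to NAP Agent (step 5)
    return profile, sohr

DIRECTORY = {"CONTOSO\\host01$", "CONTOSO\\host02$"}  # constructed AD DS computer accounts

if __name__ == "__main__":
    healthy = StatementOfHealth("CONTOSO\\host01$", {"firewall": True, "av_signature_age_days": 2})
    stale = StatementOfHealth("CONTOSO\\host02$", {"firewall": True, "av_signature_age_days": 30})
    print(nap_nac_access(healthy, DIRECTORY))   # compliant, VLAN 10
    print(nap_nac_access(stale, DIRECTORY))     # noncompliant, VLAN 99, remediate signatures
```

Revalidation after remediation (the transparent re-authentication the text describes) is simply the same exchange run again with a fresh SoH once the client has updated its signatures.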

For more information, see Network Admission Control (https://go.microsoft.com/fwlink/?LinkId=128907) and Network Access Protection (https://go.microsoft.com/fwlink/?LinkID=56443).