802.1x NAP Enforcement

In my last post I committed to coming back and giving you more information on the many enforcement options available with Network Access Protection (VPN, DHCP, IPSEC, 802.1x).

 

With that in mind, I thought I would start with 802.1x-based Network Access Protection. Let’s begin by looking at the actors that are involved in a typical NAP deployment:

  • Client – The host whose health is being checked.
  • Network Access Device – The device that provides access to the service, host or network.
  • Policy Server – The policy server used by the network access device to evaluate the client’s request for access.

In the context of 802.1x-based Network Access Protection, the client is an XP + NAP, Vista or Longhorn host, the Network Access Device is the 802.1x-capable access point or switch, and the Policy Server is the Longhorn Network Policy Server (NPS, formerly known as IAS).

With the actors out of the way, let’s talk about how the isolation takes place in this scenario. There are really three ways:

  1. RADIUS w/ port shut-off
  2. RADIUS w/ static VLAN assignment
  3. RADIUS w/ dynamic VLAN assignment

With the 1st option, if the client does not meet the policy being enforced by the Policy Server for that Network Access Device, the port on the access device is just shut off.

With the 2nd option, if the client does not meet the policy being enforced by the Policy Server, the Network Access Device assigns the port to a static VLAN that was defined on the access point.

The 3rd option is the really interesting one where the VLANs are dynamically assigned by the Policy Server based on the health state of the client. This assignment happens by having the Policy Server pass identifiers to the Network Access Device (via RADIUS attributes) telling it which VLAN to assign the client to.

Now let’s walk through a basic 802.1x authentication scenario. In this scenario I want to show you just how the host gets quarantined.

Our client in this case plugs a domain-joined notebook into the wall; that wall port is backed by a smart switch that supports dynamic VLAN assignment.

The switch has been configured to require authentication and to send those requests to our Policy Server. It has also had several VLANs defined on it (in our case we will say there are 2 VLANs: the healthy VLAN and the quarantine VLAN).

The Policy Server administrator has defined what “healthy” means for that particular Network Access Device and specified which VLAN to assign when a host is found to be healthy as well as which one to assign when the host is found to be unhealthy. To enable the exchange of health state, the Policy Server has also been set up so that authentication happens over PEAP.

When the client is challenged to authenticate to the network, the NAP client gathers the “health state” of the client and provides it to the PEAP layer so that it is passed along with any credentials needed by the inner EAP method.

Using all the information that was retrieved about the client (user principal, machine principal, machine health state), the request is evaluated against the policy on the Policy Server. Based on this evaluation, a VLAN identifier is passed back to the switch and the client is placed on the VLAN that was specified.
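
The VLAN hand-off in the walk-through above, sketched as an added example (not code from the original post or from NPS). It assumes the Policy Server uses the standard RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which the post does not name; the VLAN IDs 10 and 99 and all function names are made up for illustration.

```python
# RADIUS attribute types (RFC 2868) and the values RFC 3580 defines for VLANs.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
# Constructed VLAN IDs for the two VLANs in the walk-through (assumption).
HEALTHY_VLAN, QUARANTINE_VLAN = 10, 99


def policy_decision(authenticated, healthy):
    """Policy Server side: VLAN ID to return, or None to reject the request."""
    if not authenticated:
        return None
    return HEALTHY_VLAN if healthy else QUARANTINE_VLAN


def encode_vlan_attributes(vlan_id):
    """Encode the three tunnel attributes carried in the Access-Accept."""
    def tagged(attr_type, value):
        # type, length=6, tag=0, 3-byte value
        return bytes([attr_type, 6, 0]) + value.to_bytes(3, "big")
    group = str(vlan_id).encode("ascii")
    return (tagged(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group)


def vlan_from_attributes(data):
    """Switch side: VLAN ID to apply, or None if the assignment is not valid.

    None means the caller must not place the port on the healthy VLAN.
    """
    found, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            return None  # truncated or malformed attribute
        found[attr_type] = data[i + 2:i + length]
        i += length
    if i != len(data):
        return None  # trailing bytes that do not form an attribute
    ttype = found.get(TUNNEL_TYPE, b"")
    medium = found.get(TUNNEL_MEDIUM_TYPE, b"")
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(medium[1:], "big") != TUNNEL_MEDIUM_802:
        return None
    if group and group[0] <= 0x1F:
        group = group[1:]  # optional tag byte precedes the string
    if not group.isdigit():
        return None
    vlan = int(group)
    return vlan if 1 <= vlan <= 4094 else None
```

Treating every malformed or incomplete attribute set as "no assignment" keeps a parsing error on the switch from ever resolving to the healthy VLAN.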

In a nutshell, that’s 802.1x Network Access Protection. With the client on this restricted network, it can only talk to other hosts that are in quarantine or those that are necessary to become conformant with policy.

This is a pretty big topic to cover so let me know if you have any questions,

 

Ryan M. Hurst
Lead Program Manager
Layer 2 Authentication and Authorization
Windows Enterprise Networking