Frequently asked questions (FAQ) about VPN NAP
Hi Folks,
In this blog, I will try to summarize the frequently asked questions about VPN Network access protection (NAP). Please feel free to comment on this blog - if you have more questions and I will answer & subsequently add those :)
Q: What is VPN NAP? How is it implemented?
A: When NAP is enforcemt using VPN based quaratine enforcement client, it is VPN NAP scenario. For example, when a remote access client (say a corporate issued laptop or home PC) connects to corporate network RRAS server enforcing NAP, the statement of health will be passed from the VPN client to the network policy server (NPS) server over PEAP authentication protocol. If the client PC is unhealthy, it will be put in quarantine - i.e. static filters will be applied on RRAS server to restrict the traffic coming in/going to this client to specific machine/subnet/port (i.e. to the group of remediation servers - contacting which the client can become healthy). Client remediates itself (like patch update, turning on firewall, etc). Once the client becomes healthy, it sends the new statement of health and then moves out of quarantine state (i.e. filters are removed).
Q: Can it be implemented for dialup based remote access scenario?
A: Yes - as long as PEAP protocol is supported (because statement of health is passed over PEAP protocol).
Q: Can VPN NAP be used for site-to-site based RRAS scenario?
A: Not really. VPN/Dialup NAP enforcement is for remote access client's health to be validated against corporate policy and cannot be used for site-to-site scenario with RRAS. It cannot be enabled for site-to-site based tunnels.
You may ask - can we deploy other forms of NAP enforcements like IPSec, DHCP or 802.1x inside the branch office and keep network policy server in head-office? Only issue I see in DHCP and 802.1x case is the WAN link delay impact - as the radius server packets will flow back & forth over WAN link - may cause impact. IPSec NAP can still work because communication between IPSec based QEC and HRA is over HTTPS (i.e. TCP).
Q: Is VPN NAP supported for PPTP as well as L2TP/IPSec?
A: Yes - NAP is independent of the VPN tunnel type. VPN NAP is implemented via PEAP authentication protocol which is part of PPP authentication stage and hence independent of tunnel type (which is below PPP layer on the protocol layering perspective)
Q: Is VPN NAP supported for IPv4 as well as IPv6?
A: Yes - for the same reason as given above
Q: What are the requirements for VPN NAP?
A: Vista based VPN clients, LH based VPN server (routing and remote access server or RRAS) and LH based radius server (called as network policy server or NPS). Microsoft is investigating a client update for computers running Windows XP with Service Pack 2. For the latest information about the NAP Client for Windows XP, see https://blogs.technet.com/nap/archive/2006/05/17/444119.aspx
Q: How to enable VPN NAP? What are the main configuration steps?
A: On the RAS client side, NAP agent service should be running and RAS connection should be created with PEAP authentication with "Enable Quarantine checks". On the RRAS server side, PEAP should be allowed as authentication protocol and radius server based authentication provider. The NPS based radius server can be installed locally on the RRAS box or some other machine running on the network. The NPS server should be configured for NAP. For further details, please refer to step-by-step guide at: https://blogs.technet.com/rrasblog/archive/2006/06/29/439291.aspx
Q: Does it require certificate to enable PEAP?
A: Yes on the NPS server side (because PEAP is based upon TLS). Optional on the client side - depends upon what EAP method is carried inside PEAP. If it is PEAP-MSCHAPv2 - you don't need on the client side. But if it is PEAP-EAPTLS or PEAP-EAPsmartcard - you need client side certificate too. Note: If you are using L2TP/IPsec tunnel, then you need machine certificates on VPN client as well as RRAS server side - but this is independent of NAP scenario.
Q: How VPN NAP is different from RQS/RQC based quarantine solution?
A: Despite the similar name, Network Access Protection is not Network Access Quarantine Control. The original Network Access Quarantine Control functionality that originally shipped with Windows Server 2003 and the Windows Server 2003 Resource Kit Tools is based only on client inspection and is strictly a remote access solution. Network Access Quarantine Control requires customer-written, customized scripts to perform compliance checks, and the APIs were not supported (ISA Server 2004 now supports them). The new Network Access Protection platform allows for third-party vendors to take part in the policy decisions. Network Access Protection also allows for remote, local, managed, unmanaged, and guest client inspection, which offers significantly more functionality than only remote access connections that are supported by Network Access Quarantine Control.
Network Access Protection is essentially the replacement for Network Access Quarantine Control in Windows Server 2003 and the long-term solution for customers. Microsoft anticipates that partners will provide services and solutions to assist customers with maintenance of their existing investment or the update of their networks based on this new architecture.
Q: What will happen when the PC moves inside corporate network - when there is no VPN?
A: You should deploy some other NAP enforcement (like DHCP, 802.1x or IPSec) inside your corporate network to take care of this. The beauty of NAP architecutre is same set of policies can be applied on the same PC when connecting over different enforcement. For example, when the laptop is at home, VPN NAP is enforced; when the laptop is inside corporate network using wireless - 802.1x can be enforced; when the laptop is joined to ethernet using DHCP - DHCP can be enforced; etc.
Q: Can there be double enforcement?
A: No - in most of the cases. But sometimes yes - for example you take your laptop home and get VPN enforcement. And if you have done IPSec enforcement, you may get that enforcement too. But it should not matter - as long as your policies remain the same.
For further details, please refer to:
https://www.microsoft.com/technet/itsolutions/network/nap/default.mspx
https://www.microsoft.com/technet/itsolutions/network/nap/napfaq.mspx
Cheers,
Samir Jain
Lead Program Manager
RRAS, Windows Enterprise Networking
[This posting is provided "AS IS" with no warranties, and confers no rights.]