How do Cisco's Network Admission Control (NAC) and Microsoft's Network Access Protection (NAP) work together?

In my experience, any serious conversation with a medium or large enterprise regarding NAP often quickly turns to "can I use Cisco's NAC with Microsoft's NAP?", shortly followed by "how does Cisco's NAC work with Microsoft's NAP?" Having said that, both technologies can be used by smaller enterprises too.

It's important to be aware that both solutions can be used on their own and are not prerequisites for one another. You could choose to use one in place of the other, given the right underlying infrastructure. If you are a "Cisco shop" with high-end switches everywhere, then NAC alone MIGHT be the right route. If you have a variety of network infrastructure providers and want the added assurance that integrating with IPsec can bring you, then NAP may well become your best (technical) friend!

It's been quite some time since both parties announced the "Cisco and Microsoft Unveil Joint Architecture for NAC-NAP Interoperability" agreement. I'm very pleased that both companies have invested considerable engineering effort to forge bridges to enable both technologies to work seamlessly together.

If you'd like to understand how NAC and NAP integrate, then it's worth reading "Cisco Network Admission Control and Microsoft Network Access Protection Interoperability Architecture", which explains all you'll need to know.

In summary, we (Microsoft) replaced our Internet Authentication Service (IAS) with our Network Policy Server (NPS), which (in addition to many other NAP functions) is able to proxy authentication requests to Cisco's NAC RADIUS server. It is also able to accept connection requests from Cisco's NAC 802.1X switches on behalf of clients.