Security Solutions
A-16
Addendum to the ProCurve Access Control Security Design Guide
Microsoft NAP
NAP Enforcement Point
In AAA, a PEP provides network access to an endpoint and enforces a PDP’s
decisions. Similarly, a NAP enforcement point stands between an endpoint
and access to the network. NAP supports these enforcement points (some of
which can also be AAA PEPs and some of which cannot):
■ HRA—controls network access by issuing certificates, which are
required to authenticate communications in the unrestricted network
■ DHCP server—controls network access by assigning IP addresses to
endpoints, allowing the endpoints to reach either all addresses or a
restricted set of addresses
■ VPN server—controls network access by opening either unrestricted
security associations (SAs) with remote endpoints or filtered SAs
■ 802.1X authenticator—controls network access by placing ports (or
wireless associations) in either an unrestricted or restricted VLAN
As you learned earlier, an endpoint has several NAP ECs, each of which
corresponds to a particular type of enforcement point (or, more precisely, to
an enforcement server [ES] on the enforcement point). The appropriate EC
submits the endpoint’s SSoH to the NAP enforcement point.
Table A-2. NAP ECs and Corresponding NAP Enforcement Points

NAP EC          NAP Enforcement Point
IPsec NAP EC    HRA (on Windows Server 2008)
DHCP NAP EC     DHCP server (on Windows Server 2008)
VPN NAP EC      VPN gateway
EAP NAP EC      802.1X authenticator

The enforcement point forwards the SSoH to the NPS using RADIUS (much
as a PDP forwards a user’s credentials to a RADIUS server). After the NPS
verifies the endpoint’s health and makes an access control decision, the NAP
enforcement point applies the appropriate controls.
NPS
Like an AAA PDP, an NPS makes policy-based decisions about the level of
network access that the endpoint should receive. For each SHA on the NAP
client, the NPS has a corresponding system health validator (SHV), which
holds the current requirements for system health. The NPS compares the
requirements in the SHVs with the values reported in the endpoint’s SSoH.
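An added example, not part of the guide, that models the flow just described (the EC submits an SSoH, the NPS compares it with its SHVs, and the enforcement point applies the resulting decision). The SHV name, health keys, sample SSoH values and action strings are constructed for the illustration, and the RADIUS hop is replaced by a local function call.

```python
# Added example (not from the guide): a minimal model of the NAP flow
# described above. The SHV keys, sample SSoH values and action strings
# are constructed for illustration, not Microsoft's actual SHV settings.

# NPS side: one SHV per SHA, holding the current health requirements.
SHV_REQUIREMENTS = {
    "ExampleSHV": {                    # constructed SHA/SHV name
        "firewall_enabled": True,
        "antivirus_enabled": True,
        "antivirus_up_to_date": True,
        "automatic_updates_enabled": True,
    },
}

# Enforcement-point side: the control each of the four enforcement points
# listed above applies, as (unrestricted action, restricted action).
ENFORCEMENT_ACTIONS = {
    "HRA":    ("issue health certificate", "withhold health certificate"),
    "DHCP":   ("lease address with full reachability", "lease address with restricted reachability"),
    "VPN":    ("open unrestricted SA", "open filtered SA"),
    "802.1X": ("place port in unrestricted VLAN", "place port in restricted VLAN"),
}

def evaluate_ssoh(ssoh, shvs=SHV_REQUIREMENTS):
    """NPS role: compare each SHV's requirements with the matching SoH in
    the endpoint's SSoH. A missing SoH fails closed."""
    failures = []
    for sha, required in shvs.items():
        reported = ssoh.get(sha)
        if reported is None:
            failures.append(f"{sha}: no SoH submitted")
            continue
        for key, want in required.items():
            got = reported.get(key)
            if got != want:
                failures.append(f"{sha}: {key}={got!r}, required {want!r}")
    return ("unrestricted" if not failures else "restricted"), failures

def enforce(enforcement_point, ssoh):
    """Enforcement-point role: hand the SSoH to NPS (a local call here,
    RADIUS in a real deployment) and apply the matching control."""
    decision, failures = evaluate_ssoh(ssoh)
    unrestricted, restricted = ENFORCEMENT_ACTIONS[enforcement_point]
    action = unrestricted if decision == "unrestricted" else restricted
    return {"decision": decision, "action": action, "failures": failures}

# Constructed sample SSoHs: a compliant endpoint and one with stale antivirus.
HEALTHY_SSOH = {"ExampleSHV": dict(SHV_REQUIREMENTS["ExampleSHV"])}
STALE_AV_SSOH = {"ExampleSHV": {**HEALTHY_SSOH["ExampleSHV"], "antivirus_up_to_date": False}}
```

Running `enforce("802.1X", STALE_AV_SSOH)` shows the port landing in the restricted VLAN with the failed check named, which is the information a help desk needs when a user reports being quarantined.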