NAC NAP Whitepaper

8/7/2019 NAC NAP Whitepaper

1/8

Cisco Network Admission Control andMicrosoft Network Access ProtectionInteroperability ArchitectureCisco Systems and Microsoft CorporationPublished: September 2006


2/8

AbstractCisco Systems, Inc. and Microsoft Corporation have developedan interoperability architecture that allows customers to deploy boththe Network Admission Control (NAC) platform available fromCisco and the Network Access Protection (NAP) platform beingdeveloped for Microsoft Windows Vista (now in beta testing) andWindows Server code name Longhorn (now in beta testing). Theresult is a set of components that interoperate, allowing customers toenforce health requirements for network access using a combination of components from Cisco and Microsoft. This white paper describes the setof characteristics that will support the interoperability architecture andhow the interoperability architecture works.


3/8

Contents

Interoperability Features and Benefits 4

Interoperability and Customer Choice 4Investment Protection 4Single Agent Included in Windows Vista 4ISV Integration Ecosystem 4Agent Deployment and Update Support 4Cross-Platform Support 4

NAP and NAC Interoperability Architecture 5

How the NAC and NAP Interoperability Architecture Works 6

Summary 7

Related Links 7


4/8

Interoperability Features and BenefitsCisco and Microsoft have collaborated to enable richinteroperability between the Cisco Network AdmissionControl (NAC) and Microsoft Network AccessProtection (NAP) solutions. This interoperability willallow customers to realize the benefits of both NACand NAP while using and preserving their investmentsin their NAC network and Microsoft NAP desktop andserver infrastructure. Interoperability will be supportedwith the release of NAP in the future version of Windows Server, codenamed Longhorn, which isscheduled to be available in the second half of 007.Primary features and benefits of the solution include: Interoperability and customer choice Investment protection Single agent included in Windows Vista Independent Software Vendor (ISV)

integration ecosystem Agent deployment and update support Cross-platform support

Interoperability and Customer ChoiceThe interoperability architecture allows customers todeploy both NAC and NAP incrementally orconcurrently. Deployment of heterogeneous NAC andNAP agent (the Cisco Trust Agent and the NAP Agent)environments is also supported. The client agentarchitecture will be transparent to the Cisco networkdevices enforcing network access.Deploying both the Cisco Secure Access Control Server(ACS) and the Microsoft Network Policy Server (NPS)will be required for the initial interoperability release.However, Cisco and Microsoft have cross-licensedthe NAC and NAP protocols, which provides theopportunity for both companies to respond to futuremarket and customer requirements for a combinedpolicy product.

Investment ProtectionThe interoperability architecture enables customer reuseand investment protection of their NAC and/or NAPdeployments. For example, customers can begindeploying NAC today and integrate NAP into theenvironment concurrent with their deployment of Windows Vista and Windows Server Longhorn.

Single Agent Included in Windows VistaComputers running Windows Vista or Windows ServerLonghorn will include the NAP Agent component aspart of the core operating system, which will be used forboth NAP and NAC. In addition to the native ExtensibleAuthentication Protocol (EAP) methods and the 80 . Xsupplicant that are included with the Windows Vista andWindows Server Longhorn operating systems, an

additional EAP-FAST method and EAPoverUDPsupplicant will be provided to enable interoperabilitybetween NAC and NAP. The EAP-FAST method andEAPoverUDP supplicant will be developed by Ciscoand distributed by Microsoft with Windows Update

and Windows Server Update Services (WSUS)through the EAP Certification Program. Using 80 . X,EAPoverUDP, and EAP-FAST provides agenttransparency for the NAC network infrastructure.A single agent architecture for Windows Vista andWindows Server Longhorn greatly simplifies thedeployment of a health infrastructure consistingof NAP components, NAC components, or acombination of the two.Computers running Windows XP with Service Pack will need to run the Cisco Trust Agent for NAC and runthe NAP Agent for NAP.

ISV Integration EcosystemTo simplify the development of third-party health agentand health enforcement components for clients runningWindows Vista, the NAP client APIs will serve as thesingle programmatic interface used for health reportingand enforcement for both NAP and NAC. This willfacilitate the integration of applications that collecthealth information by ISVs.

Agent Deployment and Update SupportThe customer experience and process for deployingthe required agent components for interoperabilitywith Windows Vista and Windows Server Longhornwill be similar to deploying typical Windows operatingsystem services. The NAP Agent and 80 . X supplicantare native to the Windows Vista and Windows ServerLonghorn operating systems, and the EAP-FAST andEAPoverUDP modules, developed by Cisco, will bedistributed by Microsoft with Windows Update andWindows Server Update Services. Additionally, GroupPolicy configuration support for the agent components(including the EAP-FAST and EAPoverUDP modules)will be supported.

Cross-Platform SupportTo support client operating systems other thanWindows, Microsoft will license elements of the NAPclient technology to third-party software developers.Cisco will continue to support and develop its NACclient (the Cisco Trust Agent) for non-Windows Vistaand non-Windows Server Longhorn platforms andwill continue to execute on its publicly stated directionto submit the Cisco NAC protocols for standardizationthrough open standards processes.


5/8

Cisco NAC and Microsoft NAPInteroperability ArchitectureFigure shows the NAC and NAPinteroperability architecture.

The NAC and NAP interoperability architecture consists of the following components: NAP client (Microsoft):The NAP client computer is a computer

running Windows Vista or Windows Server Longhorn thatsends its health credentials as either a list of Statements of Health(SoHs) or a health certificate. The client architecture consistsof a layer of System Health Agents (SHAs), the NAP Agent, theEAPHost NAP Enforcement Client, EAP methods to performaccount credential authentication and indication of health status,and EAP supplicants that allow the client to send EAP messages

over 80 . X or UDP.To obtain a current health certificate, the NAP clientuses the Health Certificate Enrollment Protocol (HCEP)to send a certificate request and its list of SoHs to theHealth Registration Authority (HRA).

Network access devices (Cisco):NAC-enabled network access devices(which include switches, routers, wireless access points, VPNconcentrators, and so on) provide network access to clients andserve as network enforcement points.

Access Control Server (ACS) (Cisco):Cisco Secure ACS authorizesnetwork access for clients by validating the administrativelyspecified client attributes, which could include the identity of theuser and/or the computer, and the overall health state of theclient. Cisco Secure ACS sends an access profile to the networkaccess device(s) to grant the appropriate level of network access fo

the client based on the authorization result. Note that validation of the client health state attributes and assignment of the overall clienhealth state in the interoperability architecture are performed bythe Microsoft Network Policy Server.


6/8

Network Policy Server (NPS) (Microsoft): A Microsoft NPS performs the validation of thecomputers system health and provides remediationinstructions if needed.

Health Registration Authority (HRA) (Microsoft): An HRA obtains health certificates on behalf of NAP clients from a public key infrastructure(PKI) (not shown).

Policy servers (Microsoft or third party):Servers that provide current system health statefor Microsoft NPSs. Policy servers integrate withMicrosoft NPSs through the NPS System HealthValidator (SHV) API.

To accommodate this interoperability architecture,the NAP and NAC platforms will support the following: Cisco Secure ACS will pass the list of SoHs

from the NAP agent to an NPS for overall clienthealth validation.

Microsoft NPS will support the Cisco HostCredentials Authorization Protocol (HCAP) toreceive the list of SoHs from Cisco Secure ACSand return the list of SoH Responses (SoHRs).

Cisco Secure ACSs will perform network accessvalidation based on a health certificate.

How the NAC and NAP InteroperabilityArchitecture WorksUpon connection to the network, the client will providea set of credentials that will be validated in order toauthenticate and authorize the appropriate level of network access. These client credentials can includeuser and/or computer identity credentials in additionto health credentials. Clients that are noncompliant canbe rate limited, quarantined, remediated, or similarlytreated before being granted normal network access.In the interoperability architecture, the client, using theNAP Agent, provides its credentials for validation. Thelist of SoHs (and optionally user and/or computeridentity) is sent to a Cisco Secure ACS with EAP-FASTcarried over 80 . X or EAPoverUDP. If a healthcertificate infrastructure is deployed, the client willsend its health certificate to the Cisco Secure ACS forvalidation rather than sending a list of SoHs.If the NAP Agent sends its list of SoHs to validate systemhealth, the Cisco Secure ACS will send the list of SoHsto a Microsoft NPS for validation using the Cisco HCAPprotocol. The Microsoft NPS evaluates the SoHRs againstthe configured health requirements and returns thehealth validation results, which include the individualSoHRs and the overall client System SoHR (SSoHR), to

the Cisco Secure ACS using HCAP. The Cisco Secure ACSwill evaluate all of the credential validation results(which can include user and/or computer identityin addition to the SSoHR) to select and send theappropriate access profile to the network access device(s)to grant the authorized level of network access for theclient. The Cisco Secure ACS will also return the SoHRsand the SSoHR to the NAP Agent on the client withEAP-FAST carried over 80 . X or EAPoverUDP.Noncompliant clients that are quarantined will beautomatically revalidated upon remediation to providea transparent end-user experience.If the NAP client sends its health certificate rather thana list of SoHs, the Cisco Secure ACS will validate thecertificate as the EAP-FAST session is established todetermine the overall client health state. As in the casewhere a list of SoHs is used, EAP-FAST is carried over80 . X or EAPoverUDP. Note that limited networkaccess to the HRA is required for the client to acquire ahealth certificate. The Cisco Secure ACS will validate thehealth certificate along with any other requiredcredentials (such as user and/or computer credentials)and send the appropriate access profile to the networkaccess device(s) to grant the authorized level of networkaccess for the client. If the client is noncompliant or if the client is unable to provide a health certificate, theclient will be quarantined for remediation, andrevalidation will occur automatically upon remediation.To obtain a health certificate, the NAP client uses HCEPto send a certificate request and its list of SoHs to the

HRA. The HRA sends the list of SoHs to the MicrosoftNPS. The Microsoft NPS evaluates the SoHRs against theconfigured health requirements and sends the SSoHR andthe list of SoHRs back to the HRA. If the NAP client does not need to be remediated, the

HRA requests a health certificate from the PKI(not shown) and forwards it along with the SSoHRand the list of SoHRs to the NAP client.

If the NAP client needs to be remediated, the HRAsends the SSoHR and the list of SoHRs to the NAPclient. The NAP client performs the appropriateremediation and sends a new certificate request and

its updated list of SoHs to the HRA.


7/8

SummaryCisco and Microsoft have collaborated to enable richinteroperability between the Cisco Network AdmissionControl (NAC) and Microsoft Network AccessProtection (NAP) solutions. This interoperability willallow customers to realize the benefits of both NAC andNAP while using and preserving their investments intheir Cisco NAC network and Microsoft NAPdesktop and server infrastructure. Interoperability willbe supported with the release of NAP in Windows ServerLonghorn, which is scheduled to be available in thesecond half of 007.

Related LinksSee the following resources for further information: Microsoft Network Access Protection Web site at

www.microsoft.com/nap

Cisco Network Admission Control Web site atwww.cisco.com/go/nac


8/8

This White Paper is for informational purposes only. THIS WHITE PAPER IS PROVIDED

AS IS. NEITHER MICROSOFT NOR CISCO MAKES ANY WARRANTIES, EXPRESS,

IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. IN NO

EVENT WILL EITHER MICROSOFT OR CISCO BE LIABLE FOR ANY INDIRECT,

SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES INCLUDING WITHOUT

LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THEUSE OR INABILITY TO USE ANY COPYRIGHTED MATTER OR THE INFORMATION

PROVIDED HEREIN, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Complying with all applicable copyright laws is the respons ibility of the user. Without

limiting the rights under copyright, no part of this document may be reproduced, stored in

or introduced into a retrieval system, or transmitted in any form or by any means (electronic,

mechanical, photocopying, recording, or otherwise), or for any purpose, without the express

written permission of Microsoft and Cisco. Microsoft and Cisco may have patents, patent

applications, trademarks, copyrights, or other intellectual property rights covering subject

matter in this document. Except as expressly provided in any written license agreement

from Microsoft or Cisco, as applicable, the furnishing of this document does not give you any

license to these patents, trademarks, copyrights, or other intellectual proper ty.

Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, Network Access Protection,

and NAP, are either registered trademarks or trademarks of Microsoft Corporation in the

United States and/or other countries. Cisco, Cisco Systems, and the Cisco Systems logo

are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the

United States and certain other countries. All other trademarks are property of their

respective owners.

Microsoft and Cisco employees may reference or cite portions of this white paper in

marketing collateral, presentations and other marketing materials, but any use of the other

companys logo must be pre-approved by the other company in writing. Each employee has

the responsibility to contact its corporate legal department to ensure compliance with any

branding, copyright usage or o ther modification requirements.

006 Microsoft Corporation and Cisco Systems, Inc. All rights reserved.

NAC NAP Whitepaper

Documents

Transcript of NAC NAP Whitepaper