Module 5: Network Policies and Access Protection

Module Overview
  Network Policies Access Protection
  Enforcement Options
  Network Access Protection Scenarios

Lesson 1: Network Policies Access Protection
  Why Use Network Access Protection?
  Network Protection Services Overview
  Network Access Protection Solution
  NAP Architecture Overview
  Network Layer Protection with NAP
  Host Layer Protection with NAP

Why Use Network Access Protection?
  Diagram labels: Healthy computer; Unhealthy computer; Private Network

Network Protection Services Overview
  Network Policy Server (NPS)
  Network Access Protection (NAP) Policy Server
  IEEE 802.11 Wireless
  IEEE 802.3 Wired
  RADIUS Server
  RADIUS Proxy
  Routing and Remote Access
  Remote Access Service
  Routing
  Health Registration Authority (HRA)

Network Access Protection Solution
  Policy Validation
  Network Restriction
  Remediation
  Ongoing Compliance
  Diagram layers:
    Data
    Application
    Host
    Internal Network
    Perimeter
    Policies, Procedures & Awareness

NAP Architecture Overview
  Diagram labels: Remediation Servers; System Health Servers; Updates; Client; Health Statements; Network Access Requests; System Health Agent (SHA); Health policy; MS Network Policy Server; MS and 3rd Parties; Quarantine Agent (QA); Enforcement Client (EC) (DHCP, IPSec, 802.1X, VPN); Health Certificate; Network Access Devices and Servers; System Health Validator; Quarantine Server (QS)

Network Layer Protection with NAP
  Diagram labels: Restricted Network; Remediation Servers; System Health Servers; Client; 802.1x Switch; MS NPS
  Callouts:
    "Here you go."
    "Can I have updates?"
    "Ongoing policy updates to Network Policy Server"
    "May I have access?"
    "Requesting access. Here’s my current health status."
    "Here’s my new health status."
    "You are given restricted access until fix-up."
    "Should this client be restricted based on its health?"
    "According to policy, the client is not up to date. Quarantine client, request it to update."
    "According to policy, the client is up to date. Grant access."
    "Client is granted access to full intranet."

Host Layer Protection with NAP
  Diagram labels: No Policy; Authentication Optional; Authentication Required; Client; HRA; NPS; Remediation Server
  Callouts:
    "May I have a health certificate? Here’s my SoH."
    "You don’t get a health certificate. Go fix up."
    "Here’s your health certificate."
    "I need updates."
    "Client ok?"
    "Accessing the network"
    "Yes. Issue health certificate."
    "No. Needs fix-up."
    "Here you go."

Lesson 2: Enforcement Options
  NAP – Enforcement Options
  NAP with DHCP
  IPsec-based Communication
  NAP with RRAS

NAP – Enforcement Options
  Enforcement | Healthy Client | Unhealthy Client
  DHCP | Full IP address given, full access | Restricted set of routes
  VPN | Full access | Restricted VLAN
  802.1X | Full access | Restricted VLAN
  IPsec | Can communicate with any trusted peer | Healthy peers reject connection requests from unhealthy systems

  Complements layer 2 protection
  Works with existing servers and infrastructure
  Offers flexible isolation

NAP with DHCP
  Diagram labels: Client; IEEE 802.1X Devices; DHCP Server
  Callouts:
    "I need to lease an IP address"
    "Requesting access. Here’s my new health status."
    "You are not within the Health Policy requirements"
    "Access Granted."
    "Here is your new IP Address"
    "The client requests and receives updates"
  Diagram labels: Remediation Servers; NPS Server; VPN Server

IPsec-based Communication
  Diagram labels: Secure network; IPsec Authenticated; Unauthenticated; Boundary network; Restricted network

NAP with RRAS
  Diagram labels: RADIUS Messages; PEAP Messages; Client; VPN Server; Remediation Servers; NPS Server

Lesson 3: Network Access Protection Scenarios
  Scenario 1: Roaming Laptops
  Scenario 2: Health of Desktop Computers
  Scenario 3: Health of Visiting Laptops
  Scenario 4: Unmanaged Home Computers

Scenario 1: Roaming Laptops
  Diagram labels: NAP

Scenario 2: Health of Desktop Computers
  Diagram labels: Network Policy Server

Scenario 3: Health of Visiting Laptops
  Diagram labels: Network Policy Server

Scenario 4: Unmanaged Home Computers

Review
  Network Policies Access Protection
  Enforcement Options
  Network Access Protection Scenarios

Lab: Using Network Access Protection
  Exercise 1: Configuring Network Access Protection for DHCP