257 Chapter 8: Network Policy and Access Services
IPSec Enforcement
IPSec enforcement works by using X.509 certificates to control network access. Any host without a valid health certificate is not allowed to communicate with hosts that do have one. By using IPSec enforcement, hosts that require access must first request a certificate from the Health Registration Authority (HRA). The HRA checks for a host's compliance with the NAP policy. If it passes, the HRA obtains a health certificate from the certification authority (CA), which is then used to allow communication to other IPSec-enabled hosts with valid certificates. If it fails, the client is not given a health certificate but is instead given instructions on how to remediate itself. The host is then granted limited access to the network where the remediation servers reside. Once remediation has occurred, the host is rechecked for compliance and issued a valid health certificate if it passes; otherwise, it must undergo the remediation process again. This is the recommended method for NAP policy enforcement, as it is the strongest method for restricting network access.
TIP If yours is a mixed environment that includes hosts that currently do not support NAP, you
can manually grant them access by creating exclusions for hosts and devices from health policy
requirements.
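The following is an added example, not code from the book or from Windows NAP itself. It models the IPSec enforcement flow described above: the HRA compares a host's reported statement of health against policy, obtains a health certificate from a CA when the host is compliant, and otherwise returns remediation instructions while the host may reach only the remediation servers. It also models the TIP's exclusion list and the recheck after remediation or certificate expiry. The policy items, server names, certificate lifetime and the `fix:` instruction format are all constructed assumptions for the example.

```python
"""Model of NAP IPSec enforcement (constructed example, not the Windows code).

Rules modelled from the text:
  * a compliant host gets a health certificate from the CA via the HRA;
  * a non-compliant host gets remediation instructions instead and may only
    reach the remediation network;
  * two hosts may talk only if BOTH hold a valid health certificate;
  * excluded (non-NAP-capable) hosts are granted access manually.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed health policy: each key is a requirement the statement of health must meet.
POLICY = {"firewall_on": True, "antivirus_current": True, "patches_current": True}

# Assumed remediation servers reachable even without a health certificate.
REMEDIATION_SERVERS = {"wsus.example.local", "av-update.example.local"}


@dataclass
class HealthCertificate:
    subject: str
    not_after: datetime

    def is_valid(self, now: datetime) -> bool:
        # Expiry forces the host back through the HRA for a recheck.
        return now < self.not_after


class CertificationAuthority:
    """Issues short-lived health certificates when asked to by the HRA."""

    def __init__(self, lifetime: timedelta = timedelta(hours=4)):
        self.lifetime = lifetime

    def issue(self, subject: str, now: datetime) -> HealthCertificate:
        return HealthCertificate(subject, now + self.lifetime)


@dataclass
class Host:
    name: str
    soh: Dict[str, bool]                       # statement of health reported by the NAP client
    cert: Optional[HealthCertificate] = None   # current health certificate, if any
    remediation: List[str] = field(default_factory=list)


class HealthRegistrationAuthority:
    def __init__(self, ca: CertificationAuthority, exclusions=()):
        self.ca = ca
        self.exclusions = set(exclusions)  # hosts manually excluded from health checks

    def evaluate(self, host: Host, now: datetime) -> Optional[HealthCertificate]:
        """Check the statement of health against POLICY; issue a cert or remediation steps."""
        failures = [k for k, required in POLICY.items() if host.soh.get(k) != required]
        if failures:
            host.cert = None                            # no certificate on failure
            host.remediation = [f"fix:{k}" for k in failures]  # assumed instruction format
            return None
        host.remediation = []
        host.cert = self.ca.issue(host.name, now)       # HRA obtains the cert from the CA
        return host.cert


def allowed(src: Host, dst_name: str, hosts: Dict[str, Host],
            hra: HealthRegistrationAuthority, now: datetime) -> bool:
    """IPSec enforcement decision for traffic from src to dst_name."""
    if dst_name in REMEDIATION_SERVERS:
        return True                                     # limited access for remediation
    if src.name in hra.exclusions or dst_name in hra.exclusions:
        return True                                     # manual exclusion (see TIP)
    dst = hosts.get(dst_name)
    if dst is None:
        return False
    return all(h.cert is not None and h.cert.is_valid(now) for h in (src, dst))


def run_scenario() -> dict:
    """Walk one host through failure, remediation and recheck; return the decisions."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    hra = HealthRegistrationAuthority(CertificationAuthority(), exclusions={"printer01"})
    ws01 = Host("ws01", {"firewall_on": True, "antivirus_current": True, "patches_current": True})
    ws02 = Host("ws02", {"firewall_on": True, "antivirus_current": False, "patches_current": True})
    hosts = {h.name: h for h in (ws01, ws02)}
    hra.evaluate(ws01, now)
    hra.evaluate(ws02, now)
    out = {
        "ws02_remediation": list(ws02.remediation),
        "ws02_to_ws01_before": allowed(ws02, "ws01", hosts, hra, now),
        "ws02_to_wsus": allowed(ws02, "wsus.example.local", hosts, hra, now),
    }
    ws02.soh["antivirus_current"] = True               # remediation done; recheck
    hra.evaluate(ws02, now)
    out["ws02_to_ws01_after"] = allowed(ws02, "ws01", hosts, hra, now)
    out["after_expiry"] = allowed(ws01, "ws02", hosts, hra, now + timedelta(hours=5))
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The certificate lifetime is deliberately short: in the model, as in the text, access depends on holding a currently valid health certificate, so an expired one sends the host back to the HRA for a fresh compliance check rather than leaving it permanently trusted.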
802.1X Enforcement
In this network layer-based enforcement method for NAP, hosts requiring access are placed in relative isolation either through IP filters or virtual LAN (VLAN) segmentation until they pass the required health checks defined by the NPS.