The 802.1X-compliant client
connects to and initiates authentication with the 802.1X-compliant access point, such
as an Ethernet switch or wireless access point. If authentication succeeds, the NPS server
asks the client for its Statement of Health (SoH) and evaluates whether the SoH is
compliant with the current network policy. If it is compliant, the 802.1X
client is granted access to the protected network; otherwise, it is limited to sending traffic
to remediation servers and keeps that limited access until it complies with
the health policy. Note that clients can also gain access by presenting a health
certificate instead of a SoH when requesting access from the NPS server. Because 802.1X
enforcement operates at the network layer and virtually isolates your untrusted hosts from
the rest of the system, it is also a good choice for NAP enforcement and can work well in
conjunction with IPSec enforcement.
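The following added example (not from the original text) shows one way to spot clients that stay in the limited-access state described above instead of remediating. It assumes NPS auditing records Windows Security events 6276 (quarantined) and 6278 (full access granted), which the text does not mention; the flat record layout, host names and two-hour threshold are constructed for illustration.

```python
from datetime import datetime, timedelta

# Windows Security audit event IDs logged by NPS for health-based decisions
# (assumed to be enabled; the source text does not name them).
QUARANTINED = 6276   # NPS quarantined a user (host failed health policy)
FULL_ACCESS = 6278   # NPS granted full access (host met health policy)

# Constructed sample records: "ISO timestamp,event id,client name".
# This flat layout is an assumption; real events come from the Security log.
SAMPLE_EVENTS = """\
2024-03-04T08:00:00,6276,LAPTOP-A
2024-03-04T08:05:00,6278,LAPTOP-A
2024-03-04T08:10:00,6276,LAPTOP-B
2024-03-04T09:00:00,6276,LAPTOP-B
2024-03-04T08:20:00,6278,DESKTOP-C
2024-03-04T11:30:00,6276,LAPTOP-D
"""

def parse_events(text):
    """Return (timestamp, event_id, client) tuples sorted by time."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, client = (field.strip() for field in line.split(","))
        rows.append((datetime.fromisoformat(ts), int(event_id), client))
    return sorted(rows)

def stuck_in_remediation(text, now, max_age=timedelta(hours=2)):
    """Return {client: time restricted} for clients restricted longer than max_age."""
    restricted_since = {}
    for ts, event_id, client in parse_events(text):
        if event_id == QUARANTINED:
            # Keep the first quarantine time; repeats mean still non-compliant.
            restricted_since.setdefault(client, ts)
        elif event_id == FULL_ACCESS:
            # Client became compliant, so it has left the restricted network.
            restricted_since.pop(client, None)
    return {c: now - since for c, since in restricted_since.items()
            if now - since > max_age}

if __name__ == "__main__":
    now = datetime(2024, 3, 4, 12, 0, 0)
    for client, age in stuck_in_remediation(SAMPLE_EVENTS, now).items():
        print(f"{client} restricted for {age}")
```

A host that keeps reappearing in this output either cannot reach the remediation servers or cannot satisfy the health policy, and both cases need an administrator's attention.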
VPN Enforcement
VPN enforcement is a good way to extend your NAP policy to protect yourself from
users accessing your network remotely through a VPN. NAP-aware VPN enforcement
agents check for health compliance and grant or deny VPN access based on the
NAP policy. Since inbound VPN connections typically make up the largest number of
hosts connecting to your network that you might not directly manage, it is very important
to implement some form of VPN enforcement as part of your overall NAP strategy.