Network Access Protection - Overview

Overview

NAP clients are computers that report system health to a NAP enforcement point. A NAP enforcement point is a computer or network access device that can require the evaluation of a NAP client’s health state and optionally provide restricted network access or communication. NAP enforcement points can be IEEE 802.1X-capable switches or VPN servers, DHCP servers, or Health Registration Authorities (HRAs) that run Windows Server 2008 or Windows Server 2008 R2. The NAP health policy server is a computer running the Network Policy Server (NPS) service in Windows Server 2008 or Windows Server 2008 R2 that stores health requirement policies and provides health evaluation for NAP clients. Health requirement policies are configured by the administrator and can include settings that require NAP client computers to have the latest antivirus definitions and security updates installed, to have a personal firewall enabled, and to meet other requirements.

When a NAP-capable client computer contacts a NAP enforcement point, it submits its current health state. The NAP enforcement point sends the NAP client’s health state to the NAP health policy server for evaluation using the RADIUS protocol. The NAP health policy server can also act as a RADIUS-based authentication server for the NAP client.

The NAP health policy server can use a health requirement server to validate the health state of the NAP client or to determine the current version of software or updates that need to be installed on the NAP client. For example, a health requirement server might track the latest version of an antivirus signature file.

If the NAP enforcement point is an HRA, it obtains health certificates from a certification authority for NAP clients that are determined to be compliant with health requirements. If the NAP client is determined to be noncompliant with health requirements, it can optionally be placed on a restricted network. The restricted network is a logical subset of the intranet and contains resources that allow a noncompliant NAP client to correct its system health. Servers that contain system health components or updates are known as remediation servers. A noncompliant NAP client on the restricted network can access remediation servers and install the necessary components and updates. After remediation is complete, the NAP client can perform a new health evaluation in conjunction with a new request for network access or communication.
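The evaluation-and-remediation cycle described above, modelled end to end as an added example (this is illustrative code written for this page, not Microsoft's NPS implementation or its real SoH format): a constructed health requirement policy, a simplified statement of health, the health policy server's verdict with either a stand-in health certificate or a restricted-network remediation list, and the re-evaluation after the remediation servers have been used. The placeholder signature date and update identifiers are assumptions.

```python
from dataclasses import dataclass

# Constructed health requirement policy, standing in for what an administrator
# configures on the NPS health policy server; both values are placeholders.
REQUIRED_AV_SIGNATURES = "2010-06-01"   # ISO date of the newest known signature file
REQUIRED_UPDATES = frozenset({"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"})

@dataclass
class StatementOfHealth:
    client: str
    av_signatures: str              # ISO date string, so string comparison orders it
    installed_updates: frozenset
    firewall_enabled: bool

@dataclass
class HealthEvaluation:
    compliant: bool
    failures: list                  # reasons for noncompliance, empty when compliant
    access: str                     # "full" or "restricted"
    remediation: list               # what the remediation servers must supply
    health_certificate: dict = None # stands in for the certificate the HRA obtains

def evaluate_health(soh: StatementOfHealth) -> HealthEvaluation:
    """Health policy server step: check the SoH against every requirement."""
    failures, remediation = [], []
    if soh.av_signatures < REQUIRED_AV_SIGNATURES:
        failures.append("antivirus definitions out of date")
        remediation.append({"type": "av_signatures", "version": REQUIRED_AV_SIGNATURES})
    missing = sorted(REQUIRED_UPDATES - soh.installed_updates)
    if missing:
        failures.append("missing security updates: " + ", ".join(missing))
        remediation.append({"type": "updates", "ids": missing})
    if not soh.firewall_enabled:
        failures.append("personal firewall disabled")
        remediation.append({"type": "firewall"})
    if failures:                    # noncompliant: restricted network plus remediation list
        return HealthEvaluation(False, failures, "restricted", remediation)
    cert = {"subject": soh.client, "policy": "health-compliant"}  # from the CA via the HRA
    return HealthEvaluation(True, [], "full", [], cert)

def remediate(soh: StatementOfHealth, evaluation: HealthEvaluation) -> StatementOfHealth:
    """Apply what the remediation servers supply; the client then resubmits its SoH."""
    av, updates, fw = soh.av_signatures, set(soh.installed_updates), soh.firewall_enabled
    for step in evaluation.remediation:
        if step["type"] == "av_signatures":
            av = step["version"]
        elif step["type"] == "updates":
            updates.update(step["ids"])
        else:                       # "firewall"
            fw = True
    return StatementOfHealth(soh.client, av, frozenset(updates), fw)
```

A client whose report fails any requirement gets no certificate and a remediation list; once that list is applied, the same evaluation grants full access.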
