NAP Common Question Series: How does NAP restrict endpoints? Does NAP == DHCP?
This is the first in a series of posts to address common questions about NAP. If you have a topic you would like to see addressed, feel free to post it to the comments section. We’ll collect these in the product team and do our best to answer them.
One common misconception about NAP is the idea that it is based on DHCP and requires a Microsoft DHCP infrastructure to deploy. This is not the case. While it is true that NAP can be deployed with MS DHCP, it is not true that DHCP is the only enforcement mechanism or that it is required.
The NAP platform is extensible with respect to the isolation it imposes on end systems. It enables switches, routers, host firewalls, VPN gateways, Network Access Control appliances and more to "plug into" a NAP deployment and enforce restrictions on network endpoints. The APIs that enable third-party enforcement with NAP are published on MSDN.
The same NAP backend can control the activities of multiple enforcement systems. For example, in our lab today, we have Network Policy Servers that are controlling the following:
1.) Dynamic VLAN assignment on 802.1x switches
2.) The issuance of certificates required for clients to access certain servers on our network
3.) The assignment of DHCP addresses and routes
4.) The filters enforced by our VPN gateways
In all of the above cases, the level of access granted is based on the compliance of the endpoints (the team’s desktops and laptops).
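The decoupling described above, as an added illustration that is not NAP's own code or API: one compliance verdict from the policy server fans out to several pluggable enforcers (VLAN, DHCP routes, health certificate, VPN filter). The check names, VLAN numbers and the remediation-server address are constructed assumptions; a check missing from the client's report is treated as a failure so the decision fails closed.

```python
from dataclasses import dataclass
from typing import Dict, List, Protocol

# Checks the policy server requires before granting full access.
# Names are illustrative assumptions, not real NAP health validator identifiers.
REQUIRED_CHECKS = ("firewall_on", "antivirus_current", "updates_installed")

@dataclass
class StatementOfHealth:
    """Constructed stand-in for what a client's health agents report."""
    client: str
    checks: Dict[str, bool]

def evaluate(soh: StatementOfHealth) -> str:
    """'compliant' only if every required check is reported and passes.
    A check absent from the report counts as a failure (fail closed)."""
    ok = all(soh.checks.get(name, False) for name in REQUIRED_CHECKS)
    return "compliant" if ok else "restricted"

class Enforcer(Protocol):
    """Plug-in contract: turn one health verdict into an enforcement action."""
    def enforce(self, verdict: str) -> dict: ...

class VlanEnforcer:            # 802.1x switch: dynamic VLAN assignment
    def enforce(self, verdict):
        return {"vlan": 100 if verdict == "compliant" else 999}  # 999 = remediation VLAN

class DhcpEnforcer:            # DHCP: restricted clients get routes to remediation only
    def enforce(self, verdict):
        routes = ["0.0.0.0/0"] if verdict == "compliant" else ["192.0.2.10/32"]  # constructed remediation host
        return {"routes": routes}

class CertEnforcer:            # IPsec: health certificate issued only to compliant clients
    def enforce(self, verdict):
        return {"health_cert_issued": verdict == "compliant"}

class VpnEnforcer:             # VPN gateway: packet filter applied to restricted clients
    def enforce(self, verdict):
        return {"filter": "allow-all" if verdict == "compliant" else "remediation-only"}

def apply_policy(soh: StatementOfHealth, enforcers: List[Enforcer]) -> Dict[str, dict]:
    """One verdict from the policy server, fanned out to every registered enforcer."""
    verdict = evaluate(soh)
    result: Dict[str, dict] = {"verdict": verdict}
    for e in enforcers:
        result[type(e).__name__] = e.enforce(verdict)
    return result

if __name__ == "__main__":
    laptop = StatementOfHealth("laptop-01", {"firewall_on": True, "antivirus_current": False, "updates_installed": True})
    print(apply_policy(laptop, [VlanEnforcer(), DhcpEnforcer(), CertEnforcer(), VpnEnforcer()]))
```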
The idea behind making the enforcement extensible is that it enables customers to target the specific threats that are most important in their environments. They can choose the products and vendors that provide the most economical and effective mitigations to the threats they care about.
Included in Windows will be the ability to provide enforcement with 802.1x, the Windows Authenticating Host Firewall (IPsec), DHCP, ISA, RRAS and Terminal Services Gateway. Additionally, we are working with switch, router, firewall, VPN and NAC appliance vendors to ensure that a broad menu of products will be available for customers to deploy with NAP.
We publish a list of NAP partners here.
-Paul Mayfield
Group Program Manager
Network Access Protection