Providing 802.1X Enforcement For Network Access Protection
Mudit Goel, Development Manager, Windows Enterprise Networking, Microsoft Corporation

Goals
- Overview of Network Access Protection (NAP): architecture and extensibility
- Demonstrate 802.1x NAP
Target audience
- Hardware vendors (e.g. 1x hardware)
- Connectivity software (1x supplicants, EAP methods)

What Is In It For You?
- Add value to your hardware-based products or solutions
  - Demonstrated interoperability with NAP
  - Easy configuration of 1x hardware for NAP
  - Unique value that you can add to your device
- Easier to develop EAP-related software
  - EAP extensibility model
  - Client: supplicants and methods
  - Server: methods
- More satisfied customers

Life In A Highly-Connected World
Diagram: Internet, Intranet, Remote Employees, Remote Access Gateway, Web Server, Customers, Perimeter, Infrastructure Servers, Extranet Server, Business Partners
- Interconnected networks
- Distributed data
- Mobile workers
- Business extranets
- Remote access
- Web services
- Wireless
- Mobile smart devices

Problem
- Very little isolation in the network
- Customers control a very small percentage of endpoints
- De-perimeterization of devices is happening now
- Customers have little or no way of enforcing, or even validating, security policy compliance
- Need for security at multiple layers

Network Access Protection (NAP) Solution Overview
- Policy validation: are computers "healthy", i.e. compliant with the company's security policy?
- Network restriction: restrict network access based on the computer's health
- Remediation: provides the necessary updates to become healthy; once healthy, the network restrictions are removed
- Ongoing compliance: changes in a computer's health may dynamically result in network restrictions

Network Access Protection Walk-Through
Participants: Client, 802.1x switch / AP, Microsoft Network Policy Server (NPS), system health servers, remediation servers. The network is split into a Corporate Network and a Restricted Network.
1. System health servers to NPS: ongoing policy updates to the NPS policy server.
2. Client to switch / AP: "May I have access? Here's my current health status."
3. Switch / AP to NPS: "Should this client be restricted based on its health?"
4. NPS: "According to policy, the client is not up to date. Quarantine client, request it to update."
5. Client is told: "You are given restricted access until fix-up." The client is placed on the Restricted Network.
6. Client to remediation servers: "Can I have updates?" Remediation servers: "Here you go."
7. Client to switch / AP: "Requesting access. Here's my new health status."
8. NPS: "According to policy, the client is up to date. Grant access."
9. Client is granted access to the full intranet (Corporate Network).

NAP Architecture Overview
Client
- System Health Agent (SHA), from Microsoft and 3rd parties: health agents check client state
- NAP Agent (Quarantine Agent, QA): coordinates the SHAs and ECs
- Enforcement Client (EC) (DHCP, IPsec, 802.1X, VPN): the method of enforcement
Remediation servers
- Serve up patches, AV signatures, etc.
Network access devices and servers
- Access points, switches, VPN servers, HRA
Microsoft Network Policy Server (NPS)
- NAP Server (Quarantine Server, QS): coordinates the SHVs
- System Health Validator (SHV), from Microsoft and 3rd parties: validates client health
System health servers
- Provide client compliance policies
Diagram flows: health statements and network access requests from the client to the network access devices and servers; a health certificate back to the client; health policy updates from the system health servers to NPS.
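To make the roles on the walk-through and architecture slides concrete, here is a small simulation written for this page; it is not code from the presentation or from Microsoft. It models SHAs, the QA/EC and a remediation server on the client side and the QS/SHV pair on the NPS side, and runs the quarantine, remediate, re-request loop. The SoH layout, the policy values (a minimum AV signature version, a firewall-on check) and every name in it are constructed for the illustration; they are not the real SoH or RADIUS formats.

```python
"""Added example: a toy model of the NAP quarantine -> remediate -> full-access loop.
All names, policy values and the SoH layout are constructed for illustration."""
from dataclasses import dataclass

FULL_ACCESS = "full"
QUARANTINED = "quarantined"


@dataclass
class StatementOfHealth:
    """One SHA's report about the client (constructed format, not the real SoH)."""
    sha: str
    claims: dict


@dataclass
class Client:
    """Client side: the SHAs collect state, the QA bundles it, the EC sends it."""
    name: str
    firewall_on: bool
    av_signature_version: int

    def collect_soh(self) -> list:
        # SHA role: each health agent reports its own slice of client state
        return [
            StatementOfHealth("firewall", {"enabled": self.firewall_on}),
            StatementOfHealth("antivirus", {"sig_version": self.av_signature_version}),
        ]


class RemediationServer:
    """Serves up the fixes a restricted client needs (here: firewall and AV signatures)."""
    def __init__(self, latest_sig_version: int):
        self.latest_sig_version = latest_sig_version

    def remediate(self, client: Client) -> None:
        client.firewall_on = True
        client.av_signature_version = self.latest_sig_version


class NetworkPolicyServer:
    """QS role: hand each SoH to the matching SHV and turn the verdicts into a decision."""
    def __init__(self, min_sig_version: int, remediation_servers: list):
        self.min_sig_version = min_sig_version
        self.remediation_servers = remediation_servers
        # SHV role: one validator per health agent type
        self.validators = {
            "firewall": lambda c: c.get("enabled") is True,
            "antivirus": lambda c: c.get("sig_version", 0) >= self.min_sig_version,
        }

    def evaluate(self, sohs: list) -> dict:
        # An SoH that no SHV understands fails closed: no validator means non-compliant
        failed = [s.sha for s in sohs
                  if not self.validators.get(s.sha, lambda _c: False)(s.claims)]
        if failed:
            return {"state": QUARANTINED, "failed": failed,
                    "remediation_servers": list(self.remediation_servers)}
        return {"state": FULL_ACCESS, "failed": [], "remediation_servers": []}


def nap_walkthrough(client: Client, nps: NetworkPolicyServer,
                    remediation: RemediationServer, max_rounds: int = 3) -> list:
    """EC/QA role: request access with the current SoH, follow the NPS verdict,
    remediate while restricted, then re-request with the new health status.
    Returns the sequence of access states the client passed through."""
    history = []
    for _ in range(max_rounds):
        verdict = nps.evaluate(client.collect_soh())
        history.append(verdict["state"])
        if verdict["state"] == FULL_ACCESS:
            break
        # On the restricted network only the remediation servers are reachable
        remediation.remediate(client)
    return history


if __name__ == "__main__":
    nps = NetworkPolicyServer(min_sig_version=42, remediation_servers=["192.0.2.10"])
    stale = Client("laptop-1", firewall_on=False, av_signature_version=40)
    print(nap_walkthrough(stale, nps, RemediationServer(latest_sig_version=42)))
```

The fail-closed default in `evaluate` is the point worth keeping from this toy: a health statement the server has no validator for is treated as non-compliant rather than ignored, which is the behaviour a deployment wants when a new SHA ships before its SHV does.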

Extending NAP
Published APIs
- SHA API
- QEC API
- SHV API
- EAP Host supplicant
- EAP Host method (peer and authenticator)
- 802.1x client extensibility
Licensed protocols
- SoH / SoHR
- RADIUS extensions
- EAP TLVs
- Health Certificate Enrollment Protocol
Diagram: on the client, 3rd-party EAP supplicants and the 802.1x supplicant, EapHost hosting PEAP and 3rd-party EAP methods, EapQEC and 3rd-party QECs, the NAP Agent (QA) and SHAs from Microsoft and 3rd parties; on the Microsoft Network Policy Server, the NAP Server (QS), SHVs from Microsoft and 3rd parties, and EapHost with PEAP and 3rd-party EAP methods. Health statements, network access requests, health certificates and health policy updates flow between the client, the network access devices and servers, the remediation servers and the system health servers as in the architecture overview.

RADIUS Attributes For NAP
- Microsoft-Quarantine-State: what access the machine should get: Full Access, Quarantined, or Probation until a certain time
- Microsoft-Quarantine-Grace-Time: the specified date and time for probation
- Microsoft-IPv4-Remediation-Servers: collection of IPv4 addresses of fix-up servers
- Microsoft-IPv6-Remediation-Servers: collection of IPv6 addresses of fix-up servers
- Microsoft-Attribute-Not-Quarantine-Capable: the machine requesting access is not participating in NAP

EAP Extensibility
Supplicant API
- 3rd-party EAP supplicants can plug in, e.g. 802.x, IKEv2, VPN
- Supplicants can become NAP-aware by using EapHost
Method API
- Enables 3rd-party methods to plug in, e.g. EAP-TTLS, EAP-SIM, EAP-FAST
Diagram: the client (3rd-party EAP supplicants, the 802.1x supplicant, EapHost with PEAP and 3rd-party EAP methods, EapQEC, 3rd-party QECs, the NAP Agent (QA), SHAs from Microsoft and 3rd parties) talks 802.1x (EAP) to the 802.1x AP / controller, which talks RADIUS (EAP) to the Microsoft Network Policy Server hosting the Quarantine Server (QS), the System Health Validators, and EapHost with PEAP and 3rd-party EAP methods.

Network Access Protection Demo
Chandra Nakula, Test Lead, Windows Enterprise Networking

Demo Setup
- NPS server (RADIUS)
- Vista client
- DHCP server
- HP ProCurve switch

802.1x Wired NAP
Diagram: Client and Switch exchange 802.1x / EAP (PEAP); the Switch is a RADIUS client of the NPS Server (RADIUS). Depending on the NPS verdict the switch places the client on either the Restricted VLAN or the Full Access VLAN.
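The RADIUS attributes slide and the wired demo diagram meet at the switch: the Access-Accept from NPS carries both the NAP verdict (as a Microsoft vendor-specific attribute) and the VLAN the port should land in (as the RFC 3580 tunnel attributes). The following builder and parser were written for this page to show those bytes; it is not code from the presentation, from NPS or from any switch vendor. The Microsoft enterprise number 311 and the standard attribute numbers (Vendor-Specific 26, Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81, VLAN = 13, 802 medium = 6) are real; the vendor-type number 45 for Microsoft-Quarantine-State and the 0/1/2 value mapping are assumptions taken from public RADIUS dictionaries and should be checked against your own dictionary before use.

```python
"""Added example: encode and decode the NAP and VLAN attributes in a RADIUS
Access-Accept as an 802.1x switch would see them. The Microsoft vendor-type
number and the quarantine-state value map are ASSUMED (see lead-in)."""
import struct

VENDOR_MICROSOFT = 311            # IANA enterprise number for Microsoft (RFC 2548)
ATTR_VSA = 26                     # Vendor-Specific, RFC 2865
ATTR_TUNNEL_TYPE = 64             # RFC 2868
ATTR_TUNNEL_MEDIUM_TYPE = 65      # RFC 2868
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81 # RFC 2868; carries the VLAN ID per RFC 3580
TUNNEL_TYPE_VLAN = 13             # RFC 3580
TUNNEL_MEDIUM_802 = 6             # RFC 3580
MS_QUARANTINE_STATE = 45          # ASSUMED vendor-type for Microsoft-Quarantine-State
QSTATE = {0: "Full Access", 1: "Quarantined", 2: "Probation"}  # ASSUMED value map


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (includes the 2 header bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor: int, vtype: int, value: bytes) -> bytes:
    """RFC 2865 Vendor-Specific: Vendor-Id, then Vendor-Type, Vendor-Length, value."""
    return attr(ATTR_VSA, struct.pack("!I", vendor) + struct.pack("!BB", vtype, len(value) + 2) + value)


def tagged_int(tag: int, n: int) -> bytes:
    """RFC 2868 tagged integer: 1-byte tag followed by a 3-byte big-endian value."""
    return struct.pack("!B", tag) + struct.pack("!I", n)[1:]


def build_access_accept_attrs(quarantine_state: int, vlan_id: int, tag: int = 1) -> bytes:
    """Attribute blob NPS would send: NAP verdict plus RFC 3580 VLAN assignment."""
    return (vsa(VENDOR_MICROSOFT, MS_QUARANTINE_STATE, struct.pack("!I", quarantine_state))
            + attr(ATTR_TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_802))
            + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def parse_attrs(blob: bytes) -> dict:
    """Walk the attribute list, rejecting truncated or zero-length attributes."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        v = blob[i + 2:i + length]
        if t == ATTR_VSA and len(v) >= 6:
            vendor = struct.unpack("!I", v[:4])[0]
            vtype, vlen = v[4], v[5]
            if vendor == VENDOR_MICROSOFT and vtype == MS_QUARANTINE_STATE and vlen == 6:
                out["quarantine_state"] = struct.unpack("!I", v[6:10])[0]
        elif t == ATTR_TUNNEL_TYPE:
            out["tunnel_type"] = int.from_bytes(v[1:], "big")
        elif t == ATTR_TUNNEL_MEDIUM_TYPE:
            out["tunnel_medium"] = int.from_bytes(v[1:], "big")
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte > 0x1F is part of the string, not a tag (RFC 2868)
            out["vlan"] = (v[1:] if v[0] <= 0x1F else v).decode()
        i += length
    return out


def switch_decision(parsed: dict) -> tuple:
    """Switch-side view: which VLAN the port lands in and the NAP state NPS reported."""
    if parsed.get("tunnel_type") != TUNNEL_TYPE_VLAN or parsed.get("tunnel_medium") != TUNNEL_MEDIUM_802:
        raise ValueError("no usable VLAN assignment in Access-Accept")
    state = QSTATE.get(parsed.get("quarantine_state"), "no quarantine state reported")
    return parsed["vlan"], state


if __name__ == "__main__":
    for state, vlan in ((1, 20), (0, 10)):   # constructed: restricted VLAN 20, full VLAN 10
        print(switch_decision(parse_attrs(build_access_accept_attrs(state, vlan))))
```

The parser refuses to use a VLAN unless both Tunnel-Type and Tunnel-Medium-Type say 802 VLAN, which is the check a NAS should make before trusting a Tunnel-Private-Group-ID; a device that only reads the group ID will mis-handle accepts that carry other tunnel types.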

Call To Action: NAS Devices (1x APs / Controllers)
- Ensure that your device works with NAP
  Value: the device is NAP-capable and hence more attractive to customers
- Use the NAP-related RADIUS attributes to make your configuration for NAP easier
  Value: customers would find it easier to configure your device from NPS for NAP
- Extend NAP to deliver value to the customer: on the client, on the switch, or end to end

Call To Action: NICs, EAP Supplicants, EAP Methods
- Test NAP interoperability with your hardware
- Extend NAP to deliver value to the customer (adopt EapHost and NAP)
  - Write EAP methods to EapHost
  - Leverage NAP in hardware, supplicants and EAP methods
  - Use EapHost extensibility to build your supplicants
- Work with us to address 802.x challenges: multi-MAC, heterogeneous environments, bootstrapping, timing issues

Additional Resources
Web resources
- NAP:
- EAP:
Additional resources
- Information on NAP SDK distribution
- WDK: actual working sample EAP methods and supplicant
- MSDN: EapHost documentation and API references
Questions or feedback
- NAP:
- EAP:
microsoft.com microsoft.com microsoft.com

Q&A

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.