internal NAP with no isolation

  • Question

  •  

    I have set up a lab for NAP with IPsec. It works fine.

    I have added IPsec domain isolation, and it gives nice functionality and protection...

     

    But what about NAP with IPsec with no isolation? It looks like it is totally nonsense to set up such a configuration, because if a host does not acquire a health certificate [and so will not be able to establish an encrypted channel] it will still communicate normally with other hosts, as there is no IPsec requirement.

     

    Is there a way to create a solution combining the dial-up and DHCP scenarios, working like this:

    - a mobile client gets onto the LAN and tries to connect

    - the client is forced to authenticate through NPS/RADIUS and not directly against AD

    - if the client does not meet the requirements it is restricted to a few remediation hosts

    - if it does, it connects normally and is able to use all resources

     

    I think I know the answer but would be very glad to have it confirmed:

    To create such a solution one needs devices supporting 802.1X authentication, and the client would be forced to authenticate through such a device [a switch, for example] before it gets access to the internal network. Then this device [here, the switch] would need to try to authenticate the user through the NPS server and ask for a health certificate. Then, if the client is healthy, it gets a certificate for 802.1X, thus having access to internal resources.

    I cannot test such a lab because I do not have such a device in the lab ): But if I am thinking right, the next question arises: is NDES [Network Device Enrollment Service] somehow connected with such a solution? Are there any whitepapers or anything so I can read about such a configuration?

     

     

    Tuesday, September 4, 2007 1:32 PM

Answers

  •  

    To answer your first question (NAP with IPsec with no isolation), I would like to know what scenario you are looking at. Why would you want to deploy such a scenario? If you provide me more concrete information, I will be better equipped to answer the question for you.

     

    Regarding your second question about combining the dial-up and DHCP scenarios: are you asking about NAP VPN? In the case of home computers (which might be using dial-up to get on the internet) that will be used to VPN into the corp network (the VPN NAP scenario), you can use the step-by-step guide to set up VPN NAP enforcement in a test lab.

     

    In the case of an 802.1X enforcement scenario, a client is placed in different VLANs based on its health state, i.e. unhealthy clients are placed in a VLAN that is isolated from the intranet resources. This restricted VLAN will have access to the remediation servers and other limited resources, whereas a healthy client will be placed in a VLAN which has access to the intranet resources. In the case of 802.1X enforcement, no certificate is issued.

    A certificate is issued in a NAP IPsec deployment scenario and not in 802.1X NAP enforcement.

    802.1X and IPsec enforcements are two separate concepts; they operate at different layers and perform different functions.

    I am not familiar with the NDES concept but found this link that provides some basic information regarding NDES.

    http://technet2.microsoft.com/windowsserver2008/en/library/569cd0df-3aa4-4dd7-88b8-227e9e3c012b1033.mspx?mfr=true

     

    If there are any more specific questions regarding the VPN, 802.1X or IPsec NAP enforcement scenarios, please let us know and I will make sure that we get your questions clarified.

     

    Kedar

    Friday, September 7, 2007 5:30 AM
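As an added example, not code from the original thread and not Microsoft's NPS/NAP implementation, the Python sketch below models the policy decision described in the answer above: the same statement of health (SoH) is evaluated once, and the outcome is then expressed differently per enforcement method. For 802.1X the outcome is a set of RADIUS tunnel attributes in the Access-Accept that tell the switch which VLAN to put the port in (the attribute numbers and values are the standard ones from RFC 2868/3580); for IPsec the outcome is whether a health certificate is issued. The SoH field names, the set of required checks and the VLAN IDs are assumptions for this example; the EKU OID is the "System Health Authentication" OID that NAP health certificates carry.

```python
"""Toy NAP policy decision: evaluate a client's statement of health (SoH)
and map the result onto the two enforcement methods discussed in the thread.

Added example code, not NPS.  SoH field names, required checks and VLAN IDs
are assumptions; RADIUS attribute values follow RFC 2868 / RFC 3580.
"""
from dataclasses import dataclass

# Health requirements, modelled on the checks the Windows Security Health
# Validator can enforce.  Which checks are required is a policy choice; this
# particular set is an assumption for the example.
REQUIRED_CHECKS = {
    "firewall_enabled": True,
    "antivirus_enabled": True,
    "antivirus_up_to_date": True,
    "automatic_updates_enabled": True,
}

# RADIUS attributes an 802.1X switch uses for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type (attr 64), value VLAN
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type (attr 65), value IEEE-802
COMPLIANT_VLAN = "100"       # assumed VLAN IDs
REMEDIATION_VLAN = "200"

# Extended key usage carried by NAP health certificates.
HEALTH_CERT_EKU = "1.3.6.1.4.1.311.47.1.1"  # System Health Authentication


@dataclass
class HealthResult:
    compliant: bool
    failed_checks: list


def evaluate_soh(soh: dict) -> HealthResult:
    """Compare the client's reported SoH against REQUIRED_CHECKS.

    A check the client does not report at all counts as failed, so a client
    that sends an empty or truncated SoH never passes by omission.
    """
    failed = [name for name, wanted in REQUIRED_CHECKS.items()
              if soh.get(name) != wanted]
    return HealthResult(compliant=not failed, failed_checks=failed)


def dot1x_decision(result: HealthResult) -> dict:
    """802.1X enforcement: both healthy and unhealthy clients get an
    Access-Accept, but the Tunnel-Private-Group-ID (attr 81) differs, so the
    switch puts an unhealthy client in the remediation VLAN.  No certificate
    is involved at any point."""
    vlan = COMPLIANT_VLAN if result.compliant else REMEDIATION_VLAN
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": vlan,
    }


def ipsec_decision(result: HealthResult) -> dict:
    """IPsec enforcement: a health certificate is obtained for compliant
    clients only.  Possession of that certificate is what lets the client
    authenticate IPsec to peers whose policy requires it; an unhealthy client
    gets nothing but the list of what to remediate."""
    if result.compliant:
        return {"issue_health_certificate": True, "eku": [HEALTH_CERT_EKU]}
    return {"issue_health_certificate": False,
            "remediation": list(result.failed_checks)}


# Constructed sample SoH reports (not captured from a real NAP client).
SAMPLE_HEALTHY = {
    "firewall_enabled": True,
    "antivirus_enabled": True,
    "antivirus_up_to_date": True,
    "automatic_updates_enabled": True,
}
SAMPLE_UNHEALTHY = {
    "firewall_enabled": False,
    "antivirus_enabled": True,
    "antivirus_up_to_date": False,
    "automatic_updates_enabled": True,
}

if __name__ == "__main__":
    for label, soh in (("healthy", SAMPLE_HEALTHY), ("unhealthy", SAMPLE_UNHEALTHY)):
        res = evaluate_soh(soh)
        print(label, "802.1X ->", dot1x_decision(res))
        print(label, "IPsec  ->", ipsec_decision(res))
```

Running it shows the practical difference Kedar points at: under 802.1X the unhealthy client is still authenticated and still gets a VLAN, just a restricted one, while under IPsec it simply never receives the certificate it would need to talk to hosts that require IPsec.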

All replies

  •  

    My question was unclear because I did not yet know what I wanted to ask for (;

    So, to clarify my question:

    - To use NAP with IPsec enforcement one would need quite a machine; a DC establishing, for example, 200 IPsec channels would die in pain (; I have not yet tested such a scenario and am wondering about TCP offloading, so maybe such a scenario is technically possible, but there are still a lot of servers which will not support the feature. So creating IPsec isolation will not be possible in many cases [or am I missing something?]

     

     

    The rest was the answer to my unclear question, so thank you (: I got the point about 802.1X and IPsec, so I just need more reading about the two.

    Tuesday, September 11, 2007 6:41 PM