NAP with Cisco Routers

  • Question

  • Hi All.

    I have some users who are connected to my network via VPN. The VPN is terminated on a Cisco router. Users use PPTP VPN to connect to the office network. I want to use NAP for these clients. Has anyone tried this?


    Tuesday, March 11, 2008 3:33 AM

Answers

  • The Cisco VPN is not likely to work with NAP VPN enforcement because the RADIUS client (the Cisco router) won't recognize some of the NAP specific VSAs (attributes) that are used to dynamically change network access based on client health during the VPN session.

     

    -Greg

    Saturday, March 29, 2008 6:50 PM

All replies

  • Hi,

     

    You may want to use IPsec NAP for these clients. The clients can have their health evaluated and request a health certificate from HRA after they connect.

     

    -Greg

    Thursday, March 13, 2008 6:32 AM
  • Hi, Greg.

     

    Where will the IPsec tunnel be terminated? On the Cisco router or not?

    Friday, March 14, 2008 11:42 AM
  • Hi,

     

    The VPN tunnel is terminated at the VPN server, but the IPsec tunnel will be maintained within the VPN tunnel and beyond into the LAN, on a peer to peer basis.

     

    I'll double-check on exactly how this type of configuration works with local or GP NAP client settings. Unless your HRA is available on a public network, you would want the client to request a health certificate only when connected to the VPN.

     

    -Greg

    Monday, March 17, 2008 8:33 PM
  •  

    If you have a Windows 2008 server and your clients are using Windows Vista or Windows XP SP3, you can use NAP for these clients.

     

    You will have to configure your Cisco router to use RADIUS and point it to the NPS server to authenticate your clients using PEAP. Then you will configure your NPS server to see your Cisco router as a RADIUS client. Then on your NPS server you will configure it for NAP for VPN. You will have to enable your client for NAP and enable the VPN enforcement client.

     

    The step by step guide below may help with configuration.

    http://www.microsoft.com/downloads/details.aspx?FamilyID=729bba00-55ad-4199-b441-378cc3d900a7&displaylang=en

     

    Louis H

    Microsoft Support Escalation Engineer

    http://blogs.technet.com/networking

     

    Saturday, March 29, 2008 2:18 PM
  • Hello, I'm a relative newbie in networking, but I'm very interested in NAP.

     

    I agree with Greg...

    The problem is that the "VPN Enforcement client" (a module of the NAP agent client) and "VPN Enforcement server" are specific to Microsoft VPN (RRAS). To continue to use the Cisco router as the VPN server, we would need a "Cisco VPN Enforcement Client" and a "Cisco VPN Enforcement server" (IOS)! Unfortunately, I don't know why Cisco would develop that!? (=> Cisco NAC)

     

    Concerning Louis H's proposal, I understood your idea, but does it work? Is it a good solution (security)?

     

     

    Thanks in advance for your response and sorry for my English...

     

     

     

    Sunday, May 11, 2008 4:34 PM