NAP Architecture/availability question

  • Question

  • In a remote office scenario, assuming the office has a local DC/DHCP and the clients are running the DHCP enforcement agents, with the NPS elements in the main datacenter: what is the behavior of the clients if the WAN link goes down and the NPS server(s) can't be contacted?

    Will they get a DHCP address and use the last SOH policy that was received, or not get DHCP until the NPS server is available again?

    Thanks

    Mitch

    Tuesday, April 29, 2008 2:59 PM

All replies

  • It is 100% configurable on the properties of the DHCP node in the Server Manager console (also via the command-line). I believe you have three choices in there:

    1.)  Allow Full Access (default)

    2.)  Drop the DHCP request (i.e. ignore)

    3.)  Restrict the client’s access (i.e. non-compliant)

    http://blogs.technet.com/teamdhcp/archive/2006/07/26/443488.aspx

    {Jeff Sigman}{Senior Program Manager & NAP Hero}{Enterprise Security Group}

    {NAP Blog, FAQ, Forum, MSDN, Site and my blog}

    Tuesday, April 29, 2008 6:18 PM
  • Thanks for the quick answer. I should have looked there.

    To expand on the question: are there similar choices for 802.1X or IPsec enforcement agents as well?

    Thanks

    Tuesday, April 29, 2008 7:05 PM
  • Hey again Mitch. You’re welcome!

    Well, it’s not quite as simple to explain for the two you mention, but they do have some fault tolerance built-in:

    1.    802.1X is enforced at the hardware itself – Wireless Access Points and/or Wired Switches. These devices can point to multiple back-end NAP Servers (aka RADIUS servers, NPS, IAS, etc.). If one doesn’t reply in a timely manner, each device normally rolls to the next server it has configured. Some switches I have configured have modes of behavior to handle the case of an authentication timeout. For instance, the demo I just built for RSA San Francisco had all ports dump into the “guest VLAN” if anything failed at all. This was the “non-compliant” VLAN for my demo. The person will still have base connectivity, but not full “compliant” connectivity.

    2.    In IPsec we have the notion of “Health Certificates”. This is a credential issued to you by our “Health Registration Authority” (HRA) server on Windows Server 2008. The default lifetime of these credentials (which are only issued when you are “compliant”) is 8 hours. During the lifetime of the credential, NAP will try multiple times to get another one before it expires so you don’t lose any connectivity to protected resources. Even if everything completely fails, you will still have access to the “boundary resources”. As soon as the infrastructure recovers, NAP Health Certificates will start flowing again and you will regain access to the protected zone.

    {Jeff Sigman}{Senior Program Manager & NAP Hero}{Enterprise Security Group}

    {NAP Blog, FAQ, Forum, MSDN, Site and my blog}

    Wednesday, April 30, 2008 8:41 PM
  • Thanks.

    I'm getting ready to deploy a pilot 802.1X NAP scenario, and these questions were posed as part of the detailed design for the enterprise deployment.

    Your reply does give me the answers/guidance I was looking for. I had expected for 802.1X that there could be multiple RADIUS servers to support load balancing/failover. The concern had been: what if the WAN connection went down? Then all communication back to the RADIUS/NPS servers would be lost. You're saying that the answer is to put the logic into the local switches as to what level of connectivity to allow if RADIUS is not available. I'll definitely look at my switch documentation to see what options are available for that.

    I've read from some of the NAP design guides to set a certificate lifetime of 12-24 hours, so some consideration needs to go into the certificate lifetime to accommodate a WAN failure.

    Mitch

    Wednesday, April 30, 2008 8:54 PM
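The certificate-lifetime consideration raised in the post above, together with the renewal behaviour described earlier in the thread (8 h default lifetime, repeated renewal attempts before expiry, boundary-resource access only while no valid certificate is held), worked through as a small Python model. This is an added example, not NAP or Microsoft code: the fixed renewal interval, the minute-granular timeline and the outage windows are constructed assumptions (the thread does not state the real client's renewal schedule), so the numbers describe the model rather than a measured deployment.

```python
"""Health-certificate lifetime against a WAN outage, modelled from this
thread: the HRA issues a certificate with a fixed lifetime (8 h by
default), the client renews repeatedly before expiry, and while no valid
certificate is held only the boundary resources are reachable.  Added
example, not NAP code; the renewal schedule is an assumption (see below).
All times are whole minutes.
"""
import math


def minutes_without_certificate(lifetime, interval, outage_start, outage_end,
                                horizon):
    """Walk a timeline minute by minute and count the minutes during which the
    client holds no valid health certificate.

    Assumptions (constructed for this model, not taken from the thread):
      * the client obtained a certificate at t = 0;
      * a renewal is attempted at every multiple of `interval`;
      * an attempt succeeds only while the HRA is reachable, i.e. outside
        the half-open outage window [outage_start, outage_end);
      * a successful attempt issues a fresh certificate valid for `lifetime`.
    """
    expiry = lifetime
    lost = 0
    for t in range(1, horizon + 1):
        if t % interval == 0 and not (outage_start <= t < outage_end):
            expiry = t + lifetime            # renewal succeeded
        if t >= expiry:
            lost += 1                        # boundary resources only
    return lost


def worst_case_loss(lifetime, interval, outage):
    """Slide an outage of `outage` minutes across one full renewal period and
    report the largest loss of protected-zone access it can cause."""
    worst = 0
    for start in range(interval, 2 * interval + 1):
        horizon = start + outage + lifetime + 2 * interval
        lost = minutes_without_certificate(lifetime, interval, start,
                                           start + outage, horizon)
        worst = max(worst, lost)
    return worst


def min_lifetime_for_outage(outage, interval):
    """Smallest lifetime that survives an outage of `outage` minutes whenever
    it starts.  Worst case: the outage begins exactly at a renewal attempt,
    so the certificate in hand is already one interval old, and the first
    successful retry is the first attempt at or after the outage ends."""
    return (math.ceil(outage / interval) + 1) * interval


def max_outage_for_lifetime(lifetime, interval):
    """Longest outage a certificate lifetime tolerates under the same model."""
    return (lifetime // interval - 1) * interval


if __name__ == "__main__":
    H = 60
    for lifetime_h in (8, 12, 24):              # default, and the guide's range
        tolerated = max_outage_for_lifetime(lifetime_h * H, 2 * H) / H
        print(f"{lifetime_h:2d} h lifetime, renew every 2 h: "
              f"survives a WAN outage of up to {tolerated:.0f} h")
    print("7 h lifetime vs 5 h outage, worst case:",
          worst_case_loss(7 * H, 2 * H, 5 * H), "min without protected access")
```

The sweep and the closed-form helpers agree: the usable margin is the lifetime minus roughly one renewal interval, so under these assumptions the default 8 h certificate rides out a 6 h outage and a 24 h certificate a 22 h one. Sizing the lifetime from the longest WAN outage the branch must tolerate plus the client's renewal interval is the design reading of the 12-24 h guidance.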
  • You got it exactly Mitch. The other thing you should consider is the “NPS RADIUS Proxy” scenario. You can have NPS act as a proxy to one or more back-end NPS’s that house the actual policy. Microsoft IT has multiple NPS’s in each of our 3 datacenters around the world. Since we do NAP + IPsec, they have clients in each region prefer their “local” HRA/NPS, and if it is down, go across the WAN. Obviously, there is a balance to achieve on IT administration costs vs. fault tolerance, etc.

    {Jeff Sigman}{Senior Program Manager & NAP Hero}{Enterprise Security Group}

    {NAP Blog, FAQ, Forum, MSDN, Site and my blog}

    Thursday, May 1, 2008 8:34 PM
  • Maybe it sounds stupid, but how do you make a RADIUS proxy redundant? Because if the RADIUS proxy is down, access requests are not forwarded to the RADIUS servers, right?

    Wednesday, December 10, 2008 2:44 PM
  • You can use a secondary RADIUS proxy.

    Wednesday, December 10, 2008 6:53 PM
  • For my understanding:

    If you use 802.1X with a RADIUS proxy, you must specify the IP address of the RADIUS proxy in the 802.1X switch as the RADIUS server, right? Correct me if I'm wrong.

    If the switch doesn't support a secondary RADIUS server entry, how can you achieve that RADIUS messages are sent to the second RADIUS proxy?

    Thursday, December 11, 2008 8:16 AM
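The failure behaviour the replies in this thread describe, in one Python simulation: the DHCP enforcement server's three settings when NPS cannot be reached, a switch rolling over to the next RADIUS server in its list, and a secondary NPS RADIUS proxy answering when the first is down (which is the mechanism the last question asks about, one tier up from the switch). This is an added example, not Microsoft or NAP code: the server names, reachability flags and orderings are constructed assumptions, and RADIUS timeouts and retry counts are collapsed into "answered" or "no reply".

```python
"""Fail-over and fail-policy behaviour of a NAP enforcement point, modelled
from this thread.  Added example, not Microsoft or NAP code: the server
names, reachability flags and orderings below are constructed assumptions,
and RADIUS timeouts/retries are collapsed into "answered" or "no reply".
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Union


class FailPolicy(Enum):
    """What the enforcement point does when no policy server answers.
    These mirror the three settings on the DHCP node named in the thread;
    RESTRICT also stands for a switch dumping ports into a guest VLAN."""
    FULL_ACCESS = "allow full access (DHCP default)"
    DROP = "drop the request"
    RESTRICT = "restricted / non-compliant access"


class Access(Enum):
    COMPLIANT = "full access, health verified"
    RESTRICTED = "restricted network / guest VLAN"
    FULL_UNCHECKED = "full access, health NOT evaluated"
    NONE = "no address / no network"


@dataclass
class PolicyServer:
    """A back-end NPS that holds the health policy (constructed)."""
    name: str
    reachable: bool
    compliant_verdict: bool = True   # what it says about the client when asked


@dataclass
class RadiusProxy:
    """An NPS RADIUS proxy forwarding to its own ordered list of back-ends."""
    name: str
    reachable: bool
    backends: List["Target"]


Target = Union[PolicyServer, RadiusProxy]


def ask(target: Target, trace: List[str]) -> Optional[bool]:
    """Try one RADIUS target.  Returns the compliance verdict, or None when
    the target (or, for a proxy, every back-end behind it) does not reply."""
    if not target.reachable:
        trace.append(f"{target.name}: no reply, rolling to next")
        return None
    if isinstance(target, RadiusProxy):
        verdict = ask_in_order(target.backends, trace)
        if verdict is None:
            trace.append(f"{target.name}: proxy is up but no back-end answered")
        return verdict
    trace.append(f"{target.name}: answered")
    return target.compliant_verdict


def ask_in_order(targets: List[Target], trace: List[str]) -> Optional[bool]:
    """Walk an ordered server list the way a switch or proxy does: the first
    target that answers decides; a silent one is skipped."""
    for target in targets:
        verdict = ask(target, trace)
        if verdict is not None:
            return verdict
    return None


def decide(targets: List[Target], fail_policy: FailPolicy,
           trace: Optional[List[str]] = None) -> Access:
    """Outcome for one client: the verdict if anyone answered, otherwise the
    enforcement point's own fail policy."""
    trace = [] if trace is None else trace
    verdict = ask_in_order(targets, trace)
    if verdict is True:
        return Access.COMPLIANT
    if verdict is False:
        return Access.RESTRICTED
    return {FailPolicy.FULL_ACCESS: Access.FULL_UNCHECKED,
            FailPolicy.DROP: Access.NONE,
            FailPolicy.RESTRICT: Access.RESTRICTED}[fail_policy]


def remote_office(wan_up: bool, primary_proxy_up: bool = True) -> List[Target]:
    """Constructed topology: a branch switch points at two local NPS proxies,
    each forwarding over the WAN to two datacenter NPS servers."""
    datacenter = [PolicyServer("dc1-nps", reachable=wan_up),
                  PolicyServer("dc2-nps", reachable=wan_up)]
    return [RadiusProxy("branch-proxy-1", primary_proxy_up, datacenter),
            RadiusProxy("branch-proxy-2", True, datacenter)]


if __name__ == "__main__":
    for wan_up in (True, False):
        for policy in FailPolicy:
            trace: List[str] = []
            outcome = decide(remote_office(wan_up, primary_proxy_up=False), policy, trace)
            print(f"WAN up={wan_up!s:5} policy={policy.name:11} -> {outcome.value}")
            for line in trace:
                print("    " + line)
```

Two readings follow from the trace. With the WAN up, losing the primary proxy costs nothing as long as the switch lists the secondary proxy as well; that is the redundancy asked about in the last post, and a switch that can hold only one RADIUS server entry has no equivalent, so the single proxy becomes the point of failure. With the WAN down, no amount of local proxying helps and only the enforcement point's fail policy decides; FULL_ACCESS keeps the branch working but admits unchecked hosts, DROP keeps unchecked hosts out at the price of an outage, and RESTRICT (the guest-VLAN pattern) is the usual middle ground.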