Network Access Protection

Source: Wikipedia, the free encyclopedia.

Network Access Protection (NAP) is a Microsoft technology for controlling network access of a computer, based on its health. It was first included in

host-based firewall
installed and enabled. Computers with a NAP client will have their health status evaluated upon establishing a network connection. NAP can restrict or deny network access to the computers that are not in compliance with the defined health requirements.

NAP was deprecated in Windows Server 2012 R2[2] and removed from Windows Server 2016.[3]

Overview

The Network Access Protection Client Agent is the client-side service that lets a NAP-capable computer collect its current health information (such as installed software updates) into a statement of health for evaluation.[4]

NAP enforcement points include DHCP servers and Health Registration Authorities (HRAs) that run Windows Server 2008 or later. The NAP health policy server is a computer running the Network Policy Server (NPS) service in Windows Server 2008 or later that stores health requirement policies and provides health evaluation for NAP clients. Health requirement policies are configured by administrators. They define criteria that clients must meet before they are allowed unrestricted network access; these criteria may include the version of the operating system, a personal firewall, or an up-to-date antivirus program.

When a NAP-capable client computer contacts a NAP enforcement point, it submits its current health state. The NAP enforcement point sends the NAP client's health state to the NAP health policy server for evaluation using the RADIUS protocol. The NAP health policy server can also act as a RADIUS-based authentication server for the NAP client.

The NAP health policy server can use a health requirement server to validate the health state of the NAP client or to determine the current version of software or updates that need to be installed on the NAP client. For example, a health requirement server might track the latest version of an antivirus signature file.

If the NAP enforcement point is an HRA, it obtains health certificates from a certification authority for NAP clients that it deems compliant with the relevant requirements.

NAP clients can be placed on a restricted network if they are deemed non-compliant. The restricted network is a logical subset of the intranet and contains resources that allow a noncompliant NAP client to correct its system health. Servers that contain system health components or updates are known as remediation servers. A noncompliant NAP client on the restricted network can access remediation servers and install the necessary components and updates. After remediation is complete, the NAP client can perform a new health evaluation in conjunction with a new request for network access or communication.
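The evaluation and remediation loop described in the preceding paragraphs, modelled as an added example (this is illustrative code, not Microsoft's NAP implementation). The policy thresholds, host names and message shapes are assumptions chosen for the example; the real exchange carries the statement of health to NPS inside RADIUS, which is reduced here to a method call. One point the model makes visible: every field of the statement of health is self-reported by the client agent, so the policy server can evaluate it but not verify it.

```python
"""Model of the NAP health-evaluation and remediation loop.

Added illustration, not Microsoft's NAP code. Policy values, host names
and message shapes are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Health requirement policy (constructed for the example).
MIN_OS_VERSION = (6, 0)  # assumed minimum NT version accepted by the policy
AV_REMEDIATION_SERVER = "av-updates.corp.example"  # assumed host name
REMEDIATION_SERVERS = {"wsus.corp.example", AV_REMEDIATION_SERVER}


@dataclass
class StatementOfHealth:
    """What the NAP client agent reports about itself. Every field is
    self-reported: NAP evaluates it, it does not independently verify it."""
    os_version: tuple
    firewall_enabled: bool
    av_signature_version: int


class HealthRequirementServer:
    """Tracks the latest antivirus signature version (the article's example)."""
    def __init__(self, latest_av_signature: int):
        self.latest_av_signature = latest_av_signature


class HealthPolicyServer:
    """NPS role: evaluates a statement of health against the policy."""
    def __init__(self, hrs: HealthRequirementServer):
        self.hrs = hrs

    def evaluate(self, soh: StatementOfHealth) -> list:
        """Return the failed checks; an empty list means compliant.
        Each failure doubles as a remediation instruction for the client."""
        failures = []
        if soh.os_version < MIN_OS_VERSION:
            failures.append("os_version")
        if not soh.firewall_enabled:
            failures.append("firewall")
        if soh.av_signature_version < self.hrs.latest_av_signature:
            failures.append("av_signature")
        return failures


@dataclass
class NapClient:
    soh: StatementOfHealth
    reachable: set = field(default_factory=set)  # hosts reachable on the current network

    def remediate(self, failures, hrs: HealthRequirementServer) -> list:
        """Fix what can be fixed from the current network. The firewall is a
        local setting; AV signatures need the remediation server; an OS version
        failure cannot be remediated by the agent in this model."""
        fixed = []
        for failure in failures:
            if failure == "firewall":
                self.soh.firewall_enabled = True
                fixed.append(failure)
            elif failure == "av_signature" and AV_REMEDIATION_SERVER in self.reachable:
                self.soh.av_signature_version = hrs.latest_av_signature
                fixed.append(failure)
        return fixed


class EnforcementPoint:
    """Stands in for a DHCP server or HRA: relays the SoH to the health policy
    server (over RADIUS in the real system) and applies the network decision."""
    def __init__(self, nps: HealthPolicyServer):
        self.nps = nps

    def connect(self, client: NapClient) -> dict:
        failures = self.nps.evaluate(client.soh)  # the RADIUS round trip, reduced to a call
        if failures:
            client.reachable = set(REMEDIATION_SERVERS)  # restricted network
            return {"access": "restricted", "remediate": failures}
        client.reachable = {"*"}  # full intranet
        return {"access": "full", "remediate": []}


def connect_with_remediation(client, ep, hrs, max_rounds=3) -> list:
    """Connect, remediate on the restricted network, re-evaluate.
    Returns the sequence of access decisions, e.g. ['restricted', 'full']."""
    history = []
    for _ in range(max_rounds):
        decision = ep.connect(client)
        history.append(decision["access"])
        if decision["access"] == "full":
            break
        if not client.remediate(decision["remediate"], hrs):
            break  # nothing left the agent can fix; do not loop forever
    return history


if __name__ == "__main__":
    hrs = HealthRequirementServer(latest_av_signature=1200)
    ep = EnforcementPoint(HealthPolicyServer(hrs))
    laptop = NapClient(StatementOfHealth((6, 1), firewall_enabled=False, av_signature_version=1150))
    print(connect_with_remediation(laptop, ep, hrs))  # ['restricted', 'full']
```

The second run in the test below shows the failure mode the text implies: a client whose deficiency the agent cannot correct (here, an operating system below the policy's minimum) stays on the restricted network after remediation, so the restricted network must be sized for clients that never become compliant, not just for a brief update window.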

NAP client support

A limited NAP client ships with Windows XP Service Pack 3. It has no MMC snap-in and does not support AuthIP-based IPsec enforcement. As such, it can only be managed via the command-line tool netsh, and its IPsec enforcement is IKE-based only.[5][6]

Microsoft partners provide NAP clients for other operating systems such as macOS and Linux.


References

  1. "Network Access Protection". 2 July 2012. Archived from the original on 2016-06-07. Retrieved 2016-06-15.
  2. "Features Removed or Deprecated in Windows Server 2012 R2". Archived from the original on 2015-02-08. Retrieved 2015-01-29.
  3. "What's New in DHCP in Windows Server Technical Preview". Archived from the original on 2015-04-09. Retrieved 2015-05-20.
  4. "How to Enable the Network Access Protection Client Agent". technet.microsoft.com. Archived from the original on 2016-08-19. Retrieved 2016-07-15.
  5. Sigman, Jeff (8 November 2007). "XP NAP Rude Q and A". Network Access Protection (NAP) blog. Microsoft. Archived from the original on 27 May 2008. Retrieved 24 December 2009.
  6. Sigman, Jeff (20 June 2007). "NAP demystified (hopefully)". Network Access Protection (NAP) blog. Microsoft. Archived from the original on 3 January 2015. Retrieved 18 September 2015.
