Providing 802.1X Enforcement For Network Access Protection
Mudit Goel, Development Manager, Windows Enterprise Networking, Microsoft Corporation

Posted on 18-Dec-2015


Page 1: Providing 802.1X Enforcement For Network Access Protection

Mudit Goel, Development Manager, Windows Enterprise Networking, Microsoft Corporation

Page 2: Goals

Overview: Network Access Protection (NAP) architecture and extensibility
Demonstrate 802.1X NAP

Target audience:
Hardware vendors (e.g., 1x hardware)
Connectivity software (1x supplicants, EAP methods)

Page 3: What Is In It For You?

Add value to your hardware-based products or solutions
Demonstrated interoperability with NAP
Easy configuration of 1x hardware for NAP
Unique value that you can add to your device

Easier to develop EAP-related software
EAP extensibility model
Client: supplicants and methods
Server: methods

More satisfied customers

Page 4: Life In A Highly-Connected World

[Diagram: Internet, perimeter and intranet. Remote employees reach the intranet through a remote access gateway; customers reach a web server in the perimeter; business partners reach an extranet server; infrastructure servers sit on the intranet.]

Interconnected networks
Distributed data
Mobile workers
Business extranets
Remote access
Web services
Wireless
Mobile smart devices

Page 5: Problem

Very little isolation in the network
Customers control a very small percentage of endpoints
De-perimeterization of devices is happening now
Customers have little or no way of enforcing, or even validating, security policy compliance
Need for security at multiple layers

Page 6: Network Access Protection (NAP) Solution Overview

Policy validation: Are computers "healthy", i.e., compliant with the company's security policy?
Network restriction: Restrict network access based on their health
Remediation: Provides the necessary updates to become healthy; once healthy, the network restrictions are removed
Ongoing compliance: Changes in a computer's health may dynamically result in network restrictions

Page 7: Providing 802.1X Enforcement For Network Access Protection Mudit Goel Development Manager Windows Enterprise Networking Microsoft Corporation

Requesting Requesting access. Here’s access. Here’s

my new my new health statushealth status

Network Access Protection Walk-ThroughNetwork Access Protection Walk-Through

MicrosoftMicrosoftnetworknetwork

policy serverpolicy serverClientClient802.1x802.1xSwitch Switch

/ AP/ AP

Remediation Remediation servers servers

May I have access?May I have access?Here’s my current Here’s my current health statushealth status

Should this client be Should this client be restricted basedrestricted basedon its health? on its health?

Ongoing policy updates Ongoing policy updates to NPS Policy Server to NPS Policy Server

You are given You are given restricted accessrestricted accessuntil fix-upuntil fix-up

Can I have Can I have updates?updates?

Here you goHere you go

According to policy, According to policy, the client is not up to the client is not up to date. Quarantine date. Quarantine client, request it to client, request it to updateupdate

Corporate NetworkCorporate Network

Restricted NetworkRestricted Network

Client is granted access to full intranet Client is granted access to full intranet

System health System health servers servers

According to policy, According to policy, the client is up to the client is up to date date

Grant accessGrant access

Page 8: NAP Architecture Overview

[Diagram: The client (System Health Agent (SHA), MS and 3rd parties; NAP Agent (QA); Enforcement Client (EC) for DHCP, IPsec, 802.1X, VPN) sends health statements and network access requests to network access devices and servers, which forward them to the Microsoft Network Policy Server (NPS) (NAP Server (QS); System Health Validator (SHV), MS and 3rd parties). System health servers push health policy updates to NPS, remediation servers supply fixes, and a compliant client can be issued a health certificate.]

Client
SHA: health agents check client state
QA: coordinates SHA/EC
EC: method of enforcement

Remediation server: serves up patches, AV signatures, etc.

Network access devices and servers: access points, switches, VPN servers, HRA

Network Policy Server
QS: coordinates SHVs
SHV: validates client health

System health server: provides client compliance policies
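As an added example (not code from the deck, from Windows NAP or from NPS), here is the slide 7 exchange and the slide 8 roles reduced to a runnable Python sketch: the SHA's output is a plain dict standing in for a statement of health (SoH), validate_soh plays the SHV/QS and returns the decision the QS would hand back as a statement-of-health response (SoHR), remediate plays the client-side fix-up, and walk_through runs the request / quarantine / fix-up / re-request loop, including the case of a client that sends no SoH at all. The policy thresholds, the check names, the fix-up server address and the clock value are constructed for the example; the real SoH/SoHR are licensed binary formats, not dicts.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Outcomes named as the deck names them (Microsoft-Quarantine-State on slide 10).
FULL_ACCESS, QUARANTINE, PROBATION = "Full Access", "Quarantined", "Probation"


@dataclass
class HealthPolicy:
    """What the System Health Validator (SHV) on NPS requires. Thresholds are constructed for this example."""
    require_firewall: bool = True
    max_av_signature_age_days: int = 7
    require_automatic_updates: bool = True
    # How a client that sends no statement of health at all is treated
    # (the Microsoft-Attribute-Not-Quarantine-Capable case): quarantine or full access, per site policy.
    non_nap_capable_action: str = QUARANTINE
    # If set, non-compliant clients get probation until now + grace instead of immediate quarantine.
    probation_grace: Optional[timedelta] = None


@dataclass
class Decision:
    """What the Quarantine Server (QS) hands back: the SoHR contents plus the state carried in RADIUS."""
    state: str
    failed_checks: list = field(default_factory=list)
    remediation_servers: list = field(default_factory=list)
    grace_until: Optional[datetime] = None


def validate_soh(soh: Optional[dict], policy: HealthPolicy, remediation_servers: list, now: datetime) -> Decision:
    """SHV/QS role: compare the client's statement of health (a dict here, not the real format) against policy."""
    if soh is None:
        servers = [] if policy.non_nap_capable_action == FULL_ACCESS else list(remediation_servers)
        return Decision(policy.non_nap_capable_action, ["no statement of health"], servers)
    failed = []
    if policy.require_firewall and not soh.get("firewall_enabled", False):
        failed.append("firewall disabled")
    age = soh.get("av_signature_age_days")
    if age is None or age > policy.max_av_signature_age_days:
        failed.append(f"antivirus signatures older than {policy.max_av_signature_age_days} days")
    if policy.require_automatic_updates and not soh.get("automatic_updates", False):
        failed.append("automatic updates off")
    if not failed:
        return Decision(FULL_ACCESS)
    if policy.probation_grace is not None:
        return Decision(PROBATION, failed, list(remediation_servers), now + policy.probation_grace)
    return Decision(QUARANTINE, failed, list(remediation_servers))


def remediate(soh: dict, decision: Decision) -> dict:
    """Client-side fix-up: the SHA fetches what the SoHR asked for from the remediation servers and re-reports."""
    fixed = dict(soh)
    for check in decision.failed_checks:
        if check == "firewall disabled":
            fixed["firewall_enabled"] = True
        elif check.startswith("antivirus signatures"):
            fixed["av_signature_age_days"] = 0
        elif check == "automatic updates off":
            fixed["automatic_updates"] = True
    return fixed


def walk_through(initial_soh: Optional[dict], policy: HealthPolicy, remediation_servers: list, now: datetime) -> list:
    """The slide 7 loop: request, then quarantine / fix-up / re-request until access. Returns the states granted."""
    states, soh = [], initial_soh
    for _ in range(3):  # bounded so a client that cannot be fixed does not loop forever
        decision = validate_soh(soh, policy, remediation_servers, now)
        states.append(decision.state)
        if decision.state == FULL_ACCESS or soh is None:
            break
        soh = remediate(soh, decision)
    return states


# Constructed sample data for the demo: one stale client, one fix-up server, a fixed clock.
STALE_SOH = {"firewall_enabled": False, "av_signature_age_days": 30, "automatic_updates": True}
REMEDIATION_SERVERS = ["10.0.1.20"]   # assumed address, not from the deck
DEMO_NOW = datetime(2006, 5, 1, tzinfo=timezone.utc)
GRACE_4H = timedelta(hours=4)

if __name__ == "__main__":
    first = validate_soh(STALE_SOH, HealthPolicy(), REMEDIATION_SERVERS, DEMO_NOW)
    print(first.state, first.failed_checks, first.remediation_servers)
    print(walk_through(STALE_SOH, HealthPolicy(), REMEDIATION_SERVERS, DEMO_NOW))
```

The non_nap_capable_action knob matters in practice: a policy that grants full access to clients that never report health is the path a non-NAP-aware (or deliberately mute) machine takes, so the deck's Microsoft-Attribute-Not-Quarantine-Capable case deserves an explicit decision rather than a default.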

Page 9: Extending NAP

Published APIs
SHA API
QEC API
SHV API
EAP Host supplicant
EAP Host method (peer and authenticator)
802.1x client extensibility

Licensed protocols
SoH / SoHR
RADIUS extensions
EAP TLVs
Health Certificate Enrollment Protocol

[Diagram: the slide 8 architecture with the pluggable pieces called out. On the client: 3rd-party EAP supplicants alongside the 802.1x supplicant, the NAP Agent (QA) with System Health Agents (SHA, Microsoft and 3rd parties), EapQEC and 3rd-party QECs, and EapHost hosting PEAP and 3rd-party EAP methods. On the Microsoft Network Policy Server: NAP Server (QS), System Health Validators (SHV, Microsoft and 3rd parties), and EapHost hosting PEAP and 3rd-party EAP methods. Health statements and network access requests flow through network access devices and servers; system health servers supply health policy updates, remediation servers supply fixes, and a health certificate can be issued.]

Page 10: RADIUS Attributes For NAP

Microsoft-Quarantine-State: machine access should be Full Access, Quarantined, or Probation until a certain time
Microsoft-Quarantine-Grace-Time: specified date and time for probation
Microsoft-IPv4-Remediation-Servers: collection of IPv4 addresses of fix-up servers
Microsoft-IPv6-Remediation-Servers: collection of IPv6 addresses of fix-up servers
Microsoft-Attribute-Not-Quarantine-Capable: machine requesting access is not participating in NAP

Page 11: EAP Extensibility

Supplicant API: 3rd-party EAP supplicants can plug in, e.g., 802.1X, IKEv2, VPN. Supplicants become NAP-aware by using EapHost
Method API: enables 3rd-party methods to plug in, e.g., EAP-TTLS, EAP-SIM, EAP-FAST

[Diagram: the client (3rd-party EAP supplicants and the 802.1x supplicant; NAP Agent (QA) with System Health Agents, Microsoft and 3rd parties; EapQEC and 3rd-party QEC; EapHost hosting PEAP and 3rd-party EAP methods) speaks 802.1x (EAP) to an 802.1x AP / controller, which relays RADIUS (EAP) to the Microsoft Network Policy Server (Quarantine Server (QS), System Health Validator, EapHost hosting PEAP and 3rd-party EAP methods).]

Page 12: Network Access Protection Demo

Chandra Nakula, Test Lead, Windows Enterprise Networking

Page 13: Demo Setup

NPS server (RADIUS)
Vista client
DHCP server
HP ProCurve switch

Page 14: 802.1x Wired NAP

[Diagram: the client authenticates to the switch over 802.1x using EAP (PEAP); the switch acts as a RADIUS client of the NPS server (RADIUS). Depending on the result, the switch places the client's port in the Restricted VLAN or the Full Access VLAN.]
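The attributes listed on slide 10 travel inside RADIUS Vendor-Specific attributes (type 26, Microsoft vendor ID 311, RFC 2548), while the VLAN steering in the wired demo on slide 14 uses the RFC 2868 tunnel attributes as profiled for 802.1X by RFC 3580. The following is an added Python example (not from the deck, from NPS or from any switch vendor) that encodes both outcomes of the demo as an Access-Accept attribute list and decodes them the way a switch (VLAN) and a NAP-aware client (quarantine state, fix-up servers) would read them, rejecting malformed lengths on the way in. The Microsoft vendor-type numbers and the quarantine-state values are quoted from MS-RNAP from memory and should be checked against that specification; the value layouts used for the remediation-server list and the grace time, the VLAN IDs and the server address are assumptions made for the example.

```python
import ipaddress
import struct

# Standard RADIUS attribute types (RFC 2865 / RFC 2868) and the RFC 3580 VLAN values.
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
MICROSOFT_VENDOR_ID = 311          # RFC 2548

# Microsoft NAP vendor types and Quarantine-State values as I recall them from MS-RNAP.
# ASSUMPTION for this example: verify against the MS-RNAP attribute table before relying on them.
MS_QUARANTINE_STATE = 45
MS_QUARANTINE_GRACE_TIME = 46
MS_IPV4_REMEDIATION_SERVERS = 52
MS_NOT_QUARANTINE_CAPABLE = 54
QSTATE_FULL_ACCESS, QSTATE_QUARANTINE, QSTATE_PROBATION = 0, 1, 2


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """One RFC 2865 attribute: Type(1) Length(1) Value. Length includes the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def encode_ms_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) wrapping one Microsoft sub-attribute: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) value."""
    inner = struct.pack("BB", vendor_type, len(value) + 2) + value
    return encode_avp(ATTR_VENDOR_SPECIFIC, struct.pack(">I", MICROSOFT_VENDOR_ID) + inner)


def tunnel_int(value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: Tag octet followed by a 24-bit value."""
    return struct.pack(">I", (tag << 24) | (value & 0xFFFFFF))


def build_access_accept_attrs(vlan_id: int, quarantine_state: int, remediation_v4=(), grace_time=None) -> bytes:
    """Attribute list NPS would return: VLAN steering for the switch plus NAP state for the client."""
    attrs = [
        encode_avp(ATTR_TUNNEL_TYPE, tunnel_int(TUNNEL_TYPE_VLAN)),
        encode_avp(ATTR_TUNNEL_MEDIUM_TYPE, tunnel_int(TUNNEL_MEDIUM_IEEE_802)),
        encode_avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode("ascii")),  # tag 0
        encode_ms_vsa(MS_QUARANTINE_STATE, struct.pack(">I", quarantine_state)),
    ]
    if remediation_v4:  # ASSUMPTION: packed 4-byte addresses; MS-RNAP defines the real layout
        attrs.append(encode_ms_vsa(MS_IPV4_REMEDIATION_SERVERS,
                                   b"".join(ipaddress.IPv4Address(a).packed for a in remediation_v4)))
    if grace_time is not None:  # ASSUMPTION: 32-bit Unix time; MS-RNAP defines the real layout
        attrs.append(encode_ms_vsa(MS_QUARANTINE_GRACE_TIME, struct.pack(">I", grace_time)))
    return b"".join(attrs)


def decode_attrs(data: bytes) -> list:
    """Walk the attribute list strictly; returns (type, vendor_type or None, value) and rejects bad lengths."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + length]
        if attr_type == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6 or struct.unpack(">I", value[:4])[0] != MICROSOFT_VENDOR_ID:
                raise ValueError("unexpected vendor-specific attribute")
            if value[5] != len(value) - 4:
                raise ValueError("bad vendor-length")
            out.append((attr_type, value[4], value[6:]))
        else:
            out.append((attr_type, None, value))
        pos += length
    return out


def summarize(data: bytes) -> dict:
    """What the switch acts on (VLAN) and what the NAP client acts on (state, fix-up servers, grace time)."""
    result = {"vlan": None, "quarantine_state": None, "remediation_v4": [], "grace_time": None}
    for attr_type, vendor_type, value in decode_attrs(data):
        if attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            body = value[1:] if value[0] <= 0x1F else value  # strip the RFC 2868 tag octet if present
            result["vlan"] = int(body.decode("ascii"))
        elif vendor_type == MS_QUARANTINE_STATE:
            result["quarantine_state"] = struct.unpack(">I", value)[0]
        elif vendor_type == MS_IPV4_REMEDIATION_SERVERS:
            result["remediation_v4"] = [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]
        elif vendor_type == MS_QUARANTINE_GRACE_TIME:
            result["grace_time"] = struct.unpack(">I", value)[0]
    return result


def is_malformed(data: bytes) -> bool:
    """True when decode_attrs rejects the buffer (truncated header, bad length, foreign vendor)."""
    try:
        decode_attrs(data)
        return False
    except ValueError:
        return True


# Constructed samples: the two outcomes of the wired demo (VLAN IDs and server address are assumptions).
QUARANTINED = build_access_accept_attrs(101, QSTATE_QUARANTINE, remediation_v4=("10.0.1.20",))
FULL_ACCESS_ATTRS = build_access_accept_attrs(10, QSTATE_FULL_ACCESS)
```

Whether the switch honours the tag octet on Tunnel-Private-Group-ID is the interoperability point the "Call To Action" slides are about: some NAS implementations expect the untagged string form, so a NAS vendor testing against NPS should check both.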

Page 15: Call To Action: NAS Devices (1x APs / Controllers)

Ensure that your device works with NAP
Value: device is NAP capable and hence more attractive to customers

Use the NAP-related RADIUS attributes to make your configuration for NAP easier
Value: customers would find it easier to configure your device from NPS for NAP

Extend NAP to deliver value to the customer: on the client, switch, or end to end

Page 16: Call To Action: NICs, EAP Supplicants, EAP Methods

Test NAP interoperability with your hardware
Extend NAP to deliver value to the customer (adopt EapHost and NAP)
Write EAP methods to EapHost
Leverage NAP in hardware, supplicants and EAP methods
Use EapHost extensibility to build your supplicants

Work with us to address 802.1X challenges: multi-MAC, heterogeneous environments, bootstrapping, timing issues

Page 17: Additional Resources

Web resources
NAP: http://www.microsoft.com/NAP
EAP: http://www.microsoft.com/EAP

Additional resources
Information on NAP SDK distribution
WDK: actual working sample EAP methods and supplicant
MSDN: EapHost (EH) documentation and API references

E-mail (questions or feedback)
NAP: napsdk@microsoft.com, asknap@microsoft.com
EAP: eapqa@microsoft.com

Page 18: Q&A

Page 19:

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
