Cisco Network Admission Control and Microsoft Network Access Protection Interoperability Architecture



Similar documents
Microsoft Windows Server System White Paper

This chapter covers the following topics: Network admission control overview NAC Framework benefits NAC Framework components Operational overview

Pipeliner CRM Phaenomena Guide Sales Pipeline Management Pipelinersales Inc.

Major Retailer Achieves Compliance With the PCI Data Security Standard

Pipeliner CRM Phaenomena Guide Getting Started with Pipeliner Pipelinersales Inc.

Windows Hard Disk Encryption

Defender 5.7. Remote Access User Guide

Feature for India (Third-party invoice)

Pipeliner CRM Phaenomena Guide Administration & Setup Pipelinersales Inc.

Network Access Control ProCurve and Microsoft NAP Integration

Pipeliner CRM Phaenomena Guide Opportunity Management Pipelinersales Inc.

Content Protection in Silverlight. Microsoft Corporation

The 2007 R2 Version of Microsoft Office Communicator Mobile for Windows Mobile: Frequently Asked Questions

Towards End-to-End Security

Pipeliner CRM Phaenomena Guide Sales Target Tracking Pipelinersales Inc.

Credit Card Extension White Paper

NETWORK ACCESS CONTROL

Statement of Direction

Pipeliner CRM Phaenomena Guide Lead Management Pipelinersales Inc.

Microsoft Dynamics GP. Payroll Connect

Dell One Identity Cloud Access Manager How to Configure vworkspace Integration

Lab Answer Key for Module 6: Configuring and Managing Windows SharePoint Services 3.0. Table of Contents Lab 1: Configuring and Managing WSS 3.

SDN for Wi-Fi OpenFlow-enabling the wireless LAN can bring new levels of agility

Technical Brief for Windows Home Server Remote Access

Copy Tool For Dynamics CRM 2013

Accessing BlackBerry Data Services Using Wi-Fi Networks

Product Guide for Windows Home Server

Tech Brief. Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks

Microsoft Dynamics GP. Electronic Signatures

Checking System Requirements. How-To Guide

Controlling and Managing Security with Performance Tools

CRM Accelerators Overview

Technical Certificates Overview

Security Industry Market Share Analysis

Windows Least Privilege Management and Beyond

Windows Server Virtualization An Overview

Windows Embedded Compact 7: RemoteFX and Remote Experience Thin Client Integration

Quest Collaboration Services How it Works Guide

Dell InTrust Preparing for Auditing Cisco PIX Firewall

Application Note Gemalto.NET 2.0 Smart Card Certificate Enrollment using Microsoft Certificate Services on Windows 2008

Integration with IP Phones

CRM Form to Web. Internet Lead Capture. Installation Instructions VERSION 1.0 DATE PREPARED: 1/1/2013

MBAM Self-Help Portals

Microsoft SQL Server Master Data Services Roadmap

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

RedBlack CyBake Online Customer Service Desk

Datacenter Management Optimization with Microsoft System Center

The self-defending network a resilient network. By Steen Pedersen Ementor, Denmark

Installing Sage ACT! 2013 for New Users

Windows Embedded Security and Surveillance Solutions

The Role of Cisco SONA in Enterprise Architecture Frameworks and Strategies

Software Solutions for the Telecommunications Industry

TS Gateway Step-By-Step Guide

Technical Overview of Terminal Services

Vblock Systems hybrid-cloud with Cisco Intercloud Fabric

Object Level Authentication

UPGRADE. Upgrading Microsoft Dynamics Entrepreneur to Microsoft Dynamics NAV. Microsoft Dynamics Entrepreneur Solution.

Managing Wireless Clients with the Administrator Tool. Intel PROSet/Wireless Software 10.1

DYNAMIC PLANNER RISK PROFILER

Pipeliner CRM Phaenomena Guide Add-In for MS Outlook Pipelinersales Inc.

How To Set Up A Load Balancer With Windows 2010 Outlook 2010 On A Server With A Webmux On A Windows Vista V (Windows V2) On A Network With A Server (Windows) On

Exchange Storage Meeting Requirements with Dot Hill

Spotlight Management Pack for SCOM

Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory

Creating and Deploying Active Directory Rights Management Services Templates Step-by-Step Guide

IBM Lotus Protector for Mail Encryption

BlackBerry Enterprise Solution and RSA SecurID

Organized, Hybridized Network Monitoring

How to Secure a Groove Manager Web Site

Server Consolidation with SQL Server 2008

Symantec AntiVirus Corporate Edition Patch Update

Deciding When to Deploy Microsoft Windows SharePoint Services and Microsoft Office SharePoint Portal Server White Paper

New Security Features

Placing the BlackBerry Enterprise Server for Microsoft Exchange in a demilitarized zone

An Overview of Samsung KNOX Active Directory and Group Policy Features

Module 1: Introduction to Designing Security

Open Source Used In Cisco Instant Connect for ios Devices 4.9(1)

How To Manage A Password Protected Digital Id On A Microsoft Pc Or Macbook (Windows) With A Password Safehouse (Windows 7) On A Pc Or Ipad (Windows 8) On An Ipad Or Macintosh (Windows 9)

A Microsoft U.S. Public Sector White Paper by Ken Page and Shelly Bird. January government

Quest Collaboration Services 3.5. How it Works Guide

About Recovery Manager for Active

Cisco Unified Workforce Optimization

Module 1: Overview of Network Infrastructure Design This module describes the key components of network infrastructure design.

Microsoft and Citrix: Joint Virtual Desktop Infrastructure (VDI) Offering

Active Directory and DirectControl

Microsoft Dynamics GP. Check Printing

What s New in Juniper Networks Secure Access (SA) SSL VPN Version 6.4

Dell One Identity Cloud Access Manager How To Deploy Cloud Access Manager in a Virtual Private Cloud

Standalone Trial Guide

Solutions for Microsoft Project Server and Microsoft Dynamics GP Timesheet Integration

Dell One Identity Cloud Access Manager SonicWALL Integration Overview

Deploying Microsoft RemoteFX on a Single Remote Desktop Virtualization Host Server Step-by-Step Guide

October Application Control: The PowerBroker for Windows Difference

Implementing Business Portal in an Extranet Environment

1. Introduction to DirectAccess. 2. Technical Introduction. 3. Technical Details within Demo. 4. Summary

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia 2006 Cisco Systems, Inc. All rights reserved.

Dell Spotlight on Active Directory Server Health Wizard Configuration Guide

AT&T Global Network Client Domain Logon Guide. Version 9.6

Overview of Active Directory Rights Management Services with Windows Server 2008 R2

Course Outline: Designing a Windows Server 2008 Network Infrastructure

Transcription:

Cisco Network Admission Control and Microsoft Network Access Protection Interoperability Architecture Cisco Systems and Microsoft Corporation Published: September 2006

Abstract Cisco Systems, Inc. and Microsoft Corporation have developed an interoperability architecture that allows customers to deploy both the Network Admission Control (NAC) platform available from Cisco and the Network Access Protection (NAP) platform being developed for Microsoft Windows Vista (now in beta testing) and Windows Server code name Longhorn (now in beta testing). The result is a set of components that interoperate, allowing customers to enforce health requirements for network access using a combination of components from Cisco and Microsoft. This white paper describes the set of characteristics that will support the interoperability architecture and how the interoperability architecture works.

Contents Interoperability Features and Benefits 4 Interoperability and Customer Choice 4 Investment Protection 4 Single Agent Included in Windows Vista 4 ISV Integration Ecosystem 4 Agent Deployment and Update Support 4 Cross-Platform Support 4 NAP and NAC Interoperability Architecture 5 How the NAC and NAP Interoperability Architecture Works 6 Summary 7 Related Links 7

Interoperability Features and Benefits Cisco and Microsoft have collaborated to enable rich interoperability between the Cisco Network Admission Control (NAC) and Microsoft Network Access Protection (NAP) solutions. This interoperability will allow customers to realize the benefits of both NAC and NAP while using and preserving their investments in their NAC network and Microsoft NAP desktop and server infrastructure. Interoperability will be supported with the release of NAP in the future version of Windows Server, codenamed Longhorn, which is scheduled to be available in the second half of 2007. Primary features and benefits of the solution include: Interoperability and customer choice Investment protection Single agent included in Windows Vista Independent Software Vendor (ISV) integration ecosystem Agent deployment and update support Cross-platform support Interoperability and Customer Choice The interoperability architecture allows customers to deploy both NAC and NAP incrementally or concurrently. Deployment of heterogeneous NAC and NAP agent (the Cisco Trust Agent and the NAP Agent) environments is also supported. The client agent architecture will be transparent to the Cisco network devices enforcing network access. Deploying both the Cisco Secure Access Control Server (ACS) and the Microsoft Network Policy Server (NPS) will be required for the initial interoperability release. However, Cisco and Microsoft have cross-licensed the NAC and NAP protocols, which provides the opportunity for both companies to respond to future market and customer requirements for a combined policy product. Investment Protection The interoperability architecture enables customer reuse and investment protection of their NAC and/or NAP deployments. For example, customers can begin deploying NAC today and integrate NAP into the environment concurrent with their deployment of Windows Vista and Windows Server Longhorn. Single Agent Included in Windows Vista Computers running Windows Vista or Windows Server Longhorn will include the NAP Agent component as part of the core operating system, which will be used for both NAP and NAC. In addition to the native Extensible Authentication Protocol (EAP) methods and the 802.1X supplicant that are included with the Windows Vista and Windows Server Longhorn operating systems, an additional EAP-FAST method and EAPoverUDP supplicant will be provided to enable interoperability between NAC and NAP. The EAP-FAST method and EAPoverUDP supplicant will be developed by Cisco and distributed by Microsoft with Windows Update and Windows Server Update Services (WSUS) through the EAP Certification Program. Using 802.1X, EAPoverUDP, and EAP-FAST provides agent transparency for the NAC network infrastructure. A single agent architecture for Windows Vista and Windows Server Longhorn greatly simplifies the deployment of a health infrastructure consisting of NAP components, NAC components, or a combination of the two. Computers running Windows XP with Service Pack 2 will need to run the Cisco Trust Agent for NAC and run the NAP Agent for NAP. ISV Integration Ecosystem To simplify the development of third-party health agent and health enforcement components for clients running Windows Vista, the NAP client APIs will serve as the single programmatic interface used for health reporting and enforcement for both NAP and NAC. This will facilitate the integration of applications that collect health information by ISVs. Agent Deployment and Update Support The customer experience and process for deploying the required agent components for interoperability with Windows Vista and Windows Server Longhorn will be similar to deploying typical Windows operating system services. The NAP Agent and 802.1X supplicant are native to the Windows Vista and Windows Server Longhorn operating systems, and the EAP-FAST and EAPoverUDP modules, developed by Cisco, will be distributed by Microsoft with Windows Update and Windows Server Update Services. Additionally, Group Policy configuration support for the agent components (including the EAP-FAST and EAPoverUDP modules) will be supported. Cross-Platform Support To support client operating systems other than Windows, Microsoft will license elements of the NAP client technology to third-party software developers. Cisco will continue to support and develop its NAC client (the Cisco Trust Agent) for non-windows Vista and non-windows Server Longhorn platforms and will continue to execute on its publicly stated direction to submit the Cisco NAC protocols for standardization through open standards processes. 4

Cisco NAC and Microsoft NAP Interoperability Architecture Figure 1 shows the NAC and NAP interoperability architecture. The NAC and NAP interoperability architecture consists of the following components: NAP client (Microsoft): The NAP client computer is a computer running Windows Vista or Windows Server Longhorn that sends its health credentials as either a list of Statements of Health (SoHs) or a health certificate. The client architecture consists of a layer of System Health Agents (SHAs), the NAP Agent, the EAPHost NAP Enforcement Client, EAP methods to perform account credential authentication and indication of health status, and EAP supplicants that allow the client to send EAP messages over 802.1X or UDP. To obtain a current health certificate, the NAP client uses the Health Certificate Enrollment Protocol (HCEP) to send a certificate request and its list of SoHs to the Health Registration Authority (HRA). Network access devices (Cisco): NAC-enabled network access devices (which include switches, routers, wireless access points, VPN concentrators, and so on) provide network access to clients and serve as network enforcement points. Access Control Server (ACS) (Cisco): Cisco Secure ACS authorizes network access for clients by validating the administratively specified client attributes, which could include the identity of the user and/or the computer, and the overall health state of the client. Cisco Secure ACS sends an access profile to the network access device(s) to grant the appropriate level of network access for the client based on the authorization result. Note that validation of the client health state attributes and assignment of the overall client health state in the interoperability architecture are performed by the Microsoft Network Policy Server.

Network Policy Server (NPS) (Microsoft): A Microsoft NPS performs the validation of the computer s system health and provides remediation instructions if needed. Health Registration Authority (HRA) (Microsoft): An HRA obtains health certificates on behalf of NAP clients from a public key infrastructure (PKI) (not shown). Policy servers (Microsoft or third party): Servers that provide current system health state for Microsoft NPSs. Policy servers integrate with Microsoft NPSs through the NPS System Health Validator (SHV) API. To accommodate this interoperability architecture, the NAP and NAC platforms will support the following: Cisco Secure ACS will pass the list of SoHs from the NAP agent to an NPS for overall client health validation. Microsoft NPS will support the Cisco Host Credentials Authorization Protocol (HCAP) to receive the list of SoHs from Cisco Secure ACS and return the list of SoH Responses (SoHRs). Cisco Secure ACSs will perform network access validation based on a health certificate. How the NAC and NAP Interoperability Architecture Works Upon connection to the network, the client will provide a set of credentials that will be validated in order to authenticate and authorize the appropriate level of network access. These client credentials can include user and/or computer identity credentials in addition to health credentials. Clients that are noncompliant can be rate limited, quarantined, remediated, or similarly treated before being granted normal network access. In the interoperability architecture, the client, using the NAP Agent, provides its credentials for validation. The list of SoHs (and optionally user and/or computer identity) is sent to a Cisco Secure ACS with EAP-FAST carried over 802.1X or EAPoverUDP. If a health certificate infrastructure is deployed, the client will send its health certificate to the Cisco Secure ACS for validation rather than sending a list of SoHs. If the NAP Agent sends its list of SoHs to validate system health, the Cisco Secure ACS will send the list of SoHs to a Microsoft NPS for validation using the Cisco HCAP protocol. The Microsoft NPS evaluates the SoHRs against the configured health requirements and returns the health validation results, which include the individual SoHRs and the overall client System SoHR (SSoHR), to the Cisco Secure ACS using HCAP. The Cisco Secure ACS will evaluate all of the credential validation results (which can include user and/or computer identity in addition to the SSoHR) to select and send the appropriate access profile to the network access device(s) to grant the authorized level of network access for the client. The Cisco Secure ACS will also return the SoHRs and the SSoHR to the NAP Agent on the client with EAP-FAST carried over 802.1X or EAPoverUDP. Noncompliant clients that are quarantined will be automatically revalidated upon remediation to provide a transparent end-user experience. If the NAP client sends its health certificate rather than a list of SoHs, the Cisco Secure ACS will validate the certificate as the EAP-FAST session is established to determine the overall client health state. As in the case where a list of SoHs is used, EAP-FAST is carried over 802.1X or EAPoverUDP. Note that limited network access to the HRA is required for the client to acquire a health certificate. The Cisco Secure ACS will validate the health certificate along with any other required credentials (such as user and/or computer credentials) and send the appropriate access profile to the network access device(s) to grant the authorized level of network access for the client. If the client is noncompliant or if the client is unable to provide a health certificate, the client will be quarantined for remediation, and revalidation will occur automatically upon remediation. To obtain a health certificate, the NAP client uses HCEP to send a certificate request and its list of SoHs to the HRA. The HRA sends the list of SoHs to the Microsoft NPS. The Microsoft NPS evaluates the SoHRs against the configured health requirements and sends the SSoHR and the list of SoHRs back to the HRA. If the NAP client does not need to be remediated, the HRA requests a health certificate from the PKI (not shown) and forwards it along with the SSoHR and the list of SoHRs to the NAP client. If the NAP client needs to be remediated, the HRA sends the SSoHR and the list of SoHRs to the NAP client. The NAP client performs the appropriate remediation and sends a new certificate request and its updated list of SoHs to the HRA. 6

Summary Cisco and Microsoft have collaborated to enable rich interoperability between the Cisco Network Admission Control (NAC) and Microsoft Network Access Protection (NAP) solutions. This interoperability will allow customers to realize the benefits of both NAC and NAP while using and preserving their investments in their Cisco NAC network and Microsoft NAP desktop and server infrastructure. Interoperability will be supported with the release of NAP in Windows Server Longhorn, which is scheduled to be available in the second half of 2007. Related Links See the following resources for further information: Microsoft Network Access Protection Web site at www.microsoft.com/nap Cisco Network Admission Control Web site at www.cisco.com/go/nac 7

This White Paper is for informational purposes only. THIS WHITE PAPER IS PROVIDED AS IS. NEITHER MICROSOFT NOR CISCO MAKES ANY WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. IN NO EVENT WILL EITHER MICROSOFT OR CISCO BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE ANY COPYRIGHTED MATTER OR THE INFORMATION PROVIDED HEREIN, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft and Cisco. Microsoft and Cisco may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft or Cisco, as applicable, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, Network Access Protection, and NAP, are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks are property of their respective owners. Microsoft and Cisco employees may reference or cite portions of this white paper in marketing collateral, presentations and other marketing materials, but any use of the other company s logo must be pre-approved by the other company in writing. Each employee has the responsibility to contact its corporate legal department to ensure compliance with any branding, copyright usage or other modification requirements. 2006 Microsoft Corporation and Cisco Systems, Inc. All rights reserved. 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information