© PAnja Kaiser, Fotolia.com

Port-based access protection with NAP and 802.1X

Access Ticket

Article from ADMIN 09/2012

Mobile devices require special security considerations. In combination with IEEE 802.1X, Network Access Protection can ensure that mobile devices maintain the necessary security standards before they're granted access to the enterprise network.

Network Access Protection (NAP) was introduced with Windows Server 2008 and gives the network administrator the ability to check a client's security status on network access. This process involves checking the client's compliance with defined health policies. A health policy can test whether a firewall is enabled for specific profiles, an antivirus scanner exists, the pattern updates are up to date, or the operating system has the current patch status.

Network access can be refused, or at least restricted, if the client does not comply with the policy. The ability to restrict rather than refuse access is useful because it lets you redirect the client to a maintenance network, where it can pick up updates or a compliant configuration. Once the client complies with the policy, it is rechecked and then allowed to access the network without any restrictions. NAP is supported on Windows XP SP3 with some restrictions, which no longer apply as of Windows Vista.

Many Roads Lead to Rome

Various types of NAP are available for access protection, including DHCP, VPN, IPsec, Terminal Services (e.g., Remote Desktop Services), and IEEE 802.1X devices. This article covers access via wired 802.1X devices, which are basically switches. Another typical deployment scenario for 802.1X is WLAN connections via an access point. In both cases, the setup is less a question of authentication (although 802.1X is designed for this) and more about compliance with configuration standards.

NAP Terminology

Various parts need to mesh for NAP to work. To begin, the client needs a NAP agent that collects the required information about the status of the components to be tested, for example:

  • Firewall status
  • Windows Update
  • Antivirus scanner
  • Vendor-specific
...