12.7. Working Together

Interestingly enough, although Cisco, Microsoft, and the Trusted Computing Group promote their frameworks and architectures, they also work together to provide greater interoperability. These varying types and levels of interoperability can deliver many strategic benefits to your organization.

12.7.1. Microsoft NAP–Cisco NAC framework

Microsoft NAP and Cisco NAC frameworks can interoperate. This interoperability between frameworks allows organizations to protect their investments in network and security infrastructure. With a combined, interoperable framework, an organization can use a single agent, the NAP Agent in Microsoft Windows Vista, so it doesn't need the Cisco Trust Agent (CTA), which the non-integrated Cisco NAC framework requires. It can also use a single API to develop any necessary client- and server-side components to support the interoperable frameworks.

The integrated Cisco NAC–Microsoft NAP framework can use several of the Cisco NAC framework components and many of the Microsoft NAP framework components. (We describe these components in the section "Microsoft Network Access Protection [NAP]," earlier in this chapter.) It reuses and repurposes some of these components, so you should know their function and how they work together in the combined framework.

NOTE

The Cisco NAC Appliance isn't part of the Cisco NAC–Microsoft NAP integrated framework.

A computer or other device that runs Microsoft Windows Vista Service Pack 1 or Windows Server 2008 should have the necessary Microsoft NAP Agent preloaded. The device needs the NAP Agent because it uses that Agent — as well as other NAP client-side components — to communicate its health and security state to the server:

  1. The computer or other device attempts network access by using the 802.1X standard through an 802.1X-compatible Network Access Device (NAD).

    The compatible NADs may include

    • An 802.1X-enabled switch or wireless access point, connecting via RADIUS to a Cisco Access Control Server (ACS)

    • A router that has the ability to send a connection request to the Cisco ACS via Extensible Authentication Protocol (EAP) over User Datagram Protocol (UDP)

  2. After receiving the endpoint device's connection request via the NAD, Cisco ACS sends a request back to the endpoint device asking for a Statement of Health (SoH).

  3. The relevant System Health Agents (SHAs), the client-side components that monitor the security and health state of the device attempting network access, gather the requested state information about the device.

    The device needs a NAP EAPHost enforcement client (EC) because that client carries the network access request; the NAP Agent service brokers the communication between the SHAs and the EC.

  4. The NAP Agent packages the device's health and security state, as well as the network credentials for authentication, into an SoH and communicates that SoH to the Cisco ACS through a specific EAP method — Extensible Authentication Protocol–Flexible Authentication via Secure Tunneling (EAP-FAST), a Cisco-developed, publicly available tunneled EAP type that uses the 802.1X standard.

    The NAP Agent packages the health and security state data, along with the network credentials (user and/or device credentials), in the SoH and communicates them to Cisco ACS through an 802.1X-compatible NAD that uses RADIUS messaging.

  5. After receiving the network credentials via EAP-FAST, Cisco ACS validates the network credentials against a Microsoft Active Directory authentication data store. If Cisco ACS can authenticate the user and device, it forwards the SoH — which contains the device's security and health state data — on to the Microsoft Network Policy Server (NPS) via Host Credential Authorization Protocol (HCAP).

    HCAP, which you must deploy with Microsoft NPS, enables the interoperability between the Microsoft NAP and Cisco NAC frameworks by letting Microsoft NPS perform 802.1X authorization (including enforcement of the Microsoft NAP health policies) while Cisco ACS performs the necessary AAA functions, including user and device authentication.

  6. Microsoft NPS validates the device's security and health state and reports the result back to Cisco ACS via HCAP. Cisco ACS then tells the NAD which network access action to take, including a network access profile (predetermined by the organization) that the NAD applies to the specific port to which the device is connected.

  7. Cisco ACS sends an SoH Response (SoHR) to the NAP Agent by using RADIUS and EAP-FAST. The SoHR, based on the device's level of compliance with security and health policy (as determined by the Microsoft NPS response), either provides the device with network access if it's compliant with policy or directs it to the non-compliant VLAN if it's not compliant.

    Cisco ACS may restrict non-compliant devices from accessing the network until those devices are remediated, at which time it re-verifies their compliance with policy and re-authenticates their network credentials. If a device passes both the new policy check and re-authentication, the framework grants the user and device network access.

12.7.2. Microsoft NAP and TNC

The Trusted Computing Group (TCG) and Microsoft Corporation (a TCG member and active participant in TCG standards development) have made their respective NAC frameworks — TNC and NAP — interoperable. The interoperability between these two leading NAC frameworks delivers easy-to-use, cost-effective, scalable endpoint integrity and NAC to organizations. It also provides investment protection, enabling organizations to leverage their existing investments in network equipment and endpoint software while future-proofing their investments in NAC. And it lowers implementation costs and deployment time, as well as offering a consistent, single NAC software client.

Microsoft contributed its Statement of Health (SoH) protocol to the TCG, which published it as a new TNC specification, IF-TNCCS-SOH. Published by the TCG and available for download or implementation, IF-TNCCS-SOH is an open-standard client-server protocol that reports the health and security state of an endpoint device before that device is granted a network connection. The IF-TNCCS-SOH protocol complements the TNC's IF-TNCCS protocol. These two protocols define alternative methods for exchanging information between the TNC Client (TNCC) and the TNC Server (TNCS), and they are the protocols normally used for endpoint health checks.

When an endpoint device requests network access, it must report its security and health state, whether that device is operating in a network protected by a TNC-architected NAC solution or by a Microsoft NAP framework solution. The device communicates this security and health information by using an SoH. If the endpoint device meets the required, predefined security and endpoint health policies, which the Policy Decision Point (PDP) in the TNC architecture defines and validates, the PDP grants the device the appropriate network access, based on user authentication (identity) and the device security and health check (integrity). If the PDP finds that an endpoint device's security and health state is non-compliant with those policies, it directs the device to a quarantine network. The quarantine network gives the device limited network access until the device has been remediated (brought into policy compliance), its security and health state has been rechecked, and, possibly, its credentials have been re-authenticated. If the endpoint device meets policy after remediation, it gains appropriate, relevant network access, depending on the policies that the managing organization administers.

The interoperability between the TNC architecture and the Microsoft NAP framework occurs at three different points in the NAC framework: at the endpoint device, at the PDP in the TNC architecture, and at the Policy Enforcement Point (PEP) in the TNC architecture.

When an endpoint device requests network access, it communicates its captured security and health state, as well as network credentials (such as user and/or device credentials), to a PDP in the TNC architecture's interoperable TNC-NAP framework by using the IF-TNCCS-SOH protocol. When an endpoint device uses this standard protocol, that device can be either a NAP client or a TNC Client. In fact, it can use a mix of NAP clients and TNC Clients with any vendor's NAP server or TNC server, as long as it uses the IF-TNCCS-SOH protocol.

The PDP determines the level of network access to grant the endpoint device after it authenticates the network credentials (user and/or device credentials) and compares the security and health state of the endpoint device to your organization's predefined security and access control policies. For endpoint devices that don't comply with policy, the PDP in the interoperable TNC-NAP framework sends remediation instructions to those devices through the IF-TNCCS-SOH protocol and access control instructions (via RADIUS) to the PEP. In this situation, your organization needs only a single PDP server, regardless of whether it's a NAP server, such as the Microsoft Network Policy Server (NPS), or a TNC server. However, if your organization chooses to implement and use multiple PDP servers, perhaps to leverage existing infrastructure or to follow an organizational blueprint, you can do that as well.

Depending on the access control instructions that the PDP provides after it authenticates the network credentials and evaluates a device's security and health status, the PEP (in the form of a switch, access point, router, gateway, or firewall) may grant the endpoint device full or limited network access, or may deny it network access altogether, according to your organization's policies. If the PDP quarantines the endpoint device and requires remediation, the device may have limited network access, such as being restricted to a remediation server, until the device is remediated, re-authenticated, and re-checked for its security and health state.
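To make the exchange described in Sections 12.7.1 and 12.7.2 concrete, the following Python simulation is an added example, not code from Cisco, Microsoft, or the TCG. An endpoint packages SHA reports into a Statement of Health; the server side first authenticates the credentials (the Cisco ACS or PDP role) and only then evaluates the SoH against a health policy (the Microsoft NPS or PDP role); it returns a Statement of Health Response with remediation instructions to the endpoint and an access profile (full access, quarantine VLAN, or deny) for the NAD or PEP. After remediation the endpoint submits a fresh SoH and is re-authenticated and re-checked, as both sections describe. The message fields, directory entries, health checks, and VLAN names are constructed stand-ins; the real EAP-FAST, HCAP, and IF-TNCCS-SOH encodings are not modeled.

```python
"""Simulated NAC health check: SoH in, SoHR plus enforcement decision out.

Added example for the book text; not the Cisco ACS, Microsoft NPS or TCG code.
All names, policy checks and VLAN labels below are constructed stand-ins.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# --- endpoint side (NAP Agent / TNC Client role) ---------------------------

@dataclass
class SoH:
    """Statement of Health: credentials plus per-SHA health state (constructed)."""
    user: str
    device: str
    health: dict           # e.g. {"firewall": "on", "av_signature_age_days": 2}

def build_soh(user: str, device: str, sha_reports: list[dict]) -> SoH:
    """NAP Agent role: merge each System Health Agent's report into one SoH."""
    health: dict = {}
    for report in sha_reports:
        health.update(report)
    return SoH(user, device, health)

# --- policy decision side (ACS + NPS, or a single TNC PDP) -----------------

# Constructed authentication store standing in for Active Directory.
DIRECTORY = {("alice", "LAPTOP-01"), ("bob", "LAPTOP-02")}

# Constructed health policy: (compliance check, remediation instruction).
HEALTH_POLICY = {
    "firewall": (lambda v: v == "on", "Enable the host firewall"),
    "av_signature_age_days": (lambda v: isinstance(v, int) and v <= 7,
                              "Update antivirus signatures"),
    "patch_level": (lambda v: v == "current", "Install pending OS updates"),
}

def authenticate(soh: SoH) -> bool:
    """ACS / PDP role: validate user and device credentials (the AAA step)."""
    return (soh.user, soh.device) in DIRECTORY

def evaluate_health(soh: SoH) -> list[str]:
    """NPS / PDP role: compare the SoH against policy and return one
    remediation instruction per failed or missing check (empty = compliant)."""
    failures = []
    for name, (check, fix) in HEALTH_POLICY.items():
        if name not in soh.health or not check(soh.health[name]):
            failures.append(fix)
    return failures

@dataclass
class SoHR:
    """Statement of Health Response sent back to the endpoint."""
    compliant: bool
    remediation: list[str] = field(default_factory=list)

@dataclass
class AccessDecision:
    """Access profile the NAD / PEP applies to the device's port (constructed)."""
    action: str            # "full", "quarantine" or "deny"
    vlan: str

def decide(soh: SoH) -> tuple[SoHR, AccessDecision]:
    """Authenticate first; only an authenticated device gets a health check.
    Returns the SoHR for the endpoint and the decision for the enforcement point."""
    if not authenticate(soh):
        return SoHR(False, ["Credentials rejected"]), AccessDecision("deny", "none")
    remediation = evaluate_health(soh)
    if remediation:
        return SoHR(False, remediation), AccessDecision("quarantine", "vlan-remediation")
    return SoHR(True), AccessDecision("full", "vlan-corporate")

def remediate_and_recheck(soh: SoH, fixes: dict) -> tuple[SoHR, AccessDecision]:
    """After remediation the endpoint sends a new SoH; it is re-authenticated
    and its health is re-checked exactly as on the first attempt."""
    return decide(SoH(soh.user, soh.device, {**soh.health, **fixes}))

if __name__ == "__main__":
    # Constructed SHA reports: firewall SHA says off, patch/AV SHA is healthy.
    soh = build_soh("alice", "LAPTOP-01",
                    [{"firewall": "off"},
                     {"av_signature_age_days": 2, "patch_level": "current"}])
    print(decide(soh))                                    # quarantine, one fix
    print(remediate_and_recheck(soh, {"firewall": "on"}))  # full access
```

The ordering in `decide` mirrors step 5 of Section 12.7.1: the SoH is only forwarded for a health decision once the credentials have been validated, and a failed health check yields both a remediation list for the endpoint and a restricted profile for the enforcement point rather than a bare reject.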

As Figure 12-4 shows, the interoperability and commingling of the TNC architecture and NAP framework, together with Microsoft's contribution of SoH to the TCG and the subsequent release of the TNC's open, published IF-TNCCS-SOH protocol, enable NAP servers (such as Microsoft NPS) to perform security and health checks on TNC clients without additional software. Likewise, TNC servers can perform security and health checks on NAP clients (endpoint devices running Microsoft Windows Vista or Windows XP Service Pack 3) without needing to add software.

Figure 12.4. How the TNC architecture and NAP framework work together.
