Microsoft Network Access Protection (NAP) is a policy-based management feature of Windows Server 2008 that allows a network administrator to control access to network resources.
An endpoint device without malware protection, the latest operating system patches, a properly configured firewall and other well-proven security measures can pose a significant risk to the corporate network. NAP policies ensure that these and other features are in place and current before the endpoint device is allowed access to the network. Devices that are not in compliance may have their access restricted or blocked entirely.
NAP is built around a Network Policy Server (NPS) which replaces the older Internet Authentication Service (IAS) in Windows Server 2003. NPS is a RADIUS-compatible server designed to provide authentication and authorization for remote clients, and it acts as the "health evaluation server" for Network Access Protection. The NPS stores the administrator's NAP policies, which are also referred to as health policies.
The actual evaluation of the rules in a policy is performed by an enforcement point, which is a compatible RADIUS client that's capable of communicating with NPS.
NPS supports three types of policies:
- Connection requests: Determine general rules for requests from RADIUS clients, such as whether specific requests are handled by the NPS or proxied to another RADIUS server.
- Network policies: Define how connection attempts are either authorized or rejected.
- Health policies: Define health rules that must be met in order to connect.
Here is how NAP works:
During login, a NAP client reports system status to a NAP enforcement device such as a switch, VPN server, DHCP server, or other services. The NAP enforcement device reports the endpoint’s health to a Network Policy Server under Windows Server 2008 or Windows Server 2008 R2. The NPS evaluates the status against requirements established by the system administrator.
If the NAP client logging in meets the NPS requirements, it will be allowed to log into the corporate network normally. If the NAP client trying to log into the corporate network doesn’t comply with NPS requirements, the client can be blocked or placed on a network with restricted access until its health can be corrected by the user or through a remediation server containing the required patches, signatures or other content. Once the client’s health is updated and compliant, a new request for a health check can be made.