Remote VPN and NAC/NAP

Unanswered Question
Dec 17th, 2008

Hello!

Does anybody know whether there is an opportunity to implement Microsoft NAP with a VPN client terminating on an ASA? I.e., I want to permit access to the network after MS posture validation. Is this realistic, or should I use only the Cisco proprietary NAC solution?

Regards, Amir

drienties Tue, 12/23/2008 - 03:01

Apparently it is easily possible if you deploy NAP using IPsec enforcement. I found a quote on the TechNet forum that makes perfect sense to me:

"Because the IPsec enforcement method uses certificates that can be given (or not given) to computers connecting to the network through any means, you can use IPsec even if (for example) clients connected through a VPN device that doesn't support NAP VPN enforcement. To set this up, you would configure the NAP client computers for IPsec enforcement similar to what is done in the IPsec step by step guide. If you want clients to have access to certificates when they are not connected to the VPN, you would have to supply some of the NAP infrastructure on the Internet, specifically the HRAs. You can also put everything on your intranet and check health only when clients connect through the VPN."

source: http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/ab7a5a06-b258-4918-a4a4-e1c96f7a2e6d/

There are also people who managed to get NAP with VPN enforcement working on a PIX, so I guess it should be doable with an ASA as well.

PIX working with NAP VPN: http://social.technet.microsoft.com/forums/en-US/winserverNAP/thread/d20ddfef-3275-4903-893e-853049bc1925
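The quoted explanation turns on one point: with IPsec enforcement, what decides whether a remote client gets into the protected network is whether it holds a valid health certificate from an HRA, not what the VPN concentrator knows about NAP. The following PowerShell is an added example, not code from this thread or from Cisco or Microsoft, that a Windows administrator could run on a client to see whether it currently holds such a certificate and what the NAP client itself reports. It assumes the NAP client components are installed and that health certificates carry the System Health Authentication EKU; the OID used is the one Microsoft documents for that EKU, but confirm it against your own HRA certificate template.

```powershell
# Added example: check a Windows client for a NAP health certificate and dump NAP client state.
# Assumptions (not from the thread):
#  - the NAP Agent service / NAP client is installed on this machine;
#  - health certificates issued by the HRA carry the System Health Authentication EKU,
#    OID 1.3.6.1.4.1.311.47.1.1 (verify against your HRA template).
# Run from an elevated PowerShell session on the client.

$HealthAuthEku = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication EKU (assumed; verify locally)
$now = Get-Date

# 1. Look in the machine personal store for certificates with the health EKU.
$healthCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    ($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $HealthAuthEku
}

if (-not $healthCerts) {
    # Without a health certificate the IPsec policy on protected hosts will not authenticate this client.
    Write-Output 'No health certificate present in Cert:\LocalMachine\My.'
} else {
    foreach ($cert in $healthCerts) {
        $state = if ($cert.NotAfter -lt $now) {
            'EXPIRED'
        } elseif ($cert.NotBefore -gt $now) {
            'NOT YET VALID'
        } else {
            'valid'
        }
        Write-Output ('Health cert {0} issued by {1}, valid until {2:u} ({3})' -f `
            $cert.Thumbprint, $cert.Issuer, $cert.NotAfter, $state)
    }
}

# 2. Ask the NAP client for its own view (enforcement clients, restriction state, HRA contact).
$napState = netsh nap client show state 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Output 'netsh nap client show state failed; check that the NAP Agent service is running.'
} else {
    $napState
}
```

Run it before and after connecting the VPN: if the client only obtains its health certificate while connected, that matches the quoted design where the HRA sits on the intranet and health is checked at VPN connect time; if you expect clients to hold a certificate while off the VPN, the HRA has to be reachable from the Internet, as the quote notes.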
