
Remote VPN and NAC/NAP

uralsib
Level 1

Hello!

Does anybody know if there is an opportunity to implement Microsoft NAP with a VPN client terminating on an ASA? I.e., I want to permit access to the network after MS posture validation. Is it real, or should I use only the Cisco proprietary NAC solution?

Regards, Amir

1 Reply

drienties
Level 1

Apparently it is easily possible if you deploy NAP using IPsec enforcement. I found a quote on the TechNet forum that makes perfect sense to me:

"Because the IPsec enforcement method uses certificates that can be given (or not given) to computers connecting to the network through any means, you can use IPsec even if (for example) clients connected through a VPN device that doesn't support NAP VPN enforcement. To set this up, you would configure the NAP client computers for IPsec enforcement similar to what is done in the IPsec step by step guide. If you want clients to have access to certificates when they are not connected to the VPN, you would have to supply some of the NAP infrastructure on the Internet, specifically the HRAs. You can also put everything on your intranet and check health only when clients connect through the VPN."

source: http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/ab7a5a06-b258-4918-a4a4-e1c96f7a2e6d/

There are also people who managed to get NAP with VPN enforcement working on a PIX, so I guess it should be doable with an ASA as well.

PIX working with NAP VPN: http://social.technet.microsoft.com/forums/en-US/winserverNAP/thread/d20ddfef-3275-4903-893e-853049bc1925
