Cisco Support Community

Remote VPN and NAC/NAP


Does anybody know whether it is possible to implement Microsoft NAP with a VPN client terminating on an ASA? I.e., I want to permit access to the network after MS posture validation. Is that realistic, or should I use only the Cisco proprietary NAC solution?

Regards, Amir


Re: Remote VPN and NAC/NAP

Apparently it is easily possible if you deploy NAP using IPsec enforcement. I found a quote on the TechNet forum that makes perfect sense to me:

"Because the IPsec enforcement method uses certificates that can be given (or not given) to computers connecting to the network through any means, you can use IPsec even if (for example) clients connected through a VPN device that doesn't support NAP VPN enforcement. To set this up, you would configure the NAP client computers for IPsec enforcement similar to what is done in the IPsec step by step guide. If you want clients to have access to certificates when they are not connected to the VPN, you would have to supply some of the NAP infrastructure on the Internet, specifically the HRAs. You can also put everything on your intranet and check health only when clients connect through the VPN."


There are also people who managed to get NAP with VPN enforcement working on a PIX, so I guess it should be doable with an ASA as well.

PIX working with NAP VPN:

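As an added illustration of the IPsec-enforcement approach the reply above quotes (this is not configuration from the thread or from Cisco or Microsoft documentation for this scenario): the client is switched from the RAS/VPN enforcement client, which an ASA cannot drive, to the IPsec enforcement client, is told which HRA issues health certificates, and the servers in the protected zone are given a connection security rule that only accepts inbound IPsec authenticated with a health certificate. The hostname hra.example.com, the trusted server group name and the CA distinguished name are assumptions; the enforcement client IDs 79618 (RAS) and 79619 (IPsec) are the values Windows uses for those clients.

```powershell
# Added example, not from the original post. Run in an elevated prompt.
# Hostnames, group name and CA DN are placeholders (assumptions).

# --- On each NAP client --------------------------------------------------
# Enable the IPsec relying-party enforcement client and disable the RAS (VPN)
# one; the ASA terminates the tunnel, so VPN enforcement never runs there.
netsh nap client set enforcement ID = 79619 ADMIN = "ENABLE"
netsh nap client set enforcement ID = 79618 ADMIN = "DISABLE"

# Tell the client where to request a health certificate. The HRA can sit on
# the intranet only (health is then checked once the tunnel is up) or be
# published on the Internet as the quoted reply describes.
netsh nap client add trustedservergroup name = "NAP HRA" requirehttps = "enable"
netsh nap client add server group = "NAP HRA" url = "https://hra.example.com/DomainHRA/hcerthttp" processingorder = "1"

# Confirm the IPsec enforcement client is enabled and initialized.
netsh nap client show state
netsh nap client show config

# --- On each server in the protected zone --------------------------------
# Require inbound IPsec (outbound may go in the clear so the server can still
# reach boundary hosts), authenticated with a computer certificate from the
# NAP CA, and additionally require that it carry the health-certificate OID.
# A VPN client that has not passed the HRA health check holds no such
# certificate and so cannot complete the negotiation.
netsh advfirewall consec add rule name="NAP IPsec enforcement" endpoint1=any endpoint2=any action=requireinclearout auth1=computercert auth1ca="DC=com,DC=example,CN='NAP Health CA'" auth1healthcert=yes

# Verify the rule and, after a client connects, the established SA.
netsh advfirewall consec show rule name="NAP IPsec enforcement"
netsh advfirewall monitor show mmsa
```

Note that the VPN concentrator plays no part in this: the ASA only provides IP reachability, and access to protected hosts is decided by whether the client can present a valid health certificate in the IPsec negotiation. Non-compliant clients therefore still reach anything not covered by the rule (boundary servers, remediation servers), which is what the quoted reply relies on.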