Saturday, April 4, 2009

Deploying Microsoft Network Access Protection (NAP) with Aruba's Mobile Network Solutions

Introduction

With the increasing trend toward mobility, more and more companies outfit their employees with wireless mobile devices that leave the corporate network and attach to networks at homes, public wireless hotspots, hotels, and partner sites. When these devices return to the corporate network, any malicious software they may be carrying can spread to other corporate systems. For this reason, ensuring that devices are properly protected from malicious software has become a key interest of IT departments.

Aruba Networks' user-centric architecture has comprehensive access control capabilities and is built on a standards-based architecture that can easily integrate third-party security vendors for functions such as endpoint compliance. Aruba has partnered with Microsoft® to support Network Access Protection (NAP) for mobile users. Network Access Protection for Windows Vista™ and Windows Server® "Longhorn" (now in beta) is a technology designed to prevent networked assets from connecting to, or communicating with, non-compliant clients. It enforces compliance with network access and health requirement policies by setting access rights based upon validated health state and by coordinating endpoint remediation services to ensure ongoing compliance.

NAP for Wireless LANs

This article introduces the NAP solution within the scope of the 802.1X and 802.11i wireless security mechanisms. The full deployment document is attached.
A Simple NAP Architecture

[Diagram: Aruba and Microsoft Network Access Protection Architecture]

Wireless Settings

A general recommendation is to implement the highest level of encryption available, which, for an 802.11 network, is 802.11i, followed by 802.1X. The SSID used to connect users to the corporate network should support WPA2-AES / WPA-TKIP or dynamic WEP with 802.11i / 802.1X Wi-Fi authentication methods.

NAP Operations

The basic Microsoft NAP solution can be illustrated by the diagram above.

1. The managed Microsoft client tries to connect to the network and is required to authenticate.
2. The client provides its login credentials to the server, and during the login process the client's NAP agent (system health agent), if enabled on the client, presents the client's current health status (antivirus signatures, patch levels, firewall settings, applications, etc.).
3. The Aruba mobility controller forwards the authentication credentials and health state information over the RADIUS protocol to the Network Policy Server (NPS, a Microsoft RADIUS server). The NPS evaluates the client's health status against a pre-defined set of policies.
4. Microsoft NPS validates the client's credentials once received. If the client credentials do not match the entries in Active Directory, the authentication fails, a failed authentication message is passed to the Aruba controller, and the controller denies network access to the client.
5. If the authentication succeeds but the client is not compliant with the predefined health requirement policy, Microsoft NPS sends limited network access configuration information to the Aruba mobility controller, which places the client in a "role" with restrictive firewall policies. The client has limited access to the network or to other clients and is redirected to get updates from a remediation server. The client requests and receives the updates, then starts over by re-authenticating.
6. If the client is compliant with the health requirement policy, it is granted access to the network according to its business needs; e.g. a sales user is granted access to sales servers while access to finance networks and servers is blocked.
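The three NPS outcomes in the steps above (rejected credentials, authenticated but non-compliant, compliant) can be modelled as a small policy evaluator. This is an added example, not code from the article, Aruba or Microsoft; the directory, the health thresholds and the role names are constructed assumptions, and the password comparison stands in for the EAP exchange a real NPS performs inside 802.1X.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed stand-in for Active Directory: username -> password, group memberships.
DIRECTORY = {
    "alice": {"password": "s3cret-pw", "groups": ["sales"]},
    "bob":   {"password": "other-pw", "groups": ["finance"]},
}

# Health requirement policy as the NPS would hold it (assumed thresholds and names).
MIN_PATCH_LEVEL = 3
QUARANTINE_ROLE = "nap-remediation"      # restrictive controller role for non-compliant clients
ROLE_BY_GROUP = {"sales": "sales-user", "finance": "finance-user"}

@dataclass
class StatementOfHealth:      # what the client's NAP agent reports during the 802.1X exchange
    antivirus_current: bool
    firewall_enabled: bool
    patch_level: int

@dataclass
class Decision:
    access: str                 # "Access-Reject" or "Access-Accept"
    role: Optional[str]         # user role handed to the Aruba controller
    reasons: List[str] = field(default_factory=list)

def check_health(soh: StatementOfHealth) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    failures = []
    if not soh.antivirus_current:
        failures.append("antivirus signatures out of date")
    if not soh.firewall_enabled:
        failures.append("host firewall disabled")
    if soh.patch_level < MIN_PATCH_LEVEL:
        failures.append(f"patch level {soh.patch_level} below required {MIN_PATCH_LEVEL}")
    return failures

def evaluate(username: str, password: str, soh: StatementOfHealth) -> Decision:
    """Model the three NPS outcomes: reject, quarantine for remediation, or business role."""
    user = DIRECTORY.get(username)
    if user is None or user["password"] != password:   # step 4: credentials do not match AD
        return Decision("Access-Reject", None, ["credentials do not match directory"])
    failures = check_health(soh)
    if failures:                                        # step 5: authenticated but non-compliant
        return Decision("Access-Accept", QUARANTINE_ROLE, failures)
    role = next((ROLE_BY_GROUP[g] for g in user["groups"] if g in ROLE_BY_GROUP), "authenticated")
    return Decision("Access-Accept", role)              # step 6: role by business need

def remediate(soh: StatementOfHealth) -> StatementOfHealth:
    """Updates pulled from the remediation server before the client re-authenticates."""
    return StatementOfHealth(True, True, max(soh.patch_level, MIN_PATCH_LEVEL))
```

Running `evaluate` on a client, then on `remediate(...)` of the same statement of health, reproduces the quarantine-then-re-authenticate loop of step 5.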
Advantages of Using Aruba

The Aruba solution allows the network manager to further enhance the usability, scalability and manageability of this solution. By using the Aruba system's ability to assign roles and policies to users based on their authentication state and the attributes returned, users can be dynamically classified into different user groups based on the authentication results.
