The following figure shows key elements in a NAP Environment.
System Health Validation occurs when a NAP Client requests a level of network access. The Enforcement Client (EC) that enforces access rules to the requested network service requests system health data from the NAP agent. The EC forwards a list of Statements of Health (SoHs) to the corresponding Enforcement Server (ES) on a NAP server. The NAP server sends the list of SoHs to a Network Policy Server (NPS). The NPS acts as a RADIUS server to authenticate connections and verify system health status. A System Health Validator (SHV) running on the NPS examines and validates the contents of the SoH. The SHV returns one of two possible results: compliant or not compliant. If all SHVs return a status of compliant, then the ES grants the Host platform access to the network resource.
The system health agents examine a variety of possible conditions that are typically based on the state of the device operating system as well as applications such as Anti-Virus, Intrusion Detection System and Firewall. For example, this enables customers to implement an Anti-Virus policy such as “Restricted access unless the AV application from vendor XXX, version YYY is enabled using the latest scan engine version and signature file version.”
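The validation rule described above, shown as an added sketch that is not Intel or Microsoft code: each SHV checks its own SoH, and access is granted only if every SHV reports compliant. The SoH field names, the numeric version values, the firewall validator and the fail-closed handling of a missing SoH are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy for the anti-virus rule quoted above.
# "XXX"/"YYY" are the page's placeholders; the numeric versions are made up.
AV_POLICY = {"vendor": "XXX", "version": "YYY", "engine": 12, "signatures": 3400}


@dataclass(frozen=True)
class SoH:
    source: str                       # health agent that produced the statement
    fields: dict = field(default_factory=dict)


def av_shv(soh):
    """Compliant only if the required AV product is enabled and up to date."""
    f = soh.fields
    return (f.get("vendor") == AV_POLICY["vendor"]
            and f.get("version") == AV_POLICY["version"]
            and f.get("enabled") is True
            and f.get("engine", -1) >= AV_POLICY["engine"]
            and f.get("signatures", -1) >= AV_POLICY["signatures"])


def firewall_shv(soh):
    """Hypothetical second validator: the host firewall must be on."""
    return soh.fields.get("enabled") is True


# SHVs configured on the NPS in this sketch, keyed by the SoH they validate.
SHVS = {"antivirus": av_shv, "firewall": firewall_shv}


def nps_decision(soh_list):
    """Return (grant, per-SHV results) for the SoH list forwarded by the ES.

    Iterating over the configured SHVs, not over the SoHs received, means an
    empty or partial list cannot pass by vacuous truth (all([]) is True).
    """
    by_source = {s.source: s for s in soh_list}
    results = {}
    for name, shv in SHVS.items():
        soh = by_source.get(name)
        # Assumption: an SoH that is absent counts as not compliant.
        results[name] = soh is not None and shv(soh)
    return all(results.values()), results
```
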
The following figure shows the Intel AMT context in passive mode.
1. The Intel AMT device generates the SoH parameters in response to a periodic request. Beginning in Release 9.0, the request comes from the Local Manageability Service (LMS). Prior to Release 9.0, the request came from the User Notification Service (UNS).
2. The LMS builds a message in SoH format and stores it locally.
3. The NAP Agent requests a SoH periodically from the LMS or when there is a change in status (for example, a mobile platform attempts to connect to a different access point). The LMS retrieves the last saved posture and returns it to the NAP Agent.
4. The NAP Agent sends the SoH combined with other platform SoHs to the EC to support a periodic requirement or a change in some platform condition.
5. The EC requests network access from the corresponding ES running on the NAP server.
6. The ES forwards the SoH to the NPS for validation and a health determination by the SHV.
Copyright © 2006-2022, Intel Corporation. All rights reserved.