Host Credential Authorization Protocol (HCAP) allows you to integrate your Microsoft Network Access Protection (NAP) solution with Cisco Network Admission Control. When you deploy HCAP with Network Policy Server (NPS) and NAP, NPS can perform the authorization of Cisco 802.1X access clients, including the enforcement of NAP health policy, while Cisco authentication, authorization, and accounting (AAA) servers perform authentication.
To deploy an HCAP server, you must do the following:
- Deploy NAP-capable client computers. Configure client computers
to use Cisco EAP-FAST as the authentication method for network
- Using NAP deployment documentation, deploy NAP, which includes
configuring client computers with system health agents (SHAs) and
NPS servers with the corresponding system health validators
- Using Cisco deployment documentation, deploy Cisco Network
- Using the Add Roles wizard from Server Manager, install HCAP
server. HCAP server is a role service of the Network Policy and
Access Services server role. When you install HCAP server, the
additional required components, Internet Information Services (IIS)
and NPS, are installed on the same computer. In addition, a server
certificate is autoenrolled to the server running IIS to allow
Secure Sockets Layer (SSL) connections between IIS and the Cisco
- Configure IIS to listen to specified IP addresses to allow
Cisco AAA servers to send authorization requests.
- Configure the Cisco AAA server with the URL of the server
running HCAP, NPS, and IIS so that the Cisco AAA server can send
authorization requests to NPS.
- Configure NPS on the HCAP server as a RADIUS proxy to forward
authorization requests to NPS servers that are members of one or
more remote RADIUS server groups. Optionally, you can configure NPS
on the HCAP server as a RADIUS server to process authorization
- Configure NPS servers as RADIUS servers to perform
authorization, which includes deploying NAP and creating health
policy in NPS. If the NPS-HCAP server is a RADIUS proxy that
forwards connection requests to NPS RADIUS servers in remote RADIUS
server groups, you must configure the RADIUS proxy as a RADIUS
client on each RADIUS server.
- On NPS RADIUS servers, configure network policy with NAP health
policy. If desired, network policy conditions can include
HCAP-Group-Name and HCAP-Location-Group for NAP interoperability
with Cisco Network Admission Control. In addition, you can use the
Extended State condition in network policy to specify the extended
state of the client computer that is required to match the network
policy. Extended states are elements of Cisco Network Admission
Control, and include Transitional, Infected, and Unknown. By using
this network policy condition, you can configure NPS to authorize
or reject access based on whether the client computer is in one of
Authentication and authorization process
After deploying both Cisco Network Admission Control and NPS with NAP, the authentication and authorization process works as follows:
- The client computer attempts to access the network. The client
can attempt to connect through an 802.1X authenticating switch or
through an 802.1X wireless access point that is configured as a
RADIUS client to the Cisco AAA server.
- After the Cisco AAA server receives the connection request from
the network access server or router, the Cisco AAA server requests
statement of health (SoH) data from the client by sending an
EAP-Type Length Value (EAP-TLV).
- SHAs on the client computer report health status to NAP Agent
on the client, and NAP Agent creates an SoH, which it sends to the
Cisco AAA server.
- The Cisco AAA server forwards the SoH using HCAP to the NPS
proxy or server along with the client computer's user ID, machine
ID, and location.
- If the NPS-HCAP server is configured as a RADIUS proxy, NPS
forwards the authorization request to the appropriate remote RADIUS
server group. (NPS makes this determination by evaluating the
configured connection request policies.) If the NPS-HCAP
server is configured as a RADIUS server, the NPS-HCAP server
processes the authorization request.
- NPS evaluates the SoH against configured network policy and, if
a matching network policy is found, creates a statement of health
response (SoHR) to be sent back to the client. This, along with the
NAP enforcement state and extended state information, is then sent
back to the Cisco AAA server using HCAP.
- The Cisco AAA server evaluates the NAP enforcement state
against Cisco Network Admission Control policy and determines the
network access profile.
- The Cisco AAA server sends the network access profile to the
network access server (the switch, AP, or router). The network
access profile contains the information that instructs the network
access server whether to allow full access, restrict access, or
deny access to the client computer.
- The Cisco AAA server sends the SoHR back to the client
- If the client configuration does not comply with health policy
and the SoHR instructs the client to remediate, then the client
attempts to take the required actions, such as downloading software
updates or changing configuration settings. After remediation, the
client attempts to access the network again, and the authentication
and authorization process is repeated.
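
The network policy matching step in the process above, using the HCAP-Group-Name, HCAP-Location-Group and Extended State conditions, can be modelled as an ordered first-match evaluation. The following Python model is an added example, not Microsoft or Cisco code; the class and field names, the sample policies and requests, and the deny result when no policy matches are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    # Constructed stand-in for what the Cisco AAA server forwards over HCAP.
    user_id: str
    group_name: str            # compared with the HCAP-Group-Name condition
    location_group: str        # compared with the HCAP-Location-Group condition
    compliant: bool            # result of validating the SoH against health policy
    extended_state: Optional[str] = None   # Transitional, Infected or Unknown

@dataclass
class Policy:
    name: str
    access: str                            # "full", "restricted" or "deny"
    group_name: Optional[str] = None       # None means the condition is not set
    location_group: Optional[str] = None
    extended_state: Optional[str] = None
    compliant: Optional[bool] = None

    def matches(self, req: Request) -> bool:
        # Every condition that is set must equal the request's value.
        conditions = ("group_name", "location_group", "extended_state", "compliant")
        return all(getattr(self, c) is None or getattr(self, c) == getattr(req, c)
                   for c in conditions)

def authorize(policies, req):
    """Return (policy name, access) for the first matching policy, in list order."""
    for p in policies:
        if p.matches(req):
            return p.name, p.access
    return None, "deny"   # model assumption: no matching policy means no access

# Constructed policy set; order matters because the first match wins.
POLICIES = [
    Policy("Block infected", "deny", extended_state="Infected"),
    Policy("Staff compliant", "full", group_name="Staff", compliant=True),
    Policy("Staff noncompliant", "restricted", group_name="Staff", compliant=False),
]

if __name__ == "__main__":
    for r in [Request("alice", "Staff", "HQ", True),
              Request("bob", "Staff", "HQ", False),
              Request("carol", "Staff", "HQ", True, "Infected"),
              Request("dave", "Guests", "Lobby", True)]:
        print(r.user_id, authorize(POLICIES, r))
```

Placing the Extended State policy first is what keeps a client that passes health validation but is flagged Infected from matching the full-access policy below it.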