Another awesome question from a student asking "when does the NAP client refresh or resend a Statement of Health (SOH) back to the NAP Policy Server (NPS)?"
 
Assuming that the WSHA and WSHV are both enabled, this will depend almost entirely upon the NAP enforcement method chosen.

 

For 802.1x (P)EAP-based NAP, the SOH/SOHR will be exchanged with every (re)authentication, if the backend RADIUS is an NPS/NAP Server.  For VPN enforcement, similar schedule.

For DHCP based NAP, the SOH/SOHR will be exchanged with every address acquisition and renewal (if the DHCP Server is NAP-enabled).

For IPSec based NAP, this is mostly controlled by the lifetime of the HRA-issued certificate.

In all scenarios, the SHA has the ability to notify the NAP Agent when something changes, and the NAP Agent will typically initiate a new set of transactions over the enforced mediums as necessary.

After every 4 hour, as SOH expired in 4 hour.

Every time client machine start.

if you refresh your GPO setting on your client machine.

if you make some chenges in security setting.

if you stop and start the NAP service.
if you forcefully delete the SOH certificate from your machine and would like to access the network again..

Implementation of some SHAs trigger SoH notification when waking up from Sleep/Hibernate.

The network enforcement (e.g., DHCP, IPSec, or 802.1x) requires the client to re-evaluate it’s health.  In the IPSec case, it would be the certificate expiration.

Advertisements