Solved

Blocking non-domain computers with a fixed IP

Posted on 2012-12-31
Last Modified: 2016-04-05
Hi All,

I have implemented NAP using IPsec with HRA and it seems to be working fine for computers failing the health check, for both domain and non-domain computers. But when the computers use a static IP address, the whole thing gets bypassed.

Any ideas with regards to this would be welcome.

regards,

Arun.
Question by:arunaci
Accepted Solution

by:
loaganathan earned 200 total points
ID: 38734098
If you choose a NAP enforcement method, then all domain computers will need to be running the NAP agent service. Computers that are not running this service can't be evaluated for domain membership because the FQDN for the computer is sent as part of the NAP packet (the statement of health). The exception to this is 802.1X with NAP where the SoH isn't needed to evaluate domain membership.

For example, you could use NAP with DHCP enforcement, which is the simplest to configure. You would then create a policy that requires a computer to be a member of "Domain Computers" to be granted access. Other computers will be denied access. However, a non-domain computer can still configure a static IP address if it guesses the correct range, and gain access this way.

If you deploy IPsec enforcement you will need a certificate infrastructure (a PKI). In this case, non-domain computers will not be given a certificate and computers without certificates can be blocked with IPsec policies.

The other method you can use is 802.1X. You can also use NAP here, but it isn't necessary. Just create a policy that evaluates computers based on domain membership. An 802.1X access request contains the computer's domain, so it isn't necessary to run the NAP agent here.
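Added example, not part of the accepted answer or of the NAP product documentation: the IPsec enforcement point above can be seen concretely in a Windows Firewall with Advanced Security connection security rule. The rule ties access to a machine certificate chained to the enterprise CA, so a client that types in a static address in the right range still cannot reach hosts carrying the rule unless it holds a certificate, which a non-domain computer is never issued. The CA subject "CN=Contoso-Root-CA" and the rule names are placeholders; the cmdlets are the NetSecurity module shipped with Windows 8 / Server 2012 and later, and in a real deployment the same rule would be pushed by Group Policy rather than run by hand on each host.

```powershell
# Added example for this thread (not the poster's or Microsoft's code).
# Creates a connection security rule that REQUIRES machine-certificate
# authentication for inbound traffic. The policy is keyed to the certificate,
# not to how the IP address was obtained, so a static IP does not bypass it.
# Run in an elevated PowerShell on Windows 8 / Server 2012 or later.

$caSubject = "CN=Contoso-Root-CA"   # placeholder: substitute your enterprise root CA subject

# Phase 1 authentication proposal: a machine certificate chained to $caSubject.
# -Health limits acceptance to NAP health certificates, which the HRA issues only
# to clients that pass the health check; drop -Health to accept any machine
# certificate from that CA (plain "is it a domain member" enforcement).
$proposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority $caSubject -AuthorityType Root -Health

$authSet = New-NetIPsecPhase1AuthSet `
    -DisplayName "NAP-IPsec-MachineCert" `
    -Proposal $proposal

# Require authentication inbound, request it outbound. Hosts that must remain
# reachable by not-yet-compliant clients (HRA, issuing CA, DCs, remediation
# servers: the NAP "boundary" network) should use Request for both directions
# instead, otherwise a client can never obtain the certificate it needs.
New-NetIPsecRule -DisplayName "NAP-IPsec-RequireInbound" `
    -Mode Transport `
    -InboundSecurity Require `
    -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -Profile Domain `
    -Enabled True

# Verification: show the rule as stored, then (after a peer has connected)
# list the negotiated main-mode SAs. A static-IP host without a certificate
# never appears here because phase 1 never completes.
Get-NetIPsecRule -DisplayName "NAP-IPsec-RequireInbound" |
    Format-List DisplayName, Mode, InboundSecurity, OutboundSecurity, Phase1AuthSet

Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId
```

The practical check is the last command: from a non-domain machine with a hand-configured address in the correct subnet, attempt a connection to a host carrying the rule, then confirm on that host that no main-mode SA was established and the traffic was dropped, while a domain member with a valid certificate does show an SA with its certificate identity in RemoteFirstId.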
Author Comment

by:arunaci
ID: 38734388
If you deploy IPsec enforcement you will need a certificate infrastructure (a PKI). In this case, non-domain computers will not be given a certificate and computers without certificates can be blocked with IPsec policies.

The other method you can use is 802.1X. You can also use NAP here, but it isn't necessary. Just create a policy that evaluates computers based on domain membership. An 802.1X access request contains the computer's domain so it isn't necessary here to run NAP agent

Shall try this and get back

Thank you for pointing me in a direction.

Regards,

Arun