Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!
Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!
Act now. This offer ends July 14, 2017.
Course Of The Month
6 days, 4 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Blocking non domain computers with Fixed IP
Posted on 2012-12-31
Hi All,
I have implemented NAP using IPsec with HRA and it seems to be working fine for computers failing health check for both domain and non domain computers. But when the computers use Static IP address, the whole thing gets bypassed.
Any ideas with regards to this would be welcome.
regards,
Arun.
I have implemented NAP using IPsec with HRA and it seems to be working fine for computers failing health check for both domain and non domain computers. But when the computers use Static IP address, the whole thing gets bypassed.
Any ideas with regards to this would be welcome.
regards,
Arun.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4 Comments
If you choose a NAP enforcement method, then all domain computers will need to be running the NAP agent service. Computers that are not running this service can't be evaluated for domain membership because the FQDN for the computer is sent as part of the NAP packet (the statement of health). The exception to this is 802.1X with NAP where the SoH isn't needed to evaluate domain membership.
For example, you could use NAP with DHCP enforcement, which is the simplest to configure. You would then create a policy that requires a computer to be a member of "domain computers" to be granted access. Other computers will be denied access. However, a non-domain computer can still configure a static IP address if they guess the correct range and gain access this way.
If you deploy IPsec enforcement you will need a certificate infrastructure (a PKI). In this case, non-domain computers will not be given a certificate and computers without certificates can be blocked with IPsec policies.
The other method you can use is 802.1X. You can also use NAP here, but it isn't necessary. Just create a policy that evaluates computers based on domain membership. An 802.1X access request contains the computer's domain so it isn't necessary here to run NAP agent
For example, you could use NAP with DHCP enforcement, which is the simplest to configure. You would then create a policy that requires a computer to be a member of "domain computers" to be granted access. Other computers will be denied access. However, a non-domain computer can still configure a static IP address if they guess the correct range and gain access this way.
If you deploy IPsec enforcement you will need a certificate infrastructure (a PKI). In this case, non-domain computers will not be given a certificate and computers without certificates can be blocked with IPsec policies.
The other method you can use is 802.1X. You can also use NAP here, but it isn't necessary. Just create a policy that evaluates computers based on domain membership. An 802.1X access request contains the computer's domain so it isn't necessary here to run NAP agent
If you deploy IPsec enforcement you will need a certificate infrastructure (a PKI). In this case, non-domain computers will not be given a certificate and computers without certificates can be blocked with IPsec policies.
The other method you can use is 802.1X. You can also use NAP here, but it isn't necessary. Just create a policy that evaluates computers based on domain membership. An 802.1X access request contains the computer's domain so it isn't necessary here to run NAP agent
Shall try this and get back
Thank u for pointing me in a direction
Regards,
Arun
The other method you can use is 802.1X. You can also use NAP here, but it isn't necessary. Just create a policy that evaluates computers based on domain membership. An 802.1X access request contains the computer's domain so it isn't necessary here to run NAP agent
Shall try this and get back
Thank u for pointing me in a direction
Regards,
Arun
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
In every aspect, security is essential for your business, and for that matter you need to always keep an eye on it. The same can be said about your computer network system too. Your computer network is prone to various malware and security threats t…
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses
Course of the Month6 days, 4 hours left to enroll
707 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.