Users' access policy - Deny access to Network resources for users who are not part of a domain

  • Question

  • Hi there,

    We have users accessing network resources (internet, web portal, email services) coming from a NON-domain joined system.

    Can NAP policy be used to restrict their access to network resources, even though they have the required credentials, because they are coming from a NON-domain joined system?

    Thanks.

    Raid,

    Wednesday, June 29, 2011 10:08 AM

Answers

  • Hi Raid,

    Thanks for posting here.

    You may consider deploying certificate-based computer authentication to achieve the goal. We can first generate and issue certificates to all domain computers via Group Policy, and configure your network devices which support 802.1X to evaluate with NPS to determine if the computer that plugs into your network is authorized and whether the port needs to be enabled. This solution can also be applied to both wired and wireless scenarios:

    Provide Wireless Access that uses Digital Certificate Client Authentication

    http://technet.microsoft.com/en-us/library/dd348480(WS.10).aspx

    Provide Wired Access that uses Digital Certificate Client Authentication

    http://technet.microsoft.com/en-us/library/dd378967(WS.10).aspx

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tnmff@microsoft.com.
    Thursday, June 30, 2011 3:07 AM
  • Hi,

    Tiger Li is correct that you do not need NAP to accomplish this. 802.1X can do this without NAP, but you will need devices that are capable of 802.1X authentication.

    Any NAP enforcement method can restrict non-domain joined computers. The simplest method for you would be to deploy NAP with DHCP enforcement. Keep in mind though that in this case domain joined computers might also be restricted if their NAP configuration or service status is not active.

    -Greg

    Monday, July 4, 2011 6:02 AM
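An added client-side readiness check for the two approaches in the answers above (certificate-based 802.1X via NPS, and NAP with DHCP enforcement); it is example code written for this thread, not from the posters or from Microsoft. It assumes the machine certificate comes from an enterprise CA whose subject you substitute for the placeholder `$IssuingCaPattern`; the service names `dot3svc` (Wired AutoConfig) and `napagent` (NAP Agent) and the Client Authentication EKU OID are standard Windows values.

```powershell
# Added example: run elevated on a client to see why it would (or would not)
# pass 802.1X EAP-TLS, and whether Greg's NAP DHCP caveat applies to it.
$IssuingCaPattern = 'CN=CONTOSO-ISSUING-CA'   # placeholder: your enterprise CA subject

$result = [ordered]@{}

# 1. Domain membership. A non-domain-joined machine never received a computer
#    certificate through Group Policy autoenrollment, so EAP-TLS fails for it.
$cs = Get-WmiObject -Class Win32_ComputerSystem
$result.DomainJoined = [bool]$cs.PartOfDomain
$result.Domain       = $cs.Domain

# 2. A computer certificate usable for EAP-TLS: machine store, private key
#    present, Client Authentication EKU, issued by our CA, not expired, chain valid.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.Issuer -like "*$IssuingCaPattern*" -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid }) -and
    $_.NotAfter -gt (Get-Date)
}
# Verify() builds the chain to a trusted root and checks revocation.
$validCerts = $certs | Where-Object { $_.Verify() }
$result.MachineCertForEapTls = (($validCerts | Measure-Object).Count -gt 0)

# 3. The wired 802.1X supplicant (Wired AutoConfig) must be running.
$dot3 = Get-Service -Name dot3svc -ErrorAction SilentlyContinue
$result.WiredAutoConfigRunning = [bool]($dot3 -and $dot3.Status -eq 'Running')

# 4. NAP DHCP enforcement caveat: a domain-joined machine whose NAP Agent is not
#    running sends no statement of health and is restricted like a non-domain client.
$nap = Get-Service -Name napagent -ErrorAction SilentlyContinue
$result.NapAgentRunning = [bool]($nap -and $nap.Status -eq 'Running')

$result.LikelyPasses8021xEapTls = $result.DomainJoined -and
                                  $result.MachineCertForEapTls -and
                                  $result.WiredAutoConfigRunning
$result.LikelyRestrictedByNapDhcp = -not $result.NapAgentRunning

[pscustomobject]$result | Format-List
```

If `MachineCertForEapTls` is false on a domain-joined machine, check autoenrollment (the Group Policy step in Tiger Li's answer) before changing anything on the NPS side.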

All replies

  • Hi Raid,

    Please feel free to let us know if the information was helpful to you.

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tnmff@microsoft.com.

    Monday, July 4, 2011 10:01 AM
  • Thanks guys for addressing my inquiry.

    Raid,


    Wednesday, July 6, 2011 3:24 AM