Users' access policy - Deny access to Network resources for users who are not part of a domain

Question
Hi there,
We have users accessing network resources (internet, web portal, email services) from a NON-domain-joined system.
Can NAP policy be used to restrict their access to network resources, even though they have the required credentials, because they are coming from a NON-domain-joined system?
Thanks.
Raid,
Wednesday, June 29, 2011 10:08 AM
Answers
Hi Raid,
Thanks for posting here.
You may consider deploying certificate-based computer authentication to achieve the goal. We can first generate and issue certificates to all domain computers via group policy, and configure your network devices which support 802.1X to evaluate with NPS to determine whether the computer that plugs into your network is authorized and the port needs to be enabled. This solution can also be applied to both wired and wireless scenarios:
Provide Wireless Access that uses Digital Certificate Client Authentication
http://technet.microsoft.com/en-us/library/dd348480(WS.10).aspx
Provide Wired Access that uses Digital Certificate Client Authentication
http://technet.microsoft.com/en-us/library/dd378967(WS.10).aspx
Regards,
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tnmff@microsoft.com.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Marked as answer by Tiger Li (Microsoft employee), Tuesday, July 5, 2011 10:36 AM
Thursday, June 30, 2011 3:07 AM
Hi,
Tiger Li is correct that you do not need NAP to accomplish this. 802.1X can do this without NAP, but you will need devices that are capable of 802.1X authentication.
Any NAP enforcement method can restrict non-domain joined computers. The simplest method for you would be to deploy NAP with DHCP enforcement. Keep in mind though that in this case domain joined computers might also be restricted if their NAP configuration or service status is not active.
-Greg
Marked as answer by Tiger Li (Microsoft employee), Tuesday, July 5, 2011 10:36 AM
Monday, July 4, 2011 6:02 AM
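As an added example that is not part of this thread, the following PowerShell readiness check can be run on a client after the GPO-issued machine certificate described by Tiger Li has been deployed; it also reports the NAP agent state that Greg's caveat turns on. The enterprise CA name is a placeholder assumption to substitute.

```powershell
# Added example (not from the thread): checks whether this client can pass the
# certificate-based 802.1X (EAP-TLS) computer authentication evaluated by NPS.
# $IssuerMatch is a placeholder; substitute the name of your enterprise CA.
function Test-Dot1xReadiness {
    param(
        [string]$IssuerMatch = 'Contoso Enterprise CA'   # placeholder CA name
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'                  # Client Authentication EKU

    # Domain membership: a non-domain-joined system never receives the
    # GPO autoenrolled machine certificate, whatever user credentials it holds.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Machine certificates usable for EAP-TLS: private key present, not expired,
    # Client Authentication EKU, issued by the enterprise CA, chain verifies.
    $eapCerts = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Issuer -like "*$IssuerMatch*" -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid }) -and
        $_.Verify()
    }

    # 802.1X supplicant services for wired (dot3svc) and wireless (WlanSvc), plus
    # the NAP agent (napagent): if it is stopped, NAP enforcement can restrict
    # even a domain-joined computer, which is the caveat Greg raises.
    $svc = foreach ($name in 'dot3svc', 'WlanSvc', 'napagent') {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = if ($s) { $s.Status } else { 'NotInstalled' }
        [pscustomobject]@{ Service = $name; Status = $status }
    }

    [pscustomobject]@{
        ComputerName       = $cs.Name
        PartOfDomain       = $cs.PartOfDomain
        Domain             = $cs.Domain
        EapTlsCertCount    = @($eapCerts).Count
        EapTlsCertSubjects = @($eapCerts | ForEach-Object Subject)
        Services           = $svc
        # Domain-joined: expect at least one certificate. Non-domain: zero,
        # so NPS rejects the EAP-TLS attempt and the port stays unauthorized.
        ReadyForEapTls     = $cs.PartOfDomain -and @($eapCerts).Count -gt 0
    }
}

Test-Dot1xReadiness | Format-List
```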
All replies
Hi Raid,
Please feel free to let us know if the information was helpful to you.
Regards,
Tiger Li
Monday, July 4, 2011 10:01 AM
Thanks guys for addressing my inquiry.
Raid,
Wednesday, July 6, 2011 3:24 AM