Non-NAP capable machines are not identified

  • Question

  • In 802.1X, the network connection policy successfully identifies a non-NAP-capable machine and can only opt not to authenticate such a machine based on the MAC address.

    But this makes it nearly impossible to filter out machines without a MAC address exemption so that those can be put in a quarantine zone at least.

    The current configuration renders them unable to connect to the network at all.

    On the switch, also having enabled port security (3COM), it is not possible to enable a guest VLAN and use that as the quarantine VLAN.

    Why does the machine not come into the non-NAP-capable computer network policy at all?

    Specific response please; don't reply with documentation links, with thanks.


    Shahid Roofi
    Thursday, June 9, 2011 12:22 PM

Answers

  • We've found that MAC authentication needs also to be turned on besides dot1x. In the 3Com world it is called port security, which is a superset of both, i.e. dot1x is tried first and upon failure of that MAC-based authorization is tried.

    Having turned that on helped us get the printer auth requests logged at least (which was not possible without).

    Having achieved that, we could also develop a connection policy which opted not to authenticate any connection with the required Calling-Station-Id (MAC address), and it worked like a charm.

    I doubt if that is the standard way of achieving this though, but that seems to be the only possibility in 3Com.

    Nothing ever lands in the non-NAP-capable rule except the humble desktops which have always been compliant and all of a sudden the NAP service is turned off on them.


    Shahid Roofi
    • Marked as answer by Shahid Roofi Friday, June 10, 2011 6:23 PM
    Friday, June 10, 2011 6:22 PM

All replies

  • I have the same problem here (with a Cisco 2960 switch).
    williamg
    Thursday, June 9, 2011 2:53 PM
  • Hi Shahid,

    Thanks for posting here.

    So what about the configurations you set for this policy that filter machines based on their MAC address? Actually you should also add and set the attributes Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, Tunnel-Type, and Tunnel-Tag in the conditions of this filter policy in order to grant permission for these machines to access your normal network/VLAN without 802.1X authentication and NAP health evaluation. Please also set this policy to top priority in the NPS policy list.

    You should also make sure that the port-based dynamic VLAN feature is supported by your switch device. And please also create compliant/non-compliant VLANs and set a number for each of them on your switch. The rest of the policies should be automatically created by the NAP configuration wizard.

    Thanks.

    Tiger Li

    Friday, June 10, 2011 5:42 AM
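The Tunnel-Type, Tunnel-Medium-Type and Tunnel-Pvt-Group-ID attributes named in the reply above are what the switch acts on to move a port into a VLAN. As an added example that is not part of the thread and not Microsoft's or 3Com's code, the Python below encodes those attributes on the wire as RFC 2868/3580 define them (the "Tunnel-Tag" the NPS UI shows is the first byte of each attribute), decodes and cross-checks them, and models the policy ordering the thread discusses; the VLAN ids, the exempt MAC address and the `reply_avps` ordering are constructed assumptions.

```python
# RFC 2868 tagged tunnel attributes; RFC 3580 uses them for 802.1X dynamic VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6   # "VLAN" (RFC 3580), "IEEE-802" (RFC 2868)

def _avp(attr_type, value):
    """Encode one RADIUS attribute as Type | Length | Value (RFC 2865 section 5)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes((attr_type, len(value) + 2)) + value

def vlan_assignment_avps(vlan_id, tag=1):
    """Attributes that tell the switch to put the port in vlan_id. What the NPS UI calls
    Tunnel-Tag is the first byte of each attribute; all three must carry the same tag."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31; 0x20 and above means 'untagged' (RFC 2868)")
    t = bytes((tag,))
    return (_avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))          # tag + 3-byte int
            + _avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))  # tag + string

def parse_avps(blob):
    """Decode a run of attributes into {type: [value, ...]}; rejects truncated or short ones."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 3 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        out.setdefault(blob[i], []).append(blob[i + 2:i + blob[i + 1]])
        i += blob[i + 1]
    return out

def decoded_vlan(blob):
    """Return (tag, vlan_id) if blob is one consistent VLAN assignment, else raise."""
    a = parse_avps(blob)
    tag, group = a[TUNNEL_TYPE][0][0], a[TUNNEL_PRIVATE_GROUP_ID][0]
    ttype, medium = (int.from_bytes(a[k][0][1:], "big") for k in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE))
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802 or group[0] != tag:
        raise ValueError("tunnel attributes do not describe one VLAN assignment")
    return tag, group[1:].decode("ascii")

QUARANTINE_VLAN, PRODUCTION_VLAN = "99", "10"   # constructed, hypothetical VLAN ids
EXEMPT_MACS = {"00-11-22-33-44-55"}   # constructed printer MAC, matched on Calling-Station-Id

def reply_avps(calling_station_id, eap_authenticated, soh_compliant):
    """Access-Accept attributes, or None for Access-Reject, in the policy order the thread
    describes. MAC-exempt devices only get the quarantine VLAN: a MAC address is not a secret."""
    if calling_station_id.upper() in EXEMPT_MACS:
        return vlan_assignment_avps(QUARANTINE_VLAN)
    if not eap_authenticated:
        return None                       # unknown MAC and no 802.1X: nothing to grant
    return vlan_assignment_avps(PRODUCTION_VLAN if soh_compliant else QUARANTINE_VLAN)
```

Without MAC authentication enabled on the switch, a device that never speaks EAP produces no Access-Request at all, so no NPS policy (the non-NAP-capable one included) ever sees it; that is what the MAC-exempt branch above models.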