locked
What network policy to exclude non-domain computers ? RRS feed

  • Question

  • Not using NAP DHCP any more - it does not work on IPv6 scopes (can anyone explain?)

    No Wifi on this particular network.

    My IPsec / HRA is working very nicely.

    Now I want to generate an identifiable event, and preferably deny access if a non-domain computer gets plugged into an Ethernet port. (I have found that more and more computers from corporate have NAP installed, so "non-NAP capable" does not work as filter)

    I thought I could add a catch all rule at the bottom of my list of rules, but everytime I try this my domain joined computers start getting denied access. First they are granted access as DOMAIN\COMPUTER$, then they are denied access as COMPUTER.

    I don't understand what is causing the deny access for the COMPUTER. I thought that once a rule is matched, NPS stops processing further rules.

    Can someone provide my with some guidance?

    I tried: unspecified network access server, Condition: NAS port type Ethernet, Access Permissions : Access Denied, Authentication : Default, no constraints, NAP Enforcement : Limited access


    CarolChi

    Tuesday, October 29, 2013 9:41 AM

All replies

  • Hi,

    If you just want to allow the domain computers to access the intranet, we can set the condition of the network policy to domain computers, and enable 802.1x authentication on computers and middle devices.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Proposed as answer by Alex Lv Tuesday, November 5, 2013 3:14 AM
    Friday, November 1, 2013 11:22 AM
  • I want non-domain computers NOT to be able to access the network. (no wifi, so this is to prevent (or at least alert me that someone has plugged a non-domain computer into the LAN somewhere).

    Blocking DHCP no longer is effective because of IPv6.

    Non-NAP capable does not work because many computers seem to have NAP clients and send health information. They don't get a certificate, and they can't access IPsec servers but they can access the network.

    I want to stop them, or at least know that one is there.


    CarolChi

    Friday, November 1, 2013 3:43 PM
  • Hi Carol,

    If I understand your situation, you have people plugging a computer into an Ethernet port somewhere and want to control the access they have.

    If you don't have a MAC based deny rule or 802.1X authentication installed at the first access point to the network, (which is usually a switch), then they will have physical access to the network at that point.

    The next way to prevent access would be to attempt to restrict DHCP so only the devices you approve get an IP address, default route, etc. (by the way, NAP DHCP has never worked on IPv6 scopes, it is IPv4-only)

    Finally, you can add policies to the network that prevent access. With NAP, these are IPsec policies.

    You said that you want to generate an event when someone plugs into the network. If 802.1X is not enabled on the switch port, there will be no such event - because the switch grants access it doesn't need to pass the network access request onward.

    If the computer is using DHCP there will be DHCP request. If the computer has a static configuration obviously this will not occur.

    Once the computer is physically connected to an open port (no 802.1X) on the switch and has an IP address, it will have access to the network. At this point, you would need policies (such as IPsec policies) to prevent access. No other network access events will occur however. With IPsec, the network access request is to HRA so if the computer doesn't have an HRA configuration it won't request access and there will be no event. It will simply be blocked, assuming the IPsec configuration is working.

    I think IPsec NAP might be working for you, but you won't see events when computers are blocked.

    I hope this helps,

    -Greg

    • Proposed as answer by Alex Lv Tuesday, November 5, 2013 3:14 AM
    Monday, November 4, 2013 6:41 PM