Compliant Client constraints

  • Question

  • I was wondering, if a VPN client is compliant through the health validation check from the policy server, whether there is a way to automatically add the user to a domain member group?


    Tuesday, September 4, 2007 5:26 PM

Answers

  • To answer your question, the NAP solution cannot automatically put a domain user account into a specific security group based on the results of a health check. It will only provide an indication that the client is either healthy or unhealthy and it leaves it up to the enforcement client to take the next action.


    I would encourage you to try out the VPN NAP solution as stated in the step-by-step guide

    http://www.microsoft.com/downloads/details.aspx?familyid=729bba00-55ad-4199-b441-378cc3d900a7&displaylang=en


    However, I think that you could potentially provide separate user accounts for remote access. These remote clients would be verified for their health and then granted access accordingly. Though it might be extra work having separate accounts for remote access, you won't have to deal with the automatic addition to a security group (using any method). You would be reducing your risk (and testing efforts) by not having to rely on a mechanism to add to a security group after passing the initial health check.


    Please let me know if I can assist you in any way with the NAP VPN solution setup.


    Kedar


    Wednesday, September 5, 2007 4:17 PM

All replies

  • No, there is no such scenario supported. For a user to VPN into a network, he will need to be part of some domain member group to even get on the network, in addition to having a client that is compliant with the health validation check of the policy server. Without being a valid user of a domain, the user cannot access the network resources since there is no way to find out which group the user belongs to and thus which specific resources he is authorized to access.

    Could you please elaborate more on the specific scenario that you are trying to achieve. I am not exactly clear if you want to change domain groups after being certified healthy (and successfully VPN'ed into the network) or you want to add a user to a domain member group if you have a client that will satisfy the health check requirements of the policy server. In the latter case I don't think that you can VPN into a corp network unless you are already a member of some domain and authorized to access the network.

    If I have not answered your question, please elaborate on the specific scenario you are driving at and I will be glad to be of further assistance.


    Tuesday, September 4, 2007 11:18 PM
  • Thank you Kedar for your answer.


    Actually, I am trying to find out if there is a way to grant membership of a domain user account to an Active Directory security group once the NAP policy server has established that the PC is compliant.


    The user accounts that I am using are part of the Active Directory domain. I apologize for not being specific.


    The reason why I ask this is because I have a Cisco VPN client solution already in production going through my ASA5520. However I do not have the Cisco NAC due to budget constraints.

    I think the NAP is a great solution here, because I need to have health check on both domain computer accounts and non-domain computer accounts.

    The Cisco VPN client will be my primary remote access client though, and I was wanting to grant access to the Cisco client via group policy. If the NAP can automatically put a domain user account into a security group based upon the results of the health check, then I could safely assume that the computer accounts are safe to allow onto my network.


    Hope this makes sense.


    Thanks,

    Bryant

    Wednesday, September 5, 2007 1:03 AM