NAP SHA/SHV to identify corporate computers

  • Question

  • Hello to all,

    I've been working with NAP for a while and did the DHCP and 802.1x step-by-step guides. With your help configuring the switch, I've got it running.

    Our primary goal with NAP is to identify the corporate computers. Only corporate computers should be able to access the corporate network. After that, security settings (firewall, ...) should be enforced.

    With the default SHA/SHV I see no problem to enforce the security stuff. But I can't see a setting to identify our clients.

    We would like to identify our corporate clients by checking whether a particular certificate is installed. The certificate to check should be defined in the SHV.

    Does anyone know if and how that can be made possible? Is there a third party solution for this?

    Thanks a lot and regards

    mat


    Friday, June 11, 2010 10:55 AM

All replies

  • I think you're overcomplicating things conceptually...

    Your corporate computers are domain joined...

    So... Create a new security group, add the appropriate computers to this security group and use this as a condition to discriminate...
    Sunday, June 13, 2010 2:45 PM
  • Hi Mat,

    Thanks for the post.

    I will second Nick's suggestion. I remember that the NAP Step By Step guides mention we could put the clients into a specific Security Group.

    If there is something unclear on this issue, please feel free to let us know.

    Thanks,

    Miles

    Monday, June 14, 2010 2:37 AM
  • Thanks for your answers.

    Working with Security Groups has some drawbacks!

    First:

    - We have over 15'000 clients. Security Group handling is possible, but due to the token size limit and manageability it is maybe not the best solution for our problem.

    Second:

    - The user gets no message from the NAP Client when his client is discriminated because of security group membership.

    Third:

    - Event logging on the NAP server for security group discrimination is not possible, and troubleshooting is therefore not easy either.

    We would definitely like to identify our corporate clients by checking whether a particular certificate is installed. The certificate to check should be defined in the SHV.

    Does anyone know a source who can build such a SHA/SHV?

    Thanks

    mat

    Thursday, June 17, 2010 12:04 PM
  • I am leading a project to implement NAP in a large, complex environment and came across the same issue. I have this working similarly to what Nick suggested.

    Instead of creating a new group, you can use the machine group condition with Domain Computers to identify your clients. Assuming you haven't added any third-party machines to your domain, this should help separate your machines from guests.

    If you then also include EAP-TLS checks with auto-enrollment, then the only way the conditions can be met is if they are in the domain or if you have manually added a cert and object to meet part of the condition (it would still need to pass health validation).

    Stuart

    Tuesday, June 29, 2010 7:51 AM