NAP 802.1X DC in quarantine Zone

  • Question

  • In 802.1X NAP, every desktop that restarts remains in the quarantine zone until the machine has started completely and the NAP service is up as well, which then brings the machine into the corp VLAN/zone.

    The problem then is that computer policy is never applied to the machine. One solution is to have a DC in the quarantine zone.

    What is the recommended way to get around this?


    Shahid Roofi
    Thursday, December 16, 2010 7:52 PM

Answers

  • Hi Shahid,

    Thanks for posting here.

    You may consider deploying a Remediation Server in this scenario. For more information, please take a look at the links below:

    Planning the Placement of a NAP Remediation Server
    http://technet.microsoft.com/en-us/library/dd125378(WS.10).aspx

    802.1X Enforcement Example
    http://technet.microsoft.com/en-us/library/dd125336(WS.10).aspx

    Thanks.

    Tiger Li

    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, December 17, 2010 4:51 AM
  • Yes, thanks Tiger for the link.

    Actually, what I've concluded is that it's required to have a DC in the quarantine zone as part of the remediation server group.

    And in the case of 802.1X, that's a requirement.


    Shahid Roofi
    Monday, December 20, 2010 7:51 PM
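The conclusion above is that the quarantine VLAN must let a client reach a DC before health evaluation moves it to the corp VLAN. The following script is an added example, not code from the thread or from Microsoft: run it on a client that is currently in the quarantine VLAN to check that the DC placed in the remediation server group is actually reachable on the ports computer Group Policy processing needs. `$DomainController` and `$DnsSuffix` are placeholders for your environment; `Test-NetConnection` and `Resolve-DnsName` require Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the thread). Verifies from a quarantined client that the
# DC in the remediation server group is reachable for boot-time computer GPO processing.
$DomainController = 'dc01.corp.example'   # placeholder: replace with your DC name
$DnsSuffix        = 'corp.example'        # placeholder: replace with your AD DNS domain

# TCP ports a domain member needs at boot: Kerberos, LDAP, SMB (SYSVOL/NETLOGON), GC
$RequiredTcpPorts = @{
    88   = 'Kerberos'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL policy files)'
    3268 = 'LDAP Global Catalog'
}

$results = foreach ($port in $RequiredTcpPorts.Keys) {
    $t = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service   = $RequiredTcpPorts[$port]
        Port      = $port
        Reachable = $t.TcpTestSucceeded
    }
}

# DNS (UDP 53): the client must be able to locate a DC through the _ldap SRV record,
# otherwise Group Policy processing never even gets as far as LDAP or SMB.
$srv = "_ldap._tcp.dc._msdcs.$DnsSuffix"
try {
    $dcRecords = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop
    $dnsOk = @($dcRecords | Where-Object { $_.Type -eq 'SRV' }).Count -gt 0
} catch {
    $dnsOk = $false
}
$results += [pscustomobject]@{ Service = "DNS SRV lookup $srv"; Port = 53; Reachable = $dnsOk }

$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Reachable }) {
    Write-Warning 'Quarantine VLAN does not allow full DC access: computer GPO will not apply at boot.'
} else {
    Write-Host 'DC reachable from quarantine: computer GPO can apply before health evaluation.'
}
```

Any row reported as not reachable points at an ACL on the quarantine VLAN (or a missing remediation server group entry) that will leave restarted clients without computer policy, which is exactly the symptom described in the question.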

All replies

  • Hi Shahid,

    I am not following your question very well. What do you mean about "Problem then is computer policy is never applied to machine. One solution is to have a DC in quarantine zone."?

    Regards

    Qunshu

    Thursday, December 16, 2010 8:02 PM
  • I mean to say that the DC is in the corp zone/VLAN. Now, during the boot process of the machine, at the stage of applying computer settings, the computer is still in the quarantine zone without any DC in that zone/VLAN. So the computer group policy definitely cannot reach that computer. The computer enters the corp zone long after that stage.

    I hope you are now getting my point.


    Shahid Roofi
    Thursday, December 16, 2010 8:17 PM
  • Hi Shahid,

    If there is any update on this issue, please feel free to let us know.

    We are looking forward to your reply.

    Tiger Li

    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com
    Monday, December 20, 2010 11:28 AM