Network Access Control

  • 1.  Possible to check if computer is an Active Directory computer?

    Posted Nov 29, 2011 01:41 PM

    Hello everybody,

    Our company is looking at Symantec Network Access Control 11. Is it possible to let the Network Access Control server check if the client is part of our Active Directory domain?

    If it is possible to use that check, is it then possible to route the clients that fail the check to a guest VLAN?

    Many thanks in advance.

    V



  • 2.  RE: Possible to check if computer is an Active Directory computer?

    Posted Dec 01, 2011 02:15 PM

    Yes, the SNAC LAN Enforcer is designed to assign clients to specific VLANs based on Host Integrity checks and authentication criteria. VLAN assignments can occur for multiple reasons, such as no SNAC agent being installed or AV being out of date. Using RADIUS on your network in conjunction with the LAN Enforcer would be the best configuration for your environment, allowing RADIUS to manage the AD authentication process.

    Let me know if you have any outstanding questions.



  • 3.  RE: Possible to check if computer is an Active Directory computer?

    Posted Dec 01, 2011 05:32 PM

    Here is a way I know how to do this:

    You can use a custom Host Integrity policy to check to see if the machine in question is part of your AD Domain.

    This information is stored in the registry, and you need to craft a custom policy to look at the following registry key.  Have the policy fail if it does not match the following key:

     

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\DefaultDomainName

    Type: REG_SZ

    Data: <YourDomainName>

    This registry key is where the default domain name (the last one the machine joined) is stored.  There may be other locations in the registry where you can find this info, but this is the only one I know about.
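
The registry comparison described in reply 3, as an added PowerShell example that is not part of the original thread and is not Symantec's Host Integrity syntax. Because a local administrator can write to this registry value, the example goes beyond the post and also reads domain membership from `Win32_ComputerSystem`; the function name and the domain names `CORP` and `corp.example.com` are constructed placeholders.

```powershell
# Added example: local check mirroring the custom Host Integrity rule above.
# 'CORP' and 'corp.example.com' are constructed placeholder names.
function Test-AdDomainMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$NetBiosDomain,  # expected DefaultDomainName data
        [Parameter(Mandatory)][string]$DnsDomain       # expected Win32_ComputerSystem.Domain
    )

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # Registry check from the post: a missing value counts as a failure.
    $regValue = (Get-ItemProperty -Path $key -Name DefaultDomainName `
                    -ErrorAction SilentlyContinue).DefaultDomainName
    $regMatch = [string]::Equals($regValue, $NetBiosDomain,
                    [System.StringComparison]::OrdinalIgnoreCase)

    # Cross-check: what the OS itself reports about its domain membership.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $wmiMatch = $cs.PartOfDomain -and
        [string]::Equals($cs.Domain, $DnsDomain,
            [System.StringComparison]::OrdinalIgnoreCase)

    # Return every input to the decision so a failed check can be diagnosed.
    [pscustomobject]@{
        DefaultDomainName = $regValue
        RegistryMatch     = $regMatch
        PartOfDomain      = [bool]$cs.PartOfDomain
        WmiDomain         = $cs.Domain
        WmiMatch          = $wmiMatch
        Pass              = $regMatch -and $wmiMatch
    }
}

# Usage with the placeholder names; replace them with your own domain.
Test-AdDomainMembership -NetBiosDomain 'CORP' -DnsDomain 'corp.example.com' |
    Format-List
```

Both checks run on the client and report what the client says about itself, so they complement the RADIUS-based AD authentication suggested in reply 2 and do not replace it.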