Active Directory
Marat Gataullin, 2016-03-28 20:40:18

Authentication in the enterprise network by user and computer account in the domain?

Good day. We have an enterprise network with Active Directory deployed (domain functional level 2012), a Certification Authority and TMG. Everything worked more or less well, but it turned out that computers that do not belong to the organization can physically connect to the local network. I would like to protect myself and allow access to network resources only for computers that are members of the domain. At the moment, by connecting a computer/laptop (not registered in the enterprise domain) to the network and entering the credentials of a domain user, you can get access to the file storage (there are access levels) and to the database servers. How can access to network resources be denied to foreign ("left") computers? Am I right to look towards EAP-TLS?


3 answer(s)
Eugene, 2016-03-28
@Divest

xgu.ru/wiki/NAC#802.1X
but in general, read up on the topics of Network Access Control and Network Access Protection;
network engineers will most likely tell you in more detail about the equipment settings (or at least point you to where to dig) - I only configured NAP on Windows 2008 in that project =)

Alex Suvoroff, 2016-03-29
@Axel_L

I would suggest limiting yourself to the switch settings: remembering the MAC address of the connected computer, blocking the port when a computer with a different MAC is connected, plus disabling unused open ports.
For example, on the Cisco 3750 switches (as it is organized at our enterprise) the following is configured on the ports. Access port configuration example:

interface GigabitEthernet2/0/3
 description PORT_NAME
 switchport access vlan 20
 switchport mode access
 ! enable port-security on this access port
 switchport port-security
 ! MAC address type: sticky (the learned address is written into the running config)
 switchport port-security mac-address sticky
 ! the MAC address itself (learned sticky entry)
 switchport port-security mac-address sticky 24be.050f.ee8d

A little more information on port-security
Well, the option that comrade yellowmew suggested, looking in the direction of 802.1x, is correct; this will give more flexible security management options.
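To turn the two answers above (port-security on the switch, 802.1X via NAC) into something checkable, here is an added example that is not part of this thread or of any Cisco tooling: a small parser for IOS-style running-config text that walks every interface block and flags access ports that have neither `switchport port-security` nor 802.1X port control (`authentication port-control auto` / `dot1x port-control auto`). The sample configuration is constructed for illustration (the MAC address and port descriptions are invented); its first interface mirrors the shape of the port-security example above, and the other interfaces exercise the cases a defender wants to catch: an open port with no control, a sticky-MAC line without port-security actually enabled, an 802.1X port, a fully hardened port, a shut-down unused port and a trunk uplink that is out of scope.

```python
"""Audit a Cisco IOS-style switch configuration for wired access control.

Added example for this thread (not from the answers' authors or from Cisco):
parse interface blocks and flag access ports that rely on neither
port-security nor 802.1X. The sample config below is constructed.
"""
from dataclasses import dataclass, field

# Finding texts (constants so callers can match on them).
NO_CONTROL = "no port-security and no 802.1X: any host with any MAC is admitted"
NO_VIOLATION = "port-security enabled but violation mode not explicit (IOS default: shutdown)"
STICKY_WITHOUT_PSEC = "sticky MAC configured but 'switchport port-security' is missing"

# Constructed sample running-config; MAC and descriptions are invented.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/0/3
 description PORT_NAME
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.0000.0001
!
interface GigabitEthernet2/0/4
 description UNUSED
 switchport mode access
 shutdown
!
interface GigabitEthernet2/0/5
 description OPEN_PORT_NO_CONTROL
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet2/0/6
 description DOT1X_PORT
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet2/0/7
 description HARDENED
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
interface GigabitEthernet2/0/8
 description STICKY_BUT_NOT_ENABLED
 switchport mode access
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/1/1
 description UPLINK
 switchport mode trunk
!
"""


@dataclass
class Port:
    name: str
    lines: list[str] = field(default_factory=list)

    def has_exact(self, cmd: str) -> bool:
        return cmd in self.lines

    def has_prefix(self, prefix: str) -> bool:
        return any(l == prefix or l.startswith(prefix + " ") for l in self.lines)


def parse_interfaces(config: str) -> list[Port]:
    """Split a running-config into interface blocks (sub-commands are indented)."""
    ports: list[Port] = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Port(raw.split(None, 1)[1].strip())
            ports.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None  # "!" or any other top-level line closes the block
    return ports


def audit_port(port: Port) -> list[str]:
    """Return findings for one interface; an empty list means nothing to flag."""
    findings: list[str] = []
    if port.has_exact("shutdown"):
        return findings  # administratively disabled: the right state for unused ports
    if port.has_exact("switchport mode trunk"):
        return findings  # uplinks are outside the scope of edge-port checks
    psec = port.has_exact("switchport port-security")
    dot1x = port.has_exact("authentication port-control auto") or port.has_exact("dot1x port-control auto")
    if not psec and not dot1x:
        findings.append(NO_CONTROL)
    if port.has_prefix("switchport port-security mac-address sticky") and not psec:
        findings.append(STICKY_WITHOUT_PSEC)  # sticky alone does not enforce anything
    if psec and not port.has_prefix("switchport port-security violation"):
        findings.append(NO_VIOLATION)
    return findings


def audit(config: str) -> dict[str, list[str]]:
    """Map every interface name to its list of findings."""
    return {p.name: audit_port(p) for p in parse_interfaces(config)}


def unprotected_ports(config: str) -> list[str]:
    """Names of live access ports that admit any host without any control."""
    return [name for name, f in audit(config).items() if NO_CONTROL in f]


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against the text of `show running-config` saved to a file instead of `SAMPLE_CONFIG` to get a list of the ports on which a foreign laptop would still be admitted; the `NO_VIOLATION` finding is informational, since IOS defaults the violation mode to shutdown, but stating it explicitly makes the intended behaviour visible in config review.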

Marat Gataullin, 2016-03-28
@Divest

And IPsec, actually. The network infrastructure is quite extensive, 4 branches in neighboring regions. I'm afraid that half of the services may fall off.
