Authentication in the enterprise network by user and computer account in the domain?
Good day. We have an enterprise network with Active Directory deployed (domain functional level 2012), a Certification Authority, and TMG. Everything worked more or less well, but it turned out that computers that do not belong to the organization can physically connect to the local network. I would like to protect myself and allow access to network resources only for computers that are in the domain. At the moment, by connecting a computer or laptop that is not registered in the enterprise domain to the network and entering the credentials of a domain user, you can get access to file storage (there are access levels) and to database servers. How can I deny outside ("left") computers access to network resources? Am I right to look towards EAP-TLS?
xgu.ru/wiki/NAC#802.1X
But in general, read up on Network Access Control and Network Access Protection.
The network engineers will most likely tell you in more detail about the equipment settings (or at least point you to where to dig). I have only configured NAP on Windows 2008 in a project =)
I would suggest limiting yourself to the switch settings: remembering the MAC address of the connected computer, blocking the port when a computer with a different MAC connects, plus disabling open ports.
For example, on Cisco 3750 switches (as set up at our enterprise), this is configured on the ports. Access port configuration example:
interface GigabitEthernet2/0/3
 description PORT_NAME
 switchport access vlan 20
 switchport mode access
 ! enable port-security
 switchport port-security
 ! MAC address type
 switchport port-security mac-address sticky
 ! the MAC itself
 switchport port-security mac-address sticky 24be.050f.ee8d
Well, and IPsec, actually. The network infrastructure is quite extensive, with 4 branches in neighboring regions. I'm afraid that half of the services may fall off.
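A check that goes with the port-security answer above, as an added example that is not part of the original thread: it parses IOS-style interface blocks and reports active access ports where port-security was never enabled or sticky MAC learning is missing. The sample configuration, the function names, and the choice to skip trunk and shutdown ports are assumptions of this example.

```python
import re

# Constructed sample (not from the original page): the answer's port, an access
# port with no port-security, one with sticky but never enabled, and a trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/0/3
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 24be.050f.ee8d
!
interface GigabitEthernet2/0/4
 switchport mode access
!
interface GigabitEthernet2/0/5
 switchport mode access
 switchport port-security mac-address sticky
!
interface GigabitEthernet2/0/24
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each interface name to its sub-commands, dropping '!' comments."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.split("!", 1)[0].strip()
        match = re.match(r"interface\s+(\S+)$", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif raw.strip().startswith("!"):
            current = None  # a bare "!" line closes the interface block
        elif current is not None and line:
            current.append(line)
    return interfaces

def audit_access_ports(config):
    """Return {interface: [findings]} for active access ports with gaps."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds or "shutdown" in cmds:
            continue  # trunks and administratively disabled ports are skipped
        issues = []
        if "switchport port-security" not in cmds:
            issues.append("port-security not enabled")
        if not any(c.startswith("switchport port-security mac-address sticky") for c in cmds):
            issues.append("no sticky MAC learning")
        if issues:
            findings[name] = issues
    return findings
```

On the sample, GigabitEthernet2/0/5 is flagged even though it has a sticky line, because the bare `switchport port-security` command that turns the feature on is absent.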