Matching Windows Domain Policies to NAC Policies; Setting the Access Mode - Extreme Networks Sentriant AG Software User's Manual

-> lookup intranet.mycompany.com.quarantine.bad
<- get Sentriant AG IP address

When the end-user logs in, they will be able to authenticate from quarantine even if credentials are not cached:

-> lookup the _kerberos and _ldap service location
<- receive dc01.mycompany.com & dc02.mycompany.com
-> lookup the dc01 IP address
<- receive the dc IP address forwarded through Sentriant AG named to the real DNS server (since dc01.mycompany.com is in the quarantine/guest resources list).
-> authenticate
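
A simplified model of the quarantine lookups above, added here as an example (it is not code from the manual or from Sentriant AG): it checks that every domain controller named in the _kerberos/_ldap answer is in the quarantine/guest resources list. The IP addresses, the `SRV_TARGETS` answer, and exact-host-name matching against the list are assumptions made for the illustration.

```python
NAC_IP = "192.0.2.10"  # constructed placeholder for the Sentriant AG IP address

# Constructed records standing in for the real DNS server.
REAL_A = {
    "dc01.mycompany.com": "10.0.0.11",
    "dc02.mycompany.com": "10.0.0.12",
}
# Constructed answer to the _kerberos / _ldap service location lookups.
SRV_TARGETS = ["DC01.mycompany.com.", "dc02.mycompany.com."]


def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def quarantine_lookup(name, allowed):
    """Answer an address lookup as a quarantined endpoint would see it.

    Assumption: the quarantine/guest resources list is matched by exact
    host name. Listed names are forwarded to the real DNS server; any
    other name is answered with the NAC server's own address.
    """
    allowed_names = {norm(a) for a in allowed}
    key = norm(name)
    if key in allowed_names:
        return REAL_A.get(key), "forwarded"
    return NAC_IP, "redirected"


def unreachable_dcs(srv_targets, allowed):
    """Return DCs named in the SRV answer that quarantine would redirect."""
    return [norm(t) for t in srv_targets
            if quarantine_lookup(t, allowed)[1] == "redirected"]


if __name__ == "__main__":
    allowed = ["dc01.mycompany.com"]  # constructed list: dc02 was left out
    for name in ["intranet.mycompany.com.quarantine.bad", *SRV_TARGETS]:
        print(name, quarantine_lookup(name, allowed))
    print("DCs a quarantined logon cannot reach:",
          unreachable_dcs(SRV_TARGETS, allowed))
```

An empty result from `unreachable_dcs` means every domain controller the endpoint may be handed is resolvable from quarantine.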

Matching Windows Domain Policies to NAC Policies

Using a Windows domain might affect the end-user's ability to change their system configuration to pass the tests. For example, in a corporate environment, each machine gets its domain information from the domain controller, and the user is not allowed to change any of the related settings, such as receiving automatic updates and other IE security settings.

The Sentriant AG administrator needs to make sure the global policy on the network matches the NAC policy defined, or skip the test.

For example, if the global network policy is to not allow Windows automatic updates, any user attempting to connect through the High security NAC policy fails the test and is not able to change their endpoint settings to pass the test.

For example, to change the NAC policy to not run the Windows automatic update test:
Home window>>NAC policies
1 Select the NAC policy that tests the domain's endpoints.
2 Select the Tests menu option.
3 Clear the Windows automatic updates check box.
4 Click ok.

Setting the Access Mode

The access mode selection is a quick way to select enforcement (normal mode) for all traffic into an
Enforcement cluster, or open it up for trial-use purposes (allow all).
To change the access mode:
Home window>>System monitor>>Select an Enforcement cluster
Sentriant AG Software Users Guide, Version 5.3
