System Administration
System Settings
DNS/Windows Domain Authentication and
Quarantined Endpoints
In order to satisfy the following scenarios:
■ A guest user gets redirected
■ A user is redirected if their home page is the Intranet
■ The only host that is resolved is the domain controller (DC); no other intranet hosts are resolved
■ Windows domain authentication can take place from quarantine with minimal configuration
Perform the following steps:
1. Configure the domain suffixes in the quarantine areas to a placeholder, such as the following:
   quarantine.bad
2. Enter the full domain controller hostnames in the System configuration>>Accessible services area (for example, dc01.mycompany.com, dc02.mycompany.com).
3. Ensure that each ES has a valid, fully qualified domain name (FQDN) and that the domain portion matches the domain of the registered Windows domain.
4. Ensure that each ES is configured with one or more valid DNS servers that can fully resolve (both A and PTR records) each ES.
5. Ensure that the following ports on the domain controller/active directory (DC/AD) servers are available from quarantine:
   • 88
   • 389
   • 135-139
   • 1025
NAC 800 will then look up the Kerberos and LDAP services and resolve those services within its own DNS server used for quarantined devices.
For example:
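The following is an added illustration, not the manual's own example and not NAC 800 code. It models the DNS view that steps 1 to 5 produce for a quarantined endpoint (only the listed domain controllers and the Kerberos/LDAP SRV names resolve; every other name, including unqualified names that pick up the placeholder suffix, is answered with a redirect address) and adds a preflight check for the ES FQDN and DC port prerequisites. All hostnames, addresses and the redirect address are constructed sample values; the `connect` parameter is an assumption that lets the port check run offline.

```python
"""Model of the quarantine-area DNS behaviour plus a prerequisite check.
Added example with constructed data; not part of the NAC 800 product."""
from dataclasses import dataclass
import socket

QUARANTINE_SUFFIX = "quarantine.bad"                   # step 1 placeholder suffix
DC_PORTS = [88, 389, 135, 136, 137, 138, 139, 1025]    # step 5 port list


@dataclass
class QuarantineResolver:
    """DNS answers given to quarantined endpoints: only DC FQDNs listed under
    Accessible services resolve to real addresses; everything else is sent
    to the redirect address so the client lands on the portal."""
    windows_domain: str        # registered Windows domain, e.g. mycompany.com
    accessible_services: dict  # step 2: DC FQDN -> address
    redirect_ip: str           # assumed address of the redirect/portal host

    @staticmethod
    def _norm(name):
        return name.rstrip(".").lower()

    def resolve_a(self, name):
        name = self._norm(name)
        if "." not in name:                      # unqualified name gets the
            name = name + "." + QUARANTINE_SUFFIX  # placeholder suffix appended
        return self.accessible_services.get(name, self.redirect_ip)

    def resolve_srv(self, service):
        """Answer _kerberos._tcp.<domain> and _ldap._tcp.<domain> with the DCs,
        the lookup NAC 800 performs once the DC hostnames are configured."""
        ports = {"_kerberos._tcp": 88, "_ldap._tcp": 389}
        name = self._norm(service)
        suffix = "." + self.windows_domain.lower()
        if not name.endswith(suffix):
            return []
        svc = name[: -len(suffix)]
        if svc not in ports:
            return []
        return [(dc, ports[svc]) for dc in sorted(self.accessible_services)]


def check_es_fqdn(fqdn, windows_domain, forward, reverse):
    """Steps 3 and 4: the ES FQDN must sit in the Windows domain and resolve
    both ways. forward/reverse are lookup callables (name -> ip, ip -> name)
    so the check can run against canned data or a real resolver."""
    problems = []
    if not fqdn.lower().endswith("." + windows_domain.lower()):
        problems.append("domain portion does not match " + windows_domain)
    ip = forward(fqdn)
    if ip is None:
        problems.append("no A record")
    elif reverse(ip) != fqdn.lower():
        problems.append("PTR record does not point back to " + fqdn)
    return problems


def unreachable_dc_ports(dc_host, ports=DC_PORTS, connect=socket.create_connection):
    """Step 5: return the DC ports that cannot be reached from this host."""
    closed = []
    for port in ports:
        try:
            connect((dc_host, port), timeout=2).close()
        except OSError:
            closed.append(port)
    return closed


# ---- constructed sample data (not real hosts) ------------------------------
FORWARD = {"es01.mycompany.com": "10.1.1.10", "es02.mycompany.com": "10.1.1.11"}
REVERSE = {"10.1.1.10": "es01.mycompany.com", "10.1.1.11": "es02.mycompany.com"}
RESOLVER = QuarantineResolver(
    windows_domain="mycompany.com",
    accessible_services={"dc01.mycompany.com": "10.1.0.5",
                         "dc02.mycompany.com": "10.1.0.6"},
    redirect_ip="10.1.1.1",
)

if __name__ == "__main__":
    print(RESOLVER.resolve_a("dc01.mycompany.com"))          # real DC address
    print(RESOLVER.resolve_a("intranet.mycompany.com"))      # redirect address
    print(RESOLVER.resolve_a("intranet"))                    # suffix appended, redirected
    print(RESOLVER.resolve_srv("_kerberos._tcp.mycompany.com"))
    print(check_es_fqdn("es01.mycompany.com", "mycompany.com", FORWARD.get, REVERSE.get))
```

Run the port check against a real DC only from a quarantine-area host, since that is the path the manual requires to be open; the canned `FORWARD`/`REVERSE` tables stand in for the ES's DNS servers so the FQDN check can be exercised before any appliance is reachable.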