Matching Windows Domain Policies to NAC Policies - HP 800 User Manual

ProCurve Network Access Controller 800

_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 88 dc01.lvh.com
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 389 dc01.lvh.com
When a browser is configured with an Intranet site as its home page, it will
get redirected as shown in the following example process:
-> lookup intranet.mycompany.com
<- get an NXDomain (since dc01.mycompany.com is in the forwarders, all
other mycompany.com hostnames get an NXDomain; that is the way named
works).
-> lookup intranet.mycompany.com.quarantine.bad
<- get NAC 800 IP address
When the end-user logs in, they will be able to authenticate from quarantine
even if credentials are not cached:
-> lookup the _kerberos and _ldap service location
<- receive dc01.mycompany.com & dc02.mycompany.com
-> lookup the dc01 IP address
<- receive the dc IP address forwarded through NAC 800 named to the real
DNS server (since dc01.mycompany.com is in the accessible services list).
-> authenticate
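
The lookup flow above, as an added example rather than NAC 800 code: it parses SRV records in the zone-file form shown and models a quarantined client's lookups to flag any domain controller that is missing from the accessible services list. The dc02 record, the IP addresses (documentation range) and the list contents are constructed assumptions.

```python
import re

# Constructed sample in the zone-file form shown above. The dc02 record is an
# assumption, added to show a domain controller left off the list.
ZONE = """\
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 88 dc01.lvh.com
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 389 dc01.lvh.com
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 389 dc02.lvh.com
"""
ACCESSIBLE = ["dc01.lvh.com"]   # accessible services list (assumed contents)
REAL_DNS = {"dc01.lvh.com": "192.0.2.10", "dc02.lvh.com": "192.0.2.11"}  # constructed
NAC_IP = "192.0.2.5"            # constructed NAC 800 address
SUFFIX = "quarantine.bad"       # search suffix from the lookup example

SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)$")


def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def parse_srv(zone_text):
    """Return (owner, port, target) for every SRV line in zone_text."""
    records = []
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records.append((norm(m[1]), int(m[2]), norm(m[3])))
    return records


def quarantine_resolve(name, accessible=ACCESSIBLE):
    """Model a quarantined client's lookup; return (name answered, address)."""
    n = norm(name)
    if n in {norm(a) for a in accessible}:
        return n, REAL_DNS.get(n)        # forwarded to the real DNS server
    # Bare name gets NXDOMAIN; the retry with the search suffix gets the NAC.
    return f"{n}.{SUFFIX}", NAC_IP


def blocked_dcs(zone_text, accessible=ACCESSIBLE):
    """Map each SRV target that resolves to the NAC to the ports affected."""
    blocked = {}
    for _owner, port, target in parse_srv(zone_text):
        if quarantine_resolve(target, accessible)[1] == NAC_IP:
            blocked.setdefault(target, set()).add(port)
    return blocked


if __name__ == "__main__":
    for dc, ports in blocked_dcs(ZONE).items():
        print(f"{dc} (ports {sorted(ports)}) is not in the accessible services list")
```

A domain controller reported here would be answered with the NAC 800 address instead of its own, so logins that land on it from quarantine would fail.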

Matching Windows Domain Policies to NAC Policies

Using a Windows domain might affect the end-user's ability to change their
system configuration to pass the tests. For example, in a corporate environment,
each machine gets its domain information from the domain controller,
and the user is not allowed to change any of the related settings, such as
receiving automatic updates and other IE security settings.
The NAC 800 administrator needs to make sure that the global policy on their
network matches the defined NAC policy, or else skip the test.
For example, if the global network policy is to not allow Windows automatic
updates, any user attempting to connect through the High security NAC policy
fails the test and is not able to change their endpoint settings to pass it.
System Administration
System Settings