1



This is a quite typical requirement. I need to find a NAC solution where I could control access of non-standard machines from joining my network physically.

We are running Windows Domain architecture in a very large organisation with multiple departments separated geographically. We have few proprietary software that clients(Windows clients) need to install and also managed anti-virus clients.

Now it is very difficult to deny network access to PCs that are complying these standards.

I've heard about CISCO NAC, which offers a client package to be installed on PCs and then it collects the information from PCs and decides whether to allow that PC in network or not.

What I am looking for is an open-source solution that could provide such kind of features. Basically we need to check client's domain information(if it has migrated to our domain or not) along-with some presence of few particular software in it. If client doesn't fulfil this criteria it should be denied access to network at all.

I've searched for the solution and found many, but none seems to be fitting as per my requirements.

If anyone could just name such solutions, it would be very helpful.

Regards Kriss

kriss
  • 337
  • 1
  • 2
  • 4
  • Product recommendations are off-topic here. What you are looking for is an Windows, Open Source, Agent-based NAC. I would imagine that the available options are few. – schroeder Nov 04 '15 at 17:12
  • Well, I am not expecting an advice which would generate some kind of advertisement. For example if someone would suggest SNORT, it is completely genuine as it is widely in as an IDS/IPS system. So I would request to advice some methods if not Products. Where we could use some based NAC which would take help of scripts as well., – kriss Nov 04 '15 at 17:21
  • That's cool. That's why I didn't close the question. Could you edit your question to include the 'process' element? – schroeder Nov 04 '15 at 17:51
  • @kriss The problem with shopping questions isn't just advertisement. It's that "no single right answer" type questions doesn't fit within the SE Q&A framework. Additionally, product recommendations can become obsolete very quickly. That would make maintenance of these questions over time, to preserve the integrity and value of their answers, a nightmare. – Iszi Nov 04 '15 at 17:52
  • Is the domain check basically "if you aren't on the domain you aren't allowed access"? If so, that part becomes simple, Windows has free (to windows users) ways to accomplish that. Past that, the question becomes how to enforce app presence and operation, which is a different question. If you want non-domain users to be allowed access only if they have a certain set of software installed, I agree with the other comments that you are not gonna have a good time. – Jeff Meden Nov 04 '15 at 18:04

1 Answers1

0

May be you can use Group Policy or write a Start Up script.
PS: I assume you have Sys Admin level knowledge of Active Directory and basic scripting.

Krishna Pandey
  • 1,497
  • 1
  • 16
  • 26
  • Thanks for the answers. Startup scripts are OK, but they are going to be applied only on Domain clients. What we need is if a machine is not part of Domain and not having few particular software installed it should be denied all network resources from our layer-3 core switch itself. I guess Cisco NAC (agent based) only seems to be a solution. Push agent through group policy and allow or disallow through NAC based on agent's presence. – kriss Nov 05 '15 at 01:54
  • Other practical approach is to maintain a MAC Address- IP Address binding, and manually whitelisting new IP address which needs network access. Also start-up scripts can be run individually on any machine irrespective of whether it is associated with a domain or not. PS: I assume that these guest machines popping on network are uncommon. Or you can have separate VLAN for them with restricted access may be. – Krishna Pandey Nov 05 '15 at 03:42
  • My intention is to deny any machine which is connected to network with some possible malicious intention since he will easily bypass MAC-IP filters. So a fullproof method will be to check the Domain name(Since our domain applies some USB media restriction policies) and presence of some software to prevent malware spread. We already have VLANs but different VLAN IP addresses are managed by their admins and we can't be sure if they are not making mistakes. Further, departments in distant cities are connected through leased lines and separated by firewalls. They will be taken care of later. – kriss Nov 05 '15 at 17:05