How to isolate guest computers using Symantec NAC?
Using Symantec Endpoint Protection Manager, Symantec Network Access Control and Windows Server DHCP, we want to achieve the following:
When a user plugs in to the network, his PC should get an IP from subnet A if the PC is a member of the domain. Otherwise, it should get an IP from subnet B (Guest subnet).
Windows DHCP server is configured with two DHCP scopes, one for each subnet.
Symantec DHCP Enforcer is installed on the same machine running the DHCP server.
Symantec DHCP Enforcer is connected to Symantec Endpoint Protection Manager.
In SEPM, a Host Integrity Policy is configured to check the registry key for domain membership. I have created a client group "Quarantine" and assigned this policy to it. This group is configured in the SNAC console.
Guest computers are still getting an IP from Subnet A.
Am I missing something?
I'm not sure about the IF THEN statements in Host Integrity Policy.
Is there a step by step guide to configure this?
Symantec installation guides are more of a generic type. No step-by-step details for specific scenarios.