Network Access Control

  • 1.  Issue with Symantec Network Access Control and Active Directory

    Posted Sep 21, 2009 09:58 AM

    Dear Colleagues,
    I'm facing a problem when implementing the SNAC solution.
    Here is our environment:
    1. All endpoint computers join one domain.
    2. We use Full 802.1x Mode - with RADIUS authentication.
    3. Client computers are 802.1x enabled and configured with PEAP with MSCHAPv2 authentication.
    4. Users' domain account password can be modified by a web application.

    Imagine this scenario:
    When a user modifies his password through the web application, how could he log on to his computer with his new password?
    To my understanding, after the user types the username and new password to log on, the client computer cannot contact the domain controllers yet because SNAC will block it, thus authentication will fail. Am I right?
    If it does, how do we deal with such a situation?
    Any comments are appreciated.

    Regards
    Ethan



  • 2.  RE: Issue with Symantec Network Access Control and Active Directory

    Posted Sep 22, 2009 10:38 AM
    Ethan
    Have you tried this already?
    I think it should work fine this way.

    Because there is a re-authentication setting in the switch, normally 60s or longer...
    -> after the user changed the password,
    -> the machine should be able to connect with the domain controller before the next authentication, and user credentials should be able to be updated






  • 3.  RE: Issue with Symantec Network Access Control and Active Directory

    Posted Sep 24, 2009 01:42 AM

    Hi Figo,
    Thanks for your comments.
    Yes, I tried and it did not pass, but we did not set re-authentication on the switch.
    Finally we used an alternative
       -- turned on machine authentication on IAS and passed this scenario

     



  • 4.  RE: Issue with Symantec Network Access Control and Active Directory

    Posted Sep 25, 2009 10:38 AM
    Great idea, please continue to contribute and share your ideas here.

    cheers
    Figo