09-26-2017 02:00 AM
Hi Team,
My Customer is asking the following use-case based on AD group and passive ID:
Deny policy for the PC without Domain.
Permit policy for Domain User and Computer.
My understanding is that we don't support the Domain Computers in PassiveID... is that correct?
Please advise.
Solved! Go to Solution.
09-26-2017 04:07 AM
Passive ID validates user login events. If customer wishes to validate PC is member of domain, then recommend machine auth via 802.1X PEAP or EAP-TLS with machine cert. Another method to validate AD membership (albeit not as secure as 802.1X) is to use AD Probe from Profiler which can efficiently determine AD membership based on hostname (learned from DNS, DHCP, or prior machine auth), or NMAP probe with SMB discovery option enabled.
Craig
09-26-2017 04:07 AM
Passive ID validates user login events. If customer wishes to validate PC is member of domain, then recommend machine auth via 802.1X PEAP or EAP-TLS with machine cert. Another method to validate AD membership (albeit not as secure as 802.1X) is to use AD Probe from Profiler which can efficiently determine AD membership based on hostname (learned from DNS, DHCP, or prior machine auth), or NMAP probe with SMB discovery option enabled.
Craig
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: