09-26-2017 02:00 AM
Hi Team,
My Customer is asking the following use-case based on AD group and passive ID:
Deny policy for the PC without Domain.
Permit policy for Domain User and Computer.
My understanding is that we don't support the Domain Computers in PassiveID... is that correct?
Please advise.
Solved! Go to Solution.
09-26-2017 04:07 AM
Passive ID validates user login events. If customer wishes to validate PC is member of domain, then recommend machine auth via 802.1X PEAP or EAP-TLS with machine cert. Another method to validate AD membership (albeit not as secure as 802.1X) is to use AD Probe from Profiler which can efficiently determine AD membership based on hostname (learned from DNS, DHCP, or prior machine auth), or NMAP probe with SMB discovery option enabled.
Craig
09-26-2017 04:07 AM
Passive ID validates user login events. If customer wishes to validate PC is member of domain, then recommend machine auth via 802.1X PEAP or EAP-TLS with machine cert. Another method to validate AD membership (albeit not as secure as 802.1X) is to use AD Probe from Profiler which can efficiently determine AD membership based on hostname (learned from DNS, DHCP, or prior machine auth), or NMAP probe with SMB discovery option enabled.
Craig
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide