Hi balaji,

This is not exactly what I am looking for. I am trying to control access to a network that I have created with asa. I want only PCs that are registered in the domain can access this network.

To restrict access to domain computers you can use a Dynamic Access Policy (DAP) with your VPN.

DAP uses the hostscan feature - basically you check the connecting PC's registry for a key indicating that it is domain-joined.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-dap.html#ID-2184-00000311

Hello Marvin,

is it possible to have another method without using VPN ?

I don't understand the question.

When you say "without using VPN" - do you mean they are internal users?

I f they are coming in via VPN you need to either check using the ASA (DAP method) or via some external authentication server like ISE (which in turn informs the ASA that the endpoint is authorized).

This is the architecture that I want to realize.

Please the attached image.

The DHCP is enabled in the network 2.

Only the PCs inside the network 2 should access to the network 1.

Also, the active directory is enabled in the network 2 and all PCs in the network 2 are registered in the domain.

The challenge is: if another PC ( in this example the PC3) plug a cable in the switch inside the network 2 and it's not registered to the domain, he should be blocked.

So, the only way that the PC3 has access to the network 2 is that the administrator add this PC in the domain.

I hope I explain all.

Ah ok. That's why I cannot found it anywhere.