NAC and AD, Machine GPOs, Roaming Profiles = Chaos

gordonf4c
Level 1

I've just observed a hapless Cisco consultant try to make NAC 4.1 work on computers with machine GPOs, roaming profiles, logon scripts within user GPOs, and for that matter legacy logon scripts with "run logon scripts synchronously" enabled. All of these technologies seem to fail on a NAC-enforced connection.

We assign software on machine GPOs and we use roaming user profiles, and it seems we either need to have a domain controller and profile share on the isolation VLAN, which defeats the purpose of NAC, or perform some kind of machine authentication, which can occur before GPO processing and net logons can happen.

While I'm not the Cisco consultant, it wasn't hard to recognize this problem.

Everything I've read about NAC and CAA suggests this is a per-user compliance solution and not a per-machine solution. Surely others have observed this, and I think this is what machine authentication (802.1x) NAC, as opposed to user authentication NAC, is all about. At the risk of sounding like a total n00b, where can I start researching a NAC solution that supports what I want and lets us use the Cisco NAC gear we've already invested in?

2 Replies

flitcraft33
Level 1

I have had similar issues and have solved many with a custom script that runs at logon. It is a compiled script (AutoIt3) and works great.

The policy part takes care of itself if you leave machines logged in long enough or do a gpupdate /force. This will force the group policy to synchronize, but you will need to log off and on again.

The roaming profile is much tougher. I am still trying to get this working. If anyone has any info on EXACTLY what takes place on a roaming profile synchronization, I would be grateful. If I can I will replicate that process in my script and solve this issue also.

I have fixed the logon script stuff with a delay script that I use (ironically) Clean Access to install. You have to launch it with the user's credentials, though, and not from Clean Access, which uses the SYSTEM user's credentials in its stub agent!

This is a known issue to Cisco, but any prodding of them to get it working would help. Their solution is braindead: just give unremediated machines full access! If they fail remediation, kick them off then. Gee, that gives the unremediated machine a mere two to three minutes to attack your AD DCs on each logon attempt. Not good.

Anyway, that's where I am at. Most of this can be dealt with, some is still problematical.

Dan S.
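The "delay script" approach described in the reply above, as an added illustration that is not the poster's AutoIt3 script nor anything shipped with Clean Access: a PowerShell script that is launched in the logged-on user's context after NAC admission, waits until a domain controller is actually reachable on the ports GPO processing and profile/share access need (LDAP 389, SMB 445), and only then refreshes user policy and runs the logon script. The timeout values, the `$LogonScript` path and the choice of ports are assumptions for the example; adjust them to your environment. It assumes Windows 8 / Server 2012 or later for `Test-NetConnection`.

```powershell
# Added example: post-admission delay script for a NAC-enforced workstation.
# Run this as the logged-on user (e.g. from a per-user scheduled task or Run key),
# NOT as SYSTEM, because gpupdate /target:user and the logon script must see the
# user's token and network credentials.
param(
    [int]$TimeoutSeconds = 300,   # assumption: allow up to 5 minutes for NAC remediation
    [int]$PollSeconds    = 10,    # assumption: how often to re-test DC reachability
    # Placeholder path for the example; point it at your real NETLOGON script.
    [string]$LogonScript = "\\EXAMPLE-DOMAIN\netlogon\logon.bat"
)

function Test-DomainReachable {
    # Locate a DC for the computer's domain; this itself fails while the host is
    # still parked in the isolation VLAN without DNS/LDAP access.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $dc     = $domain.FindDomainController().Name
    } catch {
        return $false
    }
    # GPO processing needs LDAP; SYSVOL, roaming profiles and mapped drives need SMB.
    foreach ($port in 389, 445) {
        $ok = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet
        if (-not $ok) { return $false }
    }
    return $true
}

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while (-not (Test-DomainReachable)) {
    if ((Get-Date) -gt $deadline) {
        Write-Warning "No domain controller reachable after $TimeoutSeconds s; giving up."
        exit 1
    }
    Start-Sleep -Seconds $PollSeconds
}

# The DC is reachable now: reapply user policy. Settings that only apply at logon
# (folder redirection, software installation, the roaming profile load itself)
# still require a fresh logon, as the reply above notes.
gpupdate /target:user /force /wait:120

# Finally run the classic logon script with the user's own credentials.
if (Test-Path -Path $LogonScript) {
    & cmd.exe /c $LogonScript
} else {
    Write-Warning "Logon script not found: $LogonScript"
}
```

The reachability check is deliberately on the specific ports rather than a ping, because NAC isolation policies commonly permit ICMP or DNS while still blocking LDAP and SMB, which is exactly the state in which GPO processing and profile loading fail silently.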

Well, I was about to post a similar problem on the Cisco community and I got this one. I am having a similar issue in my OOB Real-IP gateway deployment at one of my clients. When the client logs in in the unauthenticated role, it's unable to get its roaming profile downloaded from the domain controller and logs in using a local profile on the desktops. I even tried allowing all IP traffic for the clients in the unauthenticated role and temporary role to the domain controllers and the file servers (which have the shared mapped drives for users) but no success. I would highly appreciate it if someone can help me. Thanks
