We only want to allow machines that are owned by our organization onto the network (in addition to meeting our security policies).

Thanks,
Harris
________________________________
From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED]] On Behalf Of Mike King
Sent: Sunday, March 30, 2008 8:37 PM
To: [email protected]
Subject: Re: System validation rules

Hi Harris,

I guess the question I have is: What is your goal? Is it to only allow machines that are owned by your organization onto the network? Or is it to allow users on the network regardless of the machine, as long as the machine meets your security policy?

Mike

On Fri, Mar 28, 2008 at 3:47 PM, Newman, Harris <[EMAIL PROTECTED]> wrote:

I'm beginning a NAC rollout and was wondering if this is possible: We wish to only allow our workstations on our internal network. In looking at the rules available, I can check for registry entries and files, and the contents of each (and date/time stamps for the files). If this information were to get out, it would not be of any use. Once the information becomes known, these checks are worthless. What is needed is some way of ensuring that the equipment is ours.

In the CAM user's guide there is a discussion of a "Launch Programs Example" which utilizes a valid data signature signed by certificates in order to have a rule check to see if a service is running that is signed. (What is to stop someone from writing a service with the same name to get around this?)

I guess my question is: Is there a way to programmatically check to see if the system is "ours", i.e. use public/private keys to validate the system is "ours"?
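The check Harris is asking for, a workstation proving it is "ours" by signing a fresh challenge with a private key it holds rather than by exposing a registry value or file that anyone could copy, as an added example that is not from this thread or from Cisco Clean Access. It assumes a constructed device ID and an in-memory registry standing in for certificates issued by the organization's CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Registry maps a device ID to its enrolled public key; a real deployment would hold org-CA-issued certificates.
type Registry map[string]*ecdsa.PublicKey

// Enroll registers only the public half; the private key stays on the workstation (ideally in a TPM).
func Enroll(reg Registry, deviceID string) (*ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err == nil {
		reg[deviceID] = &priv.PublicKey
	}
	return priv, err
}

// NewNonce is the NAC side's fresh challenge: unlike a copied registry value, a signature over it is useless once the nonce changes.
func NewNonce() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// SignChallenge runs on the workstation and proves possession of the private key.
func SignChallenge(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyDevice runs on the NAC side: "ours" only if the signature over this check's nonce verifies under the enrolled key.
func VerifyDevice(reg Registry, deviceID string, nonce, sig []byte) bool {
	pub, ok := reg[deviceID]
	digest := sha256.Sum256(nonce)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	reg := Registry{}
	priv, _ := Enroll(reg, "ws-0001") // constructed device ID
	nonce, _ := NewNonce()
	sig, _ := SignChallenge(priv, nonce)
	replay, _ := NewNonce() // the next check issues a different nonce
	fmt.Println(VerifyDevice(reg, "ws-0001", nonce, sig), VerifyDevice(reg, "ws-0001", replay, sig)) // true false
}
```

The same exchange also rejects a signature from a key that was never enrolled, which is the property the name-matching "Launch Programs" rule lacks.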
