Off the top of my head... You can create checks that check for domain membership. I would reasonably assume that if it's joined to the domain, then it's part of your organization.

Or are you looking for something more in-depth?

On Mon, Mar 31, 2008 at 1:06 PM, Newman, Harris <[EMAIL PROTECTED]> wrote:
> We only want to allow machines that are owned by our organization onto
> the network (in addition to meeting our security policies).
> thanks,
> Harris
>
> ------------------------------
> From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED]] On Behalf Of Mike King
> Sent: Sunday, March 30, 2008 8:37 PM
> To: [email protected]
> Subject: Re: System validation rules
>
> Hi Harris,
>
> I guess the question I have is:
>
> What is your goal?
>
> Is it to only allow machines that are owned by your organization onto the
> network?
>
> Or is it to allow users on the network regardless of the machine, as long
> as the machine meets your security policy?
>
> Mike
>
> On Fri, Mar 28, 2008 at 3:47 PM, Newman, Harris <[EMAIL PROTECTED]> wrote:
> >
> > I am beginning a NAC rollout and was wondering if this is possible:
> >
> > We wish to only allow our workstations on our internal network. In
> > looking at the rules available, I can check for registry entries and files,
> > and the contents of each (and date/time stamps for the files). If this
> > information were to get out, it would not be of any use. Once the
> > information becomes known, these checks are worthless.
> >
> > What is needed is some way of ensuring that the equipment is ours.
> >
> > In the CAM users guide there is a discussion of a "Launch Programs
> > Example" which utilizes a valid data signature signed by certificates in
> > order to have a rule check to see if a service is running that is signed.
> > (What is to stop someone from writing a service with the same name to get
> > around this?)
> >
> > I guess my question is: Is there a way to programmatically check to see
> > if the system is "ours", i.e. use public/private keys to validate the system
> > is "ours"?
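The public/private key check Harris asks about in the original post is a challenge-response over a per-machine key pair, which is the property that static registry or file checks lack: the server sends a fresh nonce, the machine signs it with a private key that was installed at provisioning time, and the server verifies against the public key it recorded for that device. Copying the registry value, or shipping a service with the same name, does not yield the private key, and an old signature cannot be replayed because the nonce changes. The following is an added illustration written for this thread, not code from the thread or from Cisco Clean Access; it uses Go's standard-library Ed25519, and the type names, device IDs and the 30-second challenge lifetime are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Hypothetical protocol constants chosen for this example.
const (
	domainSep    = "nac-machine-attest-v1" // domain separation: signatures cannot be reused in another protocol
	challengeTTL = 30 * time.Second         // how long a server-issued nonce stays valid
)

// Registry maps an enrolled device ID to the public half of its key pair.
// The private half never leaves the device; to survive a copied disk image
// it must sit in non-exportable storage such as a TPM.
type Registry map[string]ed25519.PublicKey

// Challenge is issued and kept server-side; the verifier uses its own copy,
// never fields echoed back by the client.
type Challenge struct {
	DeviceID string
	Nonce    [32]byte
	Issued   time.Time
}

// Response is the client's signature over the challenge.
type Response struct {
	DeviceID string
	Sig      []byte
}

var (
	ErrUnknownDevice = errors.New("device not enrolled")
	ErrExpired       = errors.New("challenge expired")
	ErrBadSignature  = errors.New("signature does not verify for this challenge")
	ErrMismatch      = errors.New("response does not belong to this challenge")
)

// Enroll generates a key pair at provisioning time and records the public key.
// The returned private key is handed to the device once.
func (r Registry) Enroll(deviceID string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r[deviceID] = pub
	return priv, nil
}

// NewChallenge draws a fresh random nonce, so a signature captured from an
// earlier attestation does not verify against a later challenge.
func NewChallenge(deviceID string, now time.Time) (Challenge, error) {
	c := Challenge{DeviceID: deviceID, Issued: now}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return Challenge{}, err
	}
	return c, nil
}

// message is the exact byte string that gets signed: domain tag, device ID,
// nonce, issue time. The fixed-width fields after the ID keep it unambiguous.
func (c Challenge) message() []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(c.Issued.Unix()))
	msg := make([]byte, 0, len(domainSep)+len(c.DeviceID)+len(c.Nonce)+len(ts))
	msg = append(msg, domainSep...)
	msg = append(msg, c.DeviceID...)
	msg = append(msg, c.Nonce[:]...)
	msg = append(msg, ts[:]...)
	return msg
}

// Sign runs on the client (the NAC agent) and proves possession of the
// private key without revealing it.
func Sign(priv ed25519.PrivateKey, c Challenge) Response {
	return Response{DeviceID: c.DeviceID, Sig: ed25519.Sign(priv, c.message())}
}

// Verify runs on the server against the challenge it issued itself.
func (r Registry) Verify(c Challenge, resp Response, now time.Time) error {
	if resp.DeviceID != c.DeviceID {
		return ErrMismatch
	}
	pub, ok := r[c.DeviceID]
	if !ok {
		return ErrUnknownDevice
	}
	if now.Before(c.Issued) || now.Sub(c.Issued) > challengeTTL {
		return ErrExpired
	}
	if !ed25519.Verify(pub, c.message(), resp.Sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	reg := Registry{}
	priv, _ := reg.Enroll("WS-0001") // provisioning (constructed device ID)
	now := time.Now()
	c, _ := NewChallenge("WS-0001", now) // at network admission
	fmt.Println("enrolled device:", reg.Verify(c, Sign(priv, c), now.Add(time.Second)))
	_, impostor, _ := ed25519.GenerateKey(rand.Reader) // knows the ID, lacks the key
	fmt.Println("impostor key:", reg.Verify(c, Sign(impostor, c), now.Add(time.Second)))
}
```

Two caveats a practitioner would add. The check is only as strong as the protection of the private key: a key sitting in a file is just another secret that "gets out", so the point of doing this properly is binding it to hardware (TPM) or to a credential the OS already guards, which is also why the domain-membership suggestion works at all, since a domain-joined machine holds a machine-account secret. And the verification must happen on the server, not as a yes/no reported by an agent on the untrusted host. Neither this nor domain membership addresses the second question in the thread, a non-authorized user on an owned machine; that is a user-authentication policy, not a machine one.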
