Hi Aronow,

The picture has since changed; they want to see how the whole UAC solution works in conjunction with IDP. So I have to show 802.1x authentication, Agentless authentication and access, and LDAP authentication, but make the LDAP authentication as seamless as possible. In other words, the user must only log in to Windows and automatically be authenticated via LDAP to the UAC.

They also want to see the IDP in action. In other words, if an endpoint is in compliance and assigned to the trusted VLAN, then suddenly starts an attack on a trusted server (web server for instance), IDP should then block access for the endpoint to the trusted VLAN, inform the Enforcer about this and move the endpoint to the untrusted VLAN.

Currently I have it set up with the following equipment:

- EX4200 Switch that has two VLANs configured
  - Trust VLAN
  - Untrust VLAN
  - Authentication using 802.1x and Radius
- IC 4000
  - 802.1x configured
  - LDAP authentication server configured
  - Local authentication configured (radius)
- ISG 1000 as the enforcer
- Windows 2003 Server
  - Active Directory (LDAP)
  - DNS
- Windows XP Professional as the Endpoint

The problems that I have:

- When using 802.1x authentication with OAC, everything seems to be working perfectly. The endpoint is assigned to the correct VLAN once the host checker policy has been run, although when the endpoint is in the untrusted VLAN, he is still able to access the trusted VLAN resources.
- When using LDAP authentication, the endpoint stays in the trusted VLAN, even if the host checker policy fails.
- When a user is not authenticated and tries to access the internet, it goes through. The browser is not redirected to the IC for authentication prior to loading the web page. I have set up the Redirection rule on the ISG as stated by the UAC Administration guide.
- With Agentless access, I only want the user to be able to access the internet and nothing else, but I only receive a message on the browser window when authenticating on the IC, that the user has not been assigned to any protected resources, although I am able to connect to the protected resources.

With regards to the IDP integration, how will I do this?

Regards,
Martin