Hi,

I'm not sure about your setup, but:

- If you make the HC evaluation at the realm level, you can then make a role mapping rule based on the status of the Host Checker (if HC=OK -> role employee, else -> role quarantine).
- You can make VLAN assignment without an agent, but it is needed if you want Host Checker.

I'm pretty sure you can allow agent AND agentless clients to the same realm by selecting the right protocols in the protocol set, then make the distinction with role mapping rules.

With an AD configuration, make sure NTP is configured on the IC/MAG and it's the same as the AD server, because this type of authentication requires time sync to work (linked to Kerberos tickets, I think), and it can generate the authentication failed log you linked.

Please make sure that the username is in the right format with the policy tracing option; you may need to remove/add the realm suffix to the username value.

Hope it will help.

Regards,