A Czechnological Solution

2007-12-18

I had just read an article about czechnology on somebody else’s blog today, when we experienced a wonderful improvised and somewhat hackish solution in our own environment. I have been working with Lyle from Longview systems on setting up a pilot of a network access control infrastructure that locks computers out of the network at the switch until they meet the virus scanner, malware scanner and Windows patch currency policy.

The system we are looking at is, of course, designed for a Windows Server / Active Directory environment, so getting it to work in a Novell environment is not straightforward. With Windows desktops and servers, the NAC does pass-through authentication: when you boot up you are on the untrusted network, you authenticate to AD via pass-through on the NAC server, the NAC agent runs and verifies that you meet policy, and then you are flipped onto the trusted network, at which point your login script runs and you go to work. With NetWare / Open Enterprise Server you can’t defer the login script, and if you allow enough traffic from the untrusted network to the trusted network for users to authenticate, they can also access data on the server, because authentication and data access via the Novell Core Protocol use the same ports. Allowing data access while the workstation is still on the untrusted network defeats the purpose of the NAC.

When Lyle and I were discussing the conundrum, Lyle mentioned that the security configuration on the NAC server can be changed between the time the user logs in and the time the NAC agent starts checking the workstation for policy compliance. That led to the idea of allowing the user access to eDirectory from the untrusted network before they log in, so that the login works and the login script runs. Then, once the user has logged in and all the drive mappings have been made, the NAC agent starts up and the NAC server revokes access to eDirectory and NCP, effectively blocking the user from using the mapped drives. After remediation, the workstation flips onto the trusted network and grabs a new IP address. The Novell client stays connected, and all those drive mappings suddenly work again. A nice, clean but hackish solution!
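To make the timing trick concrete, here is an added simulation (not code from the NAC product, Longview Systems, or the original post) that walks a workstation through the four phases described above and asks, in each phase, whether an NCP flow would be allowed. It assumes NCP on TCP port 524 and that the enforcement point can only see network and port, not whether a given NCP session is authenticating or transferring files. The naive policy (always allow NCP from untrusted so login works) is shown beside the phased policy the post describes; the `data_exposure_phases` check also makes the caveat visible: the phased approach shrinks the window in which a non-compliant workstation can reach file data to the phases before the agent starts, it does not remove it.

```python
"""Simulation of the phased NAC enforcement described in the post.

Constructed illustration, not the NAC product's or Longview Systems' code.
It encodes one constraint: eDirectory authentication and file data access
both ride on NCP (assumed TCP 524), so the enforcement point cannot tell
them apart by port alone and must rely on *when* it allows the port.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Set

NCP_PORT = 524  # Novell Core Protocol: shared by authentication and data access


class Phase(Enum):
    BOOT = "boot"                # on untrusted network, user not logged in
    LOGGED_IN = "logged_in"      # login done, login script has mapped drives
    AGENT_CHECK = "agent_check"  # NAC agent running, compliance being verified
    TRUSTED = "trusted"          # compliant; moved to trusted network, new IP


# The order in which a workstation passes through the phases.
SEQUENCE = [Phase.BOOT, Phase.LOGGED_IN, Phase.AGENT_CHECK, Phase.TRUSTED]


@dataclass(frozen=True)
class Flow:
    src_network: str  # "untrusted" or "trusted"
    dst_port: int
    purpose: str      # "auth" or "data": a label only; policies cannot see it


Policy = Callable[[Flow, Phase], bool]


def network_for(phase: Phase) -> str:
    """Which network the workstation sits on during a phase."""
    return "trusted" if phase is Phase.TRUSTED else "untrusted"


def naive_policy(flow: Flow, phase: Phase) -> bool:
    """Allow NCP from the untrusted network unconditionally so login works.

    Because auth and data share port 524, this also allows file access from
    the untrusted network in every phase, which defeats the NAC.
    """
    if flow.src_network == "trusted":
        return True
    return flow.dst_port == NCP_PORT


def phased_policy(flow: Flow, phase: Phase) -> bool:
    """The post's workaround: allow NCP from untrusted only until the agent starts.

    Once the NAC agent begins its compliance check the server revokes NCP for
    the untrusted network; mapped drives stop working until the workstation
    is moved to the trusted network.
    """
    if flow.src_network == "trusted":
        return True
    if flow.dst_port != NCP_PORT:
        return False
    return phase in (Phase.BOOT, Phase.LOGGED_IN)


def data_exposure_phases(policy: Policy) -> Set[Phase]:
    """Phases in which an NCP data flow from the untrusted network is allowed.

    This is the window during which a not-yet-verified workstation can still
    reach file data; a policy is only as good as this window is short.
    """
    exposed = set()
    for phase in SEQUENCE:
        net = network_for(phase)
        if net == "untrusted" and policy(Flow(net, NCP_PORT, "data"), phase):
            exposed.add(phase)
    return exposed


def login_possible(policy: Policy) -> bool:
    """Can the Novell login and login script complete on the untrusted network?"""
    return policy(Flow("untrusted", NCP_PORT, "auth"), Phase.BOOT)


def drives_usable(policy: Policy, phase: Phase) -> bool:
    """Do the mapped drives (NCP data) work in the given phase?"""
    return policy(Flow(network_for(phase), NCP_PORT, "data"), phase)


if __name__ == "__main__":
    for name, policy in (("naive", naive_policy), ("phased", phased_policy)):
        exposed = sorted(data_exposure_phases(policy), key=SEQUENCE.index)
        print(f"{name}: login possible={login_possible(policy)}, "
              f"data exposed in={[p.value for p in exposed]}")
        for phase in SEQUENCE:
            print(f"  {phase.value:<12} drives usable: {drives_usable(policy, phase)}")
```

Running the block shows that both policies let the login script complete, but only the phased policy blocks the mapped drives during `agent_check`; the remaining exposure during `boot` and `logged_in` is the price of not being able to defer the Novell login script.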

Entry filed under: Identity Management, Other Work Stuff.

