AD Domain Login

Genian NAC can be used for Active Directory alternative authentication using Windows or macOS agents.

To use alternative authentication via AD, you must first enable node policies.

1. Go to Policy in the top menu.
2. Go to Node Policy in the left Policy menu.
3. Click the policy name you want to activate.

In Authentication Policy, do the following:

1. In Single Sign-On Method, select Active Directory.
2. Enter the AD Allowed Domain Name.
3. Click the Update button.

Agent-based AD Alternative Authentication Settings

• Install the agent. (Installing Agent)
• The agent execution / installation account must be set as a domain administrator account or an account with installation privileges. If the agent is installed on a local account, SSO will not work.

Agentless AD Alternative Authentication Settings

• When adding the settings below, the authentication replacement function can be used even on nodes without the Agent installed.
• Performs agentless SSO via WMI queries to the domain controller (supports all nodes authenticated in the domain).
• The Network Sensor performs authentication replacement by comparing domain login event logs from the AD server with the hostname/domain name of the endpoint detected by the Network Sensor via NetBIOS. Therefore, the Network Sensor must be able to communicate smoothly with the endpoint's NetBIOS, remote WMI, etc.

1. Go to Preferences in the top menu.
2. In the left settings menu, go to User Authentication > Authentication Integration > AD Single Sign-On.

Complete the AD Single Sign-On settings by entering the following items:

1. Server Connection Sensor : Select the sensor to connect to the AD server. (If 'None' is selected, it connects from the Policy Server.)
2. Server Address : Enter the address/domain of the server system for AD Single Sign-On. If the node is joined to the domain, the node's user information is replaced with authentication information.
3. User ID : Enter the user ID of the AD server for event log monitoring.
4. Password : Enter the user Password of the AD server for event log monitoring.
5. Use Secondary AD : Select whether to use Secondary AD.
6. Click the Update button.

AD Configuration

1. Confirm that the entered AD user account is included in the following groups:

   • Distributed COM Users
   • Event Log Readers
   • Domain Users
   • AD configuration

2. Run wmimgmt.msc from the command prompt.

3. In the WMI Control Properties Security tab, select the CIMV2 folder.

4. Click Security, then Add, and then select the user account configured in NAC.

5. Set 'Account Usage' and 'Remote Access' to Allow.

6. Click the OK button to complete the settings.

How to Check Endpoint's AD Domain Join Status

1. Method to check from AD server

   • On the AD server, run Control Panel > Administrative Tools > Active Directory Users and Computers.
   • Click Domain > Computers to check the list of joined computers on the right.

2. Method to check from client endpoint

   • In the client endpoint's CMD, check if ping [AD Domain] resolves to a valid IP.

Genian NAC performs SSO for agentless endpoints via WMI queries. Please refer to the following link to configure WMI:

• Configuring Environment for Remote WMI Information Collection

• Please refer to the Agentless-related items in FAQ.