Subject: OT: authenticating users, was Re: SE Linux vs SE NetBSD !!
To: John Nemeth <jnemeth@victoria.tc.ca>
From: Travis H. <solinym@gmail.com>
List: tech-security
Date: 09/02/2006 17:26:51

On 9/2/06, John Nemeth <jnemeth@victoria.tc.ca> wrote:
> This is where things like Cisco's NAC (Network Admission Control)
> come into play. Basically, it prevents machines from connecting to
> the network if they aren't running the latest patches, anti-virus, etc.
> (whatever you put into your policy). It can either block the machine
> completely or quarantine it in a subnet where it can only get updates.
> There may be other products that do similar things, but I'm not aware
> of any.

I think you could write this up in a script using nmap and authpf.

> Of course, there is the issue of authenticating users and making sure they
> don't try to fake the credentials of a different user. I think some of
> the other options are better for that.

Yeah, well nowadays there are so many PCs relative to the number of
users, and it's reasonable to assume one user per workstation.
I think Kerberos is designed with this assumption. Certainly
network security devices like firewalls are. A person with
physical access can probably get any other user's privileges
anyway.
--
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
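
Added example (not part of the original message, and not code from either poster): one way the posture-check half of the nmap-plus-authpf idea could look. It assumes nmap's grepable (-oG) output, a site policy expressed as forbidden open TCP ports, and pf names `$int_if` and `<update_servers>` that are hypothetical; `$user_ip` is the macro authpf supplies to its rules file.

```python
import re

# Constructed sample of nmap grepable output (-oG); not from the original post.
SAMPLE_SCAN = """\
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///\tIgnored State: filtered (998)
"""

# Assumed site policy: a client exposing any of these TCP ports is quarantined.
FORBIDDEN_PORTS = {23, 135, 139, 445}

def open_ports(scan_text):
    """Map host IP -> set of open TCP ports found in nmap -oG output."""
    hosts = {}
    for line in scan_text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: (.*)", line)
        if not m:
            continue  # Status lines and comments carry no port list
        ip, ports = m.groups()
        found = hosts.setdefault(ip, set())
        # Drop trailing tab-separated fields such as "Ignored State: ..."
        for entry in ports.split("\t")[0].split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                found.add(int(fields[0]))
    return hosts

def decide(ip, hosts):
    """Return 'admit' or 'quarantine'; a host with no scan result fails closed."""
    if ip not in hosts:
        return "quarantine"
    return "quarantine" if hosts[ip] & FORBIDDEN_PORTS else "admit"

def pf_rules(verdict):
    """pf rules in authpf.rules style; $int_if and <update_servers> are assumed names."""
    if verdict == "admit":
        return ["pass in quick on $int_if from $user_ip to any keep state"]
    return [
        "pass in quick on $int_if proto tcp from $user_ip "
        "to <update_servers> port { 80, 443 } keep state",
        "block in quick on $int_if from $user_ip to any",
    ]
```

A port scan only sees what the client exposes on the network, so this approximates the patch and anti-virus checks in the quoted description rather than reproducing them.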