CLEANACCESS Archives

March 2008

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Daniel Sichel <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Mon, 31 Mar 2008 08:16:34 -0700
 > We wish to only allow our workstations on our internal network. In
 > looking at the rules available, I can check for registry entries and
 > files, and the contents of each (and date/time stamps for the files).
 > If this information were to get out, it would not be of any use. Once
 > the information becomes known, these checks are worthless.

I also am pursuing this goal. At this point I intend to use LDAP
attributes to check and make sure the machine name is in the appropriate
AD container. I am still struggling with basic setup however, and do not
know if this will work, but there is that field where you tell Clean
Access under auth servers->lookup servers.
Of course, like so much in Clean Access, I am sure this will not work as
expected, but the manual says the following:

    "Note: The LDAP Lookup server is only needed if you want to
    configure mapping rules so that users are placed into user roles
    based on AD attributes after AD SSO authentication."

Like so much of the Clean Access documentation it is delightfully vague
and ambiguous. However, I am hoping to use this to put people into a role
defined by what container within the AD structure their computer is in.
I have no doubt that there is some reason this won't work, but that is
the current plan. BTW, the manual is vague on how this is achieved; if
anyone has details, that would be much appreciated.

Thanks,

Daniel Sichel, CCNP, MCSE, MCSA, MCTS (Windows 2008)
Network Engineer
Ponderosa Telephone (559) 868-6367
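
The container check described in the message above, as an added example that is not part of the original post and is not Clean Access code: it decides whether a computer object's distinguishedName sits under an allowed AD container by comparing parsed RDNs instead of raw string suffixes, and unknown or malformed DNs fall into a restrictive role. The DNs, role names and function names are constructed for illustration.

```python
# Added example: constructed container DNs and role names (hypothetical).
ROLE_BY_CONTAINER = {
    "OU=Workstations,DC=corp,DC=example": "internal-workstation",
    "OU=Kiosks,OU=Workstations,DC=corp,DC=example": "kiosk",
}
DEFAULT_ROLE = "quarantine"  # anything unmatched or unparsable lands here


def split_dn(dn):
    """Split a DN into lowercase (attr, value) RDNs, honouring '\\,' escapes."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair, do not split on it
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn, container):
    """True only if dn is strictly below container, compared RDN by RDN."""
    d, c = split_dn(dn), split_dn(container)
    return len(d) > len(c) and d[-len(c):] == c


def role_for(dn):
    """Role of the deepest matching container, else DEFAULT_ROLE."""
    try:
        hits = [(len(split_dn(c)), role)
                for c, role in ROLE_BY_CONTAINER.items() if is_under(dn, c)]
    except ValueError:
        return DEFAULT_ROLE
    return max(hits)[1] if hits else DEFAULT_ROLE
```

A plain `endswith()` on the DN string would accept both `OU=NotWorkstations,...` and a CN containing an escaped comma followed by the container text; the RDN-wise comparison rejects both.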
