McAfee Network Access Control 3.2 Product and Installation Guide for use with ePolicy Orchestrator 4.0


COPYRIGHT

Copyright © 2010 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Introducing McAfee Network Access Control ... 8
    Control of network access ... 8
        System detection ... 9
        System health assessment ... 9
        Enforcement of access restrictions ... 10
        How unhealthy systems are fixed ... 10
    How systems are classified ... 11
        Managed systems ... 11
        Unmanaged systems ... 11
        Unmanageable systems ... 12
        Unenforceable systems ... 12
    Supported deployment configurations ... 13
        McAfee NAC only deployment ... 13
        McAfee NAC with Microsoft Network Access Protection deployment ... 13
        McAfee NAC with McAfee Network Security Platform deployment ... 14
        McAfee NAC with McAfee Network Security Platform and Microsoft Network Access Protection deployment ... 15
    Use of ePolicy Orchestrator features ... 16
    Use of Rogue System Detection ... 17
    How the McAfee Agent is used ... 17
    Audience ... 18
    Using this guide ... 18
    Where to find McAfee product information ... 19

Installation and System Requirements ... 20
    Pre-installation guidelines ... 20
        Hardware and software requirements ... 21
    Installing McAfee Network Access Control 3.2 ... 23
    Manually installing the NAC client ... 24
        Manually installing on Windows ... 24
        Manually installing on Mac OS ... 25
        Manually installing on Linux ... 25
    Key differences in the non-Windows NAC client ... 26
    FAQ for non-Windows NAC client ... 26
    Post-installation considerations ... 28

McAfee NAC Functional Architecture ... 29
    NAC manager functionality ... 30
    McAfee NAC distributed component functionality ... 32
    Detectors and how they operate ... 32
        RSD as a detector ... 33
        NAC client used as a detector ... 35
        NAC guest client used as a detector ... 35
    Assessors and how they operate ... 36
        NAC client used as an assessor ... 37
        NAC guest client used as an assessor ... 39
    Enforcers and how they operate ... 39
        NAC client used as an enforcer ... 41
    Remediators and how they operate ... 41

McAfee NAC Policies ... 43
    System health levels and their function ... 44
    Benchmarks for McAfee NAC ... 45
        Benchmark enforcement modes ... 46
    Managed system health policies ... 47
        System health policy structure ... 48
        Working with managed system health policies ... 51
    Unmanaged system policy ... 55
        Editing the unmanaged system policy ... 56
    Network access policies ... 57
        Creating network access policies ... 58
    Network access zones and compliance ... 58
        Creating network access zones ... 60
        Importing and exporting network access zones ... 60
    NAC client policies ... 61
        Creating and modifying NAC client policies ... 62

Using Exemptions ... 63
    Enforcement exemptions ... 63
    Scan exemptions ... 64
    How system classification affects exemptions ... 64
    How exemption rules work ... 65
        Creating exemption rules ... 66
        Exporting exemption rules ... 67
        Importing exemption rules ... 67
    Use of an imported exemption list ... 67
        Creating an exempt systems list ... 68
        Importing an exempt systems list ... 68
    How manual exemptions work ... 68

Remediation of Unhealthy Systems ... 70
    Types of remediation ... 70
    Automatic remediation ... 70
        Common remediation commands ... 71
    Manual remediation ... 72
        Elements needed for manual remediation ... 73
        Remediation resources users must access ... 73

Dashboards, Monitors, and Queries ... 74
    NAC dashboards and monitors ... 74
    Queries for network access monitoring ... 75
    Creating NAC monitors ... 78
    Running McAfee NAC queries ... 78

Network Access Administration and Monitoring ... 79
    NAC manager configuration ... 79
    Deployment and configuration tasks ... 80
        Deploying the NAC client ... 80
        Editing McAfee NAC server settings ... 81
        Editing McAfee NAC permission sets ... 81
    Useful queries for NAC monitors ... 82
        Creating an Enforced Health Level query ... 82
        Creating a Manual Enforcement Request query ... 83
        Creating a Malicious System query ... 84
        Creating a NAC Client Started query ... 84
        Creating a Benchmark Enforcement Mode query ... 85
    Health compliance auditing ... 85
    System health assessment of managed systems ... 86
        Scheduling managed system scans ... 86
        Requesting an immediate scan ... 87
    System health assessment of unmanaged systems ... 87
        The guest portal and guest client ... 88
        Guest portal configuration ... 89
        Configuring the guest portal ... 90
    Health level overrides ... 90
        Modifying a system's health level ... 90
        Resetting a system's health level ... 91
    Events and responses ... 91
        Creating automatic event responses ... 92
    Manual control of exemptions ... 92
        Setting a system's exemption status ... 93
    Unmanageable devices and what to do with them ... 94
        How to handle unenforceable systems ... 94
        Removing retired or invalid systems ... 94
    Post admission control for malicious systems ... 95
        What are malicious systems ... 95
        How post admission control works ... 96
        Post admission control enforcement ... 97
        Post admission policies ... 98
        Configuring a post admission policy ... 98
        Malicious system event responses ... 99
        Configuring a malicious system event response ... 99
        Setting a system's malicious status ... 100
        Removing a system's malicious status ... 100
    Assessment and enforcement histories ... 101
        Purging scan results automatically ... 101
        Deleting scan or enforcement results manually ... 101

Combining McAfee NAC with McAfee Network Security Platform ... 103
    Configuration requirements ... 103
    Operations when combined with McAfee Network Security Platform ... 104
        Operations unaffected by the Network Security Manager access control mode ... 105
        Client systems that use firewall software ... 106
    Network Security Sensor as a detector ... 106
    Network Security Sensor as an enforcer ... 106
    Health-based access control ... 107
    Identity-based access control ... 108
    NAC manager configuration ... 110
        Configuring a NAC client policy ... 110
    Assessment of unmanaged systems ... 111
        The guest portal and guest client ... 112
        Guest portal configuration ... 113

Combining McAfee NAC with Microsoft Network Access Protection ... 114
    Setup requirements ... 115
    ePolicy Orchestrator considerations ... 115
    Microsoft NAP as an enforcer ... 115
        NAC client operations in NAP mode ... 116
        Configuring a NAC client policy for NAP mode ... 117
        Configuring automatic remediation for NAP mode ... 118
    Support for non-native operating systems ... 118
        Installing the DHCP Agent ... 119
    McAfee System Health Validator operations ... 119
        Installing the McAfee System Health Validator ... 120
        Configuring the McAfee System Health Validator ... 121
    System Health Validator failure categories ... 122
    System Health Validator error conditions ... 122

Glossary ... 124


Introducing McAfee Network Access Control

McAfee® Network Access Control (NAC) 3.2 is an extension to ePolicy Orchestrator 4.x that provides network access security. McAfee NAC can:

• Detect and assess managed systems on your network, and enforce access to network resources based on a system's health level.

• Detect and assess unmanaged systems on your network, and enforce network access based on a system's health or user identity when combined with a supported product.

To support enforcement of network access security for unmanaged systems, you can combine McAfee NAC with McAfee Network Security Platform (formerly IntruShield) or with Microsoft Network Access Protection (NAP).

To understand what McAfee NAC does and how to use it, you must be familiar with these basics:

• The functional components you can use to control access to your network.

• The system classifications that determine which functional components can be used.

• The supported deployment solutions based on the type(s) of systems you want to control.

This chapter introduces these concepts. Successive chapters build on your understanding, and provide details about the use of each functional component.

In addition, it is important to understand how McAfee NAC fits into the framework provided by ePolicy Orchestrator. See Use of ePolicy Orchestrator features and the ePolicy Orchestrator documentation.

Contents

Control of network access

How systems are classified

Supported deployment configurations

Use of ePolicy Orchestrator features

Use of Rogue System Detection

How the McAfee Agent is used

Audience

Using this guide

Where to find McAfee product information

Control of network access

McAfee Network Access Control allows and blocks access to your network using the following actions:

• Detect and identify connected systems.

• Assess a system's health according to predefined rules in policies.


• Enforce network access restrictions based on policies that map network access zones to health levels.

• Fix (remediate) systems that are not healthy.

The functional components that support these principles are described in the following table. For details, see McAfee NAC Functional Architecture.

Table 1: McAfee NAC functional components

Component name: Description

NAC manager: The central management portion of McAfee NAC that provides policy management, exemption management, system classification, action triggers, component deployment, and data processing and storage.

Detectors: A component that identifies systems that connect to a network. A detector can be software only, or a combination of hardware and software. Detectors can be centralized or distributed as client-side agents.

Assessors: A component that evaluates the health of a system based on policies that describe or identify required software, patches, services, registry keys, and numerous other conditions that can be described by a rule.

Enforcers: A component that restricts a system's access to network resources according to a mapping of network access zones to health levels. Enforcers are typically health-based, but can use other criteria for restricting a system's network access.

Remediators: A component that automatically attempts to bring an unhealthy system back into compliance with the policies you have defined for a healthy system.

If you need to exclude specific systems from assessment or enforcement, McAfee NAC supports this through exemptions. An exemption allows you to exclude a system or device, such as a printer, from being assessed or enforced. There are several methods for designating exemptions. For details, see Using Exemptions.

System detection

Detecting the systems that are connected to a network is the responsibility of a detector. The primary purpose of detection is to identify a system as unique. A secondary purpose is to provide the NAC manager with information that determines a system's classification. See How systems are classified.

McAfee NAC bases system detection on one or more of these factors:

• Acquisition of a DHCP assigned address.

• Periodic network broadcasts.

• Establishment of a network connection.

• Deployment of the McAfee Agent.

• Deployment of the NAC client.

McAfee NAC supports several detector types. See Detectors and how they operate.

System health assessment

Assessing a system's health is the responsibility of an assessor. Assessment is based on configurable policies that allow you to define various types of security rules. Which assessor you can use depends on a system's classification. See Assessors and how they operate.

Health assessments (scans) can be scheduled and performed automatically, or initiated manually by an administrator through the NAC manager, or by a system user through the McAfee system tray. Health assessment also occurs automatically based on certain system conditions. See When systems are assessed.

The software predefines a set of health levels that administrators use to rank a system's health state (or status) based on what is wrong. A system's health is evaluated automatically against the policies you create, or it can be set manually.

In descending order, the health levels are:

• Healthy

• Fair

• Poor

• Serious

• Critical

How the health levels are used depends entirely on your policy definitions. Only the relative order of these levels is important, and only as it relates to the way each level is mapped to network access zones. See System health levels and their function.

Another health level, Unknown, is assigned to a system automatically under these conditions:

• The first time a system is detected, including startup.

• The assessed health of a system expires.

• A scan fails to finish successfully.

• A system is unmanageable (see How systems are classified).

• A change occurs to the system's network connection and it is detected again.

The Unknown health level is considered a special case, and typically is not considered part ofthe health ranking.

Enforcement of access restrictions

Enforcing network access restrictions is the responsibility of an enforcer. The enforcer you use is configurable, and the method of restricting network access depends on the enforcer. The choice of an enforcer depends on the products you are using for network access control. See Supported deployment configurations.

In McAfee NAC, access enforcement is based on a system's current health status. In this regard, McAfee NAC is exclusively a health-based enforcement mechanism.

The McAfee NAC enforcer bases enforcement on a configurable policy that maps network access zones to health levels. Enforcement takes place locally on managed systems using a local firewall to block new, outgoing connections. The resources that are blocked depend on how you define your network access zones. Other supported enforcement products (enforcers) might use a different method, or even base enforcement on criteria other than health. See Enforcers and how they operate.

Administrators can also control system enforcement by setting a health level manually.
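The ranking, the Unknown special case and the health-to-zone mapping described above, as an added Python example that is not part of this guide or of the McAfee product: the rule set, the "worst failing rule wins" aggregation, the 24-hour assessment validity window, and the zone names and subnets are assumptions chosen for illustration. The enforcement check models the NAC client's local-firewall behaviour of blocking new outgoing connections to anything outside the zone's reachable networks.

```python
# Added example, not McAfee code. The rule set, the "worst failing rule wins"
# aggregation, the validity window and the zone definitions are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

class Health(IntEnum):
    """Ranked health levels; a larger value is a worse state."""
    HEALTHY = 0
    FAIR = 1
    POOR = 2
    SERIOUS = 3
    CRITICAL = 4

Unknown = None                      # outside the ranking on purpose: not a Health member
Level = Optional[Health]
NOW = datetime(2010, 6, 1, 12, 0)   # fixed clock keeps the example deterministic

def hours_ago(hours: float) -> datetime:
    return NOW - timedelta(hours=hours)

@dataclass
class Rule:
    name: str
    passes: Callable[[dict], bool]  # evaluated against the system's facts
    level_on_fail: Health           # level the system drops to when this rule fails

@dataclass
class SystemRecord:
    name: str
    unmanageable: bool = False              # cannot run the NAC client or guest client
    facts: dict = field(default_factory=dict)
    assessed_at: Optional[datetime] = None  # None: never assessed (first detection)
    scan_ok: bool = False                   # last scan finished successfully
    manual_level: Level = None              # administrator override

def assess(facts: dict, rules: list) -> Health:
    """Assumed aggregation: the worst failing rule decides; no failures is Healthy."""
    worst = Health.HEALTHY
    for rule in rules:
        if not rule.passes(facts):
            worst = max(worst, rule.level_on_fail)
    return worst

def effective_level(rec: SystemRecord, rules: list, now: datetime, validity: timedelta) -> Level:
    """Level enforcement acts on; Unknown (None) in the cases the guide lists:
    unmanageable, never assessed, scan did not finish, assessment expired."""
    if rec.unmanageable:
        return Unknown
    if rec.manual_level is not None:
        return rec.manual_level
    if rec.assessed_at is None or not rec.scan_ok or now - rec.assessed_at > validity:
        return Unknown
    return assess(rec.facts, rules)

def zone_for(level: Level, policy: dict, unknown_zone: str) -> str:
    """Unknown is resolved outside the policy map; every ranked level must be mapped."""
    missing = [lvl.name for lvl in Health if lvl not in policy]
    if missing:
        raise ValueError(f"network access policy lacks a zone for: {missing}")
    return unknown_zone if level is Unknown else policy[level]

def connection_allowed(reachable: list, dst_ip: str) -> bool:
    """Local-firewall style decision: permit a new outgoing connection only when the
    destination lies inside one of the zone's reachable networks."""
    addr = ip_address(dst_ip)
    return any(addr in net for net in reachable)

def decide(rec, rules, policy, unknown_zone, now=NOW, validity=timedelta(hours=24)):
    """Full path from a system record to (level name, zone name)."""
    level = effective_level(rec, rules, now, validity)
    return ("Unknown" if level is Unknown else level.name), zone_for(level, policy, unknown_zone)

# Constructed sample policy; rule names, zones and addresses are illustrative.
RULES = [
    Rule("antivirus-running", lambda f: f.get("av_running", False), Health.SERIOUS),
    Rule("critical-patch-present", lambda f: f.get("patched", False), Health.POOR),
    Rule("screen-lock-enabled", lambda f: f.get("screen_lock", False), Health.FAIR),
]
ZONES = {                                   # zone name -> networks it may reach
    "full": [ip_network("0.0.0.0/0")],
    "limited": [ip_network("10.0.0.0/8")],
    "quarantine": [ip_network("10.0.5.0/24")],   # remediation hosts only
}
POLICY = {Health.HEALTHY: "full", Health.FAIR: "full", Health.POOR: "limited",
          Health.SERIOUS: "quarantine", Health.CRITICAL: "quarantine"}

if __name__ == "__main__":
    ws01 = SystemRecord("ws01", facts={"av_running": True, "patched": False, "screen_lock": True},
                        assessed_at=hours_ago(1), scan_ok=True)
    name, zone = decide(ws01, RULES, POLICY, "quarantine")
    print(name, zone, connection_allowed(ZONES[zone], "10.20.1.1"), connection_allowed(ZONES[zone], "203.0.113.9"))
```

Two points the model makes explicit: Unknown is handled by a separate unknown_zone argument rather than by adding a sixth level, so a policy can never accidentally rank it; and every ranked level must be mapped to a zone, so a missing entry is a configuration error rather than a silent fall-through to an unrelated zone.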

How unhealthy systems are fixed

Unhealthy systems can be brought back into compliance with your health policies manually or automatically. In McAfee NAC, a remediator is a component that can automatically try to fix problems or deficiencies with unhealthy systems. McAfee NAC includes a built-in remediator, but it can be used only with managed systems because:

• Use of the McAfee NAC remediator is specified in policies that are passed only to managed systems.

• Remediation commands often require credentials, which are not typically available on unmanaged systems.

See Remediators and how they operate.

How systems are classified

The way that McAfee NAC classifies each system on your network is important for setting up and using the product, and for using its features. There are four system classifications:

• Managed systems.

• Unmanaged systems.

• Unmanageable systems.

• Unenforceable systems.

These classifications, and their characteristics and requirements, apply exclusively to McAfee NAC functionality. Other products, including those that can be combined with McAfee NAC, might use the same classifications, but with different characteristics or requirements.

A system's classification determines which assessor, enforcer, and remediator can be used, if at all. How systems are assigned a classification is discussed in the NAC manager section of McAfee NAC Functional Architecture.

The characteristics of each system classification are described in the following sections.

Managed systems

In ePolicy Orchestrator, a managed system is one with the McAfee Agent installed and operating properly. McAfee NAC extends this definition. A managed system is one with both the McAfee Agent and the NAC client installed and operating properly. Being a managed system according to McAfee NAC is the one prerequisite for using most of the software's features.

NOTE: A system that has the NAC guest client installed (as a detector and assessor) is not considered a managed system. See Detectors and how they operate and Assessors and how they operate.

Managed systems have these characteristics and requirements:

• Only ePolicy Orchestrator managed systems can host the NAC client.

• System health is assessed by the NAC client.

• System health is evaluated against your managed system health policies.

• Enforcement can be controlled locally by the NAC client.

• Enforcement can be controlled by the Microsoft Network Access Protection product.

Unmanaged systems

In ePolicy Orchestrator, a rogue is a system without the McAfee Agent installed, or a system with an agent from another ePO server. McAfee NAC uses the concept of an unmanaged system, which is a system without the NAC client installed and operating properly, or a system without the McAfee Agent.

Unmanaged systems have these characteristics and requirements:


• An unmanaged system can be assessed only by the downloadable guest client. It cannot use the NAC client.

• System health is evaluated against a single unmanaged system policy.

• An unmanaged system cannot be enforced by the enforcer supplied by McAfee Network Access Control.

• Enforcers supplied by other supported products, such as McAfee Network Security Platform or Microsoft Network Access Protection (NAP), might handle unmanaged systems. See the chapters that discuss use of McAfee NAC with other access control products.

Unmanageable systems

An unmanageable system has the same characteristics as an unmanaged system, but does not meet the requirements for using the NAC client or guest client. Typically, an unmanageable system is one that is running an unsupported operating system. For a list of the supported operating systems, see Hardware and software requirements. Because unmanageable systems cannot be assessed, they always appear in McAfee NAC monitors, queries, summary reports, etc. with a health level of Unknown.

Unmanageable systems have these characteristics and requirements:

• The health of an unmanageable system cannot be assessed because the system cannot run the NAC client or the guest client.

• An unmanageable system cannot be enforced by the enforcer supplied by the McAfee Network Access Control software.

• Enforcers supplied by other supported products, such as McAfee Network Security Platform or Microsoft Network Access Protection (NAP), might be able to handle unmanageable systems. See the chapters that discuss use of McAfee NAC with other access control products.

For information about what you should do with unmanageable systems and devices on your network, see Unmanageable devices and what to do with them.

Unenforceable systems

An unenforceable system is one that could be classified as managed, unmanaged, or unmanageable with the additional qualifications that:

• It cannot be enforced by the enforcer supplied with the McAfee Network Access Control software.

• Its enforcement status has not been or cannot be reported to the NAC manager.

This classification refers exclusively to the McAfee NAC view of the system. It does not imply whether another product can enforce the system. An unenforceable system typically occurs when a Rogue System Sensor detects an unmanaged system that is on a part of the network not covered by a McAfee Network Security Sensor (a hardware component of the McAfee Network Security Platform).

To be notified about unenforceable systems, create an automatic response that is triggered by the McAfee NAC System is not enforceable event. See How to handle unenforceable systems.
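How the classifications and the unenforceable flag fall out of detection data, as an added Python example that is not McAfee code. The inventory records, the supported operating-system set and the subnets treated as covered by a Network Security Sensor are constructed for the example (the real supported list is in Hardware and software requirements); the event name is the one the guide gives for the automatic response, and the record shape it is emitted in is an assumption.

```python
# Added example, not McAfee code. Inventory, supported-OS set and sensor
# coverage are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Detection:
    host: str
    ip: str
    os: str
    mcafee_agent: bool = False          # McAfee Agent installed and operating (ePO-managed)
    nac_client: bool = False            # NAC client installed and operating
    nac_guest_client: bool = False      # guest client present (detector and assessor only)
    enforcement_reported: bool = False  # an enforcer has reported status to the NAC manager

def classify(d: Detection, supported_os: set) -> str:
    """Managed / unmanaged / unmanageable, following the McAfee NAC definitions."""
    if d.mcafee_agent and d.nac_client:
        return "managed"            # both the agent and the NAC client are required
    if d.os not in supported_os:
        return "unmanageable"       # cannot run the NAC client or the guest client
    return "unmanaged"              # a guest client alone never makes a system managed

def covered_by_sensor(ip: str, sensor_coverage: list) -> bool:
    """True when a Network Security Sensor sits in front of this address."""
    addr = ip_address(ip)
    return any(addr in net for net in sensor_coverage)

def is_unenforceable(d: Detection, cls: str, sensor_coverage: list) -> bool:
    """McAfee NAC's own enforcer acts only on managed systems, so any other system
    whose enforcement status nobody reports is unenforceable. The usual case:
    RSD sees an unmanaged host on a segment no Network Security Sensor covers."""
    if cls == "managed":
        return False
    if d.enforcement_reported:
        return False
    return not covered_by_sensor(d.ip, sensor_coverage)

def not_enforceable_events(detections: list, supported_os: set, sensor_coverage: list) -> list:
    """Records an automatic response would trigger on (record shape is assumed)."""
    events = []
    for d in detections:
        cls = classify(d, supported_os)
        if is_unenforceable(d, cls, sensor_coverage):
            events.append({"event": "System is not enforceable",
                           "host": d.host, "ip": d.ip, "classification": cls})
    return events

def summarize(detections: list, supported_os: set) -> dict:
    """Count systems per classification, as a monitor would."""
    counts = {"managed": 0, "unmanaged": 0, "unmanageable": 0}
    for d in detections:
        counts[classify(d, supported_os)] += 1
    return counts

# Constructed sample data; the OS names and subnets are illustrative only.
SUPPORTED_OS = {"Windows XP", "Windows 7"}       # assumption, not the product's list
SENSOR_COVERAGE = [ip_network("10.0.0.0/16")]    # segments behind a Network Security Sensor
INVENTORY = [
    Detection("ws01", "10.0.1.10", "Windows 7", mcafee_agent=True, nac_client=True),
    Detection("lab-pc", "10.1.2.3", "Windows XP"),                 # rogue on an uncovered segment
    Detection("printer-3f", "10.0.3.4", "Printer firmware"),        # unsupported OS, covered
    Detection("guest-77", "10.0.9.9", "Windows 7", nac_guest_client=True),
]

if __name__ == "__main__":
    for event in not_enforceable_events(INVENTORY, SUPPORTED_OS, SENSOR_COVERAGE):
        print(event)
    print(summarize(INVENTORY, SUPPORTED_OS))
```

Only lab-pc is flagged: the printer is unmanageable but sits behind a sensor, so Network Security Platform may still enforce it, and the guest-client host is unmanaged yet covered. That matches the guide's point that the classification says nothing about whether another product can enforce the system.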


Supported deployment configurations

McAfee Network Access Control 3.2 can be deployed in several configurations, depending on your network security requirements and the types of systems you need to detect, assess, and enforce. The following deployment scenarios are supported.

• McAfee NAC standalone.

• McAfee NAC with Microsoft Network Access Protection (NAP).

• McAfee NAC with McAfee Network Security Platform.

• McAfee NAC with McAfee Network Security Platform and Microsoft Network Access Protection.

Each deployment is outlined in the following sections.

McAfee NAC only deployment

If you are using only McAfee NAC for your network access security, the following table outlines the basic aspects of this deployment.

Table 2: McAfee NAC standalone deployment

Required level of access control: Managed systems only (no unmanaged system support)
Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems only.
Functional agents:
• Detector: NAC client and RSD (no sensors deployed)
• Assessor: NAC client
• Enforcer: NAC client
Products needed:
• ePolicy Orchestrator 4.x
• Rogue System Detection 2.0
• McAfee Network Access Control 3.2

Required level of access control: Managed systems plus unmanaged system detection and assessment
Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems only. Unmanaged systems can be detected and assessed, but not enforced. The NAC guest client is used for unmanaged system assessment.
Functional agents:
• Detector: NAC client and RSD (with sensors deployed)
• Assessor: NAC client or NAC guest client
• Enforcer: NAC client
Products needed:
• ePolicy Orchestrator 4.x
• Rogue System Detection 2.0
• McAfee Network Access Control 3.2

McAfee NAC with Microsoft Network Access Protection deployment

If you want to use McAfee NAC with Microsoft Network Access Protection (NAP) for your network access security, the following table outlines the basic aspects of this deployment.

Table 3: McAfee NAC with Microsoft NAP

Required level of access control: Managed systems only (no unmanaged system support)
Description: McAfee NAC is used for detection and assessment. Managed systems can be enforced by McAfee NAC and Microsoft NAP in any combination.
Functional agents:
• Detector: NAC client and RSD (no sensors deployed)
• Assessor: NAC client
• Enforcer: NAC client and Microsoft NAP
Products needed:
• ePolicy Orchestrator 4.x
• Rogue System Detection 2.0
• McAfee Network Access Control 3.2
• Microsoft NAP

Required level of access control: Managed systems plus unmanaged system detection and assessment
Description: McAfee NAC is used for detection and assessment. Managed systems can be enforced by McAfee NAC and Microsoft NAP in any combination. McAfee NAC detects and assesses unmanaged systems.
Functional agents:
• Detector: NAC client and RSD (with sensors deployed)
• Assessor: NAC client or NAC guest client
• Enforcer: NAC client and Microsoft NAP
Products needed:
• ePolicy Orchestrator 4.x
• Rogue System Detection 2.0
• McAfee Network Access Control 3.2
• Microsoft NAP

Required level of access control: Managed and unmanaged systems
Description: McAfee NAC is used for detection and assessment. Managed systems can be enforced by McAfee NAC and Microsoft NAP in any combination. McAfee NAC detects and assesses unmanaged systems. Enforcing unmanaged systems must be done by Microsoft NAP, if at all.
Functional agents:
• Detector: NAC client and RSD with deployed sensors
• Assessor: NAC client
• Enforcer: NAC client and Microsoft NAP
Products needed:
• ePolicy Orchestrator 4.x
• Rogue System Detection 2.0
• McAfee Network Access Control 3.2
• Microsoft NAP

McAfee NAC with McAfee Network Security Platform deployment

If you want to use McAfee NAC with McAfee Network Security Platform, configured for health-based access control, for your network access security, the following table outlines the basic aspects of this deployment.

Table 4: McAfee NAC with McAfee Network Security Platform

Required level of access control: Managed systems only (no unmanaged system support)
Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems.
Functional agents:
• Detector: NAC client and RSD (no sensors deployed)
• Assessor: NAC client
• Enforcer: NAC client and McAfee Network Security Sensor
Products needed:
• ePolicy Orchestrator 4.x
• Rogue System Detection 2.0
• McAfee Network Access Control 3.2

Required level of access control: Managed systems plus unmanaged system detection and assessment
Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems. McAfee NAC can detect and assess unmanaged systems. McAfee Network Security Platform can be used to detect unmanaged systems.
Functional agents:
• Detector: NAC client, RSD (with sensors deployed), and McAfee Network Security Sensor
• Assessor: NAC client or NAC guest client
• Enforcer: NAC client
Products needed:
• ePolicy Orchestrator 4.x
• Rogue System Detection 2.0
• McAfee Network Access Control 3.2
• McAfee Network Security Platform

Required level of access control: Managed and unmanaged systems
Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems. Detection and enforcement of unmanaged systems is handled by McAfee Network Security Platform.
Functional agents:
• Detector: NAC client, RSD with deployed sensors, and McAfee Network Security Sensor
• Assessor: NAC client
• Enforcer: NAC client, and McAfee Network Security Sensor
Products needed:
• ePolicy Orchestrator 4.x
• Rogue System Detection 2.0
• McAfee Network Access Control 3.2
• McAfee Network Security Platform

Required level of access control: Pure McAfee Network Security Platform
Description: McAfee NAC is not used with McAfee Network Security Platform when configured for identity-based access control. Enforcement is controlled by a Network Security Sensor for both managed and unmanaged systems.

McAfee NAC with McAfee Network Security Platform and Microsoft Network Access Protection deployment

If you want to use McAfee NAC with McAfee Network Security Platform and Microsoft Network Access Protection (NAP) for your network access security, the following table outlines the basic aspects of this deployment.

NOTE: McAfee Network Security Platform can be configured in either health-based or identity-based modes. However, using McAfee Network Security Platform in identity-based mode is beyond the scope of this document (see the McAfee Network Security Platform documentation).

Table 5: McAfee NAC with McAfee Network Security Platform and Microsoft NAP

Required level of access control: Managed systems only (no unmanaged system support)
Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems.
Functional agents:
• Detector: NAC client and RSD (no sensors deployed)
• Assessor: NAC client
• Enforcer: NAC client and McAfee Network Security Sensor
Products needed:
• ePolicy Orchestrator 4.x
• Rogue System Detection 2.0
• McAfee Network Access Control 3.2
• Microsoft NAP

Required level of access control: Managed systems plus unmanaged system detection and assessment
Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems. McAfee NAC can detect and assess unmanaged systems. McAfee Network Security Platform can be used to detect unmanaged systems.
Functional agents:
• Detector: NAC client, RSD (with sensors deployed), and McAfee Network Security Sensor
• Assessor: NAC client or NAC guest client
• Enforcer: NAC client
Products needed:
• ePolicy Orchestrator 4.x
• Rogue System Detection 2.0
• McAfee Network Access Control 3.2
• McAfee Network Security Platform
• Microsoft NAP

Required level of access control: Managed and unmanaged systems
Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems. Detection and enforcement of unmanaged systems is handled by McAfee Network Security Platform.
Functional agents:
• Detector: NAC client, RSD with deployed sensors, and McAfee Network Security Sensor
• Assessor: NAC client
• Enforcer: NAC client, and McAfee Network Security Sensor
Products needed:
• ePolicy Orchestrator 4.x
• Rogue System Detection 2.0
• McAfee Network Access Control 3.2
• McAfee Network Security Platform
• Microsoft NAP

Use of ePolicy Orchestrator features

McAfee Network Access Control 3.2 is an extension to the McAfee ePolicy Orchestrator 4.x software, and both use and rely on many ePolicy Orchestrator features, including Rogue System Detection.

In the user interface, elements specific to McAfee Network Access Control are located in the Systems section under the Network Access Control tab.

The following table lists the applicable ePolicy Orchestrator features and describes how they are used by McAfee NAC. We recommend that you become familiar with each of the listed features and their tasks.

ePolicy Orchestrator feature and location, and its use by the McAfee NAC administrator:

Systems | System Tree | Client tasks
• Deploy the NAC client to managed systems.
• Schedule the NAC client to perform a scan.

Automation | Server Tasks
• Purge NAC scan results.
• Run a query according to a schedule.
• Synchronize Benchmark Editor content.

Automation | Responses
• Specify an automatic action in response to a particular type of McAfee NAC event.

Systems | System Tree | Policies (for policy assignment)
• Assign NAC client and network access policies to managed systems.

Systems | Policy Catalog
• Manage network access policies (Create, Edit, Delete, Duplicate, Import, Export, and Rename).
• Manage NAC client policies (Create, Edit, Delete, Duplicate, Import, Export, and Rename).

Systems | Tag Catalog
• Create tags that can be used in a system health policy to specify the systems that are to have that policy assigned.

Dashboards (for dashboards and monitors)
• View an active McAfee NAC dashboard.
• Create a new dashboard containing McAfee NAC monitors.
• Manage the various dashboards you use for network access monitoring, and other queries related to McAfee NAC.
• Access detailed information about systems or McAfee NAC components.

Reporting | Queries
• Create and manage the database queries you use to obtain McAfee NAC network security information.

Software | Master Repository
• Check in and manage content required by the McAfee Network Access Control software, such as the Audit Engine content containing all the compliance and threat checks and benchmarks.

Network | Detected Systems
• Access detection information from the Rogue System Detection service.
• Configure and deploy Rogue System Sensors.

Automation | External Commands
• Specify a command and its parameters that can be run on the server as a registered executable.

Automation | Registered Executables
• Register an executable (see External Commands) that can be run on the server as part of an automatic response to a NAC event.

Configuration | Server Settings
• Specify parameter values affecting the operations of the McAfee NAC server.

Configuration | Permission Sets
• Establish user permissions for using the McAfee Network Access Control software.

Configuration | Users
• Create or edit a specific person as a user of the NAC and their permission type.

Configuration | Contacts
• Create user contact information for use in automatic responses when you want to notify specific personnel by email of an event.

Reporting | Event Log
• View a history of events that are reported to the ePO server. However, McAfee NAC events are reported in the Audit log. See McAfee NAC Events and responses.

Reporting | Notification Log
• View a history of notifications that are reported to the ePO server. Whether anything related to McAfee NAC appears here depends on the type of notifications you create.

Use of Rogue System Detection

When using McAfee Network Access Control by itself, it uses the Rogue System Detection service for the initial detection of systems on a network.

The Rogue System Detection service can be used with or without the deployment of sensors. Without deploying sensors, you only get information about ePO-managed systems; that is, those that have the McAfee Agent installed. Deployment of sensors provides information about managed and unmanaged systems. See Detectors and how they operate.

Not all features of the Rogue System Detection service can be used in combination with McAfee NAC; some are even detrimental. For details, see RSD as a detector.

NOTE: If you are using McAfee Network Security Platform, you would also get system detections from Network Security Sensors.

How the McAfee Agent is used

The McAfee Agent is installed on systems you intend to manage with ePolicy Orchestrator. The NAC client requires the presence of the McAfee Agent for normal operations, server communications, and use of ePolicy Orchestrator features such as client tasks and policy updates.

While running in the background, the McAfee Agent:

• Installs products, product updates, and content on managed systems.

• Gathers information and events from the managed system and sends this information to the server.


• Records and reports events that occur on the managed system.

• Runs tasks on the managed system, such as deploying the NAC client.

• Ensures that McAfee NAC policies are up-to-date.

McAfee NAC events are communicated directly to the NAC manager by the NAC client, and do not involve the McAfee Agent.

For information about deploying the McAfee Agent, see the ePolicy Orchestrator 4.x documentation.

Audience

The information in this guide is intended primarily for two audiences:

• Security officers who are responsible for determining sensitive and confidential data and defining the enterprise policy for protecting the company's intellectual property.

• Network administrators who are responsible for implementing and enforcing the policy for protecting the company's intellectual property.

Using this guide

This guide helps you to:

• Understand McAfee NAC features, functions, and operations.

• Plan and perform the installation and deployment of McAfee NAC components.

• Plan an overall network access security strategy.

• Test and audit network access control before switching to full enforcement.

• Understand how to integrate with other network access products, such as McAfee Network Security Platform and Microsoft Network Access Protection (NAP).

This guide provides information on configuring and using your product.

Chapters:

• Introducing McAfee Network Access Control — Overview of how McAfee NAC works, and how the components interact.

• McAfee NAC Installation and System Requirements — How to install the product, prerequisites, and hardware and software requirements.

• McAfee NAC Functional Architecture — An architectural description of the McAfee NAC components based on their functionality, the operation and use of the NAC server and NAC client, and their interaction with product features.

• McAfee NAC Policies — The function and use of system health policies for both managed and unmanaged systems, network access policies for controlling access based on health levels, and NAC client policies for scan and enforcement configuration.

• Using Exemptions — Ways of marking systems as exempt from enforcement or exempt from scanning.

• Remediation of Unhealthy Systems — How to automatically or manually remediate unhealthy systems on your network.


• Dashboards, Monitors, and Queries — How to get information about network security and system health through dashboards, monitors, and queries.

• Network Access Administration and Monitoring — How to use McAfee NAC on a day-to-day basis.

• Combining McAfee NAC with McAfee Network Security Platform — How to set up McAfee NAC to operate cooperatively with Network Security Platform.

• Combining McAfee NAC with Microsoft Network Access Protection — How to set up McAfee NAC to operate cooperatively with Microsoft Network Access Protection.

Where to find McAfee product information

The McAfee documentation is designed to provide you with the information you need during each phase of product implementation, from evaluating a new product to maintaining existing ones. Depending on the product, additional documents might be available. After a product is released, additional information regarding the product is entered into the online Knowledgebase available on the McAfee Service Portal.

Installation phase: Before, during, and after installation.
Release Notes
• Known issues in the current release.
• Issues resolved since the last release.
• Last-minute changes to the product or its documentation.

Setup phase: Getting up-and-running with the product.
Product and Installation Guide and Online Help
• Setting up and customizing the software for your environment.
Online Help
• Managing and deploying products through ePolicy Orchestrator.
• Detailed information about options in the product.

Maintenance phase: Maintaining the software.
Online Help
• Maintaining the software.
• Reference information.
• All information found in the product guide.
Knowledgebase (knowledge.mcafee.com)
• Release notes and documentation.
• Supplemental product information.
• Workarounds to known issues.

Finding release notes and documentation for McAfee enterprise products

1 Go to knowledge.mcafee.com and select Product Documentation under Useful links.

2 Select <Product Name> | <Version> and select the required document from the list of documents.


Installation and System Requirements

McAfee Network Access Control 3.2 installs as an extension to ePolicy Orchestrator 4.x to provide network access security for your organization. McAfee NAC uses a separate installer (does not use the ePolicy Orchestrator Extensions interface).

The major components and features of the product are:

• The NAC manager

• The NAC client

• The NAC guest client

• Managed system health policies

• An unmanaged system policy

• Network access policies

• NAC client policies

• Post admission policies

• System exemptions

• Network access zones

• Enforcement modes

• Event handling

• Reports and queries

• Automatic remediation

• A guest portal

• Integration with other network protection appliances and software

Follow the guidelines and instructions here to install McAfee Network Access Control 3.2.

Contents

Pre-installation guidelines

Installing McAfee Network Access Control 3.2

Post-installation considerations

Pre-installation guidelines

This section contains information you need to know before installing the software, including hardware and software requirements.


What is installed

The McAfee Network Access Control 3.2 installer is run on an existing ePolicy Orchestrator 4.x server. In addition to installing the NAC manager and all server-side components, the installer also:

• Adds the NAC client installation files for all supported platforms to the ePolicy Orchestrator master repository.

• Adds these policies to the master repository and lists them in the Policy Catalog: a default NAC client policy, network access policy, and post admission policy.

• Adds McAfee NAC queries to the master repository.

• Installs the Benchmark Editor (if it has not been installed previously).

• Installs the Guest Portal and guest client installer on the ePolicy Orchestrator server.

• Adds the Check Builder and check content.

• Creates a client task that, by default, runs a daily scan at 12 A.M. for all NAC clients.

NAC Guest Portal

The McAfee Network Access Control guest portal installs automatically as an ePolicy Orchestrator extension during product installation. The guest portal resides on the ePolicy Orchestrator server. Portal configuration options are located on the ePolicy Orchestrator Server Settings page, and the extension name is NAC Guest Portal.

McAfee Network Access Control 3.2 does not support previous versions of the guest portal. If you have an earlier version of the guest portal installed, remove it, but first save any information you might want to use when configuring the McAfee Network Access Control 3.2 guest portal.

You uninstall the guest portal by removing the extension. You do this from the ePolicy Orchestrator Extensions page.

Hardware and software requirements

Before installing McAfee Network Access Control 3.2, make sure your environment meets these hardware and software requirements for the product.

McAfee NAC server-side components

The hardware requirements for the NAC manager and all server-side components are the same as for the ePolicy Orchestrator 4.x server. For best performance, use the recommended hardware configuration for an ePolicy Orchestrator server, rather than the minimum configuration.

McAfee Network Access Control 3.2 has these software requirements.

Table 6: McAfee NAC software requirements

Requirements for ePolicy Orchestrator 4.5:

• No additional requirements. Rogue System Detection is installed as a fully integrated part of ePolicy Orchestrator 4.5.

Requirements for ePolicy Orchestrator 4.0:

• Patch 6 or greater installed

• Rogue System Detection version 2.0.2 or later

Installation and System RequirementsPre-installation guidelines


McAfee NAC client components

Systems where you install the NAC client or NAC guest client must meet these requirements.

Table 7: Client system requirements

Category: Operating system

• Windows 2000 Professional, Service Pack 4

• Windows 2000 Advanced Server, Service Pack 4

• Windows 2000 Server, Service Pack 4

• Windows 2000 Terminal Services, Service Pack 4

• Windows XP Professional, Service Pack 2 or later (32-bit and 64-bit)

• Windows Server 2003 Enterprise, Service Pack 1 or later

• Windows Server 2003 Standard, Service Pack 1 or later

• Windows Server 2003 Web, Service Pack 1 or later

• Windows Server 2008, Service Pack 1 or later (32-bit and 64-bit)

• Windows Vista (32-bit and 64-bit)

• Windows 7 (32-bit and 64-bit)

• Mac OS X 10.4 (Tiger)

• Mac OS X 10.5 (Leopard)

• RedHat Enterprise Linux 4

• RedHat Enterprise Linux 5

Category: Memory

• 512 MB or higher RAM

Category: ePolicy Orchestrator products

• McAfee Agent 4.0 patch 2 or later for non-Windows systems, and patch 3 for Windows systems. The NAC guest client does not require the McAfee Agent.

McAfee NAC components for use with Microsoft Network Access Protection

The McAfee System Health Validator and DHCP Agent that are used when combining McAfee NAC with Microsoft Network Access Protection can be installed only on 32-bit operating system versions.

Firewall software

If managed or unmanaged systems use personal firewall software, you must open specific ports for server and client communications. McAfee NAC uses ports that are configured in ePolicy Orchestrator.

Table 8: McAfee NAC communication port requirements

ePolicy Orchestrator 4.5 ports:

• Console-to-application server communication port (default is 8443)

• Client-to-server authenticated communication port (default is 8444)

ePolicy Orchestrator 4.0 ports:

• Console-to-application server communication port (default is 8443)

• Sensor-to-server communication port (default is 8444)

Whatever the port numbers are for these ePolicy Orchestrator settings (8443 and 8444 by default), the firewall must open them.

Additionally, ePolicy Orchestrator might require other open ports on managed systems. McAfee recommends that you do not run firewall software on your ePolicy Orchestrator server. If you do, make sure that all required ports are open.
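A quick way to verify, from a managed system, that the two ePO ports in Table 8 are actually reachable through any personal firewall before you deploy the NAC client. This is an added example and not part of the McAfee guide: the ports default to 8443 and 8444 but must be set to whatever your ePolicy Orchestrator Server Settings use, and the server name on the command line is whatever your ePO server is called. It needs only bash (for /dev/tcp) and, if present, the timeout command.

```shell
#!/bin/bash
# Added example (not McAfee code): confirm that the ePO ports McAfee NAC uses
# (Table 8) are reachable from a client through any personal firewall in the path.
# The port numbers below match the ePO defaults; override them if your
# Server Settings use different values.

CONSOLE_PORT="${CONSOLE_PORT:-8443}"   # console-to-application server port
SERVER_PORT="${SERVER_PORT:-8444}"     # client/sensor-to-server port

# Attempt a full TCP connect to host:port using bash's /dev/tcp, so no extra
# tools are needed on the client. Succeeds only if the handshake completes;
# a closed port, a firewall drop (after the timeout) or a DNS failure all fail.
check_epo_port() {
    host="$1"
    port="$2"
    if command -v timeout >/dev/null 2>&1; then
        timeout 5 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
    else
        bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
    fi
}

# Check each port given after the host. Prints one line per port and returns
# the number of ports that could not be reached, so a non-zero exit status can
# gate an automated pre-installation check.
check_epo_ports() {
    host="$1"
    shift
    failures=0
    for port in "$@"; do
        if check_epo_port "$host" "$port"; then
            echo "OK       ${host}:${port}"
        else
            echo "BLOCKED  ${host}:${port} (open it in the firewall, or correct the ePO port setting)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage: ./check_epo_ports.sh <epo-server-name>
# Runs only when a host is supplied, so the functions can also be sourced.
if [ -n "$1" ]; then
    check_epo_ports "$1" "$CONSOLE_PORT" "$SERVER_PORT"
fi
```

A BLOCKED line for a port that is open on the server points at the client-side firewall; a BLOCKED line for both ports usually means the wrong server name or a port number that differs from the ePO setting.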


Installing McAfee Network Access Control 3.2

Use this task to install McAfee Network Access Control 3.2 on your ePolicy Orchestrator 4.x server. At the end of the installation, the McAfee NAC content is added automatically to the ePO master repository. The name of the package is Audit Engine Content. If you have modified your Update Master Repository server task so that it only updates selected content, be sure to add Audit Engine Content, which is listed under Other in the Available Source Site Packages dialog box.

Before you begin

If the ePO server is a member of an MSCS cluster, do the following before installing McAfee Network Access Control 3.2.

1 Stop these ePolicy Orchestrator services, then change their startup type to Manual.

• McAfee ePolicy Orchestrator 4.x Application Server

• McAfee ePolicy Orchestrator 4.x Event Parser

• McAfee ePolicy Orchestrator 4.x Server

2 Install McAfee Network Access Control 3.2 on each cluster member. No configuration changes are required.

3 Test the cluster:

• Select the ePO group, then select Bring Online.

• Right-click any of the resources for the ePO group, then select Initiate Failover. The resources should fail over and come back online.

Task

For option definitions, click ? in the interface.

1 Download the product zip file from the McAfee product download site, and store it on your ePolicy Orchestrator server.

2 Unzip the archive, then double-click the Setup program.

3 In the Setup Requirements window, check that each section displays the message All required applications were found, then click Next. Any required applications that were not found are listed, and you must exit and install these applications. See Pre-installation guidelines.

4 Accept the license agreement, then click OK.

5 Accept the default installation path (recommended), or specify a different location on the ePolicy Orchestrator server. Click Next.

6 Type your ePolicy Orchestrator global administrator user name and password. Click Next.

7 Accept the default port (8444) for Network Security Sensor communications with the NAC client, or specify a different port. This port cannot be changed unless you reinstall the software. Click Next.

CAUTION: Changing from the default port number results in having to perform additional configuration. If you use McAfee NAC in combination with McAfee Network Security Platform, be sure to read Setup and configuration in the Combining McAfee NAC with McAfee Network Security Platform chapter.

8 Verify that all information is correct, then click Next to start the installation.


9 When the installation completes, a dialog box informs you that content is being checked in to the ePO master repository, and that this process takes time to complete. Click OK.

Manually installing the NAC client

Use these tasks to install the NAC client manually on a system with:

• Any of the supported Windows operating systems.

• Any of the supported Mac operating systems.

• Any of the supported Linux operating systems.

Normally, you install the NAC client to systems through an ePO client task (see Deploying the NAC client). However, there might be situations where you need or want to install the NAC client directly on a system before allowing a network connection.

The NAC client is multi-lingual, and all supported languages for the operating system platform are installed. The NAC client automatically detects the language setting of the operating system. If the language is not supported, the default is English.

NOTE: The Mac OS X and Linux versions of the NAC client only support English and German.

Tasks

Manually installing on Windows

Manually installing on Mac OS

Manually installing on Linux

Manually installing on Windows

Use this task to manually install the NAC client on a system running one of the supported Windows operating systems.

Task

For option definitions, click ? in the interface.

1 On the ePO server, go to Program Files\McAfee\ePolicyOrchestrator\DB\Software\Current\MNACSCNR3000\Install\0409. You need the entire contents of this directory.

2 To install on a client system, you can:

• Run the installer remotely from the ePO server.

• Copy the installation files to a network share.

• Copy the installation files to the local system or a CD.

3 Run the Setup program, and click Next at the Welcome screen.

4 Accept the default location to install the NAC client, then click Next. McAfee does not recommend installing to a different location.

5 Click Install. When the installation is done, click Finish.


Manually installing on Mac OS

Use this task to manually install the NAC client on a system running one of the supported Mac operating systems.

Task

For option definitions, click ? in the interface.

1 On the ePO server, go to Program Files\McAfee\ePolicyOrchestrator\DB\Software\Current\MNACSCNR3000MACX\Install\0409. You need the entire contents of this directory.

2 To install on a client system, you can:

• Run the installer remotely from the ePO server.

• Copy the installation files to a network share.

• Copy the installation files to the local system or a CD.

3 Run the Setup script by double-clicking the .dmg or .pkg file, then click Next at the Welcome screen.

4 Accept the default location to install the NAC client, then click Next. McAfee does not recommend installing to a different location.

5 Click Install. When the installation is done, click Finish.

6 To manually uninstall, navigate to /Library/McAfee/mnac/ and run the uninstall.sh script.

Manually installing on Linux

Use this task to manually install the NAC client on a system running one of the supported Linux operating systems.

Task

For option definitions, click ? in the interface.

1 On the ePO server, go to Program Files\McAfee\ePolicyOrchestrator\DB\Software\Current\MNACSCNR3000LNYX\Install\0409. You need the entire contents of this directory.

2 To install on a client system, you can:

• Run the installer remotely from the ePO server.

• Copy the installation files to a network share.

• Copy the installation files to the local system or a CD.

3 Run the Setup script using the command rpm -i MNAC and click Next at the Welcome screen.

4 Accept the default location to install the NAC client, then click Next. McAfee does not recommend installing to a different location.

5 Click Install. When the installation is done, click Finish.

6 To uninstall, use the command rpm -e MNAC.


Key differences in the non-Windows NAC client

There are a number of differences for managed systems running non-Windows operating systems (compared to Windows operating systems), and use of the NAC client on these systems. Some general differences are:

• The McAfee Agent installation must be done manually.

• Firewall components are available, by default, with the Linux and Mac operating systems. The NAC client communicates with those components for enforcement.

• In Mac OS X, there are three user levels: root or superuser (su), administrators (admin users), and normal users. Unlike on Windows, most Mac users are administrators and therefore hold extensive privileges; only administrators have complete control over the system.

Other differences are categorized below.

User experience differences

The following are differences in the user experience on the client managed system.

• Tray icon and menu on client system. On Mac OS X systems, there is a menulet. On supported Linux platforms, the tray has been implemented using gtk+.

• Firewall integration. On Mac OS X systems, the NAC client uses ipfw, a system tool available by default with all Mac operating systems. On supported Linux platforms, the NAC client uses iptables, a system tool available by default with most flavors of Linux.

Policy updates

Policy updates are performed in a different way on Mac OS X and Linux client systems. On Windows systems, the NAC client can initiate a "pull-down" of new and updated policies, but the NAC client for Mac OS X and Linux cannot do this. Instead, new and updated policies must be "pushed".

Administrators can do this by setting up a Wake-up McAfee Agent task, with the Get full product properties option selected. Administrators can run this task whenever needed, or set it to run on a schedule. Administrators should be familiar with the relationship between agent wake-up tasks and the Agent-Server Communication Interval, or ASCI.

FAQ for non-Windows NAC client

The following are common questions that have been asked about the NAC client for the supported non-Windows operating systems. All commands listed below assume that the user knows how to enter system commands for the specified operating system.

1 How do I know whether McAfee NAC or McAfee Agent is installed?

Linux: rpm -q MNAC

The return value should be: MNAC-3.2-1

2 How do I check whether the McAfee NAC or McAfee Agent service is running?

Linux: Use service mnac status (for McAfee NAC) and service cma status (for McAfee Agent).

Mac OS X: Users can do the following:

• Type ps -ef | grep 'MNac' to see if there is a McAfee NAC process running. The output does not necessarily mean the process is healthy.


• Type ps -ef | grep 'cma' to see if there is a McAfee Agent process running. The output does not necessarily mean the process is healthy.

3 Where can I find the McAfee NAC or McAfee Agent log files?

Linux & Mac OS X: Users can do the following:

• To navigate to the folder where the McAfee NAC log files are stored, type cd /Library/McAfee/mnac/logs (on Linux, the NAC client installs under /opt/McAfee/mnac instead).

• To display the end of any log file in that folder, type: tail -f <filename>.log

• To display the end of the McAfee Agent log file, type: tail -f /Library/McAfee/cma/scratch/etc/log. Using this command requires root permissions.

4 How do I view the logs in debug mode?

Linux & Mac OS X (for McAfee Agent): Users can do the following:

• Navigate to the folder /etc/cma.d, which contains policy folders like EPOAGENT3700LYNX, MNACSCNR3000 and NACPolicy3000.

• Open config.xml to modify McAfee Agent configurations or settings. You must restart McAfee Agent for modifications to take effect.

Linux (for McAfee NAC): Users can do the following:

• Open the file /opt/McAfee/mnac/config/McNacClientLog.cfg

• Edit the first line to remove INFO and replace it with DEBUG.

Mac OS X (for McAfee NAC): Users can do the following:

• Open the file /Library/McAfee/mnac/config/McNacClientLog.cfg

• Edit the first line to remove INFO and replace it with DEBUG.

5 Where can I find the McAfee NAC or McAfee Agent policy objects?

Linux & Mac OS X (for McAfee Agent): Users can do the following:

• Navigate to the folder /etc/cma.d, which contains policy folders like EPOAGENT3700LYNX, MNACSCNR3000 and NACPolicy3000.

• Open config.xml to modify McAfee Agent configurations or settings. You must restart McAfee Agent for modifications to take effect.

Linux (for McAfee NAC): Users can do the following:

• Use cd /opt/McAfee/mnac/data to go to the directory where all policy objects are available in binary flat file format. Root permissions are required to access these files.

Mac OS X (for McAfee NAC): Users can do the following:

• Use cd /Library/McAfee/mnac/data to go to the directory where all policy objects are available in binary flat file format. Root permissions are required to access these files.

6 How can I check the current state of the firewall?

Linux: service iptables status

Mac OS X: ipfw show

7 How do I reset the firewall?

Linux: iptables -F to flush all rules from every chain, and iptables -D <chain-name> <rule-number> to delete a single rule from a chain (iptables -X <chain-name> removes an empty user-defined chain).

Mac OS X: ipfw flush to flush all entries, and ipfw delete <entry_number> to delete a specific entry.

NOTE: The NAC client enforces through iptables and ipfw, so flushing them also removes the client's enforcement rules; the system is unenforced until the NAC client re-applies its policy. If you need to restore the previous rules, save them first (for example with iptables-save on Linux).
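The script below gathers the Linux commands from this FAQ (installation check, service status, switching McNacClientLog.cfg between INFO and DEBUG, and inspecting or resetting the firewall) into a few reusable functions. It is an added example, not McAfee code. The file paths are the ones the guide gives for the Linux client; the expected MNAC-3.2-1 package string comes from question 1, while the backup directory is an assumption. The reset function snapshots the iptables rules before flushing, because the flush also removes the rules the NAC client installed for enforcement.

```shell
#!/bin/sh
# Added example (not McAfee code): helper functions for the Linux NAC client FAQ.
# Assumptions: MNAC-3.2-1 is the `rpm -q MNAC` answer for a healthy install (per
# the FAQ) and BACKUP_DIR is a location of our choosing for iptables snapshots.

MNAC_CFG="${MNAC_CFG:-/opt/McAfee/mnac/config/McNacClientLog.cfg}"   # path from the guide
EXPECTED_PKG="${EXPECTED_PKG:-MNAC-3.2-1}"
BACKUP_DIR="${BACKUP_DIR:-/var/tmp/mnac-fw-backup}"                     # assumption

# Q1: compare the string returned by `rpm -q MNAC` with the expected package name.
mnac_installed_version_ok() {
    [ "$1" = "$EXPECTED_PKG" ]
}

# Q2: service state of the NAC client and the McAfee Agent.
mnac_services_status() {
    service mnac status
    service cma status
}

# Q4: read the logging level from the first line of McNacClientLog.cfg.
mnac_log_level() {
    first=
    read -r first < "$1" || [ -n "$first" ] || return 1
    case "$first" in
        *DEBUG*) echo DEBUG ;;
        *INFO*)  echo INFO ;;
        *)       echo UNKNOWN; return 1 ;;
    esac
}

# Q4: switch the first line between INFO and DEBUG. Writes to a temp file, keeps
# a .bak copy of the original, and leaves the file alone if already at that level.
mnac_set_log_level() {
    cfg="$1"
    level="$2"
    case "$level" in
        DEBUG) expr='1s/INFO/DEBUG/' ;;
        INFO)  expr='1s/DEBUG/INFO/' ;;
        *)     echo "level must be INFO or DEBUG" >&2; return 2 ;;
    esac
    tmp="${cfg}.tmp.$$"
    sed "$expr" "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$cfg" "$tmp"; then
        rm -f "$tmp"          # nothing to change
        return 0
    fi
    cp -p "$cfg" "${cfg}.bak" && mv "$tmp" "$cfg"
}

# Q6/Q7: snapshot the current iptables rules before any flush, so the NAC
# client's enforcement rules can be restored with iptables-restore.
mnac_fw_backup() {
    mkdir -p "$BACKUP_DIR" || return 1
    f="$BACKUP_DIR/iptables-$(date +%Y%m%d-%H%M%S).rules"
    iptables-save > "$f" && echo "$f"
}

mnac_fw_reset() {
    f=$(mnac_fw_backup) || { echo "backup failed; refusing to flush" >&2; return 1; }
    iptables -F
    echo "rules flushed; the system is unenforced until the NAC client re-applies policy"
    echo "restore with: iptables-restore < $f"
}

# Sub-commands; run with no argument the script only defines the functions.
case "${1:-}" in
    status)
        pkg=$(rpm -q MNAC 2>&1)
        if mnac_installed_version_ok "$pkg"; then
            echo "NAC client: $pkg"
        else
            echo "NAC client unexpected: $pkg"
        fi
        mnac_services_status ;;
    debug)    mnac_set_log_level "$MNAC_CFG" DEBUG ;;
    info)     mnac_set_log_level "$MNAC_CFG" INFO ;;
    fw-show)  service iptables status ;;
    fw-reset) mnac_fw_reset ;;
    "")       ;;
    *)        echo "usage: $0 status|debug|info|fw-show|fw-reset" >&2 ;;
esac
```

Run it as root (the FAQ notes the data and firewall commands need root). After troubleshooting, `info` puts the log level back, and the .bak copy lets you confirm the original first line.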


Post-installation considerations

After installing McAfee Network Access Control, additional installation or configuration steps might be necessary to make McAfee NAC work with another product. Determine or verify whether:

• You will combine McAfee NAC with McAfee Network Security Platform as an access control solution. If so, see Combining McAfee NAC with McAfee Network Security Platform, and the McAfee Network Security Platform documentation.

• You will combine McAfee NAC with Microsoft Network Access Protection as an access control solution. If so, see Combining McAfee NAC with Microsoft Network Access Protection, and the Microsoft Network Access Protection documentation.

What happens when the license expires

When the license expires, the NAC client continues to scan systems using the current system health policies, and continues to report compliance status to the server. The settings for the NAC client in the deployment task are unchanged.


McAfee NAC Functional Architecture

At a conceptual level, the McAfee NAC software consists of a central manager and a system of distributed agents that perform specific functions. The following diagram illustrates this architecture.

Figure 1: Functional architecture of McAfee NAC

Contents

NAC manager functionality

McAfee NAC distributed component functionality

Detectors and how they operate

Assessors and how they operate

Enforcers and how they operate


Remediators and how they operate

NAC manager functionality

The NAC manager (central management portion of McAfee NAC) provides core management functionality for all operations performed by the software. The manager provides for all policy configuration and management, and ensures that the policies are up-to-date. It also provides reporting and monitoring services in the form of queries and monitors, which gather and display system and network information related to network access control.

Information reported from detectors, assessors, and enforcers is processed. If necessary, the NAC manager uses the information to make calculations or determinations of a system's state and status.

Figure 2: NAC manager architecture

The following table describes the functions of the NAC manager.

Function: Assess and enforce policy configuration and management
Description: The policies that define health assessment and access enforcement criteria for systems on your network. Provides all policy configuration and management, and ensures that the policies are up-to-date.

Function: Deploy distributed components
Description: Server tasks that initially deploy and periodically update detectors, assessors, and enforcers and the policies used by each.

Function: Process and store detection data
Description: System state and status calculations, message processing, and data storage.

Function: Process and store assessment data
Description: System health status, verification, checks for exemptions, comparisons against administrator settings and event handling. Takes information from any supported assessor (NAC client and guest client).

Function: Process and store enforcement data
Description: Depending on the configured enforcer, get enforcement status, errors, and network access zones.

Function: Trigger enforcement actions
Description: Sends a health level to the configured enforcer. When Microsoft Network Access Protection is the enforcer, this is reduced to a Statement of Health.

Function: Evaluate and enforce exemption rules
Description: Processes rules and identifies matching systems. This happens when the manager gets information from a detector, assessor, or enforcer.

Function: Report stored data
Description: Provides reporting and monitoring services in the form of queries and monitors, which gather and display system and network information related to access control.

For unmanaged systems, the NAC manager maintains setup configuration data, and sends health information to supported products that handle unmanaged system enforcement.

How a system's classification is determined

Classifying each system connected to a network is one of the core duties of the NAC manager. After receiving detector information, the NAC manager tries to determine which systems can be managed and enforced, and which cannot. How precise the NAC manager can be depends on how much information a detector provides. For instance, if the NAC manager receives enough information for it to use OS fingerprinting, it can determine manageability, and in some cases, whether the system can be enforced.

The NAC manager continually evaluates the information it receives, and re-classifies systemsas necessary. Situations that can trigger re-classification are:

• More information from a detector. For example, a system's first detection was by the Rogue System Detection service, but subsequent detections are from the NAC client.

• Installation or uninstallation of the NAC client.

• A change to a system's exemption status.

• The OS fingerprinter runs against the system and identifies information the NAC manager does not have.


McAfee NAC distributed component functionality

The McAfee NAC distributed component architecture allows the detection, assessment, enforcement, and remediation functionality to be combined in one unit, or separated and handled by different components, even different products.

Figure 3: NAC distributed component architecture

McAfee NAC uses these distributable components:

• The NAC client, which can function as a detector, assessor, and enforcer on managedsystems.

• The NAC guest client, which can function as a detector and assessor on unmanaged systems.

The NAC client is deployed to systems in your organization using ePolicy Orchestrator features, or manually (not recommended). The NAC guest client must be downloaded and installed by unmanaged system users.

Detectors and how they operate

A detector identifies systems that are connected to your network, and reports these systems to the NAC manager. To qualify as a detector, the component must report at least one form of identifying information about a system or device to the NAC manager (see the Detector input and output table).

NOTE: All discussion of detectors in this guide relates to managed systems only, unless explicitly stated otherwise.

The McAfee Network Access Control software as a standalone product (without the use of additional products) provides the following detectors:

Table 9: Detector operations

• Rogue System Detection (RSD) service: Provides the primary level of detection information for ePO-managed systems. Once the NAC client is deployed to a system (classification changes to a NAC-managed system), RSD moves to a secondary role, and the NAC client becomes the primary detector. The RSD service also provides detection information about unmanaged and unmanageable systems, such as printers. This information is important if you use exemptions. See Using Exemptions.

• NAC client: Provides the primary level of detection information for the NAC-managed systems where it is deployed.

• NAC guest client: Provides the primary level of detection information for the unmanaged systems where it is installed.

The following table lists the information that detectors use as input, and report as output. The NAC manager uses the output.

Table 10: Detector input and output

Detector: Rogue System Detection (RSD) service
Input: McAfee Agent installation event and network traffic, consisting of DHCP requests and ARP broadcasts
Output: At least one of the following: an IP address, a MAC address, a host name, a subnet, a McAfee Agent GUID

Detector: NAC client
Input: Local operating system queries
Output: At least one of the following: an IP address, a MAC address, a host name, a subnet, a McAfee Agent GUID

The specific implementation determines whether a detector reports some or all of the identifying information that is listed under Output. In addition, some detectors might provide operating system information. McAfee Network Access Control accommodates its own detectors as well as detectors from other McAfee or third-party products.
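As an added illustration (not the NAC client's own code) of what "local operating system queries" amount to on a Linux host, the script below collects the identifiers that Table 10 lists as detector output: each IPv4 address with its MAC and subnet, the host name, and the McAfee Agent GUID. The /etc/cma.d location follows the FAQ earlier in this chapter, but the assumption that the GUID is stored in an AgentGUID element of a config.xml below it is ours; check it against your agent's files. The subnet is derived from the interface prefix in shell arithmetic, so nothing beyond the ip tool is needed on RedHat Enterprise Linux.

```shell
#!/bin/sh
# Added example (not McAfee code): emulate the detection information a NAC
# client can report from local operating-system queries (Table 10).
# Assumption: the McAfee Agent GUID is stored as <AgentGUID>...</AgentGUID> in a
# config.xml under /etc/cma.d; verify the element name against your agent files.

# Network address for an address/prefix pair, e.g. 10.1.2.3/24 -> 10.1.2.0/24.
cidr_network() {
    case "$1" in */*) ;; *) echo "need address/prefix" >&2; return 1 ;; esac
    addr=${1%/*}
    bits=${1#*/}
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
    net=$(( $n & $mask ))
    echo "$(( ($net >> 24) & 255 )).$(( ($net >> 16) & 255 )).$(( ($net >> 8) & 255 )).$(( $net & 255 ))/$bits"
}

# Reduce `ip -o -4 addr show scope global` output (on stdin) to "iface addr/prefix".
ip_addr_entries() {
    awk '$3 == "inet" { print $2, $4 }'
}

# MAC address of an interface from sysfs (empty if unknown).
iface_mac() {
    cat "/sys/class/net/$1/address" 2>/dev/null
}

# First AgentGUID found in a config.xml below the given directory; 1 if none.
agent_guid() {
    for f in "$1"/*/config.xml; do
        [ -r "$f" ] || continue
        g=$(sed -n 's/.*<AgentGUID>\([^<]*\)<\/AgentGUID>.*/\1/p' "$f" | head -n 1)
        if [ -n "$g" ]; then echo "$g"; return 0; fi
    done
    return 1
}

# One "key=value" line per identifier. Returns 1 if nothing usable was found,
# since the NAC manager needs at least one identifier to record the system.
detector_report() {
    cma_dir="${1:-/etc/cma.d}"
    found=0
    h=$(hostname 2>/dev/null) && [ -n "$h" ] && { echo "hostname=$h"; found=1; }
    g=$(agent_guid "$cma_dir") && { echo "agent_guid=$g"; found=1; }
    ip -o -4 addr show scope global 2>/dev/null | ip_addr_entries | while read -r iface cidr; do
        echo "ip=${cidr%/*} mac=$(iface_mac "$iface") subnet=$(cidr_network "$cidr") iface=$iface"
    done
    # the while loop ran in a subshell, so count the addresses separately
    n=$(ip -o -4 addr show scope global 2>/dev/null | ip_addr_entries | wc -l)
    [ "$n" -gt 0 ] && found=1
    [ "$found" -eq 1 ]
}

# Usage: ./detector_report.sh report [/etc/cma.d]
[ "${1:-}" = "report" ] && detector_report "${2:-/etc/cma.d}"
```

Comparing this output with what the NAC manager shows for the system is a quick way to see which identifier the manager is keying on, and why a host with several addresses or a replaced network card can be re-classified.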

Another supported detector is the Network Security Sensor, a hardware component of McAfee Network Security Platform (formerly IntruShield). See Combining McAfee NAC with McAfee Network Security Platform.

RSD as a detector

The Rogue System Detection (RSD) service acts initially as the primary detector in an ePO-managed system environment. Systems with the McAfee Agent installed are detected and reported to the ePO server. However, these systems are not yet managed, according to the McAfee NAC definition. See System classifications.

Once you deploy the NAC client, its detection service takes over to provide information about the system where it resides. These systems are now managed, according to the McAfee NAC definition.

If you deploy Rogue System Sensors, the RSD service can also provide limited information about unmanaged systems.

NOTE: The RSD service must be installed as an extension to ePolicy Orchestrator prior to installing the McAfee NAC software.

RSD features that are incompatible with McAfee NAC

McAfee NAC is not compatible with certain RSD features or capabilities. These RSD features cause no harm, and are even useful, in connection with ePolicy Orchestrator. However, when you add network access control to your environment, certain practices with RSD can disable or nullify McAfee NAC functionality.

Prerequisites for using RSD as a detector

You must set the user permissions for the RSD service to View and Edit.

RSD detector functionality

The RSD service can function as a McAfee NAC detector with or without deploying a Rogue System Sensor.

RSD setup: Without sensor deployment

The RSD service without sensor deployment provides:

• Information about managed systems only.

• Detections occur based on the McAfee Agent sending information to the ePO server. The RSD service listens for this information from the McAfee Agent and records the system as ePO-managed within ePolicy Orchestrator.

• Detection information about ePO-managed systems, consisting of network data such as an IP address, MAC address, host name, and subnet. The RSD service also obtains the McAfee Agent GUID for system identification.

RSD setup: With sensor deployment

The RSD service with sensor deployment provides all the functionality listed above, as well as:

• Detections occur based on the Rogue System Sensor sending information to the ePO server. Sensors listen to DHCP requests and ARP broadcasts.

• Unmanaged system information, consisting of network data such as an IP address, MAC address, host name, and subnet.

• Systems detected by a sensor are reported on the Network | Detected Systems page in the Overall System Status pane.

Detection information provided by the RSD service is reported to the ePO server and is accessed on the Network | Detected Systems page. The status of these systems can be "Rogue" or "Managed". If the system is listed as "Managed" it might or might not mean the system is managed according to the McAfee NAC definition. You will need to use the NAC reports or queries to determine whether a system is managed by McAfee NAC.


Use of RSD with deployed sensors

If you use the RSD service with deployed sensors, then this configuration has the following implications:

• Any exemption rules you create might not report correctly until the systems affected by the rule have been detected. When you first create an exemption rule, it can be listed with zero systems, even though you know the network has systems that match the rule. This happens when there is a delay between the creation of the rule and the next detection event.

• Rogue System Sensors detect when a system has an “alien” McAfee Agent. This happens when a system that reports to one ePO server is connected to a network controlled by a different ePO server. Most often this happens with laptops used during travel. If this occurs, the system health policies that are normally active for that system cannot be used as the basis of a health assessment. Systems with alien agents can use the guest client for health assessment.

NAC client used as a detector

The NAC client automatically functions as a detector once it is deployed. To deploy the NAC client to a system, the system must have the McAfee Agent installed. Once the NAC client is deployed, the system becomes managed, according to the McAfee NAC definition.

Once deployed, the NAC client functions as the primary detector, and automatically reports its detection information to the NAC manager. For a NAC-managed system, the RSD service moves to a secondary role. The RSD service still reports unmanaged and unmanageable systems, and also takes over as primary detector if the NAC client is removed from a system or stops functioning properly.

To operate as a detector, the NAC client does not require any specific configuration. For each managed system, the detection information the NAC client reports consists of:

• IP addresses

• MAC addresses

• Host name

• Subnets

• McAfee Agent GUID

To uniquely identify a system, the NAC manager needs at least one of the listed pieces of identifying information.

The NAC client cannot provide any detection information for unmanaged systems.

Prerequisites for using the NAC client as a detector

You must deploy the NAC client to ePO-managed systems.

NAC guest client used as a detector

The NAC guest client automatically functions as a detector once it is installed on an unmanaged system. To install the guest client on a system, users must download and run the installer. The system does not require the McAfee Agent installed.

NOTE: Installing the guest client on a system does not classify it as managed, according to the McAfee NAC definition. The guest client also functions as an assessor, but does not function as an enforcer.


Once installed, the NAC guest client functions as the primary detector, and provides the same detection functionality as the NAC client. The Rogue System Detection service moves to a secondary role. The RSD service still reports unmanaged and unmanageable systems, and also takes over as primary detector if the guest client is removed from a system or stops functioning properly.

To operate as a detector, the guest client does not require any specific configuration. The guest client reports the following detection information:

• IP addresses

• MAC addresses

• Host name

• Subnets

To uniquely identify a system, the NAC manager needs at least one of these types of identifying information.

Prerequisites for using the guest client as a detector

A user must download the guest client from an accessible network location and install it. See Installing the guest client.

Assessors and how they operate

An assessor determines the health of systems that are connected to your network, and reports the assessment results to the NAC manager.

The McAfee Network Access Control software supports two assessors. The assessor that is used depends on whether a system is managed or unmanaged, according to the McAfee NAC system classifications.

Table 11: Assessor operations

Assessor: NAC client

Operational description: Provides a health level assessment for managed systems, according to one or more assigned system health policies. The NAC client assessor reports the following information to the NAC manager:

• Assessed health level.

• Details about benchmarks and rules.

• Status of the assessment (scan) — whether it failed, or was successful.

• Version of content and policy that was used.

Assessor: NAC guest client

Operational description: Provides a health level assessment for unmanaged systems, according to a single unmanaged system policy. The guest client assessor reports the following information to the NAC manager:

• Assessed health level.

• Details about benchmarks and rules.

• Status of the assessment (scan) — whether it failed, or was successful.

• Version of content and policy that was used.


An assessor must have input to tell it what to assess on a system, and what to report about the assessment. An assessor also provides output.

Table 12: Assessor input and output

Assessor: NAC client

Input:

• Managed system health policies.

• A NAC client policy.

• Benchmark content (checks and rules).

Output: A health level descriptor.

Output used by: The reporting service of the NAC manager, and any supported enforcer for a managed system. Remediators use the assessed health level, and the benchmark and rule details.

Assessor: NAC guest client

Input:

• A single unmanaged system policy.

• Benchmark content (checks and rules).

Output: A health level descriptor.

Output used by: The reporting service of the NAC manager, and any supported enforcer for an unmanaged system. Currently, a McAfee Network Security Sensor is the only supported enforcer for an unmanaged system. There is no automated remediator at this time for unmanaged systems.

When systems are assessed

An assessor runs a scan to determine the health of a system. The health assessment is based on the system health policies that are applicable to each managed system, or the unmanaged system policy for unmanaged systems.

An assessor initiates a scan:

• At system startup.

• When the NAC client service is restarted.

• When a system is reconnected to the network or its network adapter changes.

• When a system is assigned a new IP address.

• When the NAC manager requests a scan or rescan. This can happen automatically or as the result of an administrator request.

• When a NAC client receives a new or updated system health policy.

NAC client used as an assessor

The NAC client is the only assessor you can use with McAfee NAC to determine the health of managed systems. Before you can use the NAC client as an assessor, you must deploy it to ePO-managed systems. Once the NAC client is deployed, the system becomes managed, according to the McAfee NAC definition, and it automatically functions as an assessor.

To function as an assessor, the NAC client does not require any specific configuration. However, the NAC client policy contains configuration options that affect assessment operations. See McAfee NAC Policies.

As an assessor, the NAC client is responsible for:

• Assessing a system's health.

• Setting a system's health level.

• Reporting assessment results to the NAC manager.

• Sending notifications to the system tray on the managed system.


How system health is assessed

The NAC client assesses system health by running a scan. The scan is based on the system health policies that are applicable to each managed system.

An assessor initiates a scan:

• At system startup.

• When the NAC client service is restarted.

• When a system reconnects to the network or its network adapter changes.

• When a system is assigned a new IP address.

• When the NAC manager prompts for a scan or rescan.

• When a NAC client receives a new or updated system health policy.

How health levels are set

A system's health status is the result of several factors. A system has both an assessed health level and an enforced health level, and it has an overall system health status. The overall system health status is derived from the assessed health level, and takes into account other factors such as exemptions.

The assessed health level is the result of evaluating all benchmarks in the system health policies whose Enforcement Mode is Enforce or Audit Only. After completing a scan, the NAC client sets the assessed health level at the most unhealthy value.

The enforced health level is the result of evaluating only those benchmarks in the system health policies whose Enforcement Mode is Enforce. After completing a scan, the NAC client sets the enforced health level at the most unhealthy value.

The NAC client changes the health level of managed systems based on scan results or explicit administrator instructions. If the health level is changed due to a scan, it is based on your benchmark rule properties. In each rule, you can specify the health level you want it to assign if the rule fails.

Administrators can manually change the enforced health level of a system when they view system summary and system detail pages. These pages are accessed through monitors or as the result of a query.

Reporting of assessment results

After a scan is completed, the NAC client reports the results to the NAC manager and checks whether the NAC manager has newer policies. If so, the newer policies are downloaded, and the system is rescanned. The NAC client policy allows you to configure the scan result's level of detail that is sent to the NAC manager.

For each managed system, the assessment information the NAC client reports consists of:

• The benchmark names that were assessed and which, if any, failed.

• The benchmark rule names that were assessed and which, if any, failed.

• The assessed health level of the system.

• The assessment status (success or failure).

• The content and policy versions used in the assessment.


How notifications are sent

The NAC client notifies users of important events or situations using a popup dialog box accessed from the McAfee system tray. If the system tray is not installed, users cannot receive these notifications.

Notifications occur when:

• The system's health level changes. The user is informed of the new health level, and the status of the benchmarks that were assessed. The new health level might be Healthy or one of the unhealthy states.

• The system is restricted to any network access zone other than the one assigned to the Healthy state. This occurs automatically based on the applicable network access policy, or based on a manual action by the administrator.

• A scan is in progress.

• The NAC client fails to run a scan successfully.

• The NAC client is not running.

• Automatic remediation actions fail to run.

NAC guest client used as an assessor

The NAC guest client automatically functions as an assessor once it is installed on an unmanaged system. To install the guest client on a system, users must download and run the installer. The system is not required to have the McAfee Agent installed.

NOTE: Installing the guest client on a system does not classify it as managed, according to the McAfee NAC definition. The guest client also functions as a detector, but does not function as an enforcer.

Once installed, the NAC guest client provides the same assessment functionality as the NAC client, with the exception that it assesses a system's health based on a single unmanaged system policy, rather than a set of managed system health policies.

Enforcers and how they operate

An enforcer is responsible for restricting the network access of systems based on their current health level. A system's health level can be set by several methods (see How health levels are set). Typically the restriction of network access is based on the definition of one or more network access zones, which are mapped to each possible health level. However, different enforcers can use different methods to restrict a system's access to a network.

The McAfee Network Access Control software supports three enforcers. The enforcer that is used depends on whether a system is managed or unmanaged, and the method you use to restrict network access.

Table 13: Enforcer operations

Enforcer: NAC client

Operational description: Provides local enforcement of network access restrictions for managed systems based on:

• Enforced health level.

• Administrator-specified health level.

• Post-admission policy health level.

The NAC client enforcer reports the following information to the NAC manager:

• Network access zone being enforced.

• Success or failure of the enforcement.

Enforcer: Microsoft Network Access Protection (NAP)

Operational description: Provides enforcement of network access restrictions for managed systems from a central NPS server based on:

• Assessed health level.

• Administrator-specified health level.

• Post-admission policy health level.

Regardless of the health level's origin, it is validated by the McAfee System Health Validator (SHV).

Enforcer: McAfee Network Security Sensor

Operational description: Provides enforcement of network access restrictions for unmanaged systems when configured for health-based access control, based on:

• Assessed health level.

• Administrator-specified health level.

• Post-admission policy health level.

Provides enforcement of network access restrictions for managed systems when configured for identity-based access control (IBAC), based on:

• System properties.

• User identity credentials.

The McAfee NAC architecture is not involved when using McAfee Network Security Platform in IBAC mode.

The following table lists the information that enforcers use as input, report as output, and which components use the output.

Table 14: Enforcer input and output

Enforcer: NAC client

Input:

• A health level from an assessor, post admission policy, or an administrator action.

• A managed network access policy.

• A NAC client policy.

Output:

• The network access zone being enforced.

• The success or failure of the enforcement.

Output used by: The reporting service of the NAC manager.

Enforcer: Microsoft NAP

Input:

• A health level from an assessor, post admission policy, or an administrator action.

• A McAfee SHV configuration.

Output:

• The NAP network access zone being enforced.

• The success or failure of the enforcement.

Output used by: The reporting service of the NAC manager, and the Microsoft NAP Status application.

Enforcer: McAfee Network Security Sensor

Input:

• A health level from an assessor, post admission policy, or an administrator action.

Output:

• The Network Security Manager network access zone being enforced.

• The success or failure of the enforcement.

• The system classification (managed, unmanaged, or unmanageable).

Output used by: The reporting service of the NAC manager.

NAC client used as an enforcer

To have the NAC client operate as an enforcer, you must properly configure a NAC client policy. The default NAC client policy uses the NAC client as the enforcer. Before you can use the NAC client as an enforcer, however, you must deploy it to ePO-managed systems, and it must obtain a NAC client policy.

When the NAC client is the enforcer, a local firewall blocks new outgoing connections, based on the system's current enforced health level, or the health level manually set by an administrator using Modify health level. The network access zone associated with each health level determines which network resources the system can or cannot access.

NOTE: The NAC client enforcement method option can be set so that enforcement actions are controlled by another product. This version of McAfee NAC supports Microsoft Network Access Protection (NAP) and McAfee Network Security Platform as enforcers. Information about configuring the NAC client to use one of these enforcers is discussed in the chapters about integrating with these products.

For each managed system, the enforcement information the NAC client reports consists of:

• The enforcement status (success or failure).

• The network access zone being enforced.

Remediators and how they operate

A remediator automatically tries to fix systems that are not in compliance with your health policies. McAfee Network Access Control 3.2 supports one remediator. Users of unhealthy systems also can make fixes to their systems manually. See Remediation of Unhealthy Systems.

If a system is unhealthy, it is typically restricted from accessing particular network resources, based on the current health level. A system's health level can be set by several methods. See How health levels are set.

Table 15: Remediator operations

Remediator: NAC client

Operational description: Runs remediation commands specified in the benchmarks that comprise each system health policy. Commands can be:

• Single executables.

• A script.

• A batch file.

The NAC client remediator reports the following information to the NAC manager:

• Success or failure of the remediation.


The input (required information) and output for the supported remediators, and what the output is used for, is described below.

Table 16: Remediator input and output

Remediator: NAC client

Input: Managed system health policies.

Output: The success or failure of the remediation.

Output used by: The reporting service of the NAC manager.


McAfee NAC Policies

You use various policy types to define and configure much of the McAfee NAC functionality for network security. The assessors and enforcers use these policies to determine what data to report and which actions to take.

Table 17: Policy types

Policy name: Managed system health policy

Description: Defines your network security criteria for health assessment of managed systems, specifies which systems must adhere to these criteria, and specifies when to use the policy. This policy type uses benchmarks (based on the XCCDF and OVAL standards) to define compliance rules. Rules are built from predefined checks supplied by McAfee or custom checks you can construct.

Policy name: Unmanaged system policy

Description: Defines your network security criteria for health assessment of unmanaged systems, specifies how often to run scans, how much information is reported to the NAC manager, and whether you want identification messages sent onto the network. This policy type uses benchmarks (based on the XCCDF and OVAL standards) to define compliance rules. Rules are built from predefined checks supplied by McAfee or custom checks you can construct.

Policy name: Network access policy

Description: Specifies the network access restrictions that you want to apply to each system health level. This policy is a mapping between each health level and a network access zone. How many network access zones you create determines your choices in the drop-down list.

Policy name: NAC client policy

Description: Configures the features of the NAC client component, which is deployed to managed systems. The NAC client always functions as a detector and an assessor. By default, the policy configures the NAC client as the enforcer. If you integrate with other network access solutions such as McAfee Network Security Platform, you can configure the use of a different enforcer.

Policy name: Post admission policy

Description: Specifies a health level to assign systems that are reported as exhibiting malicious behavior.

McAfee NAC distinguishes between system health policies for managed systems and the single policy used for all unmanaged systems. This topic discusses the structure and use of all policy types except the post admission policy, which is discussed in Network Access Administration and Monitoring.

Contents

System health levels and their function

Benchmarks for McAfee NAC

Managed system health policies

Unmanaged system policy

Network access policies

Network access zones and compliance

NAC client policies


System health levels and their function

System health levels represent the state of a system (managed or unmanaged) based on your network security rules, as defined by your managed system health policies or your unmanaged system policy. McAfee NAC defines the following health levels:

• Healthy

• Fair

• Poor

• Serious

• Critical

• Unknown

The names of the health levels are arbitrary, and have no intrinsic meaning. What is meaningful is the order, which represents a hierarchy of best (Healthy) to worst (Critical) states. The Unknown health level is a special case. It is only assigned to systems by the NAC manager. Assignment of the Unknown health level most often occurs when a system on the network starts up.

System health levels are used in:

• Reports, monitors, and informational tables shown in the product interface.

• Benchmark rules, to associate a particular health level with the rule’s failure. Benchmarks are used in managed system health policies and the unmanaged system policy.

• The definition of a NAC client policy, where each health level is mapped to a specific network access zone.

Health levels in benchmarks

The first five health levels indicate a system’s state relating to its compliance with the rules defined in your benchmarks. For each rule in a benchmark, you can set which health level to assign if the rule fails. If a system fails multiple rules, it is assigned the most severe health level.

Typically, you rank each rule according to the level of risk a violation poses to your network. However, associating a health level with each benchmark rule is not required. If a health level is not specified, the default value, which is specified in the Network Access Control server settings, is used.

The Enforcement mode setting for each benchmark determines how the health level that results from rule evaluation is applied to systems and used by enforcers. See Benchmark enforcement modes.

Health levels in network access policies

In a network access policy, each health level is mapped to a network access zone. Generally, you create multiple network access zones, each defining a different level of access to network resources.

The health level hierarchy is designed such that you can progressively restrict network access as a system's health status worsens. The level of restriction depends on how serious a threat is to your network security when a benchmark rule fails.


How the Unknown health level is used

Administrators cannot assign the Unknown health level to systems. This health level is reserved for specific circumstances, and can be assigned only by the NAC manager. This health level is assigned when:

• A system starts up, and therefore, has not yet been assessed.

• The health grace period has expired. The grace period is an option in the Network Access Control server settings, and is applied to managed and unmanaged systems.

Benchmarks for McAfee NAC

Each managed system health policy and the unmanaged system policy requires at least one benchmark, but can contain multiple benchmarks. Benchmarks are created and edited using the Benchmark Editor. Before you can create health policies, you must have benchmarks that are configured for McAfee NAC to use.

On the Add Benchmarks pages of the policy builders, only benchmarks with these characteristics are displayed:

• The Status must be set to “active” using Activate from the Benchmark Editor interface.

• The NAC property must be enabled. This property is located in the Properties section when you create or edit a benchmark, and is enabled by default when McAfee NAC is installed.

For a benchmark to perform any compliance checking, it must contain at least one rule. Each rule contains one or more compliance checks for assessing system health. If multiple checks are used, you can specify logic conditions.

For benchmarks you want to use with McAfee NAC, do the following within each rule:

• Set the NAC Health Level property to a health level value that is appropriate for the designated compliance checks.

• Make sure the Status property of each rule is set to Enabled.

• Optionally, to run a remediation action automatically when a rule is failed, type the remediation command and any parameters in the NAC Remediation Command and NAC Remediation Command Parameters properties. See How to Use Remediation.

Benchmarks contain many other properties and attributes that are beyond the scope of this document. For more information about creating and editing benchmarks and creating custom checks, see the Benchmark Editor documentation.

For each benchmark you add to a health policy, you can set these attributes:

• Enforcement mode. You can specify whether to enforce, audit, or disable the benchmark’s rules (use Set Mode on the Select Benchmarks page). The default is Audit Only.

• Automatic remediation. You can enable or disable this feature (use Auto-remediation on the Select Benchmarks page). The default is Disabled.

Automatic remediation can be used when systems fail a benchmark rule. Enabling this option means that it is enabled for every rule in the benchmark. However, no remediation action occurs unless a remediation command is explicitly specified for a benchmark rule, and the benchmark's enforcement mode is Enforce. See How to Use Remediation.

Recommendations

McAfee recommends the following when creating or editing benchmarks for use with McAfee NAC:


• Use the benchmark Tag feature to make groups to use as filters when adding benchmarks to your policies.

• Limit the number and scope of the rules you add to each benchmark. Building and debugging your policies is easier when the benchmarks are targeted toward particular security concerns, such as operating system patches or anti-virus issues.

• If you have a mixed operating system environment (client systems using Windows and non-Windows operating systems), create separate benchmarks for non-Windows systems, and consider building separate managed system health policies for your Linux and Mac OS systems.

• Limit benchmark rules to only one check, or one condition specified by multiple checks (for example, that at least one anti-virus program from an approved set is installed). Focusing each rule on a specific aspect of compliance works better than complex rules with numerous checks that address multiple security risks.

• Give each benchmark rule a name that describes the type of check, and provide a description that informs users what the rule looks for. The rule description is displayed to users through the system tray in the system status dialog box, and in the remediation window.

Benchmark enforcement modes

A benchmark's enforcement mode determines how an assessor uses the benchmark rules and reports the health of a system.

You can set an enforcement mode on every benchmark in a managed system health policy or in the unmanaged system policy. The enforcement mode affects all rules within a benchmark.

Table 18: Enforcement modes

Mode: Enforce

Description: All benchmark rules are enforceable, and determine the value of the system's Enforced Health Level. The actual enforcement applied to the systems is based on the configured enforcer, the mapping in the network access policy, and whether the system has an enforcement exemption. The assessor reports the assessed health level and assessment results to the NAC manager. The level of assessment detail is configurable: NAC client policy for managed systems and unmanaged system policy for unmanaged systems.

Mode: Audit Only

Description: No benchmark rules are enforceable, and they do not affect the value of the system's Enforced Health Level. The assessor reports the assessed health level and assessment results to the NAC manager. The level of assessment detail is configurable: NAC client policy for managed systems and unmanaged system policy for unmanaged systems.

Mode: Disabled

Description: All benchmark rules are disabled. Rules are not evaluated, and results are not reported to the NAC manager.
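The following worked example, added here and not McAfee's code, models the rules stated under How health levels are set, Health levels in benchmarks, and Table 18: a scan yields an assessed health level from Enforce and Audit Only benchmarks and an enforced health level from Enforce benchmarks only, each taken as the most unhealthy failing rule, with the server default level applied to rules that carry none, automatic remediation limited to Enforce benchmarks, and the enforced level then mapped to a zone through a network access policy. All benchmark, rule, command and zone names, and the default level "Poor", are constructed for illustration.

```python
"""Worked model of McAfee NAC health level derivation (illustrative, not product code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Health level hierarchy from the guide: only the order is meaningful.
HEALTH_ORDER = ["Healthy", "Fair", "Poor", "Serious", "Critical"]
UNKNOWN = "Unknown"  # reserved for the NAC manager; a scan never produces it

# Enforcement modes a benchmark carries inside a health policy.
ENFORCE, AUDIT_ONLY, DISABLED = "Enforce", "Audit Only", "Disabled"


@dataclass
class Rule:
    name: str
    passed: bool
    health_level: Optional[str] = None      # None: server default applies
    remediation_command: Optional[str] = None


@dataclass
class Benchmark:
    name: str
    mode: str
    auto_remediation: bool = False
    rules: List[Rule] = field(default_factory=list)


def worst(levels: List[str]) -> str:
    """Most unhealthy level in the hierarchy; Healthy when no rule failed."""
    return max(levels, key=HEALTH_ORDER.index) if levels else "Healthy"


def failed_levels(benchmarks, modes, default_level):
    """Health levels of failed rules in benchmarks whose mode is in `modes`."""
    levels = []
    for b in benchmarks:
        if b.mode not in modes:          # Disabled rules are not evaluated at all
            continue
        for r in b.rules:
            if not r.passed:
                levels.append(r.health_level or default_level)
    return levels


def assess(benchmarks, default_level="Poor") -> Tuple[str, str]:
    """Return (assessed, enforced) health levels for one scan.
    Assessed: Enforce + Audit Only benchmarks; enforced: Enforce only."""
    assessed = worst(failed_levels(benchmarks, {ENFORCE, AUDIT_ONLY}, default_level))
    enforced = worst(failed_levels(benchmarks, {ENFORCE}, default_level))
    return assessed, enforced


def remediation_commands(benchmarks) -> List[str]:
    """Commands that would run automatically: failed rules with an explicit
    command, in benchmarks with Auto-remediation enabled and mode Enforce."""
    return [r.remediation_command
            for b in benchmarks if b.mode == ENFORCE and b.auto_remediation
            for r in b.rules if not r.passed and r.remediation_command]


def network_access_zone(policy: dict, level: str) -> str:
    """Network access policy: mapping from each health level to a zone."""
    return policy[level]


# Constructed sample scan: one Enforce, one Audit Only and one Disabled benchmark.
SAMPLE_BENCHMARKS = [
    Benchmark("OS patches", ENFORCE, auto_remediation=True, rules=[
        Rule("critical-patch-present", passed=False, health_level="Serious",
             remediation_command="fix-patches.bat"),   # constructed command
        Rule("service-pack-level", passed=True, health_level="Poor"),
    ]),
    Benchmark("Anti-virus", AUDIT_ONLY, rules=[
        Rule("av-installed", passed=True, health_level="Critical"),
        Rule("dat-current", passed=False, health_level="Critical"),
    ]),
    Benchmark("Experimental", DISABLED, rules=[
        Rule("firewall-on", passed=False, health_level="Critical"),
    ]),
]

# Constructed network access policy (zone names are illustrative).
SAMPLE_ACCESS_POLICY = {
    "Healthy": "Full access", "Fair": "Full access",
    "Poor": "Remediation only", "Serious": "Remediation only",
    "Critical": "Quarantine", UNKNOWN: "Quarantine",
}

if __name__ == "__main__":
    assessed, enforced = assess(SAMPLE_BENCHMARKS)
    print("assessed:", assessed, "| enforced:", enforced)   # Critical | Serious
    print("zone:", network_access_zone(SAMPLE_ACCESS_POLICY, enforced))
    print("auto-remediation:", remediation_commands(SAMPLE_BENCHMARKS))
```

The Audit Only anti-virus failure raises the assessed level to Critical but leaves the enforced level at Serious, which is why the guide recommends auditing new benchmarks before enforcing them.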

Recommendations

McAfee recommends that you first test your policies with all benchmarks set to Audit Only mode. We also recommend this mode any time you add new benchmarks to your policies. See Enforcement mode monitoring.


Managed system health policies

Managed system health policies define the security compliance criteria used to assess the health of managed systems. There is no limit to how many managed system health policies you can have.

Managed system health policies have two qualities that differ from other McAfee NAC policy types:

• The assignment method.

• The policy can be active or inactive based on network connection conditions.

You assign managed system health policies to systems from the Select Systems page of the policy builder. Policy assignment is based on criteria you specify. The policy is assigned, and downloaded, only to systems that match the criteria. As a result, each policy can use unique assignment criteria, and each managed system can be subject to multiple system health policies.

Policy activation is unique to managed system health policies, and is specified from the PolicyActivation page of the policy builder. Whether a policy is active is determined by a system'snetwork connection (see How policies are activated). Policy activation does not determinewhether a policy is downloaded to the NAC client, but does determine whether the NAC client,in its role as an assessor, uses the policy.

All other McAfee NAC policy types, except the unmanaged system policy, are assigned to systemsthrough the System Tree. Managed system health policies are the only type that are activatedby network connection conditions.

For an assessor to use a policy to determine system health on a specific managed system, thepolicy must be assigned to that system and the policy must be active for the system's networkconnection.

Once you create or edit a system health policy, it is downloaded to the NAC client:

• The next time the McAfee Agent performs an agent-to-server communication.

• When a manual or scheduled agent wake-up call occurs.

• When a system is scanned with an older policy.

The primary tasks to perform with a managed system health policy are:

• Add the benchmarks you want to use.

• Specify which systems need to use the policy.

• Specify the network conditions that activate the policy (for example, assess the policy when the system is on any network, or only when on a specific network).

• Set each benchmark's enforcement mode.

• Enable or disable automatic remediation for each benchmark.

McAfee NAC includes a default managed system health policy you can use as the basis for constructing your own.

Recommendations

McAfee recommends the following for working with managed system health policies:

• Use only a few benchmarks in each managed system health policy. It is better to have many policies, each focused on a specific security requirement, than to have a few policies containing many different and potentially disparate security requirements.

• If possible, test your policies first in a controlled or non-production environment with all benchmarks set to Audit Only mode, then switch to Enforce mode. See Benchmark enforcement modes.


• If you plan to use automatic remediation, test your remediation commands in a controlled or non-production environment to verify they work correctly.

• If you want to gather information from certain security tests (for example, potentially unwanted programs) but not enforce them, create separate policies for those tests with all benchmarks set to Audit Only mode, rather than mixing them with benchmarks you need to enforce.

System health policy structure

A managed system health policy consists of:

• Unique identifiers (a name and description).

• A noncompliance message that is displayed on a client system when that system is out of compliance with any benchmark rules.

• One or more active benchmarks that have been designated for use with McAfee NAC.

• One or more managed system assignments.

• A policy activation mode specifying the condition that makes the policy active.

The following topics explain the different parts of a managed system health policy.

Identifiers

Each managed system health policy must have a name. This name should uniquely identify the policy. A description is optional but helpful, because a system health policy contains several distinct elements. For example, you might create similar policies with slight differences in option settings.

The system health policy naming convention is:

• A combination of alphanumeric characters, whitespace, underscores, and hyphens.

• A minimum of one character and a maximum of 64 characters.

• Must begin with a letter or number.

Noncompliance message

A noncompliance message, though optional, is an important element of a managed system health policy. This message appears on managed systems that fail any of the policy’s benchmark rules. Administrators can use this message to inform users about compliance issues on their systems that are specific to each managed system health policy, and how to fix them. With the noncompliance message, you can customize information that cannot be generated automatically.

To display the noncompliance message on managed systems, you must enable the option for the system tray icon in the NAC client policy (it is enabled by default). The system tray also provides information about the system’s health level, the assessed benchmarks and rules, and remediation status. The level of benchmark and rule information displayed is determined by the Scan results option in the NAC client policy.

McAfee recommends that you provide users with as much information as possible. A typical message might include:

• Information about the benchmark rule or check that failed during the most recent scan.

• The path or active links to file servers or shared network resources that store updates or other content needed to make the system compliant. This is especially helpful for users needing to update their systems manually.


Once a system is noncompliant, its access to network resources is controlled by the mapping of network access zones to health levels in your network access policies. If automatic remediation commands have been specified, these are run by the NAC client after all managed system health policies have been assessed. Users can access a remediation status window through the system tray menu. Some policy violations might require manual remediation. If so, make sure systems can access the necessary network resources. See How to Use Remediation.

Health policies and system assessment

Each managed system health policy and the single unmanaged system policy must have at least one benchmark. Otherwise, an assessor cannot determine a system's health.

Benchmarks are created with the Benchmark Editor, a common component that can be used by products other than McAfee Network Access Control. A benchmark specifies your compliance requirements for network access through one or more rule definitions. The rule definitions are used to assess system health. Each rule is constructed from security checks that target specific system configurations, security threats, the presence or absence of certain software, and so on. If multiple checks are used, you can specify logic conditions. McAfee supplies a set of checks for building your network security rules (see Installing content). You can also create custom checks.

Managed system health policies are created and edited using the Managed System Health Policy builder. The unmanaged system policy is created and edited using the Unmanaged System Policy builder. To add, modify, or remove benchmarks, use the appropriate policy builder from the console. Creating and editing policies requires the proper permissions (see Editing McAfee NAC permission sets).

The Select Benchmarks page of each policy builder lists the benchmarks that have been added to the policy. If no benchmarks have been added, a warning appears. Use Add Benchmark to search for and select benchmarks for the policy.

Benchmarks contain many properties and attributes that are beyond the scope of this document. For more information about creating and editing benchmarks and creating custom checks, see Benchmarks for McAfee NAC and the Benchmark Editor documentation.

How system health policies are assigned

Managed system health policies must be assigned to systems on your network before your security rules can be assessed and enforced. The managed systems you want to assess must have the following installed:

• The McAfee Agent.

• The NAC client.

Most policy types in the ePolicy Orchestrator 4.x environment are assigned to systems through the System Tree. Managed system health policies are an exception. These policies are assigned on the Select Systems page of the Managed System Health Policy Builder.

NOTE: The unmanaged system policy does not need to be assigned to systems specifically because it is part of the NAC guest client installation.

You can assign a managed system health policy to systems by specifying:

• One or more individual systems.

• One or more groups of systems.

• One or more tags.


Select individual systems

You can select individual systems to assign the policy using any of these criteria:

• System name

• User name

• IP address (in IPv4 dotted decimal format)

• MAC address (specified without dashes between the hex digit pairs; for example, 00123F3871C0 rather than 00-12-3F-38-71-C0)

Select system groups

You can select systems based on their assignment to groups in the ePolicy Orchestrator System Tree. The policy is assigned to all systems in the group, and in any subgroups along that branch of the hierarchy.

Select a tag

You can select systems based on any tag in the ePolicy Orchestrator Tag Catalog. For information about using tags, see the documentation for your version of ePolicy Orchestrator.

How policies are activated

Policy activation specifies the conditions under which a managed system health policy is active. This setting designates whether a policy is assessed and enforced based on the managed system’s network connection.

A managed system health policy can be made active:

• Always, regardless of whether or not the system is connected to a network.

• When the system is connected to a specific network; for example, one of your corporate networks.

• When the system is not connected to a specific network.

When deciding how to activate your system health policies, remember that a managed system gets every managed system health policy that has been assigned to it using Select Systems. For example, you define ten managed system health policies and you want five active for corporate network connections, three active for non-corporate network connections, and two always active. If you assign all ten policies to every managed system, the only policies that are assessed and enforced are those that match the activation criteria for the system’s network connection.

If you are going to use policy activation based on connection to, or not to, a specific network, it is recommended you always use one mode or the other. Systems that have more than one network interface card might experience conflicts if some policies activate based on a specific network connection, and others activate based on not being connected to a specific network.

Policy is always active

Use this setting for managed system health policies you always want applied to your corporate systems, regardless of which network a system is connected to or whether it is connected at all.


Policy is active when connected to a specific network

Use this setting when you want a managed system health policy assessed and enforced whenever a system is connected to a specific network. Because you must identify a network for this mode, the most common use is for activating policies that you always want assessed and enforced when systems are connected to one of your corporate networks.

See Network identification criteria for information about specifying a network.

Policy is active when not connected to a specific network

Use this setting when you want a managed system health policy assessed and enforced whenever a system is not connected to a specific network. Because you must identify a network for this mode, the most common use is for activating policies that you always want assessed and enforced when systems are not connected to one of your corporate networks.

See Network identification criteria for information about specifying a network.

Network identification criteria

A connection to a specific network can be determined by specifying one or more network identification criteria:

• The system can successfully connect to a domain controller for the Windows domain it belongs to.

• The system’s IP address is within a range you specify.

• The system is connected to a network with a DNS suffix you specify.

If both network identification types are selected (domain controller and network property), a logical AND is performed. For example, the managed system health policy is active only if a system successfully connects to any domain controller “and” it matches a specific IP address range or DNS suffix.

If you specify both types of network identification property (IP address range and DNS suffix), or more than one of each, the evaluation rules are:

• A logical OR is used for multiple entries of either an IP address range or DNS suffix.

• A logical OR is used when both an IP address range and DNS suffix are specified.

Using the network identification properties (IP address ranges and DNS suffixes) allows you to be specific. For instance, you might have several network domains, and want some system health policies active on one but not on others.
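The activation modes and the AND/OR evaluation rules above are easy to misread when several policies are assigned to one system, so the following Python model walks through them on constructed data. It is an added example written for this page, not McAfee code and not how the NAC client is implemented internally. The names ConnectionState, NetworkIdentification and HealthPolicy, the case-insensitive exact match on the DNS suffix, and the treatment of a system with no network connection at all (it never matches "a specific network") are assumptions made for the model.

```python
"""Activation model for managed system health policies (added illustration).

Rules modelled from the guide:
  - A policy is active always, when connected to a specific network, or
    when not connected to that network.
  - A specific network is identified by domain-controller reachability AND
    network properties; IP ranges and DNS suffixes are ORed together.
Structure names and the handling of an unconnected system are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ALWAYS = "always"
CONNECTED_TO = "connected to specific network"
NOT_CONNECTED_TO = "not connected to specific network"


@dataclass
class NetworkIdentification:
    """Criteria that identify 'a specific network' (assumed field names)."""
    require_domain_controller: bool = False
    ip_ranges: List[Tuple[str, str]] = field(default_factory=list)  # inclusive IPv4 (first, last)
    dns_suffixes: List[str] = field(default_factory=list)


@dataclass
class ConnectionState:
    """Constructed view of what the NAC client observes on the managed system."""
    connected: bool
    ip_address: Optional[str] = None
    dns_suffix: Optional[str] = None
    domain_controller_reachable: bool = False


@dataclass
class HealthPolicy:
    name: str
    activation: str
    network: Optional[NetworkIdentification] = None


def _in_range(ip: str, first: str, last: str) -> bool:
    return IPv4Address(first) <= IPv4Address(ip) <= IPv4Address(last)


def matches_network(ident: NetworkIdentification, state: ConnectionState) -> bool:
    """Evaluate the network identification criteria against a connection.

    Domain controller and network properties are ANDed; multiple IP ranges
    and DNS suffixes are ORed with each other. An unconnected system never
    matches a specific network (assumption).
    """
    if not state.connected:
        return False
    conditions = []
    if ident.require_domain_controller:
        conditions.append(state.domain_controller_reachable)
    if ident.ip_ranges or ident.dns_suffixes:
        ip_hit = state.ip_address is not None and any(
            _in_range(state.ip_address, first, last) for first, last in ident.ip_ranges)
        dns_hit = state.dns_suffix is not None and any(
            state.dns_suffix.lower() == s.lower() for s in ident.dns_suffixes)
        conditions.append(ip_hit or dns_hit)
    if not conditions:
        raise ValueError("at least one network identification criterion is required")
    return all(conditions)


def is_active(policy: HealthPolicy, state: ConnectionState) -> bool:
    """Apply the policy's activation mode to the connection state."""
    if policy.activation == ALWAYS:
        return True
    if policy.network is None:
        raise ValueError(f"policy {policy.name!r} needs network identification criteria")
    matched = matches_network(policy.network, state)
    if policy.activation == CONNECTED_TO:
        return matched
    if policy.activation == NOT_CONNECTED_TO:
        return not matched
    raise ValueError(f"unknown activation mode {policy.activation!r}")


def active_policies(policies: List[HealthPolicy], state: ConnectionState) -> List[str]:
    """Names of the assigned policies the assessor would actually use."""
    return [p.name for p in policies if is_active(p, state)]


# Constructed sample: one corporate network definition, three assigned policies.
CORPORATE_NETWORK = NetworkIdentification(
    require_domain_controller=True,
    ip_ranges=[("10.0.0.0", "10.255.255.255")],
    dns_suffixes=["corp.example.com"],
)
SAMPLE_POLICIES = [
    HealthPolicy("Baseline", ALWAYS),
    HealthPolicy("Corp-VSE-DAT", CONNECTED_TO, CORPORATE_NETWORK),
    HealthPolicy("Roaming-Firewall", NOT_CONNECTED_TO, CORPORATE_NETWORK),
]
ON_CORPORATE = ConnectionState(True, "10.20.30.40", "corp.example.com", True)
ON_COFFEE_SHOP = ConnectionState(True, "192.168.1.7", "localdomain", False)
# Corporate-looking address and suffix but no reachable domain controller:
# the AND between the two criterion types makes this a non-corporate connection.
NO_DC_ON_10_NET = ConnectionState(True, "10.1.1.1", "corp.example.com", False)

if __name__ == "__main__":
    for label, state in [("corporate", ON_CORPORATE), ("coffee shop", ON_COFFEE_SHOP),
                         ("10.x without DC", NO_DC_ON_10_NET)]:
        print(f"{label:16s} -> {active_policies(SAMPLE_POLICIES, state)}")
```

Running the model shows why the guide advises using only one of the two network-based modes: with all three policies assigned, a corporate connection activates Baseline and Corp-VSE-DAT, while both the coffee-shop connection and the "right address range but no domain controller" case activate Baseline and Roaming-Firewall, because the domain-controller criterion is ANDed with the address properties.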

Working with managed system health policies

You can perform a number of tasks with managed system health policies.

Tasks

Creating a NAC benchmark

Creating a NAC benchmark from checks

Creating and modifying managed system health policies

Exporting managed system health policies

Importing managed system health policies


Creating a NAC benchmark

Use this task to create a benchmark that can be used within your managed system health policies or unmanaged system policy. This task prepares and sets the benchmark options necessary for using a benchmark in McAfee NAC policies. Make sure to “activate” your benchmarks after you create or edit them.

Creating benchmarks and using the Benchmark Editor is beyond the scope of this guide. For a complete description of creating benchmarks and compliance rules, see the Benchmark Editor documentation.

Task

For option definitions, click ? in the interface.

1 Go to Systems | Benchmarks.

2 Select More Actions at the lower left of the page, then select New Benchmark.

3 In the Add Benchmark dialog box:

a Type a name for the benchmark in the Benchmark Title field.

b Click in the Benchmark Id field. The name you entered in the Title field is copied, but with spaces removed. You can edit this identifier if you want. Click OK.

The next page is titled with the name you specified, and includes three areas:

• The Edit panel at the top.

• The Benchmark Tree pane at the left.

• The Benchmark Content pane at the right.

4 In the Edit panel, select a benchmark option. Most benchmarks used with McAfee NAC can use Base Benchmark. Select the language you want for content. Content means the checks and benchmarks supplied by McAfee.

5 In the Benchmark Tree pane, click New Group to optionally add groups for organizing your rules. Type a descriptive name for the Group Title, such as VirusScan. Click in the Group Id field and the title is copied. You can edit this information as needed. Click OK.

6 In the Benchmark Tree pane, select the benchmark name. In the Benchmark Content pane, select the Properties page.

7 For the NAC property, make sure Make benchmark available to NAC is selected.

8 Click Apply Properties.

9 To add rules to the benchmark, click New Rule or New Rule from Checks. See the Benchmark Editor documentation for details about creating and structuring rules.

a For the NAC Health Level option, select the health level to assign a system that fails the rule. The value, Use default, means that the value specified by the Default rule health level option in the Network Access Control server settings is assigned to systems that fail the rule.

b To use automatic remediation, type the remediation command and any command parameters in the NAC remediation command and NAC remediation command parameters options. For information on using automatic remediation, see Automatic remediation of unhealthy systems.

10 From the Rules list, verify that each rule you added has the desired Status (Enabled or Disabled), and the desired NAC Health Level. Click Close to return to the main Benchmarks page.


11 Select the benchmark you created from the list and click Activate. You can now use this benchmark when creating managed system health policies or editing the unmanaged system policy.

Creating a NAC benchmark from checks

Use this task to create a new benchmark by selecting one or more existing checks. This action allows you to create a benchmark quickly. A separate rule is created for each check you select.

Task

For option definitions, click ? in the interface.

1 Go to Systems | Benchmarks.

2 Select More Actions at the lower left of the page, then select New Benchmark from Checks.

3 On the New Benchmark from Checks page:

a Type a name for the benchmark in the New Benchmark Title field.

b Click in the New Benchmark Id field. The name you entered in the Title field is copied, but with spaces removed. You can edit this identifier if you want.

4 In the Check Filter area, you can limit the displayed list of checks by operating system platform and by keywords entered in the Find field. Click Apply.

5 For more control when filtering the list of checks, click Advanced Filter. This opens the Check Filter Criteria Builder, where you can select properties and comparison operators, and apply boolean logic. Click OK to apply the filter and return to the New Benchmark from Checks page.

6 Select a check you want to use by clicking the checkbox. If the Actions column for a check contains a Set Parameters option, click it to open a dialog box where you specify values for the check, such as a minimum DAT age. After setting any required check parameters, click Add Check(s). You can continue to add checks by using the Next/Previous page buttons, or by clearing the existing filter and entering new filter options.

7 Click Next when you have finished adding checks. A summary page lists the benchmark title and ID, and the checks you added to the benchmark.

8 Click Save. The main Benchmarks page is displayed. The benchmark you created is listed with its status set to Edit.

9 Click Edit. With the name of the benchmark highlighted in the Benchmark Tree pane, click the Properties tab.

10 Verify that the NAC property is enabled. If not, select the checkbox. You must do this so that the appropriate properties related to using the benchmark with McAfee NAC are displayed in the rule properties. Click Apply Properties if you made changes to any of the benchmark properties.

11 Select the Rules tab. For each rule, select it and click Edit Rule.

a For the NAC Health Level option, select the health level to assign a system that fails the rule. The value, Use default, means that the value specified by the Default rule health level option in the Network Access Control server settings is assigned to systems that fail the rule.

b To use automatic remediation, type the remediation command and any command parameters in the NAC remediation command and NAC remediation command parameters options. For information on using automatic remediation, see Automatic remediation of unhealthy systems.

12 After editing all the rules, click Close to return to the main Benchmarks page.

13 Select the benchmark you created from the list and click Activate. You can now use this benchmark when creating managed system health policies or editing the unmanaged system policy.

Creating and modifying managed system health policies

Use this task to create or edit a managed system health policy.

Task

For option definitions, click ? in the interface.

1 Go to Systems | Network Access Control, then select Managed System Health Policies from the left column.

2 Click New to open the Managed System Health Policy Builder, or click Edit in the Action column of an existing policy.

3 On the Description page, type a name and description to label and identify the policy.

4 In the Noncompliance message for client field, provide details about why the system is not in compliance, and what to do to correct the situation. You can include links to systems that contain the appropriate remediation resources.

5 Click Next.

6 On the Select Benchmarks page, click Add Benchmark to create a new policy, or to add more benchmarks to an existing policy.

7 On the Add Benchmarks page, use the filters to display a list of available benchmarks. You can filter using a label, a name or part of a name, or a value of the Source field. From the list, select one or more benchmarks to include in the policy. Click Add.

8 On the Select Benchmarks page, use the action buttons to set each benchmark’s enforcement mode, enable/disable automatic remediation, or remove a benchmark. Click Next.

9 On the Select Systems page, specify the systems you want the policy assigned to by using Add System, Add Group, and Add Tag. You can use any combination of these options.

a Click Add System. In the Add Systems dialog box, you can specify individual systems by system name, user name, IP address, or MAC address. Do not use dashes in a MAC address.

b Click Add Group. In the Add Group dialog box, you can add one group at a time by selecting from the displayed System Tree.

c Click Add Tag. In the Add Tag dialog box, you can add one system tag at a time by selecting from the drop-down list.

To view details about the systems you selected, or the groups and tags you used, click Summary in the Actions column. You can remove selection assignments by clicking Delete in the Actions column of an entry.

10 Click Next.

11 On the Policy Activation page, select an Activation mode to specify the network connection condition that makes the policy active. Selecting a mode that activates the policy only when connected to or not connected to a specific network makes the Network Identification option available.


12 If activating the policy based on connecting to (or not connecting to) a specific network, select how you want to verify the connection. If you select Network Identification properties, you can add, edit, or delete one or more IP address ranges and DNS suffixes. Click Next.

13 On the Summary page, review the policy information. Click Save.

Exporting managed system health policies

Use this task to save managed system health policies by exporting them to disk. The default file name is NAC_Managed_System_Health_Policies.zip.

Task

For option definitions, click ? in the interface.

1 Go to Systems | Network Access Control, then select Managed System Health Policies from the left column.

2 Click Export.

3 From the list, select the managed system health policies to export, and click OK.

4 On the Download File page, right-click the file name link and select Save Target As from the menu.

5 In the Save As dialog box, browse to the location where you want to save the file, rename the file as needed, and click Save.

6 Click Close.

Importing managed system health policies

Use this task to import system health policies that you have stored on disk. The file you import must be a zip file.

Task

For option definitions, click ? in the interface.

1 Go to Systems | Network Access Control, then select Managed System Health Policies from the left column.

2 Click Import.

3 In the Import System Health Policy dialog box, click Browse and navigate to the location where you saved the zip file that contains managed system health policies. Select the file, then click Open.

4 Click OK to load the file or Cancel.

Unmanaged system policy

The unmanaged system policy defines the security compliance criteria used to assess the health of unmanaged systems. Only the NAC guest client uses this policy, which is automatically included as part of the guest client installation package.

Though similar, the unmanaged system policy differs from managed system health policies in these regards:

• A single policy applies to all unmanaged systems on your network.


• The unmanaged system policy is assessed by the NAC guest client, which can assess a system's health but cannot enforce the system.

• The NAC guest client does not support automatic remediation.

• You do not select the systems that are assigned the policy. Any unmanaged systems that install the NAC guest client are assessed using this single policy.

• You do not specify network conditions for activating the policy.

• You specify a time interval for how long an unmanaged system’s health level is valid before a new scan is required.

• You specify whether you want a periodic identification message sent onto the network to identify the system to a Network Security Sensor when using McAfee Network Security Platform.

The primary task to perform with the unmanaged system policy is to add the benchmarks you want to use, and set the configuration options as needed for your security requirements. Once you have added benchmarks, McAfee recommends that you first test this policy with the benchmarks set to Audit Only mode. Once you test the policy, set all benchmarks to Enforce mode.

McAfee NAC includes a default unmanaged system policy to which you add benchmarks. This policy cannot be renamed or have its description modified.

Benchmarks for the unmanaged system policy

McAfee recommends that you use separate benchmarks for the unmanaged system policy; that is, not the same ones you use in your managed system health policies. The main reason is that the guest client does not support automatic remediation, and you must use a different method for giving users remediation instructions.

Remediation instructions in the unmanaged system policy

All unmanaged systems are assessed using a single policy. In most circumstances you would configure your unmanaged system policy with multiple benchmarks. Each benchmark can contain any number of rules and checks, but benchmarks are easier to manage when they are configured to check for specific network access rules, such as having an anti-virus product installed.

The unmanaged system policy has an option where you can specify a non-compliance message, but this one message is not sufficient for providing users with specific remediation instructions when their systems are unhealthy. Rather, you can use the non-compliance message to provide general information about compliance with your network security policy, and where to get help fixing an unhealthy system.

McAfee recommends that you provide remediation instructions in each benchmark by using the Rule Description field. By using this field, you can write benchmarks with multiple rules, with each rule description providing the appropriate remediation information.

For example, if you write a benchmark to check for an anti-virus product, you could have separate rules for specific products. In each rule description, you could then provide information about where to find that product's installer.

Editing the unmanaged system policy

Use this task to edit the unmanaged system policy. The default policy supplied with McAfee Network Access Control 3.2 contains no benchmarks. You must add at least one for any health assessment to occur.


Task

For option definitions, click ? in the interface.

1 Go to Systems | Network Access Control, then select Unmanaged System Policy from the left column.

2 Click Edit in the Action column of the existing policy.

3 On the Description page, the name and description are read-only. Click Next.

4 If you are editing the policy for the first time, you must add at least one benchmark. If the policy already has benchmarks specified, you can set their enforcement mode, or delete them.

5 On the Select Benchmarks page, click Add Benchmark.

6 From the list on the Add Benchmarks page, select one or more benchmarks to include in the policy. You can filter the list using a label, a name or part of a name, or a value of the Source field. Click Add.

7 To change the enforcement mode, click Set Mode. In the Action window, select an option from the drop-down list, then click OK. When finished adding benchmarks, click Next.

8 On the Configuration page, set these options:

• For Scan interval, specify how often (in minutes) you want a scan to occur on detected unmanaged systems. The NAC guest client performs the scan.

• For Periodic identification, determine whether you want this enabled. If so, an identification message is sent at an interval you specify between 1 and 10 minutes.

• For Scan results, set the level of detail you want reported to the NAC manager for each unmanaged system assessment.

9 Click Next.

10 On the Summary page, review the policy information. Click Save.

Network access policies

A network access policy specifies which network resources a managed system can access for each health state. The policy maps each system health level to a network access zone. The mapping is one-to-one; however, you can map the same network access zone to more than one health level. Network access policies are created and edited using the Policy Catalog (Systems | Policy Catalog).

Unlike system health policies, a managed system can be assigned only one network access policy. You can create multiple network access policies, then assign a specific policy to specific systems.

The primary task you perform with network access policies is mapping a network access zone to each system health level.

If you modify a network access policy (including modification to network access zones), the updated policy is downloaded to the NAC client:

• The next time the McAfee Agent performs an agent-to-server communication.

• When a manual or scheduled agent wake-up call occurs.

• When a system is scanned with an older policy.

Use the System Tree (Systems | System Tree) to assign and set the inheritance rules for anetwork access policy.


When the software is installed, two default network access policies are added to the Policy Catalog:

• Network Access Policy Default, which cannot be edited but can be duplicated to create your own policies.

• My Default, which can be edited, duplicated, and renamed.

Both policies assign the default Allow Full Access network access zone to all health levels except Critical, which is assigned the default Deny All Access zone.

Creating network access policies

Use this task to create or edit a network access policy. When installed, McAfee Network Access Control 3.2 includes two default network access policies, Network Access Policy Default and My Default. The default policy cannot be edited, but it can be duplicated and used as the basis for creating a new policy.

Task

For option definitions, click ? in the interface.

1 Go to Systems | Policy Catalog.

2 For the Product field, select Network Access Control.

3 For the Category field, select Network Access Policy.

4 Click New Policy, or click Edit in the Actions column of an existing policy.

• For a new policy, select an existing policy from the drop-down list, and type a name.

• For an existing policy, type a new name in the dialog box, then click OK.

5 For the Health Level to Network Access Zone mapping option, select a network access zone from the associated drop-down list for each health level. Click Save.

To create one or more new network access zones while creating or editing a policy, you can click New Network Access Zone. However, if you do this, you must return manually to the Policy Catalog and begin the policy editing again.

Network access zones and compliance

Network access zones designate which network resources a managed system can or cannot access when it is not compliant with one or more rules in the applicable system health policies. The network access zones you define in McAfee NAC apply only to managed systems when the NAC client is the enforcer.

You can create as many network access zones as needed to ensure network security. Once these zones are created, you use them when defining a network access policy by associating a specific zone with each system health level.

The primary tasks to perform with network access zones are to set the access type and add network resources to the resource list.

Two default zones are supplied with the software: an Allow Full Access zone and a Deny All Access zone. These zones are meant to provide a starting point for defining your own zones, and to allow you to conduct some immediate testing.

A network access zone consists of:


• A name (required) and a description (optional).

• An access type setting (Allow or Deny).

• A domain controller setting, which is automatically enabled when the access type is Allow.

• A network resource list.

Network access zones should be defined so that noncompliant systems are isolated from network resources, such as critical servers and sensitive data, depending on the severity of the threat posed by each benchmark rule violation. However, you can always modify your zone definitions, so adding or removing a resource can be done at any time. When a network access zone definition is modified, it triggers an update to any network access policies that use the zone in the health level mapping.

The updated network access zone and network access policies are downloaded to the NAC client:

• The next time the McAfee Agent performs an agent-to-server communication.

• When a manual or scheduled agent wake-up call occurs.

• When a system is scanned with an older policy.

Once a managed system receives the updated network access policy, changes to zone definitions are applied immediately and enforced accordingly.

A network access zone's resource list can specify an internal or external network resource. Internal resources are ones that are not accessible from the Internet, and must be specified by an IP address. External addresses can be either a fully-qualified domain name (FQDN) or an IP address.

No matter how you define a network access zone, systems always have access to a core whitelist of network resources that consists of:

• DNS servers.

• DHCP servers.

• The ePolicy Orchestrator server.

• The local system.

A zone's Resource List does not list or identify the core whitelist resources. For information about why these resources cannot be blocked, see How host enforcement works. If you define a zone with an access type of Allow, then systems must be able to authenticate themselves to your domain controllers. The Allow access type automatically enables the Domain controller option, which adds these resources to the core whitelist. If your zone's access type is Deny, the Domain controller option is not applicable, and is automatically disabled.

When the NAC client is the enforcer, it uses a local firewall to block a system’s outbound connections, and enforce the access restrictions defined by your network access zones. If you use a zone that allows all connections and this is the active zone for a system, the firewall is effectively disabled. If you use an enforcer other than the NAC client, the behavior might be different.

Network access zone names

The naming conventions for network access zones are:

• A combination of alphanumeric characters, whitespace, underscores, and hyphens.

• A minimum of one character and a maximum of 64 characters.

• Must begin with a letter or number.


Recommendations

For network access zones, McAfee recommends that you:

• Test your network access zones in a non-production environment or a small subset of your production network, if possible, so you can determine whether users can access remediation resources.

• Carefully consider which health level to assign for each benchmark rule failure, and which network access zone you want to associate with each health level.

• Be careful using a zone that allows access to every resource. In a production environment, you might want to deny access to specific network resources or Internet sites even for healthy systems.

• Do not disable the Domain controller option for zones that have an access type of Allow, unless you are fully aware of the ramifications.

• If you create a zone that denies access, be sure you have made remediation resources available from one of the servers to which systems cannot be denied access. The ePolicy Orchestrator server is recommended.

• Evaluate your organization’s network security policies before creating your network access zones. This can save time later.
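The zone, policy and core whitelist rules described above, modelled as an added Python example (this is not McAfee's code). It assumes that an Allow zone permits only its listed resources and a Deny zone blocks only its listed resources, uses constructed addresses, and names three intermediate health levels the guide does not list; the zone name check and the remediation-server check follow the naming convention and the recommendation given above.

```python
"""Added example: a model of NAC network access zones and policies."""
import re
from dataclasses import dataclass, field

# Health levels used here. The guide names Healthy and Critical; the three
# intermediate names are an assumption of this example.
HEALTH_LEVELS = ("Healthy", "Fair", "Poor", "Serious", "Critical")

# Core whitelist from the guide: DNS, DHCP, the ePO server and the local system
# can never be blocked. All addresses in this example are constructed.
DNS_SERVER, DHCP_SERVER, EPO_SERVER = "10.0.0.53", "10.0.0.67", "10.0.0.10"
CORE_WHITELIST = frozenset({DNS_SERVER, DHCP_SERVER, EPO_SERVER, "127.0.0.1"})
DOMAIN_CONTROLLERS = frozenset({"10.0.0.11", "10.0.0.12"})

# Zone naming convention from the guide: alphanumerics, whitespace, underscores
# and hyphens; 1 to 64 characters; must begin with a letter or digit.
ZONE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9\s_-]{0,63}")


def valid_zone_name(name: str) -> bool:
    return ZONE_NAME_RE.fullmatch(name) is not None


@dataclass(frozen=True)
class NetworkResource:
    """One resource list entry: destination address, protocol and port."""
    address: str            # IP address (internal) or FQDN/IP (external)
    protocol: str = "any"   # "tcp", "udp" or "any"
    port: int = 0           # 0 matches any destination port

    def matches(self, address: str, protocol: str, port: int) -> bool:
        return (self.address.lower() == address.lower()
                and self.protocol in ("any", protocol)
                and self.port in (0, port))


@dataclass
class NetworkAccessZone:
    name: str
    access_type: str                         # "Allow" or "Deny"
    resources: list = field(default_factory=list)

    def __post_init__(self):
        if not valid_zone_name(self.name):
            raise ValueError(f"invalid zone name: {self.name!r}")
        if self.access_type not in ("Allow", "Deny"):
            raise ValueError("access type must be Allow or Deny")

    @property
    def domain_controller(self) -> bool:
        # Guide: enabled automatically for Allow zones, disabled for Deny zones.
        return self.access_type == "Allow"

    def permits(self, address: str, protocol: str, port: int) -> bool:
        if address in CORE_WHITELIST:        # never blocked by any zone
            return True
        if self.domain_controller and address in DOMAIN_CONTROLLERS:
            return True
        listed = any(r.matches(address, protocol, port) for r in self.resources)
        # Assumed semantics (the guide does not spell this out): an Allow zone
        # permits only its listed resources, a Deny zone blocks only them.
        return listed if self.access_type == "Allow" else not listed


# The two default zones under that assumption: a Deny zone with an empty list
# blocks nothing; an Allow zone with an empty list leaves only the whitelist.
ALLOW_FULL_ACCESS = NetworkAccessZone("Allow Full Access", "Deny")
DENY_ALL_ACCESS = NetworkAccessZone("Deny All Access", "Allow")


class NetworkAccessPolicy:
    """Maps every health level to exactly one zone; zones may be reused."""

    def __init__(self, name: str, mapping: dict):
        missing = set(HEALTH_LEVELS) - set(mapping)
        if missing:
            raise ValueError(f"unmapped health levels: {sorted(missing)}")
        self.name, self.mapping = name, dict(mapping)

    def is_permitted(self, level: str, address: str, protocol: str, port: int) -> bool:
        return self.mapping[level].permits(address, protocol, port)

    def levels_without_access(self, address: str, protocol: str, port: int) -> list:
        """Health levels whose zone blocks the resource; run it against your
        remediation server to check the guide's recommendation for Deny zones."""
        return [lvl for lvl in HEALTH_LEVELS
                if not self.is_permitted(lvl, address, protocol, port)]


def default_policy() -> NetworkAccessPolicy:
    """Network Access Policy Default as the guide describes it."""
    mapping = {lvl: ALLOW_FULL_ACCESS for lvl in HEALTH_LEVELS}
    mapping["Critical"] = DENY_ALL_ACCESS
    return NetworkAccessPolicy("Network Access Policy Default", mapping)


PATCH_SERVER = NetworkResource("10.0.5.20", "tcp", 443)   # constructed


def quarantine_policy() -> NetworkAccessPolicy:
    """Serious and Critical systems may reach only the patch server."""
    remediation = NetworkAccessZone("Remediation Only", "Allow", [PATCH_SERVER])
    mapping = {lvl: ALLOW_FULL_ACCESS for lvl in HEALTH_LEVELS}
    mapping.update({"Serious": remediation, "Critical": remediation})
    return NetworkAccessPolicy("Quarantine", mapping)
```

With the default policy, `levels_without_access` on the patch server reports Critical, which is the situation the recommendation warns about; the quarantine policy reports no level.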

Creating network access zones

Use this task to create or edit a network access zone. McAfee Network Access Control 3.2 includes two default zones. You can use these zones as is, or as a basis for creating new zones.

Task

For option definitions, click ? in the interface.

1 Go to Systems | Network Access Control, then select Managed Network Access Zones from the left column.

2 Click New Access Zone, or to edit an existing zone, click Edit in the Actions column. The Network Access Zone Builder opens.

3 Type a name and description.

4 Specify the zone’s access type (Allow or Deny).

5 Click New Resource to add a network resource to the definition of the zone.

6 In the Add Network Resource dialog box, specify the resource’s destination address, a protocol type, and destination port, then click OK.

7 To add additional network resources, continue using New Resource. To edit or delete a resource from the zone’s resource list, click Edit or Delete in the Action column.

8 Click Save.

Importing and exporting network access zones

Use this task to import or export your network access zones. When you export, all of your defined network access zones are saved in a ZIP file. McAfee NAC sets a default filename, which you can change when saving the file. You cannot export only a subset of your zones. You can only import network access zones that you previously saved by exporting them. If you import a zone that has the same name as an existing network access zone, the existing zone is overwritten.


Task

For option definitions, click ? in the interface.

1 Go to Systems | Network Access Control, then select Managed Network Access Zones from the left column.

2 Click Export to save your defined network access zones.

a On the Download File page, click NAC Network Access Zone Policies.

b Click Save in the File Download dialog box.

c In the Save As dialog box, select a location and optionally change the filename, then click Save.

d Click Close in the Download Complete dialog box.

3 Click Import to load network access zones from a saved ZIP file.

a In the Import Network Access Zone page, type a filename or click Browse to locate a previously exported network access zone file.

b Click OK in the File Download dialog box.

NAC client policies

The NAC client policy configures how the NAC client operates. This policy type is managed from the ePolicy Orchestrator Policy Catalog (Systems | Policy Catalog), and is assigned to managed systems using assignment mechanisms such as the System Tree (Systems | System Tree). Depending on your network structure or organizational needs, you can use more than one NAC client policy.

You can create a new policy, or edit, view, duplicate, export, rename, and delete an existing policy. You cannot edit, rename, export, or delete the supplied McAfee Default policy.

The primary task to perform with a NAC client policy is to set the configuration options you require. The configuration options are:

• Enforcement method — Sets the type of enforcement to use. The Microsoft Network Access Protection option is valid only for client systems running Windows operating systems, and does not work for systems running a supported Mac OS or Linux operating system.

• Scan results — Sets how much detail is reported to the NAC manager for each managed system assessment.

• Automatic remediation — Sets whether automatic remediation is enabled and, if so, the credentials to use for running the remediation commands.

• System tray icon — Sets whether to display the McAfee system tray icon on managed systems.

• Periodic identification — Specifies whether you want the NAC client to send an identification message out on the network. If enabled, the message is sent every 60 seconds. This option is only useful if you are also using McAfee Network Security Platform, and you have managed systems on your network that use firewall software that blocks the communication port (8443 by default) used by a Network Security Sensor for client identification requests.

Once you create or edit a NAC client policy, it is downloaded to the NAC client:

• The next time the McAfee Agent performs an agent-to-server communication.

• When a manual or scheduled agent wake-up call occurs.

• When a system is scanned with an older policy.


When the software is installed, two default NAC client policies are added to the Policy Catalog:

• Network Access Client Policy Default, which cannot be edited but can be duplicated to create your own policies.

• My Default, which can be edited, duplicated, and renamed.

The default configuration is to use the NAC client as the enforcer, report all benchmark and rule information, disable automatic remediation, show the system tray icon on managed systems, and disable the periodic identification message.

Creating and modifying NAC client policies

Use this task to create or edit a NAC client policy. When installed, McAfee Network Access Control 3.2 includes default NAC client policies named Network Access Client Policy Default and My Default.

Task

For option definitions, click ? in the interface.

1 Go to Systems | Policy Catalog.

2 For the Product field, select Network Access Control Client 3.2.0.

3 In the Category field, select General.

4 To create a new policy, click New Policy or click Duplicate in the Actions column of an existing policy.

5 In the popup, type a name for the new policy. If you use New Policy, you can also select an existing policy as a basis for the new one. Click OK.

6 Select an enforcement method.

7 Select the level of detail you want for scan results.

8 Select whether to enable automatic remediation and the type of credentials to use. For automatic remediation to work, you must also specify a remediation command in a benchmark rule and enable automatic remediation for the benchmark.

9 Specify whether to display the McAfee system tray icon on managed systems.

10 Specify whether you want to send a periodic identification message. If enabled, the message is sent every 60 seconds.

11 Click Save.


Using Exemptions

Exemptions allow you to exclude specific systems and devices, such as printers, from your overall network security policy. They prevent specified systems and devices from being assessed (scanned) or enforced. There are two exemption types:

• Enforcement exemptions.

• Scan (assessment) exemptions.

You can designate an exemption by:

• Creating an exemption rule.

• Creating a text file of system MAC addresses and importing it. This method can be used for creating scan exemptions only.

• Marking one or more systems, using Set NAC exempt, from a summary report or system detail page.

Exempt systems are always placed in a special Exempt network access zone, which imposes no access restrictions.

The NAC manager stores information about all exempt systems and their status. You can view this information using several predefined NAC dashboard monitors, or by creating your own custom monitors. From summary reports and system detail pages, administrators can initiate actions and affect the status of systems manually. For information about which monitors display information about exempt systems, and the manual actions that administrators can use, see Dashboards, Monitors, and Queries.

Contents

Enforcement exemptions

Scan exemptions

How system classification affects exemptions

How exemption rules work

Use of an imported exemption list

How manual exemptions work

Enforcement exemptions

An enforcement exemption designates that a system is never enforced, no matter what its assessed health level or how many benchmark rules it fails. Systems that have enforcement exemptions are assessed (scanned) and their system health determined according to the applicable system health policies. The scan results for exempt systems are reported to the NAC manager, but if a system is unhealthy, no enforcement is applied and the system is not subject to any access restrictions designated by your network access policies.


Enforcement exemptions are typically used on systems or devices that can host the NAC client or guest client, but can be used for any device on your network.

You can view all exempt systems using the NAC: Exemption Status monitor. Exempt systems also appear in other NAC monitors, and administrators can initiate actions on systems manually from various report pages. See Dashboards, Monitors, and Queries.

CAUTION: Although an administrator can use the Modify health level action to change the health status of an enforcement exempt system, McAfee does not recommend this action because it overrides the system's enforced health level, but does not affect the system's network access status or its applied network access zone.

If automatic remediation commands are specified for failed benchmark rules and the feature is enabled (both in the benchmark and the NAC client policy), the NAC client, acting as the remediator, tries to run any designated commands to fix the system.

If you are using an enforcer other than the NAC client, see Using McAfee NAC with Microsoft NAP or Using McAfee NAC with McAfee Network Security Platform.

Scan exemptions

A scan exemption designates that a system is never assessed and never enforced (the system is exempt from enforcement). As a result, the only information the NAC manager knows about these systems is what a detector provides. See Detectors and how they operate.

You can view all exempt systems using the NAC: Exemption Status monitor. Lists of exempt systems also appear in other NAC monitors, and administrators can initiate actions on systems manually from various report pages. See Dashboards, Monitors, and Queries.

A scan exemption can be assigned to any system or device, regardless of whether it can host the NAC client or guest client. Typically, you use scan exemptions for printers, scanners, and other network devices that:

• Cannot host an assessor.

• Do not store data.

• Pose little or no security risk.

The NAC manager always considers a scan-exempt system or device as healthy. As a result, manual attempts by an administrator to change the health level of such systems are ignored. Furthermore, access restrictions cannot be imposed on scan-exempt systems. For instance, the network access zone mapped to the Healthy health level in your network access policies is never used on these systems.

How system classification affects exemptions

Depending on the method used to designate exemptions, you can make any of the system classifications (managed, unmanaged, unmanageable, and unenforceable) scan- or enforcement-exempt. The usefulness of applying an exemption to various systems often depends on your knowledge of a specific system, device, or system user.

System classification: Managed

Enforcement exemption: Can be used to prevent network access restrictions from being applied to critical systems, such as servers.

Scan exemption: Only recommended for critical systems that might be affected by the extra processor load of running a scan.

System classification: Unmanaged

Enforcement exemption: Only recommended for trusted guests or visitors whose systems you do not want to impact by your network security policy.

Scan exemption: Not recommended. Unmanaged systems typically present a security risk to your network. Unmanaged systems can be assessed using the NAC guest client.

System classification: Unmanageable

Enforcement exemption: Not recommended. There is no method for assessing the health of an unmanageable system (it cannot host an assessor). Assigning an enforcement exemption to these systems is possible, but not useful.

Scan exemption: Recommended. Unmanageable systems cannot be assessed. The only information the NAC manager can know about the system is from detection. Printers, FAX machines, and similar devices fall into this category.

System classification: Unenforceable

Enforcement exemption: Not recommended. Typically, unenforceable systems are ones that cannot be enforced by the NAC client or guest client, or the NAC manager has not or cannot receive an enforcement status for the system.

Scan exemption: Only recommended for systems or devices that:

• Can be guaranteed to pose no security risk.

• Cannot host the NAC client. Therefore, the NAC client cannot be the enforcer.

• You do not want enforced by one of the other supported enforcers.

Typically, the classification of a system as unenforceable is rare. You can best deal with such a system using methods other than exemptions. The most common use of exemptions is for devices, such as printers, that are unmanageable, and for critical managed systems that you cannot afford to have affected by network access restrictions.

If you have unmanageable systems on your network, you might want to make these exempt from assessment; otherwise, the assessed health level of these systems is reported as Unknown.

How exemption rules work

An exemption rule allows you to specify properties that identify systems on your network, and designate whether those systems are exempt from scans or from enforcement. The properties allow identification of single systems or groups of systems with similar attributes, such as printers or servers. Depending on the properties used to specify an exemption rule, it is possible to make any of the four system classifications exempt (managed, unmanaged, unmanageable, and unenforceable). You can create as many exemption rules as needed for your environment.

Systems that are marked as exemptions by a rule cannot have their exemption status removed manually using the Remove NAC exempt action. To remove such a system's exemption status, you must delete or modify the rule such that the system is no longer identified by the rule's properties.

If a system is exempt from scans or enforcement by application of a rule, you can change the exemption type using Set NAC exempt. This changes the System Status from "exempt by rule" to "exempt by administrator". To return the system to its "exempt by rule" status, use Remove NAC exempt.

Once an exemption rule is created, it is applied to systems only after they are detected. If you create a rule and it reports zero systems, it might mean that the systems have not yet been detected. Systems are detected when:

• The NAC client reports a managed system to the NAC manager.

• A Rogue System Sensor identifies a system.

• A McAfee Network Security Sensor identifies a system.

Scan exemption rules are intended for any system on your network you do not need or want assessed for compliance with your health policies. Typically, these would be printers, fax machines, and other similar devices, but might also include unmanageable systems with unsupported operating systems. A scan exemption implies that the system is also exempt from enforcement.

Enforcement exemption rules are intended only for managed systems. However, it is possible to create a rule that includes systems that are unmanaged or unmanageable. If this occurs, these systems might be difficult to identify. It is also important to consider the implications of enforcement exemptions if you are using McAfee NAC in combination with McAfee Network Security Platform or Microsoft Network Access Protection. See the appropriate deployment option chapter.

McAfee recommends that you create enforcement exemption rules only after you:

• Allow systems to be detected and known to the NAC manager.

• Test your system health policies in Audit Only mode.

Exemption rules can be imported and exported as XML files. When importing exemption rules, you have the option of overwriting any existing exemption rules in the process. If you overwrite, all the existing rules are deleted and replaced with the rules you import.

Exemption rule structure

An exemption rule consists of:

• Identifying information (a name and description of the rule).

• An exemption type (scan or enforcement).

• System selection criteria, written as a set of logic rules.

The naming convention for an exemption rule is:

• A combination of alphanumeric characters, whitespace, underscores, and hyphens.

• A minimum of one character and a maximum of 64 characters.

• Must begin with a letter or number.

Creating exemption rules

Use this task to create or edit an exemption rule.

Task

For option definitions, click ? in the interface.

1 Go to Systems | Network Access Control, and select Exemption Rules from the left column.

2 Click New, or to edit an existing rule, click Edit in the Actions column. The Exemption Rules Builder opens to the Description page.

3 Type a name and description.

4 For Type, specify whether the rule is a scan exemption (the system is never scanned) or an enforcement exemption (the system is scanned and the results reported, but no enforcement occurs if it is not compliant). Click Next.

5 On the Select Systems page, select properties from the left column as criteria for selecting the systems to which the rule applies. You must use at least one, but you can specify as many criteria as needed. Click Next.

6 Review the rule definition on the Summary page. To make changes, click Back. To save and return to the Exemption Rules page, click Save.


Exporting exemption rules

Use this task to export (save to disk) all your McAfee NAC exemption rules in an XML file. The default filename is NAC_Exemption_Rules.xml.

Task

For option definitions, click ? in the interface.

1 Go to the Systems | Network Access Control tab, and select Exemption Rules from the left column.

2 Click Export Rules.

3 At the Download File page, right-click the link and select Save Target As from the menu.

4 In the Save As dialog box, navigate to the location where you want to save the file, rename the file if desired, and click Save.

5 Click Close.

Importing exemption rules

Use this task to load McAfee NAC exemption rules that were previously saved to disk.

Task

For option definitions, click ? in the interface.

1 Go to the Systems | Network Access Control tab, and select Exemption Rules from the left column.

2 Click Import Rules.

3 In the Import Exemption Rules dialog box, click Browse and navigate to the XML file containing exemption rules. Select the file, then click Open.

4 To overwrite the exemption rules stored by the NAC manager, select Overwrite existing exemption rules. To add more rules to the existing set, do not select the Overwrite option.

5 Click OK to load the file.

Use of an imported exemption list

An exemption list allows you to specify systems by MAC address in a text file, then import the file to create scan exemptions for those systems or devices. With an exemption list, you can make any of the system classifications exempt from scans (managed, unmanaged, unmanageable, and unenforceable). All systems you import have their System Status set to Scan exemption by administrator. For information about administrator interaction with these systems, see Manual control of exemptions.

This feature provides a quick way to create scan exemptions for devices, such as printers and FAX machines, that cannot host the McAfee Agent or NAC client. Such a device would be unmanageable, and if you are only using McAfee NAC, also would be unenforceable. If you use this method and a device is unmanageable, manually removing or changing the exemption on one of these systems might not produce the desired result.

The imported list must be an ANSI encoded text file containing a comma-separated list of MAC addresses. The MAC addresses must be:


• Listed on one line (no carriage returns or line feeds allowed).

• Separated by a comma or a comma then a space.

• Entered using any of these formats:

• No separator (001122334455).

• Hyphen separator (00-11-22-33-44-55).

• Colon separator (00:11:22:33:44:55).

If your text file contains more than one line, only the MAC addresses listed before the first carriage return and/or line feed are imported.

Creating an exempt systems list

Use this task to create a text file containing a list of systems you want to exempt from scanning.

Task

For option definitions, click ? in the interface.

1 Open a text editor and create a new file.

2 Type the MAC address of a system. You can use no separator (001122334455), a hyphen separator (00-11-22-33-44-55), or a colon separator (00:11:22:33:44:55).

3 Type additional MAC addresses, separating each with a comma. For example: 001122334455, 002244668899, 113355774488

4 Save the file, making sure the extension is .txt and the encoding is ANSI.

5 Go to Importing an exempt systems list in this guide and follow the instructions.
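The file format rules above (ANSI text, a single line, comma or comma-then-space separators, three accepted MAC formats, everything after the first line ignored) checked in code before the import step: an added Python example, not McAfee's code. The sample file bytes are constructed, and the check treats any non-ASCII byte as a wrong encoding because a valid list never contains one.

```python
"""Added example: validate an exempt systems list before importing it."""
import re

# The three MAC address formats the guide accepts.
MAC_FORMATS = (
    re.compile(r"[0-9A-Fa-f]{12}"),                      # 001122334455
    re.compile(r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"),  # 00-11-22-33-44-55
    re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"),  # 00:11:22:33:44:55
)
# Byte order marks that show the file was not saved as ANSI text.
BOMS = {b"\xef\xbb\xbf": "UTF-8 with BOM", b"\xff\xfe": "UTF-16 LE", b"\xfe\xff": "UTF-16 BE"}


def normalize_mac(token: str):
    """Return the address in upper-case colon form, or None if it is not in
    one of the accepted formats (wrong digit count, bad separator, non-hex)."""
    for pattern in MAC_FORMATS:
        if pattern.fullmatch(token):
            digits = token.replace("-", "").replace(":", "").upper()
            return ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return None


def validate_exempt_list(data: bytes) -> dict:
    """Check raw file bytes against the guide's rules and return the MAC
    addresses the import would accept, plus any errors and warnings."""
    result = {"macs": [], "errors": [], "warnings": []}
    for bom, name in BOMS.items():
        if data.startswith(bom):
            result["errors"].append(f"file is {name}, not ANSI; the first address would not import")
            return result
    # A valid list holds only hex digits, separators and spaces, all ASCII,
    # so any other byte means a wrong encoding or stray characters.
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        result["errors"].append(f"non-ASCII byte at offset {exc.start}; save the file as ANSI")
        return result
    lines = re.split(r"\r\n|\r|\n", text)
    ignored = [line for line in lines[1:] if line.strip()]
    if ignored:
        # Only the addresses before the first carriage return / line feed import.
        result["warnings"].append(f"{len(ignored)} non-empty line(s) after the first line are ignored")
    seen = set()
    for pos, raw in enumerate(lines[0].split(","), 1):
        # The guide allows "comma then a space": drop that one space only.
        token = raw[1:] if pos > 1 and raw.startswith(" ") else raw
        if not token or token != token.strip():
            result["errors"].append(f"entry {pos} ({raw!r}) is empty or has stray whitespace")
            continue
        mac = normalize_mac(token)
        if mac is None:
            result["errors"].append(f"entry {pos} ({raw!r}) is not in an accepted MAC format")
            continue
        if mac in seen:
            result["warnings"].append(f"entry {pos} repeats {mac}")
            continue
        seen.add(mac)
        result["macs"].append(mac)
    return result


def write_exempt_list(macs) -> bytes:
    """Produce file content in the required shape: one line, comma-then-space
    separators, ASCII bytes, no line terminator."""
    normalized = [normalize_mac(m) for m in macs]
    if None in normalized:
        raise ValueError("every entry must be a MAC address in an accepted format")
    return ", ".join(normalized).encode("ascii")


# Constructed sample: the three formats mixed, one duplicate, and a second
# line that the import would silently ignore.
SAMPLE = (b"001122334455, 00-11-22-33-44-55, 00:AA:BB:CC:DD:EE,11-22-33-44-55-66\r\n"
          b"AA:BB:CC:DD:EE:FF\r\n")

if __name__ == "__main__":
    report = validate_exempt_list(SAMPLE)
    print("accepted:", report["macs"])
    print("errors:  ", report["errors"])
    print("warnings:", report["warnings"])
```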

Importing an exempt systems list

Use this task to import a text file containing a comma-separated list of MAC addresses to systems on your network. A scan exemption is created for each system. This import list is only for scan exemptions.

Task

For option definitions, click ? in the interface.

1 Go to the Systems | Network Access Control tab, and select Exemption Rules from the left column.

2 Click Import Exempt Systems.

3 In the Import Exempt Systems dialog box, click Browse and navigate to the text file containing the list of system MAC addresses. Select the file, then click Open.

4 Click OK to load the file.
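Because the importer silently drops everything after the first line break and accepts only the three MAC formats listed above, it is worth checking the file before clicking Import Exempt Systems. The following is an added example, not part of the guide or the product: a Python pre-import check that applies the documented rules (single line, comma or comma-then-space separators, three accepted formats, ANSI encoding) to the raw bytes of the file. The names lint_exempt_list, LintResult and canonical_mac, the canonical colon form used for duplicate detection, and the sample file contents are constructed for this example; the BOM check assumes the common case of a text editor saving as UTF-8 instead of ANSI.

```python
"""Pre-import lint for a McAfee NAC exempt-systems text file (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The three accepted formats from the guide: twelve hex digits with
# no separator, a hyphen separator, or a colon separator.
_MAC_FORMATS = (
    re.compile(r"^[0-9A-Fa-f]{12}$"),
    re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$"),
    re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$"),
)


@dataclass
class LintResult:
    imported: List[str] = field(default_factory=list)    # canonical aa:bb:cc:dd:ee:ff
    invalid: List[str] = field(default_factory=list)     # tokens matching none of the formats
    duplicates: List[str] = field(default_factory=list)  # same MAC listed again, in any format
    dropped_lines: int = 0      # non-empty lines after the first; the importer ignores them
    encoding_ok: bool = True    # False if a BOM or non-ASCII bytes are present

    @property
    def clean(self) -> bool:
        """True when the file would import exactly as written."""
        return self.encoding_ok and not (self.invalid or self.duplicates or self.dropped_lines)


def canonical_mac(token: str) -> Optional[str]:
    """Return aa:bb:cc:dd:ee:ff if token is in one of the three accepted formats, else None."""
    if not any(fmt.match(token) for fmt in _MAC_FORMATS):
        return None
    digits = token.replace("-", "").replace(":", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def lint_exempt_list(data: bytes) -> LintResult:
    """Check the raw bytes of an exempt-systems .txt file against the guide's rules."""
    result = LintResult()
    # An "ANSI" file has no byte-order mark. A UTF-8 or UTF-16 BOM (as written by
    # some editors) would be glued onto the first MAC address and make it invalid.
    if data.startswith((b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")):
        result.encoding_ok = False
    try:
        text = data.decode("ascii")  # valid MAC lists are pure ASCII
    except UnicodeDecodeError:
        result.encoding_ok = False
        text = data.decode("latin-1")
    # Only the content before the first CR or LF is imported.
    first, *rest = re.split(r"\r\n|\r|\n", text)
    result.dropped_lines = sum(1 for line in rest if line.strip())
    seen = set()
    for token in first.split(","):
        token = token.strip(" ")  # "comma" or "comma then a space" are both allowed
        if not token:
            # The guide does not say how an empty field (e.g. a trailing comma) is
            # handled, so report it rather than guess.
            result.invalid.append("<empty field>")
            continue
        mac = canonical_mac(token)
        if mac is None:
            result.invalid.append(token)
        elif mac in seen:
            result.duplicates.append(mac)
        else:
            seen.add(mac)
            result.imported.append(mac)
    return result


# Constructed sample file: mixed formats, one MAC repeated in a different format,
# one malformed entry, and a second line that the importer would silently drop.
SAMPLE = (
    b"001122334455, 00-22-44-66-88-99,11:33:55:77:44:88, 00:11:22:33:44:55, "
    b"00-11-22-33-44-5G\r\n"
    b"AABBCCDDEEFF\r\n"
)

if __name__ == "__main__":
    report = lint_exempt_list(SAMPLE)
    print("would import:", report.imported)
    print("invalid:", report.invalid, "duplicates:", report.duplicates)
    print("dropped lines:", report.dropped_lines, "encoding ok:", report.encoding_ok)
    print("safe to import as-is:", report.clean)
```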

How manual exemptions work

McAfee NAC has two commands that administrators can use to change the exemption status of systems manually.


Command: Set NAC exempt
Description: Sets the exemption status of selected systems. You can specify a scan exemption or enforcement exemption. This action changes the value of these fields: Exemption Status, Network Access Status, Network Access Zone, and System Status.

Command: Remove NAC exempt
Description: Removes the exemption designation from the selected systems. This command is ignored for systems that are exempt by rule.

These commands are available when viewing information about one or more systems on summary and system detail pages. Typically, you access these pages through McAfee NAC dashboard monitors or by running queries. The command options and results are listed in the Action pane. Verify that the requested action was successful by checking the messages in the Action pane and the data values on the summary or system detail pages, specifically the System Status and Exemption Status fields.

If you change a system's status from exempt to non-exempt, McAfee recommends that you run a scan of the system as soon as possible. You can do this by using Request scan (also available on most summary and system detail pages).


Remediation of Unhealthy Systems

Remediation is the process of updating a system to make it compliant with your system health policies. A system is assigned a health level depending on whether it passes all applicable system health policies. If a system fails any policy rules, it is assigned the health level associated with the failed rule. The network access policy assigned to the system determines which network access zone the system is restricted to, based on which health level was assigned, until it is brought back into compliance.

Once a user has taken the appropriate steps to remediate a noncompliant system, a rescan can be requested. This can be done through the McAfee system tray. If the rescan assesses the system as compliant, the system is moved back to the network access zone that is appropriate for healthy systems.

Contents

Types of remediation

Automatic remediation

Manual remediation

Types of remediation

McAfee Network Access Control 3.2 provides automatic remediation, and a guest portal that you can use for manual remediation, if desired.

Automatic remediation is part of your policy configurations, and allows you to specify commands, batch files, or scripts that run automatically after a system is scanned and one or more benchmark rules have failed.

Manual remediation means that you provide information to users about how to fix their systems, either by setting up your own remediation web page or by modifying the guest portal. The guest portal is designed to provide a location where users of unmanaged systems can download the NAC guest client. McAfee does not support it as a remediation portal. See Manual remediation.

Automatic remediation

For managed systems, you can set automatic remediation options as part of the definition of your benchmark rules. When a managed system fails a rule, McAfee NAC attempts to remediate the system automatically.

To use automatic remediation, you must:

• Enable automatic remediation and specify the credentials to use in your NAC client policies.

• Enable automatic remediation for each benchmark that contains remediation commands, scripts, or batch files you want to run.


• Specify your command, script, or batch file information for each benchmark rule in the NAC Remediation Command and NAC Remediation Command Parameters fields. Note that a rule can run only a single command, script, or batch file.

Because remediation commands are specified at the benchmark rule level, you can tailor the remediation action to each rule. Also, enabling the automatic remediation option at the benchmark level does not mean you must specify remediation commands for any particular benchmark rule. You can have commands for some rules and not others.

A remediation command is specified on the Properties page of the Benchmark Editor's Rule Builder. Only one remediation command is allowed. If you need to run more than one executable as a remediation response, you can specify a script or a batch file. Type a remediation command as if you were typing it at a Windows command prompt. A separate field is used to specify command parameters, also typed as if on a command line.

For example, to run a batch file, you specify the Windows Command executable (cmd.exe) in the NAC Remediation Command field, and the full path to the batch file in the NAC Remediation Command Parameters field. The path used for the location of the batch file might be dependent on the credentials specified for the Automatic remediation option in the NAC client policy.

Field Name on Properties page of the Rule Builder: NAC Remediation Command
What to type: %windir%\system32\cmd.exe or %comspec%

Field Name on Properties page of the Rule Builder: NAC Remediation Command Parameters
What to type: <full_pathname>\<name>.bat

If you use these automatic remediation options, you can include information in the noncompliance message of the system health policy. This way, you can inform users about the actions that have been taken, and whether they should attempt a rescan immediately or take further manual remediation steps.

Automatic McAfee Agent update task

One option for automatic remediation is to run a McAfee Agent update task. You do this by specifying $MAUPDATENOW in the NAC Remediation Command field for a benchmark rule. This task updates all products for the McAfee Agent, not just McAfee NAC.

Running the agent update task is useful when your benchmark rules have checks that require regular content updates for McAfee point-products, such as the detection definition (DAT) files for VirusScan Enterprise.

Common remediation commands

This section provides examples of some common remediation commands. These are entered on a per rule basis in your benchmarks. You must enable automatic remediation for the benchmark, and you must enable the Auto-remediation option in your NAC client policies.

Purpose: To run a McAfee Agent Update Now command for DAT updates and other product content updates
NAC remediation command: $MAUPDATENOW
NAC remediation command parameters: <leave blank>

Purpose: To execute a file from a remote share
NAC remediation command: %ComSpec%
NAC remediation command parameters: /C "<server>\<share>\<file>"
For example: /C "\\172.16.1.50\sharedfolder\bginfo.exe"

Purpose: To copy a file from a remote share
NAC remediation command: %ComSpec%
NAC remediation command parameters: /C copy "<server>\<share>\<file>" "<Localfolder>"
For example: /C copy "\\172.16.1.50\sharedfolder\bginfo.exe" "C:\utils\"

Purpose: For group policy type commands, such as enabling the Vista firewall
NAC remediation command: %ComSpec%
NAC remediation command parameters: /C GPUpdate.exe /force

Purpose: To set a value, such as disabling the Administrator account
NAC remediation command: %ComSpec%
NAC remediation command parameters: /C net user Administrator /active:no

Purpose: To add a registry value, such as "Restrict Anonymous to named pipes and shares"
NAC remediation command: %ComSpec%
NAC remediation command parameters: /C Reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v restrictnullsessaccess /t REG_DWORD /d 1 /f

Purpose: To launch a browser to a specific page, such as Windows update
NAC remediation command: %ComSpec%
NAC remediation command parameters: /C "C:\Program Files\Internet Explorer\iexplore.exe" http://update.microsoft.com

Manual remediation

For manual remediation, you can establish a remediation portal and provide one or more pages containing information for users who need to remedy problems with their systems.

Typically, your managed systems can be remediated using automatic remediation. However, your circumstances might dictate use of manual remediation for managed systems. Any unmanaged systems on your network must be remediated manually. An important aspect of manual remediation is making sure you inform users of the remediation portal's location. Both managed system health policies and the unmanaged system policy have a Noncompliance message option that is displayed through the system tray icon on client systems. This message is the preferred and most reliable method of providing users with your remediation portal's location.

A remediation portal should always provide users with the following information:

• A description of the corporate network security policy.

• Remediation instructions that specify how the user's system is noncompliant, and the steps necessary to correct the problem.

• A list of what must be installed for the system to be compliant (for example, resources, patches, and applications).

• Instructions for rescanning the noncompliant system once the user has corrected the problems.

• A link to the guest client installer (for unmanaged systems).

McAfee recommends providing information or training to users about the remediation process prior to switching your system health policies to full enforcement mode.

After a user has performed the necessary remediation steps, they should start a scan to determine whether their system is now healthy. Users can start a scan using the McAfee system tray.

McAfee NAC includes a guest portal that you can install. However, the guest portal, as designed, is intended only for downloading the guest client to unmanaged systems. You can include manual remediation instructions, but you might find it is easier to use your existing internal web server.

If you decide to use the McAfee guest portal for manual remediation, you must:

• Install the guest portal.

• Customize the portal file, and optionally add additional pages as needed for remediation instructions and links to remediation resources.

For information about installing and uninstalling the guest portal, see Installation and System Requirements.

Elements needed for manual remediation

To allow users to fix their systems through use of a remediation portal, you need to set up and make available the elements listed in this table.

Remediation element: Remediation portal
Description: A web server that hosts one or more pages, which provide users with the resources they need to fix an unhealthy system.

Remediation element: Remediation web pages
Description: One or more web pages that provide users with information about your corporate security policies, the steps they must take to correct the situation, and links to resources they must install to correct problems.

Remediation element: Noncompliance message in system health policies (optional, but recommended)
Description: A message that displays on a user's system after a scan determines that a rule has failed. A specific message can be written for every system health policy.

Remediation element: Access to the NAC guest client (for unmanaged systems)
Description: One of the pages on your remediation portal should provide a link for downloading the guest client. This is only important for unmanaged systems. Managed systems use their installed NAC client for scanning.

Remediation resources users must access

Your network access zones must provide access to the remediation resources needed by noncompliant systems. In the resource list of each zone, be sure to include:

• Your default IP gateway.

• The web server hosting your remediation portal pages.

• All file servers and other systems that have links from your portal.

To avoid issues with the availability of remediation resources, McAfee recommends locating the remediation portal on the ePO server. Access to the ePO server is always available from any network access zone.


Dashboards, Monitors, and Queries

To monitor network access and security, you use the ePolicy Orchestrator dashboard, monitor, and query features. Dashboards consist of monitors, and monitors are based on queries. Dashboards have many options for the display layout. Most default dashboards contain six monitors. For details about these features, see the ePolicy Orchestrator 4.x documentation.

McAfee Network Access Control 3.2 provides:

• A default NAC Summary dashboard.

• Predefined queries you can use as monitors for system health, enforcement, benchmark assessment, exemptions, and more.

Administrators can modify the NAC Summary dashboard to suit their needs, or create additional custom dashboards. Similarly, custom queries can be created to form monitors for displaying other information stored by the NAC manager (see Useful queries for NAC monitors).

Monitors are updated based on the refresh interval setting or manually using the refresh button.

Contents

NAC dashboards and monitors

Queries for network access monitoring

Creating NAC monitors

Running McAfee NAC queries

NAC dashboards and monitors

Administrators use dashboards to monitor network access control information. Dashboards contain informational monitors that show the state or status of systems, and other data stored by the NAC manager.

The predefined NAC Summary dashboard contains six monitors, explained in the following table.

Table 19: Monitors in the NAC Summary dashboard

Monitor name: NAC: System Health Status
Description: Presents a pie chart that shows the current health status of every detected system on your network. Systems are identified by their Host ID value. The System Health Status represents the overall assessed health level of the system from benchmarks that are set to either Enforce or Audit Only mode. It reports the system health level of each system on your network, and the number of systems in each health level.

Monitor name: NAC: Network Access Status
Description: Presents a pie chart that shows the current network access status of every detected system on your network. Systems are identified by their Host ID value. The Network Access Status represents the current state of access restrictions applied to all systems on your network. The values are either a network access zone name, or one of the following: None, Exempt, Disconnected, Full Access, NAP Full Access, NAP Limited Access, NAP-Not capable.

Monitor name: NAC: Exemption Status
Description: Presents a pie chart that shows the current exemption status of every detected system on your network. It reports the type of exemption (scan or enforcement) and how many systems are marked with each exemption type.

Monitor name: NAC: Client Enforcement Method
Description: Presents a pie chart that shows the enforcement method used for every detected system on your network. It reports the enforcement types being used (host-based, network-based, or NAP-based), and the number of systems using each enforcement type.

Monitor name: NAC: Top 5 Failed Benchmarks
Description: Presents a summary table that shows benchmark IDs. It reports the five benchmarks in Enforce mode that have failed most often, and the number of systems that have failed each benchmark.

Monitor name: NAC: Client Version Summary
Description: Presents a summary table that shows the version number of all the NAC clients that have been deployed to systems, and the number of systems with each version of the client.

For details about the queries used by these monitors, see Queries for network access monitoring.

Queries for network access monitoring

Queries allow you to construct a report from information stored by the NAC manager, such as system health status and network access status. Because McAfee NAC combines its database tables with the ePO database tables, the data you can query consists of the combined ePolicy Orchestrator, Rogue System Detection, and McAfee NAC data. Typically, the data specific to McAfee NAC and Rogue System Detection is of the most interest to administrators.

Queries are accessed by going to the Reporting tab and opening the Queries pane. All predefined McAfee NAC queries begin with "NAC:", followed by a descriptive name.

Queries can be run on their own, or used as dashboard monitors. You can use the default queries supplied with the product, and create your own.

Default NAC queries

McAfee NAC supplies several default queries you can use as monitors.

Query name: Client Enforcement Method
Result type: NAC Detected System Status
Chart label: Enforcement Method
Chart values: Host ID
Description: Displays a pie chart that shows the different enforcement methods (host-based, network-based, or NAP-based) currently being used for all detected managed systems, and the number of systems using each method.
Filter: Detected System field "Ignored" is false.

Query name: Exemption Status
Result type: NAC Detected System Status
Chart label: Exemption Status
Chart values: Host ID
Description: Displays a pie chart that shows the systems that currently have exemptions, and which exemption type. Only shows systems that have been detected.
Filter: Detected System field "Ignored" is false.

Query name: NAC client version summary
Result type: NAC Detected System Status
Chart label: Client version
Chart values: Host ID
Description: Displays a table that shows the version number of the NAC client installed on all detected managed systems. Reports the version numbers of the NAC clients that have been deployed to systems, and the number of systems with each version number.
Filter: Detected System field "Ignored" is false.

Query name: Network Access Status
Result type: NAC Detected System Status
Chart label: Network Access Status
Chart values: Host ID
Description: Displays a pie chart that shows the access status of all detected managed systems. The values are either a network access zone name, or one of the following: None, Exempt, Disconnected, Full Access, NAP Full Access, NAP Limited Access, NAP-Not capable.
Filter: Detected System field "Ignored" is false.

Query name: System Health Status
Result type: NAC Detected System Status
Chart label: System Health Status
Chart values: Host ID
Description: Displays a pie chart that shows the system health of all detected managed systems and the number of systems in each health level.
Filter: Detected System field "Ignored" is false.

Query name: Top 5 Failed Benchmarks
Result type: NAC Current Benchmark Results
Chart label: Benchmark ID
Chart values: Host ID
Description: Displays a table that shows the IDs of the five benchmarks that had a rule failure most often. This includes benchmarks that are set to either Enforce or Audit mode. The query applies to all known systems. Reports the five benchmarks in Enforce mode that have failed most often, and the number of systems that have failed each benchmark.
Filter: Current Benchmark Results field "Benchmark Error Code" equals 0; AND Current Benchmark Results field "Health Level" not equal to Healthy; AND Detected System field "Ignored" is false.

Query name: Top 5 Failed Benchmarks in Audit Mode
Result type: NAC Current Benchmark Results
Chart label: Benchmark ID
Chart values: Host ID
Description: Displays a table that shows the IDs of the five benchmarks that had a rule failure most often. This query reports only the benchmarks that are set to Audit mode, and the number of systems that have failed each benchmark.
Filter: Current Benchmark Results field "Benchmark Error Code" equals 0; AND Current Benchmark Results field "Health Level" not equal to Healthy; AND Current Benchmark Results field "Enforcement Mode" equals false; AND Detected System field "Ignored" is false.

Dashboards, Monitors, and QueriesQueries for network access monitoring

McAfee Network Access Control 3.2 Product and Installation Guide for use with ePolicy Orchestrator 4.076

Page 77: Network Access Control 3.2 Product and Installation Guide ...€¦ · • Enforcer:NACclientand McAfeeNetworkSecurity Sensor system support) • McAfeeNetwork Access Control3.2 McAfeeNACisusedfordetection,

Constructing your own queries

McAfee NAC exposes nine database tables you can use for constructing your own custom queries. Each table represents what is called a Result Type in the ePolicy Orchestrator Query Builder.

Most of the data you can access through queries fall into two categories: current and historical.

Result Type: NAC Detected System Status
Description: A collection of data that describes a single system that has been detected, and its current status. The detected status includes identifying information about the system and status details about its health, enforcement, network access, exemptions, applied health policies; that is, its status as a known system to McAfee NAC.

Result Type: NAC Current Enforcement (the most recent enforcement status event applied to a system)
Description: A collection of data that describes the current (most recent) enforcement status of a system. Enforcement status indicates whether a system is being enforced, which enforcement method (enforcer) is being used, and whether enforcement was triggered manually (by an administrator). Other information related to enforcement status are the system's health level and the network access zone to which the system is restricted.

Result Type: NAC Historical Enforcement (all enforcement status events for a system)
Description: A collection of data that describes any change in the enforcement status of a system. This includes events such as changes to a system's health level, network access zone, and enforcement method or status (is it being enforced).

Result Type: NAC Current Scan Results
Description: A collection of data that describes the most recent scan (assessment) results for a system. Assessment results include information such as the scan status, the assessed health level, which system health policies were assessed and which ones failed, and which benchmarks failed. It also includes information about the scan, such as when it occurred and when the next scan will occur.

Result Type: NAC Historical Scan Results
Description: A collection of data that describes all assessment results for a system, from an established start point up to and including the most recent scan. The original start point for this result type is the date and time of product installation. Purging scan results or deleting scan result entries sets a new start point for the scan history.

Result Type: NAC Current Benchmark Results
Description: A collection of data that describes the most recent assessment results for each benchmark used to assess any system. Benchmark results include information such as the benchmark ID and profile, which rules failed, the benchmark's enforcement mode, and the health level resulting from assessing the benchmark. It also includes information about the system that was assessed.

Result Type: NAC Historical Benchmark Results
Description: A collection of data that describes all benchmark assessment results for all systems, from an established start point up to and including the most recent scan. The original start point for this result type is the date and time of product installation. Purging scan results or deleting scan result entries sets a new start point for the benchmark history.

Result Type: NAC Current Rule Results
Description: A collection of data that describes the most recent assessment results for each benchmark rule used to assess any system. Rule results include information such as the rule title, the result of assessing the rule, the health level assigned when the rule fails, and the message explaining why the rule failed. Rule results are collected only when the NAC client policy is configured to gather rule information.

Result Type: NAC Historical Rule Results
Description: A collection of data that describes all benchmark rule assessment results for all systems, from an established start point up to and including the most recent scan. The original start point for this result type is the date and time of product installation. Purging scan results or deleting scan result entries sets a new start point for the rule history. Rule results are collected only when the NAC client policy is configured to gather rule information.


Creating NAC monitors

Use this task to create a monitor that provides network access information.

Task

For option definitions, click ? in the interface.

1 Go to the Dashboards page.

2 Select Options | New Dashboard.

3 In the Name field, type a descriptive name.

4 From the drop-down list, select a dashboard size.

5 Choose a dashboard panel and click New Monitor.

6 For Category, select Queries.

7 For the Monitor option, select a NAC query from the drop-down list. All McAfee NAC queries begin with "NAC:". Click OK.

8 To add additional monitors, repeat steps 5-7, then click Save.

9 Click Yes when prompted to Make Active. You can only add active dashboards to the Dashboards page.

10 On the Manage Dashboards page, click Close.

Running McAfee NAC queries

Use this task to run an existing query. McAfee Network Access Control 3.2 includes several predefined queries. You also can construct your own queries using the Query Builder.

Task

For option definitions, click ? in the interface.

1 Go to Reporting | Queries.

2 From the Queries column, select the query to run. All McAfee NAC queries begin with "NAC:" followed by the query name.

3 Click Run.

4 The query results page shows you the details. Click Close when finished viewing the query results.


Network Access Administration and Monitoring

Using McAfee NAC can be viewed as two distinct sets of tasks. First there is setup and configuration, where you deploy NAC clients, define how to assess systems, create and assign policies, and optionally, configure McAfee NAC to work with other supported products. Then there are the infrequent configuration tasks, and the day-to-day tasks of monitoring your network security, system maintenance, and responding to access control events or unusual occurrences.

This section provides information about the infrequent configuration tasks and the day-to-day tasks a NAC administrator performs.

Contents

NAC manager configuration

Deployment and configuration tasks

Useful queries for NAC monitors

Health compliance auditing

System health assessment of managed systems

Health level overrides

Events and responses

Manual control of exemptions

Unmanageable devices and what to do with them

Post admission control for malicious systems

Assessment and enforcement histories

NAC manager configuration

The NAC manager's configuration settings have default values that work well in most circumstances where McAfee NAC is used by itself for network access security. Of the available configuration settings, three apply only when you combine McAfee NAC with another product, such as McAfee Network Security Platform or Microsoft Network Access Protection. These are:

• Network Security Manager location

• Client identification request setup

• Trusted communication setup

These configuration settings are discussed in the Combining McAfee NAC with McAfee Network Security Platform and Combining McAfee NAC with Microsoft Network Access Protection chapters.

The other two configuration settings apply to general NAC manager operations. The health grace period setting allows you to specify how long a system's assessed health level stays valid if the next scheduled scan does not occur. This option defaults to the maximum value of two hours.


The default rule health level specifies the health level to assign a system if it fails a benchmarkrule that does not have a value for its NAC Health Level property. The default setting is Critical.

Deployment and configuration tasks

Use these tasks to deploy the client, configure NAC manager settings, and edit permission sets. These tasks are usually performed infrequently, or only as necessary.

Tasks

Deploying the NAC client

Editing McAfee NAC server settings

Editing McAfee NAC permission sets

Deploying the NAC client

Use this task to deploy the NAC client to managed systems. The NAC client is required for a system to be classified as "managed" by McAfee NAC.

Task

For option definitions, click ? in the interface.

1 Go to Systems | System Tree, then click Client Tasks on the menu bar.

2 Highlight the root node of the System Tree.

3 Click New Task.

4 Type a name for the task and any descriptive text you want.

5 For the Type, select Product Deployment (McAfee Agent) from the drop-down list, then click Next.

6 On the Configuration page:

a For Target platforms, select the operating system options you want (Windows, Mac, Linux) for deploying the client.

b For Products and components, select McAfee NAC Client 3.2.0 for the appropriate operating systems from the drop-down list. Make sure the Action is set to Install, and select the language.

c As needed, you can set the Run at every policy enforcement option. This ensures that the NAC client is always going to be on your managed systems, preventing users from circumventing network security policy by removing it.

d Click Next.

7 On the Schedule page:

a For Schedule status, select Enabled. You can later disable the task if you are not yet ready.

b For Schedule type, select when you want the task to run. The remaining configuration options depend on your selection.

c Set Options choices. If you need help, click ?.


d If available for your selected Schedule type, set a start date and an end date for the task. If you set the Run at every policy enforcement option on the Configuration page, it is recommended you use the No end date option.

e If available, specify whether to use the local system time or Coordinated Universal Time (UTC) for running the task.

f If available, select a Schedule option from the drop-down list for how to run the task, and the desired time value or values. You can run the task once at a specific time, repeatedly between two times, or repeatedly starting at a specific time.

g If available, set Daily to how often (in number of days) you want the task to run.

h Click Next.

8 Click Next to view the task summary, then click Save.

Editing McAfee NAC server settings

Use this task to change the values of McAfee NAC server configuration options. Typically, these settings would change infrequently. Several options are used only when you are combining McAfee NAC with another product, such as McAfee Network Security Platform.

Task

For option definitions, click ? in the interface.

1 Go to Configuration | Server Settings, and in the Setting Categories column, select Network Access Control.

2 Click Edit.

3 On the Edit page, enter values for the options you want to change.

4 Click Save.

Editing McAfee NAC permission sets

Use this task to set product permissions for any defined permission set. Any administrator account you want used for McAfee NAC must have View and change settings permission for these products, so set appropriate options for each permission set you use:

• Network Access Control

• Network Access Control Client

• Benchmark Editor

• Rogue System Detection

You might also want to grant reviewers permission to view these settings.

Depending on your security administration structure for ePolicy Orchestrator and McAfee NAC, and the number of different permission sets you use, consider also setting permissions for the different types of McAfee NAC users (administrators and reviewers) for these ePolicy Orchestrator features:

• Audit log

• Automatic Responses

• Dashboards

• Event log

• McAfee Agent


• Queries

• Server tasks

• Systems

• System Tree access

Task

For option definitions, click ? in the interface.

1 Go to Configuration | Permission Sets, and in the Permission Sets column, select the permission set you want to edit (for example, Group Admin).

2 In the right column, scroll to the product or feature (for example, Network Access Control), and click Edit.

3 On the Edit page, select the type of permissions to grant for the selected product or feature.

4 Click Save.

Useful queries for NAC monitors

McAfee NAC includes predefined queries you can use for dashboard monitors. However, the predefined queries might not cover all the information you want to monitor as an administrator. This topic discusses creating additional NAC queries you might find useful.

Use these tasks to create your own custom queries.

Tasks

Creating an Enforced Health Level query

Creating a Manual Enforcement Request query

Creating a Malicious System query

Creating a NAC Client Started query

Creating a Benchmark Enforcement Mode query

Creating an Enforced Health Level query

All systems have a System Health Status, an Assessed Health Level, and an Enforced Health Level. The predefined System Health Status monitor is useful when the majority of systems are assessed with enforced benchmarks, and you have few exemptions or systems enforced manually. However, the System Health Status monitor becomes increasingly unclear when more systems are subject to exemptions, manual enforcement requests, and audited benchmarks.

Use this task to create a monitor that shows the Enforced Health Level of systems. This query is useful because it can show which systems are enforced differently than their system health status indicates.

Task

For option definitions, click ? in the interface.

1 Go to Reporting | Queries, then click New Query.

2 On the Result Type page, select NAC: Detected System Status, then click Next.

3 On the Chart page, complete the following then click Next:


a From the Display Results As list, select Grouped Bar Chart.

b From the Group labels are drop-down menu, select Enforced Health Level.

c From the Bar labels are drop-down menu, select System Health Status.

d For Bar values, select Number of different values of, and select Host Id from the drop-down menu.

4 On the Columns page, accept the default database fields to display on a summary or details page, or modify the data, then click Next.

5 On the Filter page, you can specify criteria for filtering the query results, but this is not recommended for this query.

6 Click Run, then click Save.

7 On the Save Query page, type a descriptive name and add notes about the query, if desired.

NOTE: All predefined McAfee NAC queries begin with "NAC:" so naming your queries this way groups all NAC queries in the query selection list.

Creating a Manual Enforcement Request query

If you enforce a system manually using Modify health level, it can be difficult to identify that system from the standard predefined monitors. The only way to reset the system and have it enforced based on assessed health is to use Reset health level.

Use this task to create a monitor that provides quick access to systems that have been enforced manually.

Task

For option definitions, click ? in the interface.

1 Go to Reporting | Queries, then click New Query.

2 On the Result Type page, select NAC: Detected System Status, then click Next.

3 On the Chart page, complete the following then click Next:

a From the Display Results As list, select Pie Chart.

b From the Pie slice labels are drop-down menu, select Manual Enforcement Request.

c For Pie slice values, select Number of different values of, and select Host Id from the drop-down menu.

4 On the Columns page, accept the default database fields to display on a summary or details page, or modify the data, then click Next.

5 On the Filter page, you can filter the query results if you know there are specific systems you would never enforce manually.

6 Click Run, then click Save.

7 On the Save Query page, type a descriptive name, and add notes about the query, if desired.

NOTE: All predefined McAfee NAC queries begin with "NAC:" so naming your queries this way groups all NAC queries in the query selection list.


Creating a Malicious System query

If a system is marked as "malicious," it can be enforced differently than it would otherwise. Use this task to create a monitor that gives you a quick way to identify malicious systems.

Task

For option definitions, click ? in the interface.

1 Go to Reporting | Queries, then click New Query.

2 On the Result Type page, select NAC: Detected System Status, then click Next.

3 On the Chart page, complete the following then click Next:

a From the Display Results As list, select Pie Chart.

b From the Pie slice labels are drop-down menu, select Is Malicious.

c For Pie slice values, select Number of different values of, and select Host Id from the drop-down menu.

4 On the Columns page, accept the default database fields to display on a summary or details page, or modify the data, then click Next.

5 On the Filter page, you can specify criteria for filtering the query results, but this is not recommended for this query.

6 Click Run, then click Save.

7 On the Save Query page, type a descriptive name and add notes about the query, if desired.

NOTE: All predefined McAfee NAC queries begin with "NAC:" so naming your queries this way groups all NAC queries in the query selection list.

Creating a NAC Client Started query

An aspect of network security that is useful to monitor is whether the NAC client is running. Such a query can tell you whether a deployed client has stopped working. This query can also provide quick access to systems that are unmanageable.

Use this task to create a query that shows whether the NAC client is running.

Task

For option definitions, click ? in the interface.

1 Go to Reporting | Queries, then click New Query.

2 On the Result Type page, select NAC: Detected System Status, then click Next.

3 On the Chart page, complete the following then click Next:

a From the Display Results As list, select Pie Chart.

b From the Pie slice labels are drop-down menu, select Client Started.

c For Pie slice values, select Number of different values of, and select Host Id from the drop-down menu.

4 On the Columns page, accept the default database fields to display on a summary or details page, or modify the data, then click Next.

5 On the Filter page, you can specify criteria for filtering the query results, but this is not recommended for this query.

6 Click Run, then click Save.


7 On the Save Query page, type a descriptive name and add notes about the query, if desired.

NOTE: All predefined McAfee NAC queries begin with "NAC:" so naming your queries this way groups all NAC queries in the query selection list.

Creating a Benchmark Enforcement Mode query

To monitor whether systems are being assessed against audited benchmarks or enforced benchmarks (or if the enforcement mode is disabled), you can create a monitor based on querying the NAC Current Benchmark Results. See Dashboards, Monitors, and Queries. This type of query is useful because you can compare the enforcement mode against the health level of systems that are assessed against specific benchmarks.

Use this task to create a monitor that shows the enforcement mode setting of your benchmarks.

Task

For option definitions, click ? in the interface.

1 Go to Reporting | Queries, then click New Query.

2 On the Result Type page, select NAC: Current Benchmark Results, then click Next.

3 On the Chart page, complete the following then click Next:

a From the Display Results As list, select Grouped Bar Chart.

b From the Group labels are drop-down menu, select Enforcement Mode.

c From the Bar labels are drop-down menu, select Health Level.

d For Bar values, select Number of different values of, and select Host Id from the drop-down menu.

4 On the Columns page, accept the default database fields to display on a summary or details page, or modify the data, then click Next.

5 On the Filter page, you can specify criteria for filtering the query results, but this is not recommended for this query.

6 Click Run, then click Save.

7 On the Save Query page, type a descriptive name and add notes about the query, if desired.

NOTE: All predefined McAfee NAC queries begin with "NAC:" so naming your queries this way groups all NAC queries in the query selection list.

Health compliance auditing

Benchmarks have three enforcement modes: Enforce, Audit Only, and Disable (see Benchmark enforcement modes).

In the discussion on policies, we recommended that you test benchmarks in Audit Only mode before actively enforcing the benchmark in your production environment. If you have followed this recommendation, you might want to have a monitor that allows you to see how many systems are subject to the different enforcement modes, and what their health levels are.

McAfee NAC does not have a predefined query for this, so you will need to create your own. See Useful queries for NAC monitors.


System health assessment of managed systems

Regularly assessing a system's health is an important aspect in maintaining network security. System health assessments for managed systems can be:

• Scheduled and run automatically, using an ePolicy Orchestrator client task.

• Initiated manually for one or more systems by an ePO/NAC administrator.

• Initiated manually from the system tray icon by users of Windows systems with the NAC client installed.

The McAfee system tray is not supported on RedHat Enterprise Linux 4 systems. Users can enter the following commands at a system command line:

Type at the command line...    To...
MNacClient -rhs                Run a system health scan
MNacClient -shs                View the system health status
MNacClient -shs                View the remediation status
MNacClient -v                  View the client's About dialog box

The level of detail reported about a system assessment is controlled by the NAC client policy.

Assessment results are reported for any benchmarks with the enforcement mode set to Enforceor Audit Only. If the enforcement mode is Disable, no results are reported.

Any time a system is assessed, the NAC client uses its current policies. When results are reported to the NAC manager, it verifies whether the policies used in the assessment are up-to-date. If they are not, updated policies are sent to the NAC client, and the assessment is automatically repeated.

Scheduling managed system scans

Use this task to create a schedule for running scans on managed systems. Scheduling is not associated with any particular NAC client policy.

Task

For option definitions, click ? in the interface.

1 Go to Systems | System Tree, then click Client Tasks.

2 Click New Task.

3 Type a name for the task, and add other information about the task in the Notes option.

4 For the Type option, select Network Access Control Client Scan Task.

5 Click Next twice to go to the Schedule page of the wizard.

6 Set the scheduling options to specify when and how often to run a scan.

a For Schedule status, set Enabled or Disabled. You can enable the task later if you are not yet ready.

b For Schedule type, select when you want the task to run. The remaining configuration options depend on your selection.

c Set Options choices. If you need help, click ?.

d If available for your selected Schedule type, set a start date and, if available, an end date for the task. The No end date option is often used for scan tasks.


e If available, set whether to use the local system time or Coordinated Universal Time (UTC) for running the task.

f If available, select a Schedule option from the drop-down list for how often to run the task, and the desired time value or values. You can run the task once at a specific time, repeatedly between two times, or repeatedly starting at a specific time.

g If available, set Daily to define how often (in number of days) you want the task to run.

h Click Next.

7 Click Next to view the task summary, then click Save.

Requesting an immediate scan

Use this task to request an immediate scan (health assessment) for one or more systems from the ePolicy Orchestrator console.

Task

For option definitions, click ? in the interface.

1 Go to Dashboards | NAC Summary, or to any dashboard containing a monitor that reports McAfee NAC managed systems.

2 Click in the monitor to display a summary page or system details page. For information about using NAC monitors, see Dashboards, Monitors, and Queries.

3 If you are viewing a system details page, click Request scan. If you are viewing a summary page, you must select the systems to assess from the list before Request scan is active.

System health assessment of unmanaged systems

McAfee NAC is designed to detect, assess, and enforce managed systems on your network. McAfee NAC, by itself, cannot enforce unmanaged systems, but can detect unmanaged systems through the Rogue System Detection service. It can also assess the health of an unmanaged system using the NAC guest client, which can be installed from the Guest Portal.

The NAC guest client is not the same as the NAC client, and will not install on a system that has the NAC client. The guest client differs from the NAC client as follows:

• The guest client does not require the McAfee Agent.

• The guest client is not configured by a NAC client policy.

• The guest client is intended to be a temporary executable that is automatically removed after a specified time, which is set from the Guest Portal.

• The guest client can assess a system only with the unmanaged system policy.

• The guest client cannot use automatic remediation. Unmanaged systems must be remediated manually.

NOTE: A system with the guest client installed is not a managed system according to the McAfee NAC or ePolicy Orchestrator definitions.

The guest client's role is to evaluate system health and report the results to the NAC manager. The guest client evaluates only the unmanaged system policy, and scans the system according to the policy's scan interval. The NAC manager reports the system's health level to the Network Security Sensor. All enforcement decisions are under Network Security Manager control. McAfee NAC does not play a role in unmanaged system enforcement.

The guest client's configuration is set as shown in the table below. Most of this configuration is fixed, except where noted.

Option                     Setting
Enforcement method         None. This means that enforcement is controlled by Network Security Sensors.
Scan results               All benchmark and rule information.
Automatic remediation      Disabled.
System tray icon           Enabled.
Periodic identification    Enabled by default. This option is configurable in the unmanaged system policy.

For details about setting the health policy for unmanaged systems, see Unmanaged system policy.

Running a scan

How users run a scan manually on an unmanaged system depends on the operating system. For Windows users, scans can be run, and health status and remediation status checked, by using the McAfee system tray.

The McAfee system tray is not supported on RedHat Enterprise Linux 4 systems. Users can enter the following commands at a system command line:

Type at the command line...    To...
MNacClient -rhs                Run a system health scan
MNacClient -shs                View the system health status
MNacClient -shs                View the remediation status
MNacClient -v                  View the client's About dialog box

The guest portal and guest client

The Guest Portal provides an access point to which you can direct unmanaged systems so users can install the NAC guest client. The portal is a pre-configured web page, but you can customize it with your company's logo and statement of network security policy.

The Guest Portal is installed as an extension when you install McAfee NAC. All files and executables are located on the ePolicy Orchestrator server. To verify this, check the ePolicy Orchestrator Extensions page.

To configure the Guest Portal, you should:

• Have a written network security policy statement to display on the portal page.

• Set portal configuration options on the NAC Guest Portal server settings page.

For details, see Guest portal configuration and the associated task.

Re-directing unmanaged systems detected by a Network Security Sensor to the Guest Portal is configured using the Network Security Manager. For information, see the Network Security Manager documentation.

How users install the guest client

The guest client can be installed only through the Guest Portal. The guest client installer is part of the Guest Portal extension. If you uninstall the Guest Portal extension, the guest client installer is also removed.

When users are re-directed to the Guest Portal, they must select values for two options:

• The Network access period, which sets how many days the guest client remains installed on their system before being automatically uninstalled.

• Their computer's Operating system. The system tries to automatically detect the operating system and defaults to that value, but users can choose the correct operating system (Windows, Linux, Mac OS, or Other). If a user selects Other, it means they are running an operating system that is not supported by the guest client.

With these options set, users can install the guest client and have their systems scanned.

Behavior for no guest client installed

The Guest Portal does not force a user to install the guest client. If a user clicks Cancel on the guest portal, they receive a warning that their network access might be restricted or denied. Administrators should set the Health level for no guest client option on the NAC Guest Portal server settings page to an appropriate value for their company security policy. This option defaults to Critical.

Alternately, a user might be running an operating system on which the guest client cannot be installed (the "Other" value). If a user selects this value, they receive a warning that their network access might be restricted or denied. Administrators should set the Health level for 'Other' OS option on the NAC Guest Portal server settings page to an appropriate value for their company security policy. This option defaults to Unknown.

Guest portal configuration

Configuring the Guest Portal is done by setting option values on the NAC Guest Portal server settings page. The options you can set are:

Option and definition

Guest portal logo
    Sets the file path to the image file you want to use as the logo displayed on the Guest Portal. This is typically your company logo. Place the logo image file anywhere on the ePolicy Orchestrator server, and give the absolute path for this option. The JPG and GIF file formats are recommended, but you should be able to use any format supported by Web-standard HTML.

Guest system policy statement
    Sets the statement you want to display on the Guest Portal describing your company's network security policy for unmanaged, or guest, systems on your network. This is a text field that can contain approximately 10,000 characters.

Default guest client authorization
    Sets the default value, in days, for the Network access period option on the Guest Portal page. This setting determines how long the NAC guest client is active on a guest system before the client is automatically uninstalled. The allowed values are 0, 1, 2, 5, 15, 30, and 90. A value of zero means the NAC guest client scans the system once, then is immediately uninstalled.

Health level for no guest client
    Sets the default health level that is assigned to unmanaged systems on your network that do not have the NAC guest client installed. One way this would happen is if the user cancels out of the Guest Portal.

Health level for 'Other' OS
    Sets the default health level that is assigned to unmanaged systems on your network when the user of the system selects the value "Other" for the Operating system option on the Guest Portal page.


Configuring the guest portal

Use this task to set option values that configure the McAfee NAC guest portal. Typically, these settings would change infrequently.

Task

For option definitions, click ? in the interface.

1 Go to Configuration | Server Settings, and in the Setting Categories column, select NAC Guest Portal.

2 Click Edit.

3 On the Edit page, enter values for these options:

• Guest portal logo

• Guest system policy statement

• Default guest client authorization

• Health level for no guest client

• Health level for 'Other' OS

4 Click Save.

Health level overrides

Using the Modify health level action, you can force a managed system to be enforced at a specific health level. You can use this action at any time on any managed system except those that are exempt by rule or exempt by administrator.

Enforcing systems this way places a managed system in a permanent enforcement state that is no longer affected by the assessor. That is, if the system is subsequently assessed, the new assessment result does not influence the system's enforcement status.

Systems that have been enforced manually must be reset using the Reset health level action. This removes the Manual Enforcement Request flag, and sets the System Health Status to the current value of Enforced Health Level. The system's enforcement status changes accordingly.

Enforcing systems manually can be useful when you are evaluating benchmarks (that is, their mode is Audit Only). For example, you are auditing a new benchmark, and discover that several systems have been assessed as Critical. Though you might still be testing the benchmark, if it tests for a serious security violation, you might want to enforce any systems that are not compliant.

Modifying a system's health level

Use this task to manually override a system's assessed health level. The effect is to force the system to be enforced at the health level you specify. This action has no effect on systems with exemptions.

Task

For option definitions, click ? in the interface.

1 Go to Dashboards | NAC Summary, or any other active dashboard with McAfee NAC monitors.

2 From a NAC monitor, click an entry to open a summary page or the NAC Detected System Status Details page. If a summary page opens, select the checkbox for one or more listed systems.

3 Click Modify health level.

4 In the Actions Taken pane, select a health level from the drop-down list for Set enforced health level.

5 Click OK. A message in the Actions Taken pane informs you whether the action was successful.

6 On the NAC Detected System Status Details page for the system, verify that the Enforced Health Level field has changed, and that the Network Access Status and Network Access Zone fields indicate that the system is enforced correctly, according to the system's network access policy.

Resetting a system's health level

Use this task to remove a manual enforcement override, which was set by an administrator using Modify health level. This action sets the enforced health level of a system to the most recently assessed health level.

Before you begin

Systems that have manual enforcement overrides can be difficult to locate using only the supplied NAC queries as monitors. To track manual enforcement overrides more easily, create a query that reports the Enforced Health Level or Manual Enforcement Request fields. See Creating an Enforced Health Level query or Creating a Manual Enforcement Request query.

Task

For option definitions, click ? in the interface.

1 Go to Dashboards | NAC Summary, or any other active dashboard with McAfee NAC monitors.

2 From a NAC monitor, click an entry to open a summary page or the NAC Detected System Status Details page.

3 Locate and select a system or systems that have an enforcement override you want to remove.

4 Click Reset health level.

5 Check the Action Taken pane to verify that the action completed successfully.

Events and responses

Event reporting is a core feature of ePolicy Orchestrator. However, McAfee NAC does not use the ePO common event format because it is a network-based assessment and control product rather than a point-product that is deployed to individual systems. This means that McAfee NAC events are not reported and used the same way as standard ePO events. In addition, the McAfee NAC events are reported by the NAC client directly to the server; they do not go through the McAfee Agent.

NOTE: Rogue System Detection events are of the same category as McAfee NAC events. It can be useful to set up automatic responses for events of both types.

McAfee NAC events are unlike standard ePO events because:

• McAfee NAC events are not included in the event log (Reporting | Event Log).

• McAfee NAC events are not available for creating notification rules (Automation | Notification Rules).

McAfee NAC events are used for response generation, and use the automatic response feature (Automation | Responses), which is a core feature of ePolicy Orchestrator 4.0 and higher. The allowed response types, such as sending an email or running a command, depend on the event type. This is also true of Rogue System Detection. McAfee NAC generates these events:

• System no longer healthy — Occurs when a system's health level changes from Healthy to any other value.

• Malicious system detected — Occurs when a message is received from a Network Security Sensor that it has detected behavior that is defined as malicious. See Malicious systems.

• System is not enforceable — Occurs when a system is detected that cannot be enforced (see the information on unenforceable systems in the System classifications section).

• Failed to apply network access policy to system — Occurs when a system does not have any applicable system health policies that can be assessed by the NAC client. This is determined by the policy activation settings of your system health policies.

These events are reported in the audit log (Reporting | Audit Log).

Creating automatic event responses

Use this task to create or edit an automatic event response for predefined NAC events.

Task

For option definitions, click ? in the interface.

1 Go to Automation | Responses, and click New Response to create an event response, or click Edit in the Action column for an existing event response.

2 On the Description page:

a Type a name and description for the response.

b For Event group, select Network Access Control Events from the drop-down list.

c For Event type, select the event type for which to generate an automatic response.

d For Status, select whether you want the response Enabled or Disabled.

3 On the Filters page, set one or more properties to use as event filters.

4 On the Aggregation page, specify an aggregation level for the event type. You can specify no event aggregation, or aggregation based on a time interval or an event count.

5 On the Actions page, specify the actions to initiate in response to the event.

Manual control of exemptions

You can control the exemption status of systems manually, using Set NAC exempt and Remove NAC exempt. You can set an exemption on any system that has been detected. The Set NAC exempt action works under any circumstances. You can remove an exemption only on systems where the System Status is "exempt by administrator." If the System Status is "exempt by rule," the Remove NAC exempt action is ignored (see How exemption rules work).


Imported scan exemptions

Typically, the Import exempt systems action is used to create scan exemptions for devices that are unmanageable, such as printers and FAX machines. These systems report as rogues on the Network | Detected Systems page. Since these systems are not truly rogues (that is, you know they are legitimate devices and are inherently unmanageable and unenforceable), McAfee recommends that you mark these systems as exceptions, so that they are not reported as rogues.

If you remove the scan exemption using Remove NAC exempt, the system or device is still reported in the NAC monitors with a health level of Unknown, and a network access status of None. If you are using only McAfee NAC, removing the exemption does not create any problems because these devices cannot be enforced using Host enforcement; that is, the NAC client as the enforcer.

However, if you are using McAfee NAC with another enforcer (Microsoft Network Access Protection or McAfee Network Security Platform), you might end up quarantining the device. In the case of a printer or FAX machine, this might not be critical, but it is certainly not desired.

When removing an exemption, you are notified in the Action pane if the NAC manager determines that the system might be unenforceable.

At any time, you can reapply an exemption to these systems manually, using Set NAC exempt.

If you are retiring or replacing a device such as a printer or FAX machine, you might want toclean up the database by removing the device. See Removing retired or invalid systems.

Setting a system's exemption status

Use this task to set or remove an exemption by administrator status from systems. Exemptions specified by an administrator with Set NAC exempt have different properties compared to exemptions that result from an exemption rule. See Using Exemptions.

Task

For option definitions, click ? in the interface.

1 Go to Dashboards | NAC Summary, or any other active dashboard with McAfee NAC monitors.

2 From any NAC monitor, click a chart section to list the systems where you want to set or remove a scan or enforcement exemption.

3 If you are on a summary page listing more than one system, select the checkbox next to each system you want to affect; otherwise, you are on a details page for a single system.

4 To set an exemption, click Set NAC exempt. In the Action Taken pane, select the exemption type, then click OK.

5 To remove an exemption, click Remove NAC exempt. Be sure that the system's current exemption status is Exempt by administrator.

If removing an exemption would result in a system or device becoming unenforceable, a message appears in the Action Taken pane.


Unmanageable devices and what to do with them

Most networks have legitimate devices connected to them that are inherently unmanageable, such as printers and FAX machines. Since these systems cannot host the McAfee Agent, the NAC client, or the NAC guest client, they:

• Are detected as rogues (by the Rogue System Detection service).

• Cannot be assessed.

• Are not subject to enforcement by the NAC client or guest client.

However, if you are also using Microsoft NAP as an enforcer, or McAfee Network Security Platform (potentially as both a detector and enforcer), not treating these devices correctly can result in undesirable consequences, such as a printer being quarantined.

Unmanageable systems initially are reported as rogues by the Rogue System Detection service on the Network | Detected Systems page. Since these systems are not truly rogues (you know they are legitimate devices and are inherently unmanageable and unenforceable), McAfee recommends that you mark these systems as exceptions. This way, all your unmanageable systems are identified and grouped as exceptions. For details, see the information about Rogue System Detection in the ePolicy Orchestrator Product Guide.

However, marking an unmanageable system as an exception from the Rogue System Detection interface does not influence how the NAC manager views it. In McAfee NAC, an unmanageable system is always assigned a health level of Unknown, and a network access status of None.

Because an unmanageable system cannot host the NAC client, the most useful action is to mark these systems as exempt from scans.

NOTE: McAfee NAC exemptions are not the same as Rogue System Detection exceptions. See Using Exemptions.

How to handle unenforceable systems

To McAfee NAC, an unenforceable system is one that cannot be enforced by the NAC client, or its enforcement status has not been or cannot be reported to the NAC manager.

Managed systems might become temporarily unenforceable if the NAC client is shut down or stops working. In this case, you can use a query that tests for the NAC client being started (see Creating a NAC Client Started query).

Unmanaged systems are, by definition, unenforceable if you are only using McAfee NAC: you must use McAfee Network Security Platform to enforce unmanaged systems. Unmanageable systems are also unenforceable to McAfee NAC because such systems cannot host the NAC client.

A system that is identified as unenforceable does not imply that the system cannot be enforced. The NAC manager can only determine that a system cannot be enforced by the NAC client. Managed systems that are unenforceable by McAfee NAC might be enforceable by one of the other supported enforcers, depending on your enforcement configuration. See Enforcers and how they operate.

Removing retired or invalid systems

Use this task to remove a system from the database that is no longer on your network. This allows you to clean up the database so that these systems are no longer reported on your monitors.


This task is most commonly used for guest systems that you have allowed to access your network, and for printers and other devices that you replace or retire.

Task

For option definitions, click ? in the interface.

1 Go to Network | Detected Systems.

2 In the Overall System Status window, click Rogue or Exceptions. The category you select depends on how you marked a system when it was detected. See Unmanageable devices and what to do with them and How to handle unenforceable systems.

3 Identify, then select the systems to remove from the list. To identify the correct systems, you might need to know a MAC address, canonical name, or the text of a comment you entered for a system or group of systems.

4 Click Delete.

Post admission control for malicious systems

The post admission control (PAC) feature allows you to set the health level of managed systems for which the NAC manager has received a malicious system detected event or an administrator request. Post admission control is not applicable to unmanaged systems because they cannot be assigned a post admission policy.

One source of events is from a McAfee Network Security Sensor. For details about using post admission control with McAfee Network Security Platform, see Malicious system events.

There are two parts to using the PAC feature, both of which must be configured for post admission enforcement to work:

• An enabled post admission policy that is deployed to managed systems.

• An enabled event response to a Malicious system detected event that has the response action set to Enforce malicious system (see Malicious system event responses).

What are malicious systems

Malicious behavior is whatever you define it to be using the tools available in the McAfee Network Security Manager, or any other software that reports a Malicious system detected event to the NAC manager. It could be anything from a malware threat to a system trying to access another system it should not be allowed to access. The McAfee NAC software does not play a role in defining what is or is not malicious behavior.

Identifying and enforcing systems as malicious automatically depends on two settings:

• A post admission policy.

• A Response that catches the Malicious system detected event.

McAfee NAC also allows administrators to mark systems as malicious manually using the Set malicious status action. You can use this action as a precaution if a system demonstrates unusual behavior. Under these circumstances, you would be bypassing any rules you have established for identifying malicious behavior. You would then need to determine whether a system is a real security threat or has been infected by some other method.

Malicious systems are enforced using a different methodology compared to systems that are unhealthy according to your system health policies. See How post admission control works and Post admission control enforcement.


How post admission control works

The NAC manager listens for messages from a Network Security Sensor that it has established trusted communications with, or other supported products. When the NAC manager receives the message, it ascertains the current status of each system the message identifies, then sets each system's Is Malicious flag to true.

NOTE: The NAC manager changes the Is Malicious flag to true even if a system is exempt. For exempt systems, the post admission policy and malicious system event response are ignored.

Whether other actions like enforcement occur depends on the actions specified in the response to a Malicious system detected event and how your post admission policies are configured.

The following table describes the result of different configurations of your post admission policies and your response settings for the malicious system detected event.

Post admission policy settings: Admission control option set to Disable.
Response settings: No response configured, response is disabled, or response is enabled, the Event type is set to Malicious system detected, and the Action is set to Enforce malicious system.
Result: No change in health level and no enforcement occurs as a result of a system being identified as displaying malicious behavior. All systems identified by the incoming "malicious system" message have their Is Malicious flag set to true.

Post admission policy settings: Admission control option set to Disable.
Response settings: Response enabled. Event type is set to Malicious system detected. Action is any value other than Enforce malicious system.
Result: No change in health level and no enforcement occurs as a result of a system being identified as displaying malicious behavior. All systems identified by the incoming "malicious system" message have their Is Malicious flag set to true. Depending on the action specified in the response, an email notification can be sent or an external command can be run.

Post admission policy settings: Admission control option set to Enforce.
Response settings: No response configured, or response is disabled.
Result: No change in health level and no enforcement occurs as a result of a system being identified as displaying malicious behavior. All systems identified by the incoming "malicious system" message have their Is Malicious flag set to true.

Post admission policy settings: Admission control option set to Enforce.
Response settings: Response enabled. Event type is set to Malicious system detected, and the Action is set to Enforce malicious system.
Result: The health level changes to the value specified by the Malicious system health level option in the post admission policy only if that value is more severe than a system's current health status. If the value is less severe or the same, no change in health level occurs. All systems identified by the incoming "malicious system" message have their Is Malicious flag set to true. Enforcement occurs, but is dependent on which enforcer is configured in the NAC client policy assigned to a system (see Post admission control enforcement).

Post admission policy settings: Admission control option set to Enforce.
Response settings: Response enabled. Event type is set to Malicious system detected. Action is any value other than Enforce malicious system.
Result: No change in health level and no enforcement occurs as a result of a system being identified as displaying malicious behavior. All systems identified by the incoming "malicious system" message have their Is Malicious flag set to true. Depending on the action specified in the response, an email notification can be sent or an external command can be run.

McAfee NAC does not include a predefined query or monitor that specifically shows systems whose Is Malicious is set to true. To identify malicious systems, you must look at the NAC Detected System Status Details page. The boolean data field "Is Malicious" allows you to determine if the system is unhealthy due to potentially malicious behavior. This page also contains Actions that allow you to set or remove the malicious status of a system manually.

To determine whether a system is marked as malicious, you can:


• Check the NAC Network Access Status monitor for systems that are restricted to the network access zone you mapped to the health level specified in the post admission policy.

• Check the NAC System Health Status monitor for systems with the health level specified in the post admission policy.

• Create a query to use as a monitor that tests the Is Malicious flag. See Creating a Malicious System query.

Once a system is marked as malicious, the only way to remove this status is for the administrator to use the Remove malicious status action from a NAC Detected System Status page (either summary or details). If the system has been enforced as malicious (its health level was changed), removing the malicious status also resets the system's health to its last known value. For details, see Resetting the malicious status flag.

An administrator can manually mark a system as malicious using the Set malicious status action on a NAC Detected System Status summary or details page. Whether enforcement occurs as a result of this action is subject to the same configuration rules involving the malicious system event response and post admission policy. The same behavior occurs regardless of whether a system is marked as malicious due to a "malicious system" message (for instance, from a Network Security Sensor), or an administrator action.

Post admission control enforcement

Post admission control enforcement of managed systems depends on which enforcer is configured in a system's network access policy. Like any enforcement request, malicious systems are allowed or denied network access based on a health level. Normally, the health level is derived from a system's applicable health policies. However, if a system is marked as malicious, the post admission policy allows for the potential of a health level override.

If post admission control is configured so that enforcement occurs, the health level sent to the enforcer comes from one of these sources:

• The current value of the enforced health level resulting from the latest scan.

• The value of the Malicious system health level option in the post admission policy.

Whichever health level value is the most severe is the one that is sent to the enforcer, and set as the enforced health level. For example, if a system with a health level of Poor is identified as malicious, and the post admission policy sets the health level at Critical, the configured enforcer is sent a value of Critical. If a system with a health level of Critical is identified as malicious, and the post admission policy sets the health level at Serious, the configured enforcer is still sent a value of Critical, even though that value did not come from the post admission policy.
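The decision table in How post admission control works and the most-severe-wins rule above, worked through in code. This is an added example, not McAfee's code: the class names, the action strings and the severity ordering of the health levels are assumptions of the model.

```python
"""Decision model for McAfee NAC post admission control (PAC).

Added example, not McAfee code. It encodes the decision table in
"How post admission control works" and the most-severe-wins rule in
"Post admission control enforcement". The class names, the severity
ordering of the health levels and the action strings are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MALICIOUS_EVENT = "Malicious system detected"
ENFORCE_ACTION = "Enforce malicious system"

# Health levels named in the guide, ordered least to most severe (assumed
# ordering; Healthy and Unknown cannot be chosen in a post admission policy).
SEVERITY = {"Healthy": 0, "Unknown": 1, "Poor": 2, "Serious": 3, "Critical": 4}


@dataclass(frozen=True)
class PostAdmissionPolicy:
    admission_control: str        # "Enforce" or "Disable"
    malicious_health_level: str   # e.g. "Critical"


@dataclass(frozen=True)
class EventResponse:
    enabled: bool
    event_type: str
    actions: Tuple[str, ...]      # e.g. ("Enforce malicious system", "Send email")


@dataclass
class DetectedSystem:
    name: str
    managed: bool
    exempt: bool
    enforced_health_level: str
    is_malicious: bool = False
    pre_pac_health_level: Optional[str] = None  # restored by Remove malicious status


@dataclass(frozen=True)
class Outcome:
    is_malicious: bool
    enforced_health_level: str
    enforced: bool                 # a health level was sent to the configured enforcer
    side_actions: Tuple[str, ...]  # non-enforcement actions the response triggers


def handle_malicious_system_message(system: DetectedSystem,
                                    policy: Optional[PostAdmissionPolicy],
                                    response: Optional[EventResponse]) -> Outcome:
    """Apply the PAC rules to one system named in a 'malicious system' message."""
    # The NAC manager always sets Is Malicious, even for exempt systems.
    system.is_malicious = True
    current = system.enforced_health_level

    # Exempt systems: the post admission policy and the event response are ignored.
    if system.exempt:
        return Outcome(True, current, False, ())

    # No response, a disabled response, or one for another event: only the flag changes.
    if response is None or not response.enabled or response.event_type != MALICIOUS_EVENT:
        return Outcome(True, current, False, ())

    side_actions = tuple(a for a in response.actions if a != ENFORCE_ACTION)

    # Without the Enforce action, only the other actions (email, command) run.
    if ENFORCE_ACTION not in response.actions:
        return Outcome(True, current, False, side_actions)

    # Unmanaged systems cannot be assigned a post admission policy; a policy whose
    # Admission control option is Disable also gives no health change and no enforcement.
    if not system.managed or policy is None or policy.admission_control != "Enforce":
        return Outcome(True, current, False, side_actions)

    # Most severe health level wins: the policy value only overrides a less severe one.
    new_level = max(current, policy.malicious_health_level, key=SEVERITY.__getitem__)
    if new_level != current:
        system.pre_pac_health_level = current
        system.enforced_health_level = new_level
    return Outcome(True, new_level, True, side_actions)


def remove_malicious_status(system: DetectedSystem) -> str:
    """Administrator action 'Remove malicious status': clear the flag and, if PAC
    changed the health level, restore the last value it had before the change."""
    system.is_malicious = False
    if system.pre_pac_health_level is not None:
        system.enforced_health_level = system.pre_pac_health_level
        system.pre_pac_health_level = None
    return system.enforced_health_level
```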

Whether enforcement occurs, and the end result of any enforcement action, depends on which enforcer is configured for a managed system.

Enforcer: NAC client
Post admission control enforcement: Enforcement is based on the mapping of network access zones to health levels in the network access policy that is assigned to a managed system.

Enforcer: Microsoft NAP
Post admission control enforcement: The NAC client, acting as the NAP System Health Agent (SHA), passes the health level to the McAfee System Health Validator (SHV), which then forwards it to the Microsoft NPS server. Enforcement is based on your NAP policies. See Combining McAfee NAC with Microsoft Network Access Protection.

Enforcer: McAfee Network Security Sensor
Post admission control enforcement: The NAC manager passes the health level to the Network Security Sensor. This health level can be used by the Sensor if health-based policies are configured in McAfee Network Security Manager.

CAUTION: Depending on your Network Security Sensor configurations, it is possible for them to override enforcement by other enforcers. See Combining McAfee NAC with McAfee Network Security Platform.

When you are using post admission control, McAfee recommends that you define a suitable network access zone for restricting malicious systems. Both McAfee NAC and McAfee Network Security Manager use the concept of network access zones. If you are using Microsoft NAP for enforcement, you might want to configure your health and network policy rules such that the health level used for malicious systems is a special case and is associated specifically with your organization's definition of a malicious system.

Post admission policies

A post admission policy is required for assigning a health level to managed systems that have been identified or marked as malicious. The policy contains two options: one that enforces the policy, and one that sets the system's health level if malicious behavior is detected. How these options affect a system depends on several factors. For details, see How post admission control works.

Like other McAfee NAC policies, a post admission policy must be assigned to your managed systems for it to have an effect. You cannot assign a post admission policy to unmanaged systems.

Configuring a post admission policy

Use this task to configure a post admission policy. You can specify whether to enforce managed systems that are identified as displaying malicious behavior and reported to the NAC manager, and which health level to assign to those systems.

NOTE: Enforcement only occurs if you have also created and enabled an event response. For details, see Malicious system event responses.

After you configure a post admission policy, you must assign it to your managed systems using the standard ePolicy Orchestrator policy assignment features.

Task

For option definitions, click ? in the interface.

1 Go to Systems | Policy Catalog, then from the Product drop-down menu, select Network Access Control 3.2.0.

2 From the Category drop-down menu, select Post Admission Policy.

3 To create a new policy, click New Policy or click Duplicate in the Actions column of an existing policy.

4 Type a name for the new policy. If you use New Policy, you also select an existing policy as a basis for the new one. Click OK.

5 Set the Admission control option to Enforce (required for the policy to have an effect on system enforcement).


6 Set Malicious system health level to the health level value you want assigned if the system displays malicious behavior.

For a post admission policy to have an effect, the health level you select must be more severe than a system's enforced health level. For this reason, the Healthy and Unknown health levels are not listed.

7 Click Save.

Malicious system event responses

A malicious system event response informs the NAC manager that you want to take a particular action or set of actions when a Network Security Sensor or other supported product sends a Malicious system detected message.

To create a response to the Malicious system detected event, you use the Responses feature in the ePolicy Orchestrator interface (Automation | Responses). If you don't create and enable this event response, the only action that occurs due to a Malicious system detected message is that the NAC manager sets each identified system's Is Malicious flag to true.

To enforce the "malicious" health level set in your post admission policies, at least one of the actions you specify for the Malicious system detected event must be Enforce malicious system, and the response must be enabled (see Configuring a malicious system event response). Other actions, such as sending an email notification, can also be specified as part of an event response.

Responses can also contain filters, which allow you to identify systems according to various properties. Using filters is one way to limit or restrict which systems are subject to the actions you specify. For example, you might want to enforce one set of systems when detected as malicious, but only receive email notification for a different set.

Configuring a malicious system event response

Use this task to configure a response for a malicious system event. This event response must be configured and enabled to enforce the health level specified in the post admission policy (see Configuring a post admission policy).

NOTE: For enforcement to occur, the Admission control option of the post admission policy must be set to Enforce. For details, see How post admission control works.

Task

For option definitions, click ? in the interface.

1 Go to Automation | Responses, then click New Response, or click Edit in the Action column for an existing event response.

2 On the Description page:

a Type a name and description that indicates the type of response or type of event.

b For Event, set Event group to Network Access Control Events, and Event type to Malicious system detected.

c Set Status to Enabled.

3 On the Filter page, select properties you want to use to filter event reporting. Using filters is not recommended for the Malicious system detected event.

4 On the Aggregation page, set Aggregation to Trigger the response for every event. Aggregating on multiple events over a time period is not recommended.


5 On the Actions page, select Enforce malicious system from the drop-down list.

6 Click Save.

Setting a system's malicious status

Use this task to manually designate a system as malicious.

Task

For option definitions, click ? in the interface.

1 Go to Dashboards | NAC Summary, or any other active dashboard with McAfee NAC monitors.

2 From any monitor that includes the system you want to mark as malicious, click a chart section.

3 If there are multiple systems in the chart section, select the checkbox of the system(s) from the summary page. If there is only one system for the chart section, the NAC Detected System Status Details page opens.

4 Click Set malicious status.

Removing a system's malicious status

Use this task to remove a system's malicious status once you have determined that there is no longer a threat. This is the only method available for resetting a system's Is Malicious status flag.

If the system has been enforced by a post admission policy, removing the malicious status also resets the system's enforced health level to the last value it had before being changed. If no enforcement occurred resulting from the malicious system event, then removing the malicious status does not change the system's current enforced health level.

Before you begin

Make sure you have an active dashboard that contains the NAC: System Health Status monitor so that you can access the NAC Detected System Status Details page.

Task

For option definitions, click ? in the interface.

1 Go to Dashboards | NAC Summary, or any other active dashboard with McAfee NAC monitors.

2 From any monitor that includes one or more malicious systems, click the appropriate chart section. For details about identifying malicious systems through monitors, see How post admission control works.

3 If there are multiple systems in the chart section, select the checkbox of the system(s) from the summary page. If there is only one system for the chart section, the NAC Detected System Status Details page opens.

4 On the NAC Detected System Status Details page, check that the Is Malicious field is set to true.

5 Click Remove malicious status.

6 Check the Action Taken pane to verify that the action completed successfully.


Assessment and enforcement histories

McAfee NAC stores information every time a system is assessed, and every time an enforcement action occurs. You can view an assessment or enforcement history through specific NAC monitors. These histories allow you to track a sequence of actions, and can be useful for testing policies.

When you view an individual assessment (scan) result, you can then access the benchmark results for that scan. This allows you to find out which rules passed and which rules failed.

You can also delete the historical assessment and enforcement results if or when you no longer need them. Assessment results can be deleted for individual systems from the Scan History for Host page. You can also delete all scan results for all systems using an ePolicy Orchestrator server task (see Purging scan results automatically). Enforcement results can be deleted for individual systems from the Enforcement History for Host page.

Purging scan results automatically

Use this task to create or edit a server task to purge all McAfee NAC scan results from the database. You can schedule this task to run at an interval you define.

This task relies on the ePolicy Orchestrator Server Tasks feature, and assumes you understand the process of working with server tasks.

Task

For option definitions, click ? in the interface.

1 Go to Automation | Server Tasks.

2 On the Actions page of the Server Task Builder, select McAfee NAC: Purge Scan Results from the drop-down list.

3 For Purge records older than, set the number of days, weeks, months, or years.

4 On the Schedule page, set how often you want to run the task.

5 When you are done setting values, go to the Summary page and click Save.

Deleting scan or enforcement results manually

Use this task to remove scan or enforcement results for an individual system.

This task relies on accessing the Scan History for Host and Enforcement History for Host pages through McAfee NAC monitors or queries.

Task

For option definitions, click ? in the interface.

1 Go to Dashboards | NAC Summary, or any other active dashboard with McAfee NAC monitors.

2 From any NAC monitor, click a chart section to list the systems where you want to remove all or part of the scan or enforcement history.

3 If you are on a summary page that lists more than one system, select the checkbox next to a system; otherwise, you are at a details page for a single system.

a To list the system's scan history, click Show scan history. This displays the Scan History for Host page.


b To list the system's enforcement history, click Show enforcement history. This displays the Enforcement History for Host page.

4 Select the checkbox for one or more entries.

5 Click Delete scan history or Delete enforcement history, depending on the page you are viewing.


Combining McAfee NAC with McAfee Network Security Platform

McAfee Network Access Control 3.2 supports McAfee Network Security Platform, specifically the Network Security Sensor, as a detector and an enforcer. The two products can work together to provide network access control for both managed and unmanaged systems. When McAfee Network Security Platform is configured for health-based access control, it handles unmanaged system enforcement, and McAfee NAC handles managed system enforcement. When McAfee Network Security Platform is configured for identity-based access control, it can handle enforcement for both managed and unmanaged systems.

To use McAfee Network Security Platform for detection and enforcement, these components must communicate with each other:

• The ePolicy Orchestrator server that hosts McAfee NAC.

• Your Network Security Sensors.

• The NAC client.

When McAfee Network Security Platform is configured to use health-based access control, the primary information communicated from McAfee NAC to a Network Security Sensor is a system health level. Once communicated, enforcement decisions for unmanaged systems are controlled by your Network Security Manager policies. Also, your Network Security Sensors must establish trusted communications with the NAC manager.

The information presented here assumes that you are familiar with McAfee Network Security Platform, its requirements, its operation, and its user interface.

Contents

Configuration requirements

Operations when combined with McAfee Network Security Platform

Network Security Sensor as a detector

Network Security Sensor as an enforcer

Health-based access control

Identity-based access control

NAC manager configuration

Assessment of unmanaged systems

Configuration requirements

To operate correctly with McAfee Network Security Platform, you need to configure several communication channels, and let the NAC manager know the location of your Network Security Manager server. In McAfee NAC, the configuration for using both products involves:


• Setting the port for communication between Network Security Sensors and NAC clients.

• Specifying the location of the Network Security Manager server.

• Setting a shared secret for trusted communication between the NAC manager and Network Security Sensors.

• Optionally specifying that the NAC client send out a periodic identification message for the Network Security Sensors.

• Optionally configuring a NAC client policy if you are going to use McAfee Network Security Platform as an identity-based enforcer (see Identity-based access control).

During installation, you are asked to specify a Network Security Sensor to NAC client communication port. This corresponds to the Client identification request setup option in the Network Access Control server settings. The default port listed in the installer is the same port ePolicy Orchestrator uses for the Server-to-sensor communication port. The port was chosen because ePolicy Orchestrator already opens it. If you want to use a different port, enter that port number in the installer. However, you cannot change the port number after McAfee NAC is installed unless you uninstall the McAfee NAC application and re-install it. You must also make sure that this new port is open, and not blocked by any firewalls in between your sensors and the ePO server. Communication between sensors and NAC clients is over an unsecure channel.

Sensors communicate with the NAC manager using a secure communication channel. This secure, trusted communication uses port 8443, and can be configured to use a shared secret. When McAfee NAC is installed, the Trusted communications setup shared secret is blank (no value). This setting is valid, but you can also type a text string of your choice. You then use this string when you configure your Network Security Sensors. If communication is not working, check that your shared secret values are identical.

The periodic identification message setting in the NAC client policy is needed only if a managed system has a firewall that blocks the configured Network Security Sensor to NAC client communication port. This is the port listed for Client identification request setup in the Network Access Control server settings. Enabling this option causes the NAC client to initiate identification messages to the Network Security Sensors. For unmanaged systems, this option is configured in the Unmanaged System Policy, and applies only to the NAC guest client.

If you are using McAfee Network Security Platform as a health-based enforcer, no special configuration is needed for the NAC client policy.

If you are using McAfee Network Security Platform as an identity-based enforcer for both managed and unmanaged systems, you also need to configure a NAC client policy with the Enforcement Method set to None.

All other configuration to make McAfee NAC work with McAfee Network Security Platform is done through the Network Security Manager and Network Security Sensor interfaces. For details, see the McAfee Network Security Platform documentation.

Operations when combined with McAfee Network Security Platform

When setting up an environment where McAfee NAC and McAfee Network Security Platform are used together, the McAfee Network Security Sensor can perform both system detection and enforcement.

A Network Security Sensor is an appliance that monitors network traffic and manages pre-admission and post-admission access. The Sensor can:


• Uniquely identify systems as part of an IP stream.

• Send detection messages for systems it detects to the NAC manager.

• Respond to enforcement requests (status messages) from the NAC manager.

• Enforce ACLs on the IP streams of these systems.

Detection

When setting up Network Security Sensors for detection, the primary consideration is to make sure that you cover all parts of the network you want to protect, and that each Network Security Sensor is communicating with the NAC client or guest client, and the NAC manager. Use the information provided in the McAfee Network Security Platform documentation.

Enforcement

When using Network Security Sensors for enforcement, the primary consideration is that client systems in your production and quarantine networks must be able to communicate with the ePO server. Other considerations might be involved depending on the McAfee Network Security Platform access control type you use. For instance, if you use identity-based access control, you must configure and deploy a NAC client policy that has the Enforcement method option set to None. See Network Security Sensor as an enforcer, and McAfee Network Security Platform access control types.

Automatic remediation

Combining McAfee NAC with McAfee Network Security Platform has no effect on automatic remediation because all automatic remediation commands are always run by the NAC client. Therefore, which enforcer you configure is irrelevant. You only need to be sure that unhealthy systems can access remediation resources, such as required applications and operating system patches, from your quarantine networks.

Operations unaffected by the Network Security Manager access control mode

Regardless of whether you are using health-based or identity-based access control in McAfee Network Security Platform, the way that McAfee NAC detects systems and assesses system health is unaffected. However, the access control mode does determine whether, and how, the detection and assessment information is used.

Scan results for managed and unmanaged systems (presuming the guest client has been installed) are reported to the NAC manager, allowing you to access or generate reports. The NAC client scans systems at whatever interval you have specified using the features available through ePolicy Orchestrator and McAfee NAC. The guest client scans systems according to the scan interval setting in the unmanaged system policy.

Automatic remediation of managed systems is unaffected by McAfee Network Security Platform, regardless of the access control mode. You only need to be sure that an unhealthy managed system can access remediation resources, such as required applications and operating system patches, from your quarantine networks. For information about Network Security Manager operations when a system is unhealthy, refer to its documentation set.


Client systems that use firewall software

If firewall software is running on a client system, regardless of whether it is managed or unmanaged, and the firewall is blocking the communication port used by a Network Security Sensor for client identification requests, this can affect the detection and enforcement behavior, especially for managed systems.

To ensure that your Network Security Sensors always can get client identification information, make sure the Periodic identification option is enabled in both your NAC client policies, and in your unmanaged system policy. This option causes the client to send an identification message onto the network every 60 seconds, but the timing can be configured. By default, this option is enabled in the unmanaged system policy and disabled in the NAC client policy.

Network Security Sensor as a detector

A detector identifies systems that are connected to your network, and reports these systems to the NAC manager. To qualify as a detector, the component must report at least one form of identifying information about a system or device to the NAC manager.

McAfee NAC can use Network Security Sensor detection information, and combine it with information it receives from other supported detectors (see Detectors and how they operate). Any Rogue System Sensor on your network still functions normally and reports detections.

A Network Security Sensor can be configured for different detection types. The following table lists the detection information that a Network Security Sensor reports to the NAC manager based on its configuration. The specific deployment and configuration determines whether a Network Security Sensor reports some or all of the identifying information listed.

Table 20: Network Security Sensor detector configuration

VPN detection (at least one of the following):

• An IP address

• A MAC address

• A host name

• A McAfee Agent GUID

DHCP detection (at least one of the following):

• An IP address

• A host name

In-line detection (at least one of the following):

• An IP address

• A MAC address

• A McAfee Agent GUID

Multiple detectors do not interfere with each other. The most recent detection information received that includes an IP address is considered valid for the detected host, independent of the detector. This is because the IP address of a system is the one piece of information that might change under normal circumstances. All other information from multiple detectors is combined for the same detected host. For example, if one detector reports a MAC address, and a different detector reports a MAC address and host name, the NAC manager combines this information with existing detection results that match; otherwise, the system is new, and previously unknown to the NAC manager.
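The combining rule described above, written out as a small Python model. This is an added illustration, not McAfee code: the detector names, addresses and GUIDs are constructed sample data, and the fallback of matching a detection that carries only an IP address against a host's current IP address is an assumption the guide does not spell out.

```python
"""Combining detection information from several detectors, following the rule
described above: the most recent detection that carries an IP address is
authoritative for the host's IP; every other identifier is accumulated on the
matching host; a detection that matches nothing known starts a new host.
Added illustration, not McAfee code; names and addresses are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

# Identifiers assumed stable for a host; only the IP address is expected to change.
STABLE_KEYS = ("mac", "hostname", "agent_guid")


@dataclass
class Detection:
    """One detection message as received by the NAC manager (constructed sample)."""
    detector: str                     # hypothetical detector name
    seq: int                          # arrival order; larger means more recent
    ip: Optional[str] = None
    mac: Optional[str] = None
    hostname: Optional[str] = None
    agent_guid: Optional[str] = None


@dataclass
class Host:
    """Combined detection results for one detected host."""
    ip: Optional[str] = None
    ip_seq: int = -1                  # seq of the detection that supplied the IP
    mac: Optional[str] = None
    hostname: Optional[str] = None
    agent_guid: Optional[str] = None
    detectors: set = field(default_factory=set)


def find_host(hosts: List[Host], det: Detection) -> Optional[Host]:
    """Match on any stable identifier first; fall back to the current IP (assumption)."""
    for h in hosts:
        if any(getattr(det, k) is not None and getattr(det, k) == getattr(h, k)
               for k in STABLE_KEYS):
            return h
    if det.ip is not None:
        for h in hosts:
            if h.ip == det.ip:
                return h
    return None


def merge_detection(hosts: List[Host], det: Detection) -> Host:
    """Fold one detection into the known hosts and return the host it landed on."""
    host = find_host(hosts, det)
    if host is None:                  # nothing matched: a previously unknown system
        host = Host()
        hosts.append(host)
    for k in STABLE_KEYS:             # combine identifiers from all detectors
        value = getattr(det, k)
        if value is not None:
            setattr(host, k, value)
    if det.ip is not None and det.seq > host.ip_seq:
        host.ip, host.ip_seq = det.ip, det.seq   # newest IP wins, whatever the detector
    host.detectors.add(det.detector)
    return host


# Constructed sample stream: two detectors see the same laptop, its IP later changes
# (DHCP renewal), and one message describes a system nothing else has reported.
SAMPLE_DETECTIONS = [
    Detection("nsp-sensor-1", 1, ip="10.0.0.5", mac="00:11:22:33:44:55"),
    Detection("rsd-sensor-2", 2, mac="00:11:22:33:44:55", hostname="lab-pc-01"),
    Detection("nsp-sensor-1", 3, ip="10.0.0.9", agent_guid="guid-0001"),
    Detection("dhcp-detector", 4, ip="10.0.0.42", hostname="lab-pc-01"),
]


def run_sample() -> List[Host]:
    """Replay the constructed stream and return the resulting host records."""
    hosts: List[Host] = []
    for det in SAMPLE_DETECTIONS:
        merge_detection(hosts, det)
    return hosts


if __name__ == "__main__":
    for h in run_sample():
        print(h)
```

Replaying the sample leaves two host records: the laptop keeps the MAC address and host name gathered from both sensors but carries the IP address from the newest detection (10.0.0.42), and the message that matched nothing becomes a separate, previously unknown host.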

Network Security Sensor as an enforcer

An enforcer is responsible for restricting the network access of systems on your network. A Network Security Sensor can use health-based or identity-based access control enforcement depending on your Network Security Manager configuration. No matter which Network Security Manager access control configuration you use, network access restrictions are based on your definitions of network access zones. Both McAfee NAC and McAfee Network Security Platform use network access zones, so McAfee recommends you name these such that the product they are associated with is easily identifiable.

When configured for health-based access control, a Network Security Sensor enforces network access restrictions for unmanaged systems based on the health level it is sent from McAfee NAC. For an unmanaged system, this can be the enforced health level, an administrator-specified health level, or the post-admission policy health level.

Other information regarding a system's status — such as whether it has an exemption, has a manual enforcement request, or has been marked as malicious — is communicated to the Network Security Sensor by the NAC manager after it receives the assessment results from the NAC client or guest client.

When configured for identity-based access control (IBAC), a Network Security Sensor enforces network access restrictions for managed and unmanaged systems based on system properties or user identity credentials. The McAfee NAC architecture is not involved when using McAfee Network Security Platform in IBAC mode. When you configure the NAC client to support IBAC, it no longer functions as an enforcer. The enforcement of unhealthy systems becomes solely the responsibility of the Network Security Sensor.

The determination of whether a system is healthy, whether it is enforced, and how it is enforced, is controlled by your Network Security Manager policy configuration.

For details about the input used by and output supplied by a Network Security Sensor, see Enforcers and how they operate. For information about Network Security Manager policies and the operation of components, see the McAfee Network Security Platform documentation.

Health-based access control

If you are using health-based access control in McAfee Network Security Platform, then McAfee NAC enforces managed systems using the NAC client, and Network Security Manager enforces unmanaged systems using Network Security Sensors.

Most of the behavioral differences that occur when you use McAfee Network Security Platform in combination with McAfee NAC involve enforcement, and to a lesser degree, detection.

When a system’s health status changes, the NAC manager sends a message containing the new health level to the Network Security Sensor. If the system is managed, the Network Security Sensor does not take any enforcement action. If the system is unmanaged, the Network Security Sensor is responsible for restricting network access of the system using the network access restrictions configured by the network access zones in Network Security Manager.

NOTE: For easier identification of network access zones in monitors and reports, McAfee recommends that you use a prefix for all network access zone names created in Network Security Manager. This way, you can avoid conflicts and confusion trying to determine whether a system is affected by a McAfee NAC network access zone or a Network Security Manager network access zone.

Configuration changes

When using Network Security Manager for health-based access control, make these configuration changes in McAfee NAC:

• Specify the location of your Network Security Manager (recommended) in the Network Access Control server settings.

• Set all benchmarks in the unmanaged system policy to Enforce mode.


• Optionally set a Trusted communications shared secret in the Network Access Control server settings.

System detection

When you use McAfee Network Security Platform with McAfee NAC, the Network Security Sensor adds another detection service. Nothing changes regarding detections performed by the Rogue System Detection service and the NAC client. In other words, a Network Security Sensor can be added when using health-based access control without requiring changes to the detection aspects of an existing McAfee NAC deployment.

System assessment

The NAC client assesses managed systems using your managed system health policies and your established scan schedule. The NAC manager reports any health status changes on managed systems to the Network Security Sensor.

For unmanaged systems, users must download the NAC guest client. Once installed, the guest client uses the unmanaged system policy to assess the system. Scans are repeated according to the policy’s scan interval setting. Scan results and system health are reported to the NAC manager, which then sends the health status to the Network Security Sensor.

System enforcement

When using health-based access control in McAfee Network Security Platform, enforcement is still based on a system's health. As described, the NAC client and guest client assess systems according to your McAfee NAC policies, and report those results. McAfee Network Security Platform enforcement of unmanaged systems is based on the enforced health level.

Using health-based access control, a Network Security Sensor always enforces unmanaged systems, and the NAC client always enforces managed systems.

Exemptions

When using health-based access control, the NAC manager reports information about exemptions to the Network Security Sensor. Any systems marked as exempt, using any McAfee NAC method, might or might not be respected by the Network Security Sensor, depending on how it is configured. Your exemption rules and any systems manually marked as exemptions can be overridden by other aspects of a Network Security Manager network policy.

Identity-based access control

If you are using identity-based access control (IBAC) in McAfee Network Security Platform, all systems, managed and unmanaged, can be enforced by Network Security Manager using Network Security Sensors. If every managed system has a NAC client policy with the Enforcement method set to None, then McAfee NAC has no control over enforcement in this configuration, and system health is not used as the basis for enforcement. However, you can combine the solution, and have some managed systems enforced by the NAC client, and some enforced by Network Security Sensors.

Configuration changes

To use identity-based access control, you need to make these configuration changes in McAfee NAC:

• Set the Enforcement method option in your NAC client policies to None.


• Specify the location of the Network Security Manager server (recommended) in the Network Access Control server settings.

• Optionally set a Trusted communications shared secret in the Network Access Control server settings.

When a system’s health status changes, the NAC client sends a message containing the new health level to the Network Security Sensor. However, when using identity-based access control, the Network Security Sensor ignores this information. The McAfee NAC network access policy that designates network access zones is not used. Instead, the network access restrictions configured by the network access zones in Network Security Manager are used.

NOTE: For easier identification of network access zones in monitors and reports, McAfee recommends that you use a prefix for all network access zone names created using Network Security Manager. This way, you can avoid conflicts and confusion trying to determine whether a system is affected by a McAfee NAC network access zone or a Network Security Manager network access zone.

System detection

When you use McAfee Network Security Platform with McAfee NAC, the Network Security Sensor adds another detection service. Nothing changes regarding detections performed by the Rogue System Detection service and the NAC client. In other words, a Network Security Sensor can be added when using identity-based access control without requiring changes to the detection aspects of an existing McAfee NAC deployment.

System assessment

The NAC client assesses managed systems using your managed system health policies and your established scan schedule. The NAC manager reports any health status changes on managed systems to the Network Security Sensor.

For unmanaged systems, users must download the NAC guest client. Once installed, the guest client uses the unmanaged system policy to assess the system. Scans are repeated according to the policy’s scan interval setting. Scan results and system health are reported to the NAC manager, which then sends the health status to the Network Security Sensor.

System enforcement

When using identity-based access control in McAfee Network Security Platform, enforcement is no longer based on a system's health. Enforcement is based solely on system properties or user identity credentials, and all managed and unmanaged systems can be enforced by a Network Security Sensor.

To do this, your NAC client policies must have the Enforcement method option set to None. In this configuration, the NAC client no longer performs enforcement. All enforcement actions are controlled by the Network Security Sensor, and configured using the Network Security Manager console.

Exemptions

When using identity-based access control, the NAC manager reports information about exemptions to the Network Security Sensor. Any systems marked as exempt, using any McAfee NAC method, might or might not be respected by Network Security Manager depending on how it is configured. Your exemption rules and any systems manually marked as exemptions can be overridden by other aspects of a Network Security Manager network policy.


NAC manager configuration

You must properly configure the NAC manager so it operates with McAfee Network Security Platform. The main consideration is making sure that all components can communicate with each other.

If you want to use the Guest Portal so that unmanaged systems can install the NAC guest client,see The guest portal and guest client.

To configure the NAC manager to operate with McAfee Network Security Platform, set these options in the Network Access Control server settings:

• Network Security Manager location

• Client identification request setup

• Trusted communications setup

For details about this task, see Editing McAfee NAC server settings.

Network Security Manager location

This configuration option is used to create links within the McAfee NAC interface to the Network Security Manager console. It informs the NAC manager where the Network Security Manager server is located. McAfee NAC assumes that the default Network Security Manager console port is port 80. If the console uses a different port, you must set it using the optional port specification format (<server_name>[<port>]).
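A small parser for the location value described above, added here as an illustration rather than McAfee code. It assumes the square brackets in <server_name>[<port>] are typed literally around the port (the guide does not say whether they mark an optional field or are part of the syntax), falls back to port 80 exactly as the text states, rejects values that cannot be a usable host and port, and builds a plain http:// console link from the result; the link format and the host-name character rule are assumptions.

```python
"""Parse the Network Security Manager location setting and derive the console
link the NAC manager creates from it. Added illustration, not McAfee code.
Assumptions: brackets are literal (nsm.example.com[8443]), the default console
port is 80 as the guide states, and the link is plain http://host:port/."""
import re
from typing import Tuple

DEFAULT_CONSOLE_PORT = 80

# host name or IPv4 literal, optionally followed by [port]; anchored to reject trailing junk
_LOCATION_RE = re.compile(r"^(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"
                          r"(?:\[(?P<port>\d{1,5})\])?$")


def parse_nsm_location(value: str) -> Tuple[str, int]:
    """Return (server_name, port); raise ValueError for a malformed value."""
    m = _LOCATION_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed Network Security Manager location: {value!r}")
    port = int(m.group("port")) if m.group("port") else DEFAULT_CONSOLE_PORT
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {value!r}: {port}")
    return m.group("host"), port


def is_valid_location(value: str) -> bool:
    """True when the value parses; useful as a pre-save check in a settings form."""
    try:
        parse_nsm_location(value)
        return True
    except ValueError:
        return False


def console_url(value: str) -> str:
    """Console link target derived from the setting (http scheme is an assumption)."""
    host, port = parse_nsm_location(value)
    return f"http://{host}:{port}/"


if __name__ == "__main__":
    # constructed sample values
    for sample in ("nsm.example.com", "nsm.example.com[8443]", "10.1.2.3[8080]",
                   "nsm.example.com[70000]", "nsm.example.com:8443"):
        print(f"{sample!r:28} valid={is_valid_location(sample)}")
```

The last two sample values are rejected on purpose: one carries a port outside the valid range and the other uses host:port, which is not the format the guide documents for this setting.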

Client identification request setup

This configuration option sets an encryption key that is used for communication between a NAC client and a Network Security Sensor. The Network Security Sensor must communicate directly with the NAC client to uniquely identify the system and determine whether it is managed. The NAC manager distributes this key to a Network Security Sensor when it establishes communications. The NAC manager distributes this key to the NAC client after it sends its startup message.

Trusted communications setup

This configuration option sets a shared secret (effectively a password) that establishes trusted communications between the NAC manager and a Network Security Sensor at sensor startup. The value of this option must be used when configuring a Network Security Sensor. If the values do not match, the Network Security Sensor cannot communicate with the NAC manager. The default value is blank. This can be used, or you can specify your own password.

Configuring a NAC client policy

Use this task to configure the NAC client to operate with McAfee Network Security Platform.

Task

For option definitions, click ? in the interface.

1 Go to Systems | Policy Catalog, then select Network Access Control Client 3.2.0 from the Product drop-down menu. There is only one category value: General.

2 Select an existing policy from the list to edit, or click New Policy.


3 If creating a new policy, select an existing policy as a template, and type a name for the new policy. The name should indicate that the policy is for use in a network enforcement environment.

4 Set the Enforcement method option to:

• NAC client, if using health-based access control.

• None, if using identity-based access control.

5 Set the automatic remediation option to use and specify credentials. This only applies to managed systems.

6 Specify whether you want the NAC client to display the McAfee system tray icon.

7 Specify whether you want the NAC client to send periodic identification messages out on the network for a Network Security Sensor to pick up.

8 Deploy this NAC client policy. McAfee Network Security Platform only enforces unmanaged systems regardless of whether it is using health-based access control or identity-based access control.

Assessment of unmanaged systems

When using McAfee Network Security Platform in health-based access control mode, managed systems are assessed by the NAC client using your managed system health policies, and unmanaged systems are assessed by the NAC guest client using the unmanaged system policy. Unmanaged systems are detected by your Network Security Sensors.

The NAC guest client is not the same as the NAC client, and will not install on a system that has the NAC client. The guest client differs from the NAC client as follows:

• The guest client does not require the McAfee Agent.

• The guest client is not configured by a NAC client policy.

• The guest client is intended to be a temporary executable that is automatically removed after a specified time, which is set from the Guest Portal.

• The guest client can assess a system only with the unmanaged system policy.

• The guest client cannot use automatic remediation. Unmanaged systems must be remediated manually.

NOTE: A system with the guest client installed is not a managed system according to the McAfee NAC or ePolicy Orchestrator definitions.

The guest client's role is to evaluate system health and report the results to the NAC manager. The guest client evaluates only the unmanaged system policy, and scans the system according to the policy’s scan interval. The NAC manager reports the system's health level to the Network Security Sensor. All enforcement decisions are under Network Security Manager control. McAfee NAC does not play a role in unmanaged system enforcement.

The guest client's configuration is set as shown in the table below. Most of this configuration is fixed, except where noted.

Setting                    Value

Enforcement method         None. This means that enforcement is controlled by Network Security Sensors.

Scan results               All benchmark and rule information

Automatic remediation      Disabled

System tray icon           Enabled

Periodic identification    Enabled by default. This option is configurable in the unmanaged system policy.

For details about setting the health policy for unmanaged systems and providing remediation instructions, see Unmanaged system policy.

The guest portal and guest client

The Guest Portal provides an access point to which you can direct unmanaged systems so users can install the NAC guest client. The portal is essentially a pre-configured web page, but you can customize it with your company's logo and statement of network security policy.

The Guest Portal is installed as an extension when you install McAfee NAC. All files and executables are located on the ePolicy Orchestrator server. To verify this, check the ePolicy Orchestrator Extensions page.

To configure the Guest Portal, you should:

• Have a written network security policy statement to display on the portal page.

• Set portal configuration options on the NAC Guest Portal server settings page.

For details, see Guest portal configuration and the associated task.

Re-directing unmanaged systems detected by a Network Security Sensor to the Guest Portal is configured using the Network Security Manager. For information, see the Network Security Manager documentation.

How users install the guest client

The guest client can be installed only through the Guest Portal. The guest client installer is part of the Guest Portal extension. If you uninstall the Guest Portal extension, the guest client installer is also removed.

When users are re-directed to the Guest Portal, they must select values for two options:

• The Network access period, which sets how many days the guest client remains installed on their system before being automatically uninstalled.

• Their computer's Operating system. The system tries to automatically detect the operating system and defaults to that value, but users can choose the correct operating system (Windows, Linux, Mac OS, or Other). If a user selects Other, it means they are running an operating system that is not supported by the guest client.

With these options set, users can install the guest client and have their systems scanned.

Behavior for no guest client installed

The Guest Portal does not force a user to install the guest client. If a user clicks Cancel on the guest portal, they receive a warning that their network access might be restricted or denied. Administrators should set the Health level for no guest client option on the NAC Guest Portal server settings page to an appropriate value for their company security policy. This option defaults to Critical.

Alternately, a user might be running an operating system on which the guest client cannot beinstalled (the "Other" value). If a user selects this value, they receive a warning that theirnetwork access might be restricted or denied. Administrators should set the Health level for'Other' OS option on the NAC Guest Portal server settings page to an appropriate value fortheir company security policy. This option defaults to Unknown.


Guest portal configuration

Configuring the Guest Portal is done by setting option values on the NAC Guest Portal server settings page. The options you can set are:

Guest portal logo
Sets the file path to the image file you want to use as the logo displayed on the Guest Portal. This is typically your company logo. Place the logo image file anywhere on the ePolicy Orchestrator server, and give the absolute path for this option. The JPG and GIF file formats are recommended, but you should be able to use any format supported by Web-standard HTML.

Guest system policy statement
Sets the statement you want to display on the Guest Portal describing your company's network security policy for unmanaged, or guest, systems on your network. This is a text field that can contain approximately 10,000 characters.

Default guest client authorization
Sets the default value, in days, for the Network access period option on the Guest Portal page. This setting determines how long the NAC guest client is active on a guest system before the client is automatically uninstalled. The allowed values are 0, 1, 2, 5, 15, 30, and 90. A value of zero means the NAC guest client scans the system once, then is immediately uninstalled.

Health level for no guest client
Sets the default health level that is assigned to unmanaged systems on your network that do not have the NAC guest client installed. One way this would happen is if the user cancels out of the Guest Portal.

Health level for 'Other' OS
Sets the default health level that is assigned to unmanaged systems on your network when the user of the system selects the value "Other" for the Operating system option on the Guest Portal page.

Configuring the guest portal

Use this task to set option values that configure the McAfee NAC guest portal. Typically, these settings would change infrequently.

Task

For option definitions, click ? in the interface.

1 Go to Configuration | Server Settings, and in the Setting Categories column, select NAC Guest Portal.

2 Click Edit.

3 On the Edit page, enter values for these options:

• Guest portal logo

• Guest system policy statement

• Default guest client authorization

• Health level for no guest client

• Health level for 'Other' OS

4 Click Save.


Combining McAfee NAC with Microsoft Network Access Protection

McAfee Network Access Control 3.2 supports Microsoft Network Access Protection (NAP) as an enforcer. Microsoft NAP enforces network access restrictions for managed systems from a central NPS server. The NAC client, acting as a System Health Agent (SHA), passes a Statement of Health to the NPS server, which is validated by the McAfee System Health Validator and the NAC manager. How the Statement of Health is used to affect enforcement depends on your Microsoft NAP policy configuration.

To use Microsoft NAP as an enforcer, these components must communicate with each other:

• The ePolicy Orchestrator server that hosts McAfee NAC.

• The Microsoft 2008 Server that hosts the Network Policy Server (NPS).

• The NAC client.

For the NAC client to communicate with both the NPS and ePO servers, both servers must be deployed in the NAP boundary network.

The McAfee NAC components that support using Microsoft NAP as an enforcer are a custom McAfee System Health Validator (SHV) that is installed on the NPS server, and the NAC client. The NAC client must be set to NAP enforcement mode in the NAC client policy. McAfee Network Access Control 3.2 also supports NAP enforcement, through a DHCP Agent, on managed systems running some Microsoft operating systems that are not natively supported by Microsoft NAP.

NOTE: You cannot use Microsoft NAP enforcement for client systems running a supported Mac OS or Linux operating system.

In addition, you must configure the Network Access Control Server Settings so that the McAfee SHV can communicate with the NAC manager. Once it is installed on the NPS server, the McAfee SHV is configured using the NPS console.

The information presented here assumes that you are familiar with the Microsoft NAP product, its requirements, its operation, and its user interface components.

Contents

Setup requirements

ePolicy Orchestrator considerations

Microsoft NAP as an enforcer

Support for non-native operating systems

McAfee System Health Validator operations

System Health Validator failure categories

System Health Validator error conditions


Setup requirements

Each component that supports the use of Microsoft Network Access Protection (NAP) as an enforcer has specific setup and configuration requirements.

Table 21: Setup requirements for using Microsoft NAP as an enforcer

ePolicy Orchestrator server
The server machine must be deployed into the NAP boundary network. McAfee Network Access Control 3.2 must be installed.

Microsoft NPS server
The server machine must use the Windows 2008 Server 32-bit operating system. The NPS role must be configured and deployed into the NAP boundary network. The McAfee System Health Validator (SHV) must be installed.

NAC client
The NAC client policy on any managed system you want Microsoft NAP to enforce must have the Enforcement method set to Microsoft Network Access Protection (NAP).

McAfee System Health Validator
The McAfee SHV must be installed on the Microsoft NPS server, and configured through the NPS console. In the McAfee SHV Properties interface, the Communication port number on the Setup tab, 8444 by default, must match the setting for Server-to-sensor communication port on your ePO server. On the Request New Certificate dialog box, the Server UI Port number, 8443 by default, must match the setting for Console-to-application server communication port on your ePO server.

McAfee DHCP Agent (optional)
The DHCP Agent must be installed on a DHCP server running the Windows 2008 Server 32-bit operating system. You must have Microsoft NAP policies that are configured for DHCP-based enforcement.

ePolicy Orchestrator considerations

A typical ePolicy Orchestrator deployment in a Microsoft NAP environment has the ePO server in the boundary network. This means it should be able to communicate with client systems in either the trusted or non-trusted networks. To be trusted, the ePO server must have a valid health certificate.

Typically, a health certificate is obtained manually, using the Certificates MMC snap-in for the local computer account. If Active Directory has been configured properly for NAP, you select the Personal certificate store, then create a certificate request for a System Health Authentication certificate.

A more subtle issue with ePolicy Orchestrator in a NAP environment is that it might become impossible for ePolicy Orchestrator to issue agent wake-up calls to client systems. In some configurations, for example when using IPsec enforcement, the ePO server cannot establish communication with a non-trusted client. The client can initialize communication with the ePO server, but not the other way around. When using DHCP and 802.1x enforcement methods, it should be possible to get around this via network configuration.

Microsoft NAP as an enforcer

Microsoft Network Access Protection can enforce network access restrictions for McAfee NAC managed systems from a central NPS server. When you configure the NAC client for NAP mode, it no longer functions as an enforcer. The enforcer role is transferred to Microsoft NAP.


The NAC client continues to function as a detector and assessor, but its assessor role is expanded so that it also functions as a Microsoft NAP System Health Agent (SHA). In its role as an SHA, the NAC client sends a Statement of Health to the McAfee System Health Validator (SHV) on the NPS server every time the system is assessed. The Statement of Health contains a health level, and other information needed to identify the system and determine its status.

The determination of whether a system is healthy, whether it is enforced, and how it is enforced, is controlled by your Microsoft NPS policy configuration. Typically, most enforcement in Microsoft NAP is controlled by your health and network policies, which receive information from System Health Validators. The McAfee SHV is only one of potentially many SHVs that can be used by Microsoft NAP to determine a system's health, and whether an enforcement action is required. Any enforcement decision based on information from McAfee NAC depends on the configuration of the McAfee SHV, and how it is evaluated in your NAP policies.

Other information regarding a managed system's status — such as whether it has an exemption, has a manual enforcement request, or has been marked as malicious — is communicated to the McAfee SHV by the NAC manager. This communication occurs after the McAfee SHV has received the Statement of Health. See McAfee System Health Validator operations.

For information about Microsoft NAP policies and the operation of its components, see the Microsoft Network Access Protection documentation.

Exemptions and NAP enforcement

A system's exemption status, whether from an exemption rule or set by an administrator, is communicated to the NPS server by the McAfee SHV. Your NAP policies are not required to act on this information, and can choose to respect or ignore the McAfee NAC exemption status as is appropriate for your environment. Systems that are considered exempt in McAfee NAC can be quarantined if your NAP network policy configuration determines that the system is unhealthy.

Automatic remediation with NAP enforcement

When using McAfee NAC in a Microsoft NAP environment, McAfee recommends that you configure your system health policies and NAC client policies according to your remediation requirements. All McAfee NAC automatic remediation features must be enabled, and your NAP policies must enable automatic remediation. When configured this way, Microsoft NAP attempts to run all automatic remediation actions specified in your McAfee NAC managed system health policies.

In addition, for the McAfee NAC automatic remediation feature to work properly, your NAP policies for noncompliant systems cannot use the Deny Access option. Instead, use the Allow Limited Access option. You must also configure a NAP Remediation Server Group that allows access to:

• The ePO server.

• Network systems that host or allow access to remediation resources, such as required applications and operating system patches.

• Optionally, your DNS server, DHCP server, and domain controllers.

NAC client operations in NAP mode

When the NAC client is configured in NAP enforcement mode, its operation changes.

• It no longer functions as an enforcer. As a result, your McAfee NAC network access policies are invalid when the NAC client is in NAP mode.

• Its assessor role is expanded so that it also functions as a Microsoft System Health Agent (SHA).


There are no changes to the NAC client's normal operations as an assessor. All applicable system health policies are assessed and reported to the NAC manager.

NOTE: A managed system in a Microsoft NAP environment might have several System Health Agents installed.

The NAC client as a System Health Agent

As an SHA, the NAC client is responsible for sending a Statement of Health to the McAfee System Health Validator (SHV) installed on the NPS server. The Statement of Health contains a health level and other information the McAfee SHV needs to obtain validation of the managed system from the NAC manager. The health level contained in the Statement of Health is always the system's assessed health level.

The NAC manager attempts to validate the system, and returns that information to the McAfee SHV, along with other information it knows about the system, such as whether it has an exemption, has an enforced health level override, or is marked as malicious and has an associated post admission policy health level. The McAfee SHV then reports all the information it has to the NPS server, which is acted on according to your configured NAP health and network policies.

When a system's enforcement status changes, the NAP Agent on the managed system sends an Isolation State Change event to the NAC client (and any other SHAs installed on the system). The NAC client reports these events to the NAC manager, which updates the system's status. These events can be useful for generating reports about enforced systems, because an enforcement change can be caused by an SHA other than the NAC client.

Configuring a NAC client policy for NAP mode

Use this task to configure the NAC client to operate in Microsoft NAP enforcement mode.

Task

For option definitions, click ? in the interface.

1 Go to Systems | Policy Catalog, then select Network Access Control Client 3.2.0 from the Product drop-down menu. There is only one category value: General.

2 Select an existing policy to edit or duplicate, or click New Policy.

3 If creating a new policy, select an existing policy as a template, and type a name for the new policy. The name should indicate that the policy is for use in a Microsoft NAP environment.

4 For Enforcement method, select Microsoft Network Access Protection (NAP).

5 If your NAP policies allow remediation to be requested from McAfee NAC, see Configuring automatic remediation for NAP mode.

6 Specify whether you want the McAfee system tray icon enabled, then save the policy.

7 Go to Configuration | Server Settings, then select Network Access Control from the category list. Check the value for Default rule health level. This health level is sent in the Statement of Health if a benchmark rule does not explicitly set a health level to assign when a rule fails. To change the value, click Edit, and select the health level you want reported from the Default rule health level drop-down menu.

8 Deploy this NAC client policy to all managed systems you want enforced by Microsoft NAP.


Configuring automatic remediation for NAP mode

Use this task to configure your NAC client policies and managed system health policies so that Microsoft NAP can request that McAfee NAC attempt to remediate unhealthy systems.

Before you begin

This task assumes that you have already configured a NAC client policy to use the Microsoft NAP enforcement method. If not, combine this task with Configuring a NAC client policy for NAP mode.

Task

For option definitions, click ? in the interface.

1 Go to Systems | Policy Catalog, then select Network Access Control Client 3.2.0 from the Product drop-down menu.

2 For an existing NAC client policy configured for NAP enforcement, click Edit.

3 For Automatic remediation, select Use local system credentials or Use the following credentials. Type administrator credentials for Username and Password if you are specifying credentials. Click Save.

4 Go to Systems | Network Access Control, then select Managed System Health Policies from the left column.

5 For every system health policy:

a Click Edit.

b In the policy builder, click the Select Benchmarks page.

c Select every benchmark that specifies a remediation command, then click Auto-remediation.

d In the Action Taken pane, select Enable auto-remediation, then click OK.

6 Click Save.

Support for non-native operating systems

McAfee Network Access Control includes a DHCP Agent that allows you to use Microsoft NAP enforcement on managed systems running some operating systems that are not natively supported by NAP (Microsoft refers to these as Down Level Clients or DLCs). Therefore, you can enforce any system that can host the NAC client, but cannot host the Microsoft NAP System Health Agent.

The DHCP Agent allows you to use Microsoft NAP enforcement on:

• Windows XP SP2 systems.

• All 32-bit versions of Windows 2000 where the NAC client can be installed.

• All 32-bit versions of Windows 2003 where the NAC client can be installed.

NOTE: The Windows 2008 operating system is not supported by the DHCP Agent as a client system.

In the Microsoft NAP interface, all Down Level Client systems will look like Windows XP SP3 systems. If your NAP policies evaluate the Windows System Health Validator, DLC systems will always pass. All compliance assessment you need performed on DLC systems must be specified in your McAfee NAC system health policies. Enforcement of these systems by Microsoft NAP is based solely on the Statement of Health received from the McAfee System Health Validator.

Installing the DHCP Agent

Use this task to install the McAfee DHCP Agent. This agent allows you to enforce systems, using Microsoft NAP, that run some operating systems that are not natively supported by NAP. You also run this installer to modify, repair, or remove the DHCP Agent.

Before you begin

The DHCP Agent can be installed only on a Windows 2008 DHCP server.

CAUTION: The McAfee DHCP Agent is compatible only with 32-bit operating systems. Your DHCP server must be running a 32-bit version of Windows 2008.

Task

For option definitions, click ? in the interface.

1 Download the DHCPAgent.zip file from the McAfee product download site to your Windows 2008 DHCP server. The DHCP Agent installation files are also located on the ePO server at Program Files/McAfee/Network Access Control/Server/DHCP Agent. Copy this folder to your DHCP server.

2 Unzip the DHCPAgent.zip file, and run the Setup program. If you copied the DHCP Agent folder from your ePO server, run the Setup program.

3 On the Destination Folder screen, accept the default path (recommended), or click Change to specify an alternate location. Click Next.

4 Click Install.

McAfee System Health Validator operations

The McAfee System Health Validator (SHV) requires secure communications with the NAC manager to authenticate client systems in a Microsoft NAP environment. Certificate provisioning is the process of establishing the certificates needed for these activities.

Certificate provisioning is essential for the proper operation of the McAfee SHV. Without it, the SHV cannot retrieve accurate system information from the NAC manager, and the full power of McAfee NAC cannot be utilized.

If it cannot communicate with the NAC manager, the SHV must trust the information about a system provided by the NAC client (in its role as an SHA). Information about the system's policy age and exemption status, for example, could be out-of-date or an approximation.

The McAfee SHV configuration allows you to set compliance values for error conditions, such as communication problems. Though it is possible to configure the SHV to ignore communication problems, this should not be considered a normal operating condition, and used only as a solution for temporary communication outages. However, the ability to ignore communication problems, even though the trust level is reduced, can be useful to customers who do not want to risk many client systems becoming noncompliant because a communication channel was temporarily lost.

The SHV configuration interface opens before the installation finishes, allowing you to perform some initial certificate provisioning as part of the installation process.


Certificate status and the certificate store

The two most common Certificate Status values in the SHV configuration interface are:

• PROVISIONED — Indicates that the local system certificate store contains what it considers valid certificates.

• NOT PROVISIONED — Indicates that no certificates could be found.

The SHV configuration interface does not attempt to validate the certificates in the store before displaying the status. The displayed status indicates only whether there are certificates in the store specific to the McAfee SHV. The interface can also show errors that occur during the provisioning process.

In unusual circumstances, it is possible to have certificates in the store that cannot be used for communication. One example is when the SHV is provisioned against one ePO server, then later reconfigured to use a second ePO server, without re-provisioning. This situation can leave certificates in the store that do not work when communication with the second ePO server is attempted. In this case, you must re-provision the certificates against the second ePO server.

If the McAfee SHV is uninstalled from the NPS server, any certificates it has provisioned are removed from the system certificate store.

How certificate provisioning is performed

Certificate provisioning configuration is performed by running the McAfee SHV configuration interface from the NPS console. By default, McAfee NAC and the McAfee SHV are installed with a blank value for the Trusted communications setup shared secret. The blank value is valid, and allows initial certificate provisioning to occur.

When you request a new certificate from the McAfee SHV configuration, you must provide the Trusted communications setup shared secret that is set in the Network Access Control server settings. Regardless of the actual value, the requirement is that the Trusted communications setup shared secret and the Shared secret for certificate provisioning must match. If you experience problems, verify these two settings.

Installing the McAfee System Health Validator

Use this task to install the McAfee System Health Validator (SHV) on your Microsoft NPS server.

CAUTION: The McAfee System Health Validator is compatible only with 32-bit operating systems. Your Microsoft NPS server must be running a 32-bit operating system.

Before you begin

During installation, the McAfee SHV configuration interface is opened. If you want to set configuration options at this time, see Configuring the McAfee System Health Validator for details.

Task

For option definitions, click ? in the interface.

1 Download the McAfeeSHV.zip file from the McAfee product download site to your NPS server.

2 Unzip the file, and run the Setup program.

3 On the Destination Folder screen, accept the default path (recommended), or click Change to specify an alternate location. Click Next.

4 Click Install.


5 After you click Finish, the SHV configuration interface opens. If you want to configure the SHV later, click Cancel.

Configuring the McAfee System Health Validator

Use this task to configure the McAfee System Health Validator properties once it is installed on the Microsoft NPS server.

Before you begin

If you want to use a shared secret for trusted communications between your ePO server and the McAfee System Health Validator, do the following before configuring the McAfee SHV:

1 Go to Configuration | Server Settings, and select Network Access Control from the category list.

2 Click Edit.

3 For Trusted communications setup, enable Password required, then type and confirm a password for Shared secret.

4 Click Save.

Make a note of the string you entered for the shared secret. You will need it for Step 7 below.

Task

For option definitions, click ? in the interface.

1 Open the NPS console, and under Network Access Protection, go to System Health Validators.

2 Select the McAfee System Health Validator to open the Properties interface.

3 On the Settings tab under Error code resolution, set the compliance value to use for SHV unable to contact required services and SHA not responding to NAP Client.

4 Click Configure. On the Configuration tab:

a Set a minimum health level value. If the Statement of Health from the NAC client contains at least this value (see the description on the Configuration tab), the McAfee SHV reports the system's status as healthy.

b Enable or disable the quarantine of systems based on the interval between policy updates. If enabled, you can set the number of days allowed between updates.

c Enable or disable whether the SHV is allowed to trust the information about a system it receives in the Statement of Health without validation from the NAC manager.

5 Click the Setup tab.

6 Under McAfee ePO server details, type the name or IP address of the ePO server you want the McAfee SHV to communicate with. Do not change the Communication port.

NOTE: The communication port number, 8444 by default, must match the setting for Server-to-sensor communication port on your ePO server.

7 Under SHV authentication certificate, click Request new certificate.

a Type the name or IP address of the ePO server you want the McAfee SHV to communicate with.

b Do not change the Communication port. This port number must match the setting for Console-to-application server communication port on your ePO server.


c For Shared secret for certificate provisioning and Shared secret confirmation, type the value of the shared secret you set for Trusted communications setup in the Network Access Control server settings. If the shared secret for Trusted communications setup is blank, then leave these options blank in the SHV.

System Health Validator failure categories

There are two situations in which the McAfee System Health Validator (SHV) might not be able to fully validate a Statement of Health from a NAC client:

• When communication with the ePO server is lost.

• When the NAC client, functioning as a System Health Agent, stops communicating with the local NAP Agent.

In these situations, the McAfee SHV might fall back on compliance settings configured for it in the NPS console. These settings are sometimes referred to as Failure Category settings.

To establish these failure category settings, you open the McAfee System Health Validator Properties interface in the NPS console. The “Error code resolution” section defines the failure categories. Of the five possible failures, the McAfee SHV supports only:

• SHV unable to contact required services.

• SHA not responding to NAP Client.

Changes to the other settings are ignored by the McAfee SHV.

When the McAfee SHV loses contact with the ePO server, it immediately tries to re-establish the connection. By default it tries every ten seconds. If a Statement of Health arrives from a NAC client during this time, the McAfee SHV cannot get current configuration data from the NAC manager for the system. If the SHV has been configured to ignore ePO communication problems, after it validates the certificate it is forced to trust the information sent by the NAC client and make the best compliance decision it can.

If the McAfee SHV is not configured to ignore ePO communication problems, it defers the compliance decision to the value of the “SHV unable to contact required services” setting.

It is also possible for the NAP Agent to send a Statement of Health based on cached data for a NAC client that is no longer responding to it. The McAfee SHV never accepts this type of Statement of Health and always defers to the “SHA not responding to NAP Client” failure category setting.

NOTE: Changes to the failure category settings do not take effect until the IAS service is restarted. This can be done from the command line by typing net stop ias, followed by net start ias.

System Health Validator error conditions

The McAfee System Health Validator (SHV) uses a set of error codes for conveying information about problematic conditions to a NAC client in its role as a System Health Agent. The McAfee SHV determines the error condition and reports it to the NAC client, where it can be displayed on the client system.

Other errors are possible, such as out-of-memory, but they are not defined here because they are generic errors.

The main sources of errors are:


• Certificate provisioning problems, such as an attempt to re-provision but the port and/or shared secret is wrong, or an attempt to change ePO servers without re-provisioning.

• Loss of communication with the ePO server.

• Loss of communication with the SHA, that is, the NAC client.

Most of the error codes are condition codes that indicate the reason a system was considered noncompliant by the McAfee SHV. The condition codes and their meaning are listed below.

No ePO server communications: The SHV cannot contact the ePO server.

No NAC client communications: The NAP Agent on a system is serving as a proxy for the NAC client because communication between them has failed or been interrupted.

Invalid Statement of Health: The proprietary data structure that contains health information passed between the SHA and SHV is not what the SHV expected.

Bad certificate: The proprietary data structure passed from the SHA contained a bad certificate. The common causes are that the data structure didn't exist or was the wrong size.

Bad signature: The proprietary data structure that was passed from the SHA contained a bad signature. The common causes are that the data structure didn't exist or was the wrong size.

Invalid certificate: The proprietary data structure that was passed from the SHA contained a certificate that was not recognized by the SHV. The most likely reason is that the certificate was signed by the wrong ePO server.

Authentication failed: The client could not be authenticated. The most likely reason is that the signature was created using an unrecognized key (a key different from what was found in the certificate).

Unknown client: The client was authenticated but the NAC manager has no information about the system.

Insufficient health: The health level provided by the NAC client was less than the required level configured in the SHV.

Policy too old: The policy provided by the NAC client was out-of-date.

Unknown status: The SHV hasn't responded with a compliance status. The status is used by the SHA to display a message on startup.
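The decision flow described above (cached Statements of Health, the “ignore ePO communication problems” option, the failure category settings and the condition codes) as an added model in Python; this is not McAfee code. The condition-code names and the deferral behaviour come from the text; the field names, the numeric health scale, the boolean representation of the failure category settings and the order of the checks are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class StatementOfHealth:
    """Constructed stand-in for the proprietary SHA -> SHV data structure."""
    client_id: str
    from_nap_cache: bool           # NAP Agent replayed cached data; SHA not responding
    well_formed: bool              # structure exists and has the expected size
    cert_present: bool
    cert_issuer: str               # ePO server that signed the client certificate
    signature_present: bool
    signature_matches_cert: bool   # signed with the key found in the certificate
    health_level: int              # assumed numeric scale; higher is healthier
    policy_age_days: int


@dataclass
class ShvConfig:
    """Constructed SHV settings; this representation is an assumption."""
    epo_reachable: bool
    ignore_epo_comm_problems: bool
    trusted_epo: str
    required_health_level: int
    max_policy_age_days: int
    known_clients: FrozenSet[str]          # systems the NAC manager knows about
    # Failure category settings: the verdict the SHV falls back on when it
    # cannot decide itself (modelled as True = compliant, False = noncompliant).
    services_unavailable_verdict: bool     # "SHV unable to contact required services"
    sha_not_responding_verdict: bool       # "SHA not responding to NAP Client"


@dataclass
class Decision:
    compliant: bool
    condition: Optional[str]       # condition code from the list above, if any
    deferred_to: Optional[str]     # failure category setting that decided, if any


def _judge_health(soh: StatementOfHealth, cfg: ShvConfig) -> Decision:
    """Health checks the SHV can make from its own configuration."""
    if soh.policy_age_days > cfg.max_policy_age_days:
        return Decision(False, "Policy too old", None)
    if soh.health_level < cfg.required_health_level:
        return Decision(False, "Insufficient health", None)
    return Decision(True, None, None)


def validate(soh: StatementOfHealth, cfg: ShvConfig) -> Decision:
    """Return the SHV's compliance decision for one Statement of Health."""
    # Cached data proxied by the NAP Agent is never accepted: the
    # "SHA not responding to NAP Client" category always decides.
    if soh.from_nap_cache:
        return Decision(cfg.sha_not_responding_verdict,
                        "No NAC client communications",
                        "SHA not responding to NAP Client")
    # Structural and cryptographic checks (order assumed).
    if not soh.well_formed:
        return Decision(False, "Invalid Statement of Health", None)
    if not soh.cert_present:
        return Decision(False, "Bad certificate", None)
    if not soh.signature_present:
        return Decision(False, "Bad signature", None)
    if soh.cert_issuer != cfg.trusted_epo:
        return Decision(False, "Invalid certificate", None)
    if not soh.signature_matches_cert:
        return Decision(False, "Authentication failed", None)
    if not cfg.epo_reachable:
        if not cfg.ignore_epo_comm_problems:
            return Decision(cfg.services_unavailable_verdict,
                            "No ePO server communications",
                            "SHV unable to contact required services")
        # Outage ignored: the certificate checked out, so the SHV has to
        # trust what the client asserts. The NAC manager lookup is skipped,
        # which is why an unknown client can pass here but not below.
        return _judge_health(soh, cfg)
    if soh.client_id not in cfg.known_clients:
        return Decision(False, "Unknown client", None)
    return _judge_health(soh, cfg)


if __name__ == "__main__":
    # Constructed sample: a client the NAC manager has never seen, evaluated
    # with ePO up, ePO down (fail closed) and ePO down but ignored.
    soh = StatementOfHealth("host-z", False, True, True, "epo-1", True, True, 3, 1)
    base = dict(trusted_epo="epo-1", required_health_level=2, max_policy_age_days=7,
                known_clients=frozenset({"host-a"}), services_unavailable_verdict=False,
                sha_not_responding_verdict=False)
    for reachable, ignore in ((True, False), (False, False), (False, True)):
        cfg = ShvConfig(epo_reachable=reachable, ignore_epo_comm_problems=ignore, **base)
        print(f"epo_reachable={reachable} ignore={ignore}: {validate(soh, cfg)}")
```

The third sample run shows the trade-off the text describes: with the outage ignored, a system the NAC manager has no record of is judged on its own claims alone.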


Glossary

access control (AC): Regulation of the use of system resources according to a security policy.

Access Control List (ACL): A list of the services available on a server, each with a list of the hosts permitted to use the service.

access point (AP): A network device (commonly called a wireless router) that plugs into an Ethernet hub or switch to extend the physical range of service for a wireless user. When wireless users roam with their mobile devices, transmission passes from one access point to another to maintain connectivity.

actions: The predefined response to an event such as a detection or an alert. The available actions depend on the application or component. See also response.

Active Directory: The Microsoft Directory Service available with Windows 2000 Server and Windows Server 2003 operating systems.

ActiveX control: A software component used by programs or web pages to add functionality that appears as a normal part of the program or web page. Most ActiveX controls are harmless; however, some might capture information from your computer.

administrator: A user account with read, write, and delete permissions that manages user accounts, installs software, and receives status emails and notifications. Sometimes abbreviated as “admin.”

agent: See McAfee Agent.

agent installation package: The Setup program and all files needed to install the McAfee Agent.

agent wake-up call: Agent-server communication initiated from the ePO server. Compare to SuperAgent wake-up call.

agent-server communication: Any communication between the McAfee Agent and the ePO server where data is exchanged.

agent-to-server communications interval (ASCI): The time between agent-server communications.

alien agent: In Rogue System Detection, a rogue state that characterizes a system with an agent that is not in the ePO database. See also inactive agent, rogue system.

API: See Application Program Interface.

appliance: A purpose-built hardware system that can be installed at key points in your network to carry out various tasks.

application: Software that can be installed on a computer. It can be a complex combination of executable (EXE) files, DLLs, data files, registry settings, and install/uninstall files. Compare to potentially unwanted program.

Application Program Interface (API): The interface by which an application program accesses the operating system and other services.

ASCI: See agent-to-server communications interval.

assessment: The process of evaluating a system, device, network group, or other assets for compliance against a set of defined criteria, for example, identifying policy violations and vulnerabilities.

asset: A specific workstation, server, router, switch, or other type of resource that needs to be protected or monitored. Examples include computer systems, databases, and networks.

audit: An examination or assessment of one or more assets against a set of standards.

authentication: The process of verifying the digital identity of the sender of an electronic communication.

automatic response: A feature of ePolicy Orchestrator that enables customers to take automatic actions in response to incoming events.

bandwidth: The amount of data (throughput) that can be transmitted in a fixed period of time.

batch file: A specific script file format (.bat) that runs on Microsoft-compatible operating systems, including DOS and Windows.

benchmark: A collection of rules for assessing system compliance. The implementation of a benchmark in McAfee software conforms to the OVAL/XCCDF specifications.

blocking: Action taken to intercept and prevent a communication attempt.

broadcast address: A standard TCP/IP address, which transmits the message to all systems within a local subnet.

broadcast detection: A type of detection where the Rogue System Sensor monitors broadcast packets to identify systems as they request access to the network. Compare to DHCP detection.

certificate: A method to prove identity by many cryptographic systems, and a method many websites use to authenticate that the site is genuine. A certificate contains a user’s name and public key.

check: A mechanism for evaluating a specific condition of a system or asset, such as the presence of security products and patches, or threats.

client: A program that runs on a personal computer or workstation and relies on a server to perform some operations. For example, an email client is an application that lets you send and receive email.

client computer: Part of client-server software architecture; a computer system that requests a service of another computer system (a server) and accepts the server’s responses.

client software: A software module, installed on each client computer, that serves as an intelligent link between the client computer and a server.

client task: Tasks that are initiated by a server and distributed to and executed on each client system connected to the server. Compare to server task.

compliant: The state of any system that has been scanned and assessed and meets the criteria specified by one or more McAfee policy types, such as a configuration policy or a network access policy.

configuration policy: The settings that determine how each product that can be managed by ePolicy Orchestrator behaves on managed computers.

console tree: See System Tree.

content package: Product data that is periodically retrieved from the McAfee website.

credentials: The user name and password required to perform scanning, installation, and other functions.

dashboards: Collections of user-selected and configured monitors that provide current data about your environment. Monitors can be anything from a chart-based query to a small web application, like the My Avert Threat Service. See also query, reports.

DAT files: Detection definition files, also called signature files, containing the definitions that identify, detect, and repair viruses, Trojan horses, spyware, adware, and other potentially unwanted programs (PUPs).

deployment: The process of distributing and installing software and data to systems from a central location.

details pane: The right pane of the ePolicy Orchestrator interface, which shows details of the currently selected item in the System Tree.

detection definition files: See DAT files.

device: A term used to refer to computers, printers, routers, and other hardware.

DHCP: See Dynamic Host Configuration Protocol.

DHCP detection: A type of detection where the Rogue System Sensor monitors DHCP response packets to identify systems as they request access to the network. Compare to broadcast detection. See also Dynamic Host Configuration Protocol.

Directory: See System Tree.

DNS: Domain Name System. A database system that translates an IP address, such as 11.2.3.44, into a domain name, such as www.mcafee.com.

domain: A local subnetwork or a descriptor for sites on the Internet. On a local area network (LAN), a domain is a subnetwork made up of client and server computers controlled by one security database. On the Internet, a domain is part of every web address. For example, in www.mcafee.com, mcafee is the domain.

download site: The McAfee website (http://www.mcafee.com/us/downloads) for retrieving McAfee products and updates (for example, DAT file and engine).

Dynamic Host Configuration Protocol (DHCP): A protocol used to dynamically allocate IP addresses to computers on a local area network.

end-user license agreement (EULA): A legal contract between the producer of software and its user. The EULA might contain limitations on how you can use or remove the product, or disclose functionality of the product that might not be readily apparent.

enforcement: The process of changing or updating asset configurations, software, or network access based on assessment results or administrator action. Compare to assessment, remediation.

enforcement interval: The time between predefined enforcement actions.

enforcement mode: A setting in a network access policy that specifies how rules in a benchmark are applied to noncompliant systems.

engine: A component of security software programs that scans systems or networks for threats, vulnerabilities, and potentially unwanted programs. For example, anti-virus and anti-spyware programs use DAT files to scan systems for viruses and other malware.

ePO server: The back-end component of ePolicy Orchestrator software.

ePolicy Orchestrator (ePO): A McAfee solution to manage security applications and suites from a central console. It helps organizations streamline their security process and enforce protection policies.

event: In a computer system or program, an incident or occurrence that can be detected by security software, according to predefined criteria. Typically an event triggers an action, such as sending a notification or adding an entry to an event log.

exemption list: A list of systems, identified by MAC address, that you want to be exempt from NAC scanning.

exemption rule: A set of criteria used to identify detected systems that you want to be exempt from NAC scanning or exempt from NAC enforcement.

extension: ZIP files that are installed on the ePO server to manage other security products in your environment. Extensions contain the files, components, and information necessary to manage such products.

firewall: A system (hardware, software, or both) designed to prevent unauthorized access to or from a private network. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially an intranet. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

global administrator: A user account with read, write, and delete permissions, as well as rights to all operations; specifically, operations that affect the entire installation and are reserved for only the global administrator.

host, host computer: Any computer on a network that is distinguished by name, IP address, or MAC address, and that has full two-way access to other computers on the Internet.

host-based security system: A security application that functions by virtue of being installed on and protecting each host computer in a network.

inactive agent: In Rogue System Detection, a rogue state that characterizes a system with an agent in the ePO database that has not communicated in a specified time. See also alien agent, rogue system.

inactive systems: Systems that are listed in the ePO database, but have not been detected by a Rogue System Sensor in a specified time. Typically these are systems that are shut down or disconnected from the network, such as laptops. See also managed systems, rogue system.

Intrusion Prevention System (IPS): A preemptive approach to host and network security used to identify and quickly respond to potential threats. An intrusion prevention system monitors individual host and network traffic. However, because an attacker might carry out an attack immediately after gaining access, intrusion prevention systems can also take immediate action as preset by the network administrator.

IP address: Internet Protocol address. An address used to identify a computer or device on a TCP/IP network. In IPv4, the current version, the format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be 0 to 255 (for example, 192.168.1.100). In IPv6, the format is a 128-bit numeric address.

IP range: A range of IP addresses.

key: A series of letters and numbers used by two devices to authenticate their communication. Both devices must have the key. See also WEP, WPA, WPA2, WPA2-PSK, WPA-PSK.

key pair: In public key cryptography, the public key and private key used to encrypt and decrypt data. Information encrypted using the private key can only be decrypted using the public key. Conversely, information encrypted using the public key can only be decrypted using the private key. See also certificate, certificate authority, private key, public key.

log file: A record of an application’s activities. Log files record the actions taken during an installation, scanning, or updating.

MAC address: Media Access Control address. A unique serial number assigned to a physical device (NIC, network interface card) accessing the network.

managed products: Security products (McAfee and third-party) that are managed by ePolicy Orchestrator.

managed systems: Systems on which the McAfee Agent is installed, with an active communication link between the agent and the ePO server.

master repository: A type of distributed software repository whose contents are the standard for all distributed repositories. Typically, the contents of the master repository are defined from the source repository contents and additional files added manually. See also pull, replication.

McAfee Agent: The distributed component of ePolicy Orchestrator that must be installed on each system in your network that you want to manage. Systems cannot be managed without an installed agent. The agent collects and sends information among the server, update repositories, managed systems, and products. Compare to SuperAgent.

McAfee Default policy: The base policy settings that provide out-of-the-box protection.

McAfee download site: See download site.

McAfee NAC client: A distributed component of McAfee Network Access Control, installed on managed computers throughout the network and in the VPN environment. It determines whether computers meet the minimum requirements of the compliance policy.

network access policy: A collection of rules that a system must comply with to be granted access to the network.

network access zone: A designation of the network resources that a noncompliant system can or cannot access.

NIC: Network Interface Card. A card that plugs into a laptop or other device and connects the device to the LAN.

noncompliance message: The text that appears on managed computers when they are deemed noncompliant while attempting to access the network locally.

notification: A message about a computer state, such as a threat detection or compliance status, which can be sent automatically to administrators or users according to a predefined configuration. See also alert.

Notifications: In ePolicy Orchestrator, the component that sends messages to users or performs user-specified actions when certain conditions are met.

OID: Object IDentifier. Defines the location of variables in MIBs. See also Management Information Base (MIB).

Open Vulnerability and Assessment Language: See OVAL.

operating system (OS): The most important program that runs on a computer. Every general-purpose computer must have an operating system to run other programs. Operating systems perform basic tasks such as recognizing keyboard input, sending output to the display screen, keeping track of files and directories on the disk, and controlling peripheral devices such as disk drives and printers. Examples of operating systems include DOS, Windows, Sun/OS, UNIX, Linux, FreeBSD, PalmOS, and MacOS.

OS identification: A series of algorithms to determine a remote host’s operating system, architecture, platform, or device type. This process might involve TCP/IP stack fingerprinting as well as application-layer protocol tests. See also vulnerability assessment.

OUI: Organizational Unique Identifier. Identifies the vendor of network-connected systems; it consists of the first 24 bits of a system’s MAC address.

OVAL: Open Vulnerability and Assessment Language. An internationally accepted community standard designed to promote publicly available security content and to standardize the transfer of this information across diverse security applications. OVAL definitions contain information that allows OVAL-compliant software to determine whether a specific software vulnerability, configuration, application, or patch is present on a system. OVAL is used by some regulatory standards, such as SCAP, to define a compliant machine state. See http://oval.mitre.org/. See also XCCDF, SCAP.

password: A code (usually consisting of letters and numbers) you use to gain access to your computer, a program, or a website.

Patch releases: Intermediate releases of a product that address specific issues.

permission sets: In ePolicy Orchestrator, a group of permissions, divided in sections, that can be granted to any user by assigning it to a user’s account. One or more permission sets can be assigned to any user that is not a global administrator (global administrators have all permissions to all products and features).

plugin, plug-in: A small software program that adds features to or enhances a larger piece of software. For example, plug-ins permit a web browser to access and execute files embedded in HTML documents that are in formats the browser normally would not recognize, such as animation, video, and audio files.

policy: A collection of rule sets or security criteria (configuration settings, benchmarks, network access specifications) assigned to any managed system or device. For assets, devices, and systems, policies define compliance, which is assessed or enforced by a McAfee security product like ePolicy Orchestrator. The types of McAfee policies depend on the application and include: threat detection and response; network access; configuration control; frequency of tasks such as scans and updates; and other security features. See also compliant, ePolicy Orchestrator, network access policy.

Policy Catalog: A location in the ePO interface where policies are stored.

popups: Small windows that appear on top of other windows on your computer screen. Pop-up windows are often used in web browsers to display advertisements.

port: A hardware location for passing data in and out of a computing device. Personal computers have various types of ports, including internal ports for connecting disk drives, monitors, and keyboards, as well as external ports for connecting modems, printers, mice, and other peripherals.

potentially unwanted program (PUP): A software program that might be unwanted, despite the possibility that users consented to download it. It can alter the security or the privacy settings of the computer on which it is installed. PUPs can, but do not necessarily, include spyware, adware, and dialers, and might be downloaded with a program that the user wants.

protocol: A set of rules enabling computers or devices to exchange data. In a layered network architecture (Open Systems Interconnection model), each layer has its own protocols that specify how communication takes place at that level. Your computer or device must support the correct protocol to communicate with other computers. See also Open Systems Interconnection.

proxy: A computer (or the software that runs on it) that acts as a barrier between a network and the Internet by presenting only a single network address to external sites. By representing all internal computers, the proxy protects network identities while still providing access to the Internet. See also proxy server.

proxy server: A firewall component that manages Internet traffic to and from a local area network (LAN). A proxy server can improve performance by supplying frequently requested data, such as a popular web page, and can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files.

PUP: See potentially unwanted program.

quarantine: Enforced isolation of a file or folder suspected of containing a virus, spam, suspicious content, or potentially unwanted programs (PUPs), so that the files or folders cannot be opened or executed.

query: A process for extracting information from a database. The results of queries are reports, displayed in charts and tables. See also reports.

registry key: In Microsoft Windows, registry keys store configuration information. The value of a relevant key is changed every time a program is installed or when its configuration settings are modified. Each key contains values and subkeys. Keys are referenced with a syntax similar to Windows’ path names, using backslashes to indicate levels of hierarchy.

registry value: Entries associated with a registry key, consisting of name/type/data. To access this data, the registry key is entered in the form key[\key_n…]\registry_value_name.

remediation: The process of updating noncompliant systems to make them compliant.

remediation redirect URI: The Uniform Resource Identifier for the remediation portal. The remediation redirect URI redirects the host under remediation to the remediation portal, to make it compliant with the security policies of your network. See also remediation portal IP address.

remediation task: A task that is created based on the detection of a vulnerability or a violation during an assessment.

reports: The results of a query, which can be displayed onscreen or exported to a file. File formats can include CSV, XML, HTML, PDF. A process for extracting information from a database. The results of queries are reports, displayed in charts and tables in one of several formats: CSV to use the data in a spreadsheet application like Microsoft Excel; XML to transform the data for other purposes; HTML for exported results to be viewable as a webpage; PDF for a report in a printable format. See also query.

repository: A location that stores products to be managed by ePolicy Orchestrator, and the policies used to manage those products.

response: How McAfee products, components, or services handle or take action on an event, such as a detection or an alert. See also actions.

rogue system: In Rogue System Detection, any system that accesses your network, but is not managed by an ePolicy Orchestrator server.

Rogue System Detection: A feature of ePolicy Orchestrator that detects rogue systems in real time by means of sensors placed on systems and servers throughout the network.

Rogue System Sensor: A distributed component of the Rogue System Detection feature in ePolicy Orchestrator software, installed on managed systems throughout the network. The sensor listens to network broadcast messages and detects when a new system has connected to the network. See also broadcast detection, DHCP detection.

scanner: A component that evaluates the state of a system against a set of criteria (for example, a compliance policy). Scanners search for vulnerabilities, threats, conditions, or states.

server: A computer or program that accepts connections from other computers or programs and returns appropriate responses. For example, your email program connects to an email server each time you send or receive email messages.

server task: Tasks that are initiated by and executed on only that server machine. Compare to client task.

service: A named process listening on a given port number using a given protocol. Services are generally contained by host properties.

shared secret: A string or key (usually a password) that has been shared between two communicating parties prior to initiating communication. It is used to protect sensitive portions of RADIUS messages. See also RADIUS.

state: The status or condition of a process, transaction, or setting.

static IP: A scheme for IP addressing that associates a unique and unchanging IP address with every host on the network.

system: A device connected to and communicating on the network.

system tray icon: The icon that appears in the system tray of computers running McAfee software. Right-click the icon to display a menu of commands.

System Tree: The left navigation pane of the ePO interface that lists domains and groups of systems. The System Tree organizes managed systems in units for monitoring, assigning policies, scheduling tasks, and taking actions.

task: An activity (both one-time, such as on-demand scanning, and routine, such as updating) that is scheduled to occur at a specific time, or at specified intervals.

TCP/IP: Transmission Control Protocol/Internet Protocol. A suite of protocols that are used to connect communicating devices over the Internet.

unmanaged systems: Systems without a McAfee Agent.

URL: Uniform Resource Locator. The standard format for Internet addresses.

URL installation: Installing the client software locally on a client computer by clicking a link to a unique website, sent via email from an administrator. The URL determines the protection services installed, the language for the services, and the group where the computer is placed. Compare to push installation, silent installation.

UTC time: Coordinated Universal Time. Time on the zero or Greenwich meridian.

wake-up call: See agent wake-up call.

XCCDF: Extensible Configuration Checklist Description Format. An XML format designed to specify security checklists, configuration documents, and other information. XCCDF was designed specifically to implement OVAL, but is also capable of supporting other security languages. See also OVAL, XML.

XML: Extensible Markup Language. A general-purpose markup language that allows users to define their own tags. Markup languages combine text and extra information about the text, including the text’s structure and presentation. XML facilitates the sharing of structured data across different applications and platforms.

ZIP file: A compressed archive that can contain multiple files.

Index

A
access restrictions 10
actions
    Modify health level 90
    Remove malicious status 100
    Remove NAC exempt 93
    Request scan 87
    Reset health level 91
    Set malicious status 100
    Set NAC exempt 93
administration, of McAfee NAC 79
assessed health level
    overriding 90
assessing system health 9, 86
    scheduling NAC scans 86
assessment
    by administrator request 87
    making systems exempt 64
    of system health 36, 37, 86
    policies for 49
assessment history, McAfee NAC 101
assessors 36, 37, 39
    NAC client 37
    NAC guest client 39
assigning a system health policy 49
audience
    for McAfee NAC 18
auditing
    system health compliance 85
automatic remediation
    command reference 71
    using with Microsoft NAP 118
    with McAfee Network Security Platform enforcement 106
    with Microsoft NAP enforcement 115

B
benchmark enforcement modes
    Audit Only 85
benchmarks
    automatic remediation 45
    creating for use with McAfee NAC 52, 53
    enabling automatic remediation 70
    enforcement mode 46
    enforcement modes 45
    for non-Windows operating systems 45
    using for network access compliance 45

C
cannot apply policy event 91
certificate provisioning
    for McAfee System Health Validator 119
certificates
    used by McAfee System Health Validator 119
client tasks 16
configuration
    guest portal 90, 113
    NAC server settings 81
configuring the guest portal 89, 113
configuring the NAC manager 79
contacts 16
controlling exemptions manually 68, 92
creating
    exemption rules 66
    exemptions based on an imported list 68
    NAC client deployment task 80
    NAC client policies 62
    network access policies 58
    network access zones 60
creating, in McAfee NAC
    benchmarks 52
    benchmarks from checks 53
    managed system health policies 54

D
dashboards 16, 74
deleting
    McAfee NAC enforcement results 101
    McAfee NAC scan results 101
deployment configurations 13
deployment task
    creating for NAC client 80
detected systems 16
detecting systems 9
detectors 32, 33, 35, 106
    NAC client 35
    NAC guest client 35
    Rogue System Detection service 33
DHCP Agent
    for Microsoft NAP enforcement 118
    installing, repairing, and removing 119

E
enforced health level
    administrator overrides 90
    removing a manual override 91
    setting manually 90
enforcement
    making systems exempt 63
    of access restrictions 10
enforcement history, McAfee NAC 101
enforcement modes
    for benchmarks 46
enforcement results
    deleting for a single system 101
enforcers 39, 41, 106, 115
    McAfee Network Security Platform 106
    Microsoft Network Access Protection 115
    NAC client 41


enforcing systems manually 90
ePolicy Orchestrator
    considerations when using Microsoft NAP 115
    features used by McAfee NAC 16
error conditions
    for McAfee System Health Validator 122
event log 16
events, see NAC events 91, 99
exempt systems list
    creating 68
exemption rules 65
exemptions 63, 64, 66, 67, 68, 92, 93, 106, 107, 108, 115
    by imported list 67
    controlling manually 68, 92
    creating by imported list 68
    creating with rules 66
    effect on McAfee Network Security Platform enforcement 106
    effect on Microsoft NAP enforcement 115
    exporting rules 67
    from assessment 64
    from enforcement 63
    importing a list of systems 68
    importing rules 67
    setting and removing 93
    when using health-based access control 107
    when using identity-based access control 108
exemptions and system classification 64
exporting
    exemption rules 67
    network access zones 60
    systems health policies 55

F
failure categories
    for the McAfee System Health Validator 122
fixing unhealthy systems 10
Frequently Asked Questions
    non-Windows NAC client 26

G
guest client 35, 39, 55, 73, 87, 88, 111, 112
    as assessor 39
    as detector 35
guest portal 88, 89, 112, 113
    configuration 89, 113

H
health assessment
    of a managed system 86
    of an unmanaged system 87, 111
health compliance
    auditing 85
health of NAC-managed systems 86
health-based access control
    effect on exemptions 107
    in McAfee Network Security Platform 107
historical NAC information 101

I
identity-based access control
    effect on exemptions 108
    in McAfee Network Security Platform 108
imported scan exemptions 92
importing
    an exempt systems list 67
    exemption rules 67
    network access zones 60
    systems health policies 55
installation, for McAfee NAC 20, 21
    requirements 21
installing
    McAfee Network Access Control 23
    NAC guest portal 20
    the McAfee DHCP Agent 119
    the NAC client manually 24
    the NAC client manually on Linux 25
    the NAC client manually on Mac 25
    the NAC client manually on Windows 24
integration
    ePO considerations for Microsoft NAP 115
    with McAfee Network Security Platform 103
    with Microsoft NAP 114

M
malicious behavior, definition 95
malicious status
    removing 100
    setting 100
malicious system event 91, 99
    configuring a response 99
malicious systems 95, 99, 100
    configuring an event response 99
    resetting the status 100
    setting the status 100
managed system health policies, see system health policies 54
managed systems
    description 11
    health level override 90
    health policies 47
    scheduling NAC scans 86
manual control
    of exemptions 68, 92
manual enforcement of managed systems 90
manual remediation 72, 73
    required elements 73
McAfee Agent
    update using automatic remediation 70
    use by McAfee NAC 17
McAfee DHCP Agent
    for Microsoft NAP enforcement 118
    installing, repairing, and removing 119
McAfee NAC
    administration 79
    assessment history 101
    assessors 36
    audience 18
    combining with McAfee Network Security Platform 103
    combining with Microsoft NAP 114
    configuration requirements for using with McAfee Network Security Platform 103
    creating benchmarks 52
    creating benchmarks from checks 53
    detectors 32, 106
    distributed components 32
    editing permission sets 81
    enforcement history 101
    enforcers 39
    events and responses 91


McAfee NAC (continued)
    finding product information 19
    functional architecture 29
    functional description 8
    hardware and software requirements 21
    installation 20
    installing 23
    installing the guest portal 20
    NAC manager architecture 30
    operations when combined with McAfee Network Security Platform 104
    policies 43
    pre-installation guidelines 20
    queries 75
    remediation commands 71
    remediators 41
    running queries 78
    system requirements 20
    use of ePolicy Orchestrator features 16
    use of McAfee Agent 17
    use of Rogue System Detection 17
McAfee NAC assessors
    NAC client 37
    NAC guest client 39
McAfee NAC deployment
    standalone 13
    supported configurations 13
    with McAfee Network Security Platform 14
    with McAfee Network Security Platform and Microsoft NAP 15
    with Microsoft NAP 13
McAfee NAC detectors
    NAC client 35
    NAC guest client 35
    Rogue System Detection service 33
McAfee NAC enforcers
    McAfee Network Security Platform 103
    Microsoft NAP 114
    NAC client 41
McAfee Network Security Platform
    as a NAC enforcer 106
    combining with McAfee NAC 103
    configuration requirements in McAfee NAC 103
    configuring the NAC client 110
    configuring the NAC manager 110
    effect of firewall on client systems 106
McAfee System Health Validator
    certificate provisioning 119
    configuring 121
    error conditions 122
    failure categories 122
    operations 119
McAfee system tray
    notifications 37
McAfee system tray icon
    non-Windows systems 26
Microsoft Network Access Protection
    and NAC automatic remediation 115
    and NAC exemptions 115
    as a NAC enforcer 115
    combining with McAfee NAC 114
    configuring the NAC client 117
    ePolicy Orchestrator considerations 115
    installing, repairing, and removing the McAfee DHCP Agent 119
    setup requirements 115
    trusted communications setup 121
    using NAC automatic remediation 118
    using the McAfee DHCP Agent 118
Modify health level action 90
monitoring
    system health compliance 85
monitoring network access 79
monitoring network security 74
monitors 16, 74, 78
    creating 78
monitors, for McAfee NAC 74

N
NAC administrator actions
    purging scan results 101
    Remove malicious status 100
    Remove NAC exempt 65, 68, 92, 93
    removing enforcement results 101
    removing scan results 101
    Request scan 87
    scheduling scans 86
    Set malicious status 100
    Set NAC exempt 65, 68, 92, 93
NAC Benchmark Enforcement Mode query 85
NAC client
    as a detector 35
    as an assessor 37
    as an enforcer 41
    deploying 80
    installing manually 24
    installing manually on Linux 25
    installing manually on Mac 25
    installing manually on Windows 24
    operations in Microsoft NAP mode 116
    system health assessment 36, 37
NAC client policies
    configuring for Microsoft NAP enforcement 117
    configuring for use with McAfee Network Security Platform 110
    creating 62
    description 61
    enabling automatic remediation 70
NAC Client Started query 84
NAC client, non-Windows
    key differences 26
    policy updates
        non-Windows NAC client 26
NAC Enforced Health Level query 82
NAC enforcement
    using McAfee Network Security Platform 106
    using Microsoft NAP 115
    with McAfee Network Security Platform 103
    with Microsoft NAP 114
NAC events
    cannot apply policy 91
    creating responses 92
    malicious system 91
    Malicious System Detected 99
    system not enforceable 91
    system not healthy 91
NAC guest client
    as a detector 35
    as an assessor 39
NAC guest portal
    installing 20
NAC Malicious Systems query 84


NAC manager 30, 79, 110
    configuration 79
    configuring for use with McAfee Network Security Platform 110
NAC Manual Enforcement Request query 83
NAC monitors 82
NAC Remediation Command option 70
NAC Remediation Command Parameters option 70
NAC server
    editing configuration settings 81
NAC server settings
    guest portal configuration 90, 113
network access
    enforcing 41
    monitoring 79
network access control 8
network access enforcement 10
network access policies 57, 58
    creating 58
network access zones 58, 60
    creating 60
    importing and exporting 60
network security
    monitoring 74
Network Security Sensor
    and NAC automatic remediation 106
    and NAC exemptions 106
    as a detector 106
    as a NAC enforcer 106
non-Windows client
    FAQ and useful commands 26
    NAC client, non-Windows
        FAQ and useful commands 26
non-Windows operating systems
    benchmark recommendations 45
noncompliance message 48
notification log 16
notification rules 16
notifications 37

O
overriding the assessed health level 90
overriding the enforced health level 90

P
periodic identification message 106
permission sets 16
permission sets, McAfee NAC
    editing 81
policies
    for system assessment 49
    NAC client 61
    network access 57
    overview 43
    system health 47
policy activation 50
policy assignment 16
policy catalog 16
post admission control 95, 96, 97, 99
    creating an event response 99
    enforcement 97
    operational description 96
post admission policy 95, 98
    configuring 98
purging scan results 101

Q
queries 16, 75, 78, 82
    for use as NAC monitors 82
    running 78
queries, for McAfee NAC 74, 82, 83, 84, 85
    NAC Benchmark Enforcement Mode 85
    NAC Client Started 84
    NAC Enforced Health Level 82
    NAC Malicious System 84
    NAC Manual Enforcement Request 83

R
remediation 10, 70, 72, 73
    and network access zones 73
    automatic 70
    elements for manual remediation 73
    manual 72
    required network resources 73
    types of 70
remediation commands 71
remediators 41
Remove NAC exempt 65, 68, 92
removing
    the McAfee DHCP Agent 119
removing a system's malicious status 100
removing an exemption, McAfee NAC 93
removing systems 94
repairing
    the McAfee DHCP Agent 119
reporting 37
reports, see queries 75
repositories 16
request immediate scan 87
Reset health level action 91
responses 16, 91, 92, 99
    configuring for malicious system event 99
    creating for NAC events 92
    malicious system detected events 99
    to events 91
Rogue System Detection
    as a McAfee NAC detector 33
    use in McAfee NAC 17
rules
    for exemptions 65
    in benchmarks 49, 52, 53

S
scan exemptions 64, 92
    from an import list 92
scan results 37, 101
    deleting for a single system 101
    purging 101
scans
    for NAC system health 87
    scheduling 86
server tasks 16
Set NAC exempt 65, 68, 92
setting a system's malicious status 100
setting an exemption, McAfee NAC 93
setup requirements
    for Microsoft Network Access Protection 115
system classifications 11, 12, 64
    effect on exemptions 64
    managed 11
    unenforceable 12


system classifications (continued)
    unmanageable 12
    unmanaged 11
system detection 9
system health
    assessment 9, 86
    assessment by NAC client 36, 37
    auditing 85
    setting 37
system health levels
    in benchmarks and policies 44
system health policies 47, 48, 49, 50, 54, 55, 73
    assigning to systems 49
    compliance assessment 49
    creating and modifying 54
    exporting 55
    identifiers 48
    importing 55
    noncompliance message 48, 73
    policy activation 50
    structure 48
System Health Validator
    for McAfee NAC 119
system requirements 20
system tray, see McAfee system tray 37
systems
    marking as exempt 63
    removing from the database 94

T
tag catalog 16

U
unenforceable system event 91
unenforceable systems
    description 12
unenforceable systems and devices 94
unhealthy system event 91
unhealthy systems
    remediating 10, 70
unmanageable systems and devices 12, 94
    description 12
unmanaged system policy 55, 56
    editing 56
unmanaged systems
    checking health of 87
    description 11
    using the guest client 111
users 16
using this guide 18
