Network Access Control 4.0 Product Guide for use with ePO 4.5 and

Product Guide
McAfee Network Access Control 4.0.0
For use with ePolicy Orchestrator 4.5, 4.6 Software
COPYRIGHT
Copyright © 2012 McAfee, Inc. Do not copy without permission.
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator,
McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab,
McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection,
TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and
other countries. Other names and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Contents

Preface  7
  About this guide  7
    Audience  7
    Conventions  7
    Using this guide  8
  Find product documentation  8

1 Introduction  9
  Controlling network access  9
    System detection  10
    System health assessment  10
    Enforcing access restrictions  11
    How unhealthy systems are fixed  11
  How systems are classified  11
    Managed systems  12
    Unmanaged systems  12
    Unmanageable systems  12
    Unenforceable systems  13
  Supported deployment configurations  13
    Deployment with McAfee ePolicy Orchestrator  13
    Deployment with Microsoft Network Access Protection  14
    Deployment with McAfee Network Security Platform  15
    Deployment with McAfee and Microsoft products  16
  Using ePolicy Orchestrator features  17
    Using Rogue System Detection  18
    How the McAfee Agent is used  18

2 Installation  21
  Pre-installation information  21
    Hardware and software requirements  22
  Install McAfee NAC 4.0  24
    Cluster installation  24
  Manually install the McAfee NAC client  25
    Install on Windows manually  25
    Install on Mac OS manually  26
    Install on Linux manually  26
  Post-installation tasks  27
    Key differences in the non-Windows McAfee NAC client  27
    FAQ for non-Windows McAfee NAC client  28

3 Functional architecture and components  31
  McAfee NAC functional architecture  32
    McAfee NAC manager and how it works  33
    How McAfee NAC distributed component works  35
  Detectors and how they work  36
    Rogue System Detection as a detector  37
    McAfee NAC client used as a detector  38
    McAfee NAC guest client used as a detector  39
  Assessors and how they work  40
    Network Access Control client used as an assessor  41
    McAfee NAC guest client used as an assessor  43
  Enforcers and how they work  43
    McAfee NAC client used as an enforcer  45
  Remediators and how they work  45

4 McAfee NAC policies  47
  Types of policies  47
  System health levels and their function  48
  Benchmarks for McAfee NAC  49
    Benchmark enforcement modes  50
  Health policies of managed systems  51
    System health policy structure  52
  Work with managed system health policies  55
    Create a McAfee NAC benchmark  55
    Create a McAfee NAC benchmark from checks  57
    Create and modify managed system health policies  58
    Export managed system health policies  59
    Import managed system health policies  59
  Unmanaged system policy  59
    Edit the unmanaged system policy  60
  Network access policies  61
    Create network access policies  62
  Network access zones and compliance  62
    Create network access zones  64
    Import and export network access zones  64
  McAfee NAC client policies  65
    Create and modify McAfee NAC client policies  66

5 Using exemptions  69
  Types of exemptions  69
    Enforcement exemptions  70
    Scan exemptions  70
  How system classification affects exemptions  71
  How exemption rules work  71
    Export exemption rules  72
    Import exemption rules  73
  Using an imported exemption list  73
    Create an exempt systems list  74
    Create exemption rules  74
    Import an exempt systems list  74
  How manual exemptions work  75

6 Remediation of unhealthy systems  77
  Types of remediation  77
  Automatic remediation  78
    Common remediation commands  79
  Manual remediation  79
    Elements needed for manual remediation  80
    Remediation resources users must access  81

7 Dashboards, monitors, and queries  83
  McAfee NAC dashboards and monitors  83
  Queries for network access monitoring  84
  Create McAfee NAC monitors  87
    Create McAfee NAC monitors with ePolicy Orchestrator  88
  Run McAfee NAC queries  88

8 Network access administration and monitoring  91
  McAfee NAC manager configuration  91
  Deployment and configuration tasks  92
    Deploy the McAfee NAC client with ePolicy Orchestrator 4.6  92
    Edit McAfee NAC server settings  93
    Edit McAfee NAC permission sets  93
  Create queries for McAfee NAC monitors  94
    Create an Enforced Health Level query  94
    Create a Manual Enforcement Request query  95
    Create a Malicious System query  95
    Create a Network Access Control Client Started query  96
    Create a Benchmark Enforcement Mode query  97
  Health compliance auditing  98
  System health assessment of managed systems  98
    Schedule managed system scans in ePolicy Orchestrator 4.5  98
    Schedule managed system scans in ePolicy Orchestrator 4.6  99
    Request an immediate scan  100
  System health assessment of unmanaged systems  100
    Guest portal and guest client  101
    Guest portal configuration  102
    Configure the guest portal  103
  Health level overrides  103
    Modify a system's health level  104
    Reset a system's health level  104
  Events and responses  105
    Create automatic event responses  105
  Manual control of exemptions  106
    Set a system's exemption status  106
  Unmanageable devices and what to do with them  107
    How to handle unenforceable systems  107
    Remove retired or invalid systems  108
  Post admission control for malicious systems  108
    What are malicious systems  108
    How post admission control works  109
    Post admission control enforcement  110
    Post admission policies  111
    Configure a post admission policy  112
    Malicious system event responses  112
    Configure a malicious system event response  113
    Set a system's malicious status  113
    Remove a system's malicious status  114
  Assessment and enforcement histories  114
    Purge scan results automatically  114
    Delete scan or enforcement results manually  115

9 Integrating McAfee NAC with McAfee Network Security Platform  117
  Configuration requirements  117
  Operations when combined with McAfee Network Security Platform  119
    Operations unaffected by the McAfee® Network Security Manager access control mode  119
    Client systems that use firewall software  120
  McAfee® Network Security Sensor as a detector  120
  McAfee® Network Security Sensor as an enforcer  121
    Health-based access control  121
    Identity-based access control  123
  McAfee NAC manager configuration  124
    Configure a McAfee NAC client policy  125
  Assessment of unmanaged systems  125
    Guest portal and guest client  126
    Guest portal configuration  127

10 Integrating McAfee NAC with Microsoft Network Access Protection  129
  How McAfee NAC communicates with Microsoft NAP  129
  Setup requirements  130
    ePolicy Orchestrator considerations  130
  Microsoft NAP as an enforcer  131
  McAfee NAC client operations in Network Access Protection mode  132
    Configure a McAfee NAC client policy for Network Access Protection mode  132
    Configure automatic remediation for Network Access Protection mode  133
  Support for non-native operating systems  134
    Install the DHCP Agent  135
  McAfee System Health Validator operations  135
    Install the McAfee System Health Validator  136
    Configure the McAfee System Health Validator  137
  Failure categories of System Health Validator  138
  Error conditions of System Health Validator  139

Index  141
Preface
This guide provides the information you need for all phases of product use, from installation to
configuration to troubleshooting.
Contents
About this guide
Find product documentation
About this guide
This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
Conventions
This guide uses the following typographical conventions and icons.
Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.
Bold: Text that is strongly emphasized.
User input or Path: Commands and other text that the user types; the path of a folder or program.
Code: A code sample.
User interface: Words in the user interface including options, menus, buttons, and dialog boxes.
Hypertext blue: A live link to a topic or to a website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.
Using this guide
This guide will take you through the installation process and help you understand various features of
McAfee NAC 4.0.
• Learn how McAfee NAC works, and how the components interact: Chapter 1, Introduction
• Plan and perform the installation and deployment of McAfee NAC components: Chapter 2, Installation
• Plan an overall network access security strategy, learn the architectural description of the McAfee NAC components based on their functionality, operation and use of the Network Access Control server and Network Access Control client, and their interaction with product features: Chapter 3, Functional architecture and components
• Learn the function and use of system health policies for both managed and unmanaged systems, network access policies for controlling access based on health levels, and Network Access Control client policies for scan and enforcement configuration: Chapter 4, McAfee NAC policies
• Find out ways of marking systems as exempt from enforcement or exempt from scanning: Chapter 5, Using exemptions
• Automatically or manually remediate unhealthy systems on your network: Chapter 6, Remediation of unhealthy systems
• Get information about network security and system health through dashboards, monitors, and queries: Chapter 7, Dashboards, monitors, and queries
• Use McAfee NAC on a day-to-day basis: Chapter 8, Network Access Administration and monitoring
• Set up McAfee NAC to operate cooperatively with Network Security Platform: Chapter 9, Integrating McAfee NAC with McAfee Network Security Platform
• Set up McAfee NAC to operate cooperatively with Microsoft Network Access Protection: Chapter 10, Integrating McAfee NAC with Microsoft Network Access Protection
Find product documentation
McAfee provides the information you need during each phase of product implementation, from
installation to daily use and troubleshooting. After a product is released, information about the product
is entered into the McAfee online KnowledgeBase.
Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:
  User documentation:
    1 Click Product Documentation.
    2 Select a product, then select a version.
    3 Select a product document.
  KnowledgeBase:
    • Click Search the KnowledgeBase for answers to your product questions.
    • Click Browse the KnowledgeBase for articles listed by product and version.
1 Introduction
McAfee® Network Access Control (McAfee NAC) 4.0 is an extension to McAfee® ePolicy Orchestrator®
4.5 and 4.6 that provides network access security.
McAfee NAC can:
• Detect and assess managed systems on your network, and enforce access to network resources based on a system's health level.
• Detect and assess unmanaged systems on your network, and enforce network access based on a system's health or user identity when combined with a supported product.
To support enforcement of network access security for unmanaged systems, you can combine McAfee
NAC with McAfee Network Security Platform.
To understand what McAfee NAC does and how to use it, you must be familiar with these basics:
• Functional components you can use to control access to your network.
• System classifications that determine which functional components can be used.
• Supported deployment solutions based on the type(s) of systems you want to control.
In addition, it is important to understand how McAfee NAC fits into the framework provided by ePolicy
Orchestrator. See Using ePolicy Orchestrator features, and the ePolicy Orchestrator documentation.
Contents
Controlling network access
How systems are classified
Supported deployment configurations
Using ePolicy Orchestrator features
Controlling network access
McAfee® Network Access Control allows and blocks access to your network.
•
Detects and identifies connected systems.
•
Assesses a system's health according to predefined rules in policies.
•
Enforces network access restrictions based on policies that map health level to network access zones.
•
Fixes (remediate) systems that are not healthy.
The functional components that support these principles are described in the following table. For
details, see McAfee NAC functional architecture.
Table 1-1 McAfee NAC components
Network Access Control manager: The central management portion of McAfee NAC that provides policy management, exemption management, system classification, action triggers, component deployment, and data processing and storage.
Detectors: A component that identifies systems that connect to a network. A detector can be software only, or a combination of hardware and software. Detectors can be centralized or distributed as client-side agents.
Assessors: A component that evaluates the health of a system based on policies that describe or identify required software, patches, services, registry keys, and numerous other conditions that can be described by a rule.
Enforcers: A component that restricts a system's access to network resources according to a mapping of network access zones to health levels. Enforcers are typically health-based, but can use other criteria for restricting a system's network access.
Remediators: A component that automatically attempts to bring an unhealthy system back into compliance with the policies you have defined for a healthy system.
If you need to exclude specific systems from assessment or enforcement, McAfee NAC supports this
through exemptions. An exemption allows you to exclude a system or device, such as a printer, from
being assessed or enforced.
System detection
The primary purpose of detection is to uniquely identify a system. A secondary purpose is to provide
the Network Access Control manager with information that determines a system's classification.
McAfee NAC bases system detection on one or more of these factors:
• Acquisition of a DHCP-assigned address
• Deployment of the McAfee Agent
• Periodic network broadcasts
• Deployment of the Network Access Control client
• Establishment of a network connection
System health assessment
Assessment of a system's health is based on configurable policies that allow you to define various
types of security rules. Which assessor you can use depends on a system's classification.
Health assessments (scans) can be scheduled and performed automatically, or initiated manually by
an administrator through the NAC Summary Dashboard, or by a system user through the McAfee
system tray. Health assessment also occurs automatically based on certain system conditions.
The software predefines a set of health levels that administrators use to rank a system's health state
(or status) based on what is wrong. A system's health is evaluated automatically against the policies
you create, or it can be set manually.
In descending order, the health levels are:
• Healthy
• Serious
• Fair
• Critical
• Poor
How the health levels are used depends entirely on your policy definitions. Only the relative order of
these levels is important, and only as it relates to the way each level is mapped to network access
zones. See System health levels and their function.
Another health level, Unknown, is assigned to a system automatically under these conditions:
• The first time a system is detected, including startup.
• The assessed health of a system expires.
• A scan fails to finish successfully.
• A system is unmanageable (see How systems are classified).
• A change occurs to the system's network connection and it is detected again.
The Unknown health level is considered a special case, and typically is not considered part of the
health ranking.
Enforcing access restrictions
Enforcing network access restrictions is the responsibility of an enforcer. The enforcer you use is
configurable, and the method of restricting network access depends on the enforcer. The choice of an
enforcer depends on the products you are using for network access control.
In McAfee NAC, access enforcement is based on a system's current health status. In this regard,
McAfee NAC is exclusively a health-based enforcement mechanism.
The McAfee NAC enforcer bases enforcement on a configurable policy that maps network access zones
to health levels. Enforcement takes place locally on managed systems using a local firewall to block
new, outgoing connections. Which resources are blocked depends on how you define your network
access zones. Other supported enforcement products (enforcers) might use a different method, or
even base enforcement on criteria other than health. See Enforcers and how they work.
Administrators can also control system enforcement by setting a health level manually.
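The following is an added illustration, written for this page rather than taken from the McAfee NAC software, of how the pieces described in the assessment and enforcement sections fit together: the health ranking with Unknown as the special case outside it, the conditions that reset a system to Unknown (never scanned, scan failed, assessment expired, network connection changed), an administrator-set level, an enforcement exemption, and a policy that maps each health level to a network access zone whose destinations are the only ones a new outgoing connection may reach. The zone names, address ranges, health-to-zone mapping and 24-hour validity interval are constructed for the example; they are not McAfee defaults.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

# Health levels in the descending order this guide lists them. Unknown is the
# special case outside the ranking.
HEALTH_LEVELS = ["Healthy", "Serious", "Fair", "Critical", "Poor"]
UNKNOWN = "Unknown"

def rank(level):
    """Position in the ranking (0 = healthiest); Unknown sorts below every level."""
    return HEALTH_LEVELS.index(level) if level in HEALTH_LEVELS else len(HEALTH_LEVELS)

@dataclass
class Assessment:
    level: str
    scanned_at: datetime
    completed: bool = True          # a scan that did not finish yields Unknown

@dataclass
class ManagedSystem:
    name: str
    assessment: Optional[Assessment] = None   # None until the first scan
    manual_level: Optional[str] = None        # administrator-set health level
    exempt_from_enforcement: bool = False     # enforcement exemption
    network_changed: bool = False             # re-detected after a connection change

# Constructed policy values (not McAfee defaults). A zone lists the destinations
# a system at that level may open NEW outgoing connections to; everything else
# is blocked by the local firewall.
ACCESS_ZONES = {
    "full":        [ip_network("0.0.0.0/0")],
    "remediation": [ip_network("10.10.0.0/24")],   # patch and AV update servers
    "quarantine":  [ip_network("10.10.0.5/32")],   # help-desk portal only
}
HEALTH_TO_ZONE = {
    "Healthy": "full", "Serious": "full", "Fair": "remediation",
    "Critical": "remediation", "Poor": "quarantine", UNKNOWN: "quarantine",
}
HEALTH_VALIDITY = timedelta(hours=24)   # constructed expiry interval

def effective_health(system, now):
    """Apply the Unknown conditions from the guide, then any manual override."""
    if system.manual_level is not None:
        return system.manual_level          # administrator set the level manually
    a = system.assessment
    if a is None or not a.completed or system.network_changed:
        return UNKNOWN                      # never scanned, scan failed, or re-detected
    if now - a.scanned_at > HEALTH_VALIDITY:
        return UNKNOWN                      # assessed health has expired
    return a.level

def decide_connection(system, dest_ip, now):
    """Return (allowed, reason) for a new outgoing connection from `system`."""
    if system.exempt_from_enforcement:
        return True, f"{system.name}: exempt from enforcement"
    level = effective_health(system, now)
    zone = HEALTH_TO_ZONE[level]
    allowed = any(ip_address(dest_ip) in net for net in ACCESS_ZONES[zone])
    verdict = "allowed" if allowed else "blocked"
    return allowed, f"{system.name}: {level} -> zone '{zone}', {dest_ip} {verdict}"

def demo():
    """Constructed scenarios covering each Unknown condition and the override."""
    now = datetime(2012, 1, 1, 12, 0)
    fresh, stale = now - timedelta(hours=1), now - timedelta(hours=30)
    cases = [
        (ManagedSystem("healthy-pc", Assessment("Healthy", fresh)), "203.0.113.9"),
        (ManagedSystem("poor-pc", Assessment("Poor", fresh)), "203.0.113.9"),
        (ManagedSystem("poor-pc", Assessment("Poor", fresh)), "10.10.0.5"),
        (ManagedSystem("stale-pc", Assessment("Healthy", stale)), "10.10.0.77"),
        (ManagedSystem("failed-scan", Assessment("Healthy", fresh, completed=False)), "10.10.0.77"),
        (ManagedSystem("moved-pc", Assessment("Healthy", fresh), network_changed=True), "203.0.113.9"),
        (ManagedSystem("override-pc", None, manual_level="Fair"), "10.10.0.77"),
        (ManagedSystem("printer", exempt_from_enforcement=True), "203.0.113.9"),
    ]
    return [(s.name, decide_connection(s, ip, now)[0]) for s, ip in cases]

if __name__ == "__main__":
    for name, allowed in demo():
        print(f"{name}: {'allow' if allowed else 'block'}")
```

The point to take from the model is that the enforcer never reasons about the health level itself; it only looks up the zone the policy maps that level to, which is why the guide says only the relative order of the levels, and how each is mapped to a zone, matters. Mapping Unknown to the most restrictive zone is the conservative choice: a system that was never scanned, whose scan failed, or that reappeared on a different network segment gets the same treatment as a Poor one until it is assessed again.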
How unhealthy systems are fixed
Unhealthy systems can be brought back into compliance with your health policies manually or
automatically. In McAfee NAC, a remediator is a component that can automatically try to fix problems
or deficiencies with unhealthy systems.
McAfee NAC includes a built-in remediator, but it can be used only with managed systems because:
• Use of the McAfee NAC remediator is specified in policies that are passed only to managed systems.
• Remediation commands often require credentials, which are not typically available on unmanaged systems.
How systems are classified
The way that McAfee NAC classifies each system on your network is important for setting up and using
the product, and for using its features.
There are four system classifications:
• Managed systems
• Unmanaged systems
• Unmanageable systems
• Unenforceable systems
These classifications, and their characteristics and requirements, apply exclusively to McAfee NAC
functionality. Other products, including those that can be combined with McAfee NAC, might use the
same classifications, but with different characteristics or requirements.
A system's classification determines which assessor, enforcer, and remediator can be used, if at all.
Managed systems
In ePolicy Orchestrator, a managed system is one with the McAfee Agent installed and operating properly.
McAfee NAC extends this definition. A managed system is one with both the McAfee Agent and the
McAfee NAC client installed and operating properly. Being a managed system according to McAfee NAC
is the one prerequisite for using most of the software features.
A system that has the McAfee NAC guest client installed (as a detector and assessor) is not considered
a managed system. See Detectors and how they work and Assessors and how they work.
Managed systems have these characteristics and requirements:
• Only ePolicy Orchestrator managed systems can host the McAfee NAC client.
• System health is assessed by the McAfee NAC client.
• System health is evaluated against your managed system health policies.
• Enforcement can be controlled locally by the McAfee NAC client.
• Enforcement can be controlled by the Microsoft Network Access Protection product.
Unmanaged systems
In ePolicy Orchestrator, a rogue is a system without the McAfee Agent installed, or a system with an
agent from another ePolicy Orchestrator server. McAfee NAC uses the concept of an unmanaged
system, which is a system without the McAfee NAC client installed and operating properly, or a system
without the McAfee Agent.
Unmanaged systems have these characteristics and requirements:
• An unmanaged system can be assessed only by the downloadable guest client. It cannot use the McAfee NAC client.
• System health is evaluated against a single unmanaged system policy.
• An unmanaged system cannot be enforced by the enforcer supplied by McAfee NAC.
• Enforcers supplied by other supported products, such as McAfee Network Security Platform or Microsoft Network Access Protection (Network Access Protection), might handle unmanaged systems. See the chapters that discuss use of McAfee NAC with other access control products.
Unmanageable systems
An unmanageable system has the same characteristics as an unmanaged system, but does not meet
the requirements for using the McAfee NAC client or guest client.
Typically, an unmanageable system is one that is running an unsupported operating system.
Unmanageable systems always appear in McAfee NAC monitors, queries, summary reports, etc. with a
health level of Unknown because they cannot be assessed.
For a list of the supported operating systems, see Hardware and software requirements.
Unmanageable systems have the following characteristics and requirements:
• The health of an unmanageable system cannot be assessed because the system cannot run the McAfee NAC client or the guest client.
• An unmanageable system cannot be enforced by the enforcer supplied by the McAfee NAC software.
• Enforcers supplied by other supported products, such as McAfee Network Security Platform or Microsoft Network Access Protection (Network Access Protection), might be able to handle unmanageable systems. See the chapters that discuss use of McAfee NAC with other access control products.
Unenforceable systems
An unenforceable system is one that could be classified as managed, unmanaged, or unmanageable.
In addition, it has the following characteristics:
• It cannot be enforced by the enforcer supplied with the McAfee NAC software.
• Its enforcement status has not been or cannot be reported to the McAfee NAC Manager.
This classification refers exclusively to the McAfee NAC view of the system. It does not imply whether
another product can enforce the system. An unenforceable system typically occurs when a Rogue
System Sensor detects an unmanaged system that is on a part of the network not covered by a
McAfee® Network Security Sensor (a hardware component of the McAfee Network Security Platform).
To be notified about unenforceable systems, create an automatic response that is triggered by the
McAfee NAC System is not enforceable event. See How to handle unenforceable systems.
Supported deployment configurations
McAfee NAC 4.0 can be deployed in several configurations, depending on your network security
requirements and the types of systems you need to detect, assess, and enforce.
Supported deployment scenarios are:
• McAfee NAC with McAfee ePolicy Orchestrator
• McAfee NAC with Microsoft Network Access Protection
• McAfee NAC with McAfee Network Security Platform
• McAfee NAC with McAfee Network Security Platform and Microsoft Network Access Protection
Deployment with McAfee ePolicy Orchestrator
One of the supported deployment options is to use McAfee NAC with McAfee ePolicy Orchestrator for your network access security.
The following table outlines the basic aspects of this deployment.
Required level of access control: Managed systems only (no unmanaged system support)
Products needed:
• ePolicy Orchestrator 4.5 or 4.6
• Rogue System Detection 2.0
• McAfee NAC 4.0
Functional agents:
• Detector: McAfee NAC and Rogue System Detection (no sensors deployed)
• Assessor: McAfee NAC
• Enforcer: McAfee NAC
Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems only.

Required level of access control: Managed systems plus unmanaged system detection and assessment
Products needed:
• ePolicy Orchestrator 4.5 or 4.6
• Rogue System Detection 2.0
• McAfee NAC 4.0
Functional agents:
• Detector: McAfee NAC and Rogue System Detection (with sensors deployed)
• Assessor: McAfee NAC client or McAfee NAC guest client
• Enforcer: McAfee NAC or McAfee Network Security Platform
Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems only. Unmanaged systems can be detected and assessed, but not enforced. The McAfee NAC guest client is used for unmanaged system assessment.
Deployment with Microsoft Network Access Protection
One of the supported deployment options is to use McAfee NAC with Microsoft Network Access Protection (Network Access Protection) for your network access security.
The following table outlines the basic aspects of this deployment.
Required level of access control: Managed systems only (no unmanaged system support)
Products needed:
• ePolicy Orchestrator 4.5 or 4.6
• Rogue System Detection 2.0
• McAfee NAC 4.0
• Microsoft Network Access Protection
Functional agents:
• Detector: McAfee NAC client and Rogue System Detection (no sensors deployed)
• Assessor: McAfee NAC client
• Enforcer: McAfee NAC client and Microsoft Network Access Protection
Description: McAfee NAC is used for detection and assessment. Managed systems can be enforced by McAfee NAC and Microsoft Network Access Protection in any combination.

Required level of access control: Managed systems plus unmanaged system detection and assessment
Products needed:
• ePolicy Orchestrator 4.5 or 4.6
• Rogue System Detection 2.0
• McAfee NAC 4.0
• Microsoft Network Access Protection
Functional agents:
• Detector: McAfee NAC and Rogue System Detection (with sensors deployed)
• Assessor: McAfee NAC client or McAfee NAC guest client
• Enforcer: McAfee NAC client and Microsoft Network Access Protection
Description: McAfee NAC is used for detection and assessment. Managed systems can be enforced by McAfee NAC and Microsoft Network Access Protection in any combination. McAfee NAC detects and assesses unmanaged systems.
Deployment with McAfee Network Security Platform
One of the supported deployment options is to use McAfee NAC with McAfee Network Security Platform, configured for health-based access control, for your network access security.
The following table outlines the basic aspects of this deployment.
Required level of access control: Managed systems only (no unmanaged system support)
Products needed:
• ePolicy Orchestrator 4.5 or 4.6
• Rogue System Detection 2.0
• McAfee NAC 4.0
Functional agents:
• Detector: McAfee NAC client and Rogue System Detection (no sensors deployed)
• Assessor: McAfee NAC client
• Enforcer: McAfee NAC client and McAfee Network Security Sensor
Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems.

Required level of access control: Managed systems plus unmanaged system detection and assessment
Products needed:
• ePolicy Orchestrator 4.5 or 4.6
• Rogue System Detection 2.0
• McAfee NAC 4.0
• McAfee Network Security Platform
Functional agents:
• Detector: McAfee NAC client, Rogue System Detection (with sensors deployed), and McAfee Network Security Sensor
• Assessor: McAfee NAC client or McAfee NAC guest client
• Enforcer: McAfee NAC client
Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems. McAfee NAC can detect and assess unmanaged systems. McAfee Network Security Platform can be used to detect unmanaged systems.

Required level of access control: Managed and unmanaged systems
Products needed:
• ePolicy Orchestrator 4.5 or 4.6
• Rogue System Detection 2.0
• McAfee NAC 4.0
• McAfee Network Security Platform
Functional agents:
• Detector: McAfee NAC client, Rogue System Detection with deployed sensors, and McAfee Network Security Sensor
• Assessor: McAfee NAC client
• Enforcer: McAfee NAC client, and McAfee Network Security Sensor
Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems. Detection and enforcement of unmanaged systems is handled by McAfee Network Security Platform.

Required level of access control: Pure McAfee Network Security Platform
Description: McAfee NAC is not used with McAfee Network Security Platform when configured for identity-based access control. Enforcement is controlled by a Network Security Sensor for both managed and unmanaged systems.
Deployment with McAfee and Microsoft products
One of the supported deployment options is to use McAfee NAC with McAfee Network Security Platform and Microsoft Network Access Protection (Network Access Protection) for your network access security.
McAfee Network Security Platform can be configured in either health-based or identity-based modes.
However, using McAfee Network Security Platform in identity-based mode is beyond the scope of this
document. See the McAfee Network Security Platform documentation.
The following table outlines the basic aspects of this deployment.
Required level of access control: Managed systems only (no unmanaged system support)
Products needed:
• ePolicy Orchestrator 4.5 or 4.6
• McAfee NAC 4.0
• Microsoft Network Access Protection
• Rogue System Detection 2.0
Functional agents:
• Detector: McAfee NAC client and Rogue System Detection (no sensors deployed)
• Assessor: McAfee NAC client
• Enforcer: McAfee NAC client and McAfee® Network Security Sensor
Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems.

Required level of access control: Managed systems plus unmanaged system detection and assessment
Products needed:
• ePolicy Orchestrator 4.5 or 4.6
• McAfee Network Security Platform
• Rogue System Detection 2.0
• Microsoft Network Access Protection
• McAfee NAC 4.0
Functional agents:
• Detector: McAfee NAC client, Rogue System Detection (with sensors deployed), and McAfee® Network Security Sensor
• Assessor: McAfee NAC client or McAfee NAC guest client
• Enforcer: McAfee NAC client
Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems. McAfee NAC can detect and assess unmanaged systems. McAfee Network Security Platform can be used to detect unmanaged systems.

Required level of access control: Managed and unmanaged systems
Products needed:
• ePolicy Orchestrator 4.5 or 4.6
• McAfee Network Security Platform
• Rogue System Detection 2.0
• Microsoft Network Access Protection
• McAfee NAC 4.0
Functional agents:
• Detector: McAfee NAC client, Rogue System Detection with deployed sensors, and McAfee® Network Security Sensor
• Assessor: McAfee NAC client
• Enforcer: McAfee NAC client, and McAfee® Network Security Sensor
Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems. Detection and enforcement of unmanaged systems is handled by McAfee Network Security Platform.
Using ePolicy Orchestrator features
McAfee NAC 4.0 is an extension to the McAfee ePolicy Orchestrator 4.5 or 4.6 software, which uses
and relies on many ePolicy Orchestrator features, including Rogue System Detection.
In the user interface, elements specific to McAfee NAC are located in the Systems section on the Network
Access Control tab.
The following table lists the applicable ePolicy Orchestrator features and describes how they are used
by McAfee NAC. We recommend that you become familiar with each of the listed features and their tasks.
ePolicy Orchestrator feature and location / Use by McAfee NAC administrator

Location: In ePolicy Orchestrator 4.5, Menu | Systems | System Tree | Client Tasks. In ePolicy Orchestrator 4.6, Menu | Systems | System Tree | Assigned Client Tasks.
Use:
• Deploy the Network Access Control client to managed systems.
• Schedule the Network Access Control client to perform a scan.

Location: In ePolicy Orchestrator 4.5 and 4.6, Menu | Automation | Server Tasks.
Use:
• Purge Network Access Control scan results.
• Run a query according to a schedule.
• Synchronize Benchmark Editor content.

Location: In ePolicy Orchestrator 4.5 and 4.6, Menu | Automation | Automatic Responses.
Use: Specify an automatic action in response to a particular type of Network Access Control event.

Location: In ePolicy Orchestrator 4.5 and 4.6, Menu | Systems | System Tree | Assigned Policies (for policy assignment).
Use: Assign Network Access Control client and network access policies to managed systems.

Location: In ePolicy Orchestrator 4.5 and 4.6, Menu | Policy | Policy Catalog.
Use:
• Manage network access policies (Create, Edit, Delete, Duplicate, Import, Export, and Rename).
• Manage Network Access Control client policies (Create, Edit, Delete, Duplicate, Import, Export, and Rename).

Location: In ePolicy Orchestrator 4.5 and 4.6, Menu | Systems | Tag Catalog.
Use: Create tags that can be used in a system health policy to specify the systems that are to have that policy assigned.

Location: In ePolicy Orchestrator 4.5 and 4.6, Menu | Reporting | Dashboards (for dashboards and monitors).
Use:
• View an active Network Access Control dashboard.
• Create a new dashboard containing Network Access Control monitors.
• Manage the various dashboards you use for network access monitoring, and other queries related to Network Access Control.
• Access detailed information about systems or Network Access Control components.

Location: In ePolicy Orchestrator 4.5, Menu | Reporting | Queries. In ePolicy Orchestrator 4.6, Menu | Reporting | Queries & Reports.
Use: Create and manage the database queries you use to obtain Network Access Control network security information.

Location: In ePolicy Orchestrator 4.5 and 4.6, Menu | Software | Master Repository.
Use: Check in and manage content required by the Network Access Control software, such as the Audit Engine content containing all the compliance and threat checks and benchmarks.

Location: In ePolicy Orchestrator 4.5 and 4.6, Menu | Systems | Detected Systems.
Use:
• Access detection information from the Rogue System Detection service.
• Configure and deploy Rogue System Sensors.

Location: In ePolicy Orchestrator 4.5 and 4.6, Menu | Configuration | Registered Executables.
Use: Register an executable (see External Commands) that can be run on the server as part of an automatic response to a Network Access Control event. In the automatic response, if the action is to run a registered executable, you specify external commands as part of the action configuration.

Location: In ePolicy Orchestrator 4.5 and 4.6, Menu | Configuration | Server Settings.
Use: Specify parameter values affecting the operations of the McAfee NAC server.

Location: In ePolicy Orchestrator 4.5 and 4.6, Menu | User Management | Permission Sets.
Use: Establish user permissions for using the McAfee NAC software.

Location: In ePolicy Orchestrator 4.5 and 4.6, Menu | User Management | Users.
Use: Create or edit a specific person as a user of the Network Access Control and their permission type.

Location: In ePolicy Orchestrator 4.5 and 4.6, Menu | User Management | Contacts.
Use: Create user contact information for use in automatic responses when you want to notify specific personnel by email of an event.

Location: In ePolicy Orchestrator 4.5 and 4.6, Menu | Reporting | Threat Event Log.
Use: View a history of events that are reported to the ePolicy Orchestrator server. However, McAfee NAC events are reported in the Audit log. See McAfee Network Access Control Events and responses.
Using Rogue System Detection
When McAfee NAC is used by itself, it relies on the Rogue System Detection service for the initial detection of systems on a network.
The Rogue System Detection service can be used with or without the deployment of sensors. Without
deploying sensors, you only get information about ePolicy Orchestrator managed systems; that is,
those that have the McAfee Agent installed. Deployment of sensors provides information about
managed and unmanaged systems. See Detectors and how they operate.
Not all features of the Rogue System Detection service can be used in combination with McAfee NAC;
some are even detrimental. For details, see Rogue System Detection as a detector.
If you are using McAfee Network Security Platform, you also get system detections from Network Security Sensors.
How the McAfee Agent is used
The McAfee Agent is installed on systems you intend to manage with ePolicy Orchestrator. The
Network Access Control client requires the presence of the McAfee Agent for normal operations, server
communications, and use of ePolicy Orchestrator features such as client tasks and policy updates.
While running in the background, the McAfee Agent:
• Installs products, product updates, and content on managed systems
• Gathers information and events from the managed system and sends this information to the server
• Records and reports events that occur on the managed system
• Runs tasks on the managed system, such as deploying the Network Access Control client
• Makes sure that McAfee NAC policies are up to date
McAfee NAC events are communicated directly to the Network Access Control manager by the Network
Access Control client, and do not involve the McAfee Agent.
For information about deploying the McAfee Agent, see the ePolicy Orchestrator 4.5 or 4.6
documentation.
2
Installation
McAfee NAC 4.0 installs as an extension to ePolicy Orchestrator 4.5 or 4.6 to provide network access
security for your organization.
McAfee NAC uses a separate installer (does not use the ePolicy Orchestrator Extensions interface).
The major components and features of the product are:
• Network Access Control manager
• Network Access Control client
• Network Access Control guest client
Contents
Pre-installation information
Install McAfee NAC 4.0
Cluster installation
Manually install the McAfee NAC client
Post-installation tasks
Key differences in the non-Windows McAfee NAC client
FAQ for non-Windows McAfee NAC client
Pre-installation information
Contains information you need to know before installing the software.
What is installed
The McAfee NAC 4.0 installer is run on an existing ePolicy Orchestrator 4.5 or 4.6 server. In addition to
installing the Network Access Control manager and all server-side components, the installer also:
• Adds the Network Access Control client installation files for all supported platforms to the ePolicy Orchestrator master repository
• Adds these policies to the master repository and lists them in the Policy Catalog: a default Network Access Control client policy, network access policy, and post admission policy
• Adds McAfee NAC queries to the master repository
• Installs the Benchmark Editor (if it has not been installed previously)
• Installs the Guest Portal and guest client installer on the ePolicy Orchestrator server
• Adds the Check Builder and check content
• Creates a client task that, by default, runs a daily scan at 12 A.M. for all Network Access Control clients
Network Access Control Guest Portal
The McAfee NAC guest portal installs automatically as an ePolicy Orchestrator extension during
product installation. The guest portal resides on the ePolicy Orchestrator server. Portal configuration
options are located on the ePolicy Orchestrator Server Settings page, and the extension name is Network
Access Control Guest Portal.
McAfee NAC 4.0 does not support previous versions of the guest portal. If you have an earlier version of the guest portal installed, remove it, but first save any information you might want to use when configuring the McAfee NAC 4.0 guest portal.
You uninstall the guest portal by removing the extension from the ePolicy Orchestrator Extensions page.
Hardware and software requirements
Before installing McAfee NAC 4.0, make sure your environment meets these hardware and software
requirements for the product.
McAfee NAC server-side components
The hardware requirements for the Network Access Control manager and all server-side components
are the same as for the ePolicy Orchestrator 4.5 or 4.6 server. For best performance, use the
recommended hardware configuration for an ePolicy Orchestrator server, rather than the minimum
configuration.
Table 2-1 McAfee NAC software requirements
ePolicy Orchestrator 4.5: Patch 6 or greater installed; Rogue System Detection version 2.0.2 or later
ePolicy Orchestrator 4.6: No additional requirements. Rogue System Detection is installed as a fully integrated part of ePolicy Orchestrator 4.6.
McAfee NAC client components
Systems where you install the Network Access Control client or Network Access Control guest client
must meet these requirements.
Table 2-2 Client system requirements
Category
Requirement
Operating system
• Windows 2000 Professional, Service Pack 4
• Windows 2000 Advanced Server, Service Pack 4
• Windows 2000 Server, Service Pack 4
• Windows 2000 Terminal Services, Service Pack 4
• Windows XP Professional, Service Pack 2 or later (32-bit and 64-bit)
• Windows Server 2003 Enterprise, Service Pack 1 or later
• Windows Server 2003 Standard, Service Pack 1 or later
• Windows Server 2003 Web, Service Pack 1 or later
• Windows Server 2008, Service Pack 1 or later (32-bit and 64-bit)
• Windows Vista (32-bit and 64-bit)
• Windows 7 (32-bit and 64-bit)
• Mac OS X 10.5 (Leopard)
• Mac OS X 10.5 (Snow Leopard)
• Mac OS X 10.6 (Lion)
• RedHat Enterprise Linux 4
• RedHat Enterprise Linux 5
Memory
512 MB or higher RAM
ePolicy Orchestrator products
• McAfee Agent 4.5 patch 3 or later for non-Windows systems
• McAfee Agent 4.5 patch 5 for Windows systems
The Network Access Control guest client does not require the McAfee Agent.
McAfee NAC components for use with Microsoft Network Access Protection
The McAfee System Health Validator and DHCP Agent that are used when combining McAfee NAC with
Microsoft Network Access Protection can be installed only on 32-bit operating systems.
Firewall software
If managed or unmanaged systems use personal firewall software, you must open specific ports for
server and client communications. McAfee NAC uses ports that are configured in ePolicy Orchestrator.
Table 2-3 McAfee NAC communication port requirements
ePolicy Orchestrator 4.5 ports:
• Console-to-application server communication port (default is 8443)
• Sensor-to-server communication port (default is 8444)
ePolicy Orchestrator 4.6 ports:
• Console-to-application server communication port (default is 8443)
• Client-to-server authenticated communication port (default is 8444)
Whatever the port numbers are for these ePolicy Orchestrator settings (defaults are 8443 and 8444),
the firewall must open them.
Additionally, ePolicy Orchestrator might require other open ports on managed systems. McAfee
recommends that you do not run firewall software on your ePolicy Orchestrator server. If you do, make
sure that all required ports are open.
Install McAfee NAC 4.0
Install McAfee NAC 4.0 on your ePolicy Orchestrator 4.5 or 4.6 server. At the end of the installation, the McAfee NAC content is added automatically to the ePolicy Orchestrator Master Repository.
The name of the package is Audit Engine Content. If you have modified your Update Master Repository
server task so that it only updates selected content, be sure to add Audit Engine Content, which is
listed under Other in the Available Source Site Packages dialog box.
Task
1 Download the product zip file from the McAfee product download site, and store it in a temporary location on your ePolicy Orchestrator server.
2 Unzip the archive, then double-click the Setup program.
3 In the Setup Requirements window, check that each section displays the message All required applications were found, then click Next. Any required applications that were not found are listed, and you must exit and install these applications. See Pre-installation information.
4 Accept the license agreement, then click OK.
5 Accept the default installation path (recommended), or specify a different location on the ePolicy Orchestrator server, then click Next.
6 Type your ePolicy Orchestrator global administrator user name and password, then click Next.
7 Accept the default port (8444) for Network Security Sensor communications with the Network Access Control client, or specify a different port, then click Next. This port cannot be changed without reinstalling the software.
Changing from the default port number requires additional configuration if you use McAfee NAC in combination with McAfee Network Security Platform. It is important that you read Configuration requirements in the Integrating McAfee NAC with McAfee Network Security Platform chapter.
8 Verify that all information is correct, then click Next to start the installation.
9 When the installation is complete, click OK.
Cluster installation
Install McAfee NAC on a cluster if the ePolicy Orchestrator server is a member of a Microsoft Cluster
Server (MSCS) cluster.
Task
For option definitions, click ? in the interface.
1 Install McAfee NAC 4.0 on the same shared drive where ePolicy Orchestrator is installed. No configuration changes are required.
2 Test the cluster:
• Select the ePolicy Orchestrator group, then select Bring Online.
• Right-click any of the resources for the ePolicy Orchestrator group, then select Initiate Failover. The resources should fail and come back online.
Manually install the McAfee NAC client
Manually install the McAfee NAC client on any of the supported operating systems.
To install the McAfee NAC client manually on a client system, the system must be running one of these supported operating systems:
• Windows
• Mac
• Linux
Normally, you install the McAfee NAC client to systems through an ePolicy Orchestrator client task (see
Deploying the McAfee NAC client). However, there might be situations where you need to install the
McAfee NAC client directly on a system before allowing a network connection.
The McAfee NAC client is multi-lingual, and all supported languages for the operating system platform
are installed. The McAfee NAC client automatically detects the language setting of the operating
system. If the language is not supported, the default is English.
The Mac OS and Linux versions of the McAfee NAC client support only English and German.
Install on Windows manually
Manually install the McAfee NAC client on a system running one of the supported Windows operating
systems.
Task
1 On the ePolicy Orchestrator server, go to Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\MNACSCNR3000\Install\0409. You need the entire contents of this directory.
2 Use one of these methods to install on a client system:
• Run the installer remotely from the ePolicy Orchestrator server.
• Copy the installation files to a network share.
• Copy the installation files to the local system or a CD.
3 Run the Setup program, and click Next at the Welcome screen.
4 Accept the default location to install the McAfee NAC client, then click Next. McAfee does not recommend installing to a different location.
5 Click Install.
6 When the installation is complete, click Finish.
Install on Mac OS manually
Manually install the McAfee NAC client on a system running one of the supported Mac operating systems.
Task
1 On the ePolicy Orchestrator server, go to Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\MNACSCNR3000MACX\Install\0409. You need the entire contents of this directory.
2 Use one of these methods to install on a client system:
• Run the installer remotely from the ePolicy Orchestrator server.
• Copy the installation files to a network share.
• Copy the installation files to the local system or a CD.
3 Run the Setup script by double-clicking the .dmg or .pkg file, then click Next at the Welcome screen.
4 Accept the default location to install the McAfee NAC client, then click Next. McAfee does not recommend installing to a different location.
5 Click Install.
6 When the installation is complete, click Finish.
To manually uninstall, navigate to /Library/McAfee/mnac/ and run the uninstall.sh script.
Install on Linux manually
Manually install the McAfee NAC client on a system running one of the supported Linux operating
systems.
Task
1 On the ePolicy Orchestrator server, go to Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\MNACSCNR3000LNYX\Install\0409. You need the entire contents of this directory.
2 Use one of these methods to install on a client system:
• Run the installer remotely from the ePolicy Orchestrator server.
• Copy the installation files to a network share.
• Copy the installation files to the local system or a CD.
3 Run the Setup script using the command rpm -i MNAC. By default, it is installed under the /opt/McAfee/mnac folder.
To uninstall, use the command rpm -e MNAC-4.0-0.
Post-installation tasks
After installing McAfee NAC, additional installation or configuration steps might be necessary to make
McAfee NAC work with another product.
Determine or verify whether:
• You will integrate McAfee NAC with McAfee Network Security Platform as an access control solution. If so, see Integrating McAfee NAC with McAfee Network Security Platform, and the McAfee Network Security Platform documentation.
• You will integrate McAfee NAC with Microsoft Network Access Protection as an access control solution. If so, see Integrating McAfee NAC with Microsoft Network Access Protection, and the Microsoft Network Access Protection documentation.
What happens when the license expires
When the license expires, the McAfee NAC client continues to scan systems using the current system
health policies, and continues to report compliance status to the server. The settings for the McAfee
NAC client in the deployment task are unchanged.
Key differences in the non-Windows McAfee NAC client
There are a number of differences between managed systems running non-Windows operating systems and those running Windows, and in how the McAfee NAC client is used on these systems.
Some general differences are:
• The McAfee Agent installation must be done manually.
• Firewall components are available, by default, with the Linux and Mac operating systems. The McAfee NAC client communicates with those components for enforcement.
• Mac OS X includes three user group levels: root or super user (su), administrators (admin user), and normal users. Most Mac users are administrators and have more privileges than Windows users. Only administrators have complete control over the system.
Other differences are categorized below.
User experience differences
The following are differences in the user experience on the client managed system.
• Tray icon and menu on client system — On Mac OS X systems, there is a menulet. On supported Linux platforms, the tray has been implemented using gtk+.
• Firewall integration — On Mac OS X systems, the McAfee NAC client uses ipfw, a system tool available by default with all Mac operating systems. On supported Linux platforms, the McAfee NAC client uses iptables, a system tool available by default with most flavors of Linux.
Policy updates
Policy updates are performed in a different way on Mac OS X and Linux client systems. On Windows
systems, the McAfee NAC client can initiate a "pull-down" of new and updated policies, but the McAfee
NAC client for Mac OS X and Linux cannot do this. Instead, new and updated policies must be "pushed."
However, root users can update policies from the ../McAfee/cma/bin folder by executing the command:
cmdagent -P -E -C
You can use any of the arguments listed:
• P — To collect and send properties
• F — To forward events
• E — To enforce policies
• ? — To view help
• C — To check for new policies or tasks
Administrators can do this by setting up a Wake-up McAfee Agent task, with the Get full product properties
option selected. Administrators can run this task whenever needed, or set it to run on a schedule.
Administrators should be familiar with the relationship between the agent wake-up task and the
agent-server communication interval (ASCI).
FAQ for non-Windows McAfee NAC client
Here are commonly asked questions about the McAfee NAC client for the supported non-Windows
operating systems.
To use these commands, the user must know how to enter system commands for the specified
operating system.
1 How do I know whether McAfee NAC 4.0 or the McAfee Agent is installed on Linux?
Type the command rpm -q MNAC. The return value should be: MNAC-4.0
2 How do I check whether the McAfee NAC or McAfee Agent service is running?
Linux:
• Type service mnac status to see if a McAfee NAC process is running.
• Type service cma status to see if a McAfee Agent process is running.
Mac OS X:
• Type ps -ef | grep 'MNac' to see if a McAfee NAC process is running. The output does not necessarily mean the process is healthy.
• Type ps -ef | grep 'cma' to see if a McAfee Agent process is running. The output does not necessarily mean the process is healthy. You can also use Activity Monitor to view these processes.
3 Where can I find the McAfee NAC or McAfee Agent log files?
Linux & Mac OS X:
• To navigate to the folder where the McAfee NAC log files are stored, type: cd /opt/McAfee/mnac/logs
• To display the end of any log file, type: tail -f /<filename>.log
• To display the end of the McAfee Agent log file, type: tail -f /Library/McAfee/cma/scratch/etc/log. Using this command requires root permissions.
4 How do I view the logs in debug mode?
Linux & Mac OS X (for McAfee Agent):
• Navigate to the folder /etc/cma.d, which contains policy folders like EPOAGENT3700LYNX, MNACSCNR3000 and NACPolicy3000.
• Open config.xml to modify McAfee Agent configurations or settings. You must restart McAfee Agent for modifications to take effect.
Linux (for McAfee NAC):
• Navigate to /opt/McAfee/mnac/config/McNacClientLog.cfg
• Edit the first line to remove INFO, and replace it with DEBUG.
Mac OS X (for McAfee NAC):
• Navigate to /Library/McAfee/mnac/config/McNacClientLog.cfg
• Edit the first line to remove INFO, and replace it with DEBUG.
5 Where can I find the McAfee NAC or McAfee Agent policy objects?
Linux & Mac OS X (for McAfee Agent):
• Navigate to the folder /etc/cma.d, which contains policy folders like EPOAGENT3700LYNX, MNACSCNR3000 and NACPolicy3000.
• Open config.xml to modify McAfee Agent configurations or settings. You must restart McAfee Agent for modifications to take effect.
Linux (for McAfee NAC):
• Use cd /opt/McAfee/mnac/data to go to the directory where all policy objects are available in binary flat file format. Root permissions are required to access these files.
Mac OS X (for McAfee NAC):
• Use cd /Library/McAfee/mnac/data to go to the directory where all policy objects are available in binary flat file format. Root permissions are required to access these files.
6 How can I check the current state of the firewall?
Linux: service iptables status
Mac OS X: ipfw show
7 How do I reset the firewall?
Linux: iptables -F to flush all entries, and iptables -D <chain-name> to delete a specific chain.
Mac OS X: ipfw flush to flush all entries, and ipfw delete <entry_number> to delete a specific entry.
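The checks from questions 1, 2 and 4 gathered into one triage script, added here as an example and not McAfee's code: it interprets the output of rpm -q MNAC and ps -ef, drops the grep process that the FAQ's pipeline also matches, and rewrites only the first line of McNacClientLog.cfg as the FAQ instructs. The level tokens other than INFO and DEBUG, and the sample config and process lines, are assumptions constructed for the example.

```python
"""Triage helpers for the non-Windows McAfee NAC client FAQ checks.

Added example, not McAfee code. Paths and commands are the ones the FAQ
names; nac_triage() only runs them when the script is executed on a host.
"""
import os
import platform
import re
import subprocess
from typing import List

# Install roots named in the FAQ: /opt/McAfee on Linux, /Library/McAfee on Mac OS X.
NAC_ROOT = {"Linux": "/opt/McAfee/mnac", "Darwin": "/Library/McAfee/mnac"}
# The FAQ only names INFO and DEBUG; the other tokens are an assumption.
LOG_LEVELS = ("DEBUG", "INFO", "WARN", "ERROR")
_LEVEL_RE = re.compile(r"\b(" + "|".join(LOG_LEVELS) + r")\b")


def set_log_level(cfg_text: str, level: str) -> str:
    """Replace the level token on the first line of McNacClientLog.cfg only.

    Every other line is returned untouched, so settings further down the
    file are not disturbed; switching back to INFO uses the same call.
    """
    if level not in LOG_LEVELS:
        raise ValueError(f"unknown log level {level!r}")
    lines = cfg_text.splitlines(keepends=True)
    if not lines or not _LEVEL_RE.search(lines[0]):
        raise ValueError("first line carries no log level token")
    lines[0] = _LEVEL_RE.sub(level, lines[0], count=1)
    return "".join(lines)


def matching_processes(ps_output: str, needle: str) -> List[str]:
    """Return the CMD column of each `ps -ef` line containing `needle`.

    `ps -ef | grep 'MNac'` also lists the grep itself, so that line is
    skipped. As the FAQ notes, a match proves only that a process exists,
    not that it is healthy.
    """
    hits = []
    for line in ps_output.splitlines()[1:]:  # skip the UID/PID header row
        cols = line.split(None, 7)            # UID PID PPID C STIME TTY TIME CMD
        if len(cols) < 8:
            continue
        cmd = cols[7]
        if needle in cmd and not cmd.startswith("grep"):
            hits.append(cmd)
    return hits


def rpm_reports_installed(rpm_output: str) -> bool:
    """`rpm -q MNAC` prints MNAC-<version> when the package is installed."""
    return rpm_output.strip().startswith("MNAC-")


def nac_triage() -> dict:
    """Run the FAQ checks on this host (Linux or Mac OS X) and summarise them."""
    system = platform.system()
    root = NAC_ROOT.get(system)
    summary = {"os": system, "nac_root_present": bool(root) and os.path.isdir(root)}
    if system == "Linux":
        rpm = subprocess.run(["rpm", "-q", "MNAC"], capture_output=True, text=True)
        summary["installed"] = rpm_reports_installed(rpm.stdout)
    ps = subprocess.run(["ps", "-ef"], capture_output=True, text=True)
    summary["nac_processes"] = matching_processes(ps.stdout, "MNac")
    summary["agent_processes"] = matching_processes(ps.stdout, "cma")
    if root:
        summary["log_dir"] = os.path.join(root, "logs")
        summary["log_cfg"] = os.path.join(root, "config", "McNacClientLog.cfg")
    return summary


if __name__ == "__main__":
    for key, value in nac_triage().items():
        print(f"{key}: {value}")
```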
3
Functional architecture and components
The McAfee NAC software consists of a central manager and a system of distributed agents that
perform specific functions.
Contents
McAfee NAC functional architecture
McAfee NAC manager and how it works
How McAfee NAC distributed component works
Detectors and how they work
Assessors and how they work
Enforcers and how they work
Remediators and how they work
McAfee NAC functional architecture
This section gives a high-level overview of how McAfee NAC components interact with McAfee or other third-party components to provide network access security using ePolicy Orchestrator.
The following diagram illustrates this architecture.
McAfee NAC manager and how it works
The McAfee NAC manager is the central management portion of McAfee NAC. It provides core
management functionality for all operations performed by the software. The manager provides for all
policy configuration and management, and ensures that the policies are up to date.
It also provides reporting and monitoring services in the form of queries and monitors, which gather
and display system and network information related to network access control.
Figure 3-1 McAfee NAC manager — Architecture
Information reported from detectors, assessors, and enforcers is processed. If necessary, the McAfee
Network Access Control manager uses the information to make calculations or determinations of a
system's state and status.
Table 3-1 Functions of the McAfee NAC manager
Assess and enforce policy configuration and management: The policies that define health assessment and access enforcement criteria for systems on your network. Provides all policy configuration and management, and ensures that the policies are up to date.
Deploy distributed components: Server tasks that initially deploy and periodically update detectors, assessors, and enforcers and the policies used by each.
Process and store detection data: System state and status calculations, message processing, and data storage.
Process and store assessment data: System health status, verification, checks for exemptions, comparisons against administrator settings and event handling. Takes information from any supported assessor (McAfee NAC client and guest client).
Process and store enforcement data: Depending on the configured enforcer, get enforcement status, errors, and network access zones.
Trigger enforcement actions: Sends a health level to the configured enforcer. When Microsoft Network Access Protection is the enforcer, this is reduced to a Statement of Health.
Evaluate and enforce exemption rules: Processes rules and identifies matching systems. This happens when the manager gets information from a detector, assessor, or enforcer.
Report stored data: Provides reporting and monitoring services in the form of queries and monitors, which gather and display system and network information related to access control.
For unmanaged systems, the McAfee NAC manager maintains setup configuration data, and sends
health information to supported products that handle unmanaged system enforcement.
How a system's classification is determined
Classifying each system connected to a network is one of the core duties of the McAfee NAC manager.
After receiving detector information, the McAfee NAC manager tries to determine which systems can
be managed and enforced, and which cannot.
How precise the McAfee NAC manager can be depends on how much information a detector provides.
For instance, if the McAfee NAC manager receives enough information for it to use OS fingerprinting, it
can determine manageability, and in some cases, whether the system can be enforced.
The McAfee NAC manager continually evaluates the information it receives, and reclassifies systems as
necessary. Situations that can trigger reclassification are:
• More information from a detector. For example, a system's first detection was by the Rogue System Detection service, but subsequent detections are from the McAfee NAC client.
• Installation or uninstallation of the McAfee NAC client.
• Change to a system's exemption status.
• The OS fingerprinter runs against the system and identifies information the McAfee NAC manager does not have.
How McAfee NAC distributed component works
The McAfee NAC distributed component architecture allows the detection, assessment, enforcement,
and remediation functionality to be combined in one unit, or separated and handled by different
components, even different products.
Figure 3-2 McAfee NAC distributed component architecture
McAfee NAC uses these distributable components:
• McAfee NAC client — Functions as a detector, assessor, and enforcer on managed systems
• McAfee NAC guest client — Functions as a detector and assessor on unmanaged systems
The McAfee NAC client is deployed to systems in your organization using ePolicy Orchestrator features
or manually (not recommended). The McAfee NAC guest client must be downloaded and installed by
unmanaged system users.
Detectors and how they work
A detector identifies systems that are connected to your network, and reports these systems to the
McAfee NAC manager.
To qualify as a detector, the component must report at least one form of identifying information about
a system or device to the McAfee NAC manager (see the Detector input and output table).
All discussion of detectors in this guide relates to managed systems only, unless explicitly stated
otherwise.
The McAfee NAC software as a standalone product (without the use of additional products), provides
the following detectors:
Table 3-2 Detector operations
Rogue System Detection (RSD) service: Provides the primary level of detection information for systems managed by ePolicy Orchestrator. Once the McAfee NAC client is deployed to a system (classification changes to a McAfee NAC-managed system), Rogue System Detection moves to a secondary role, and the McAfee NAC client becomes the primary detector. The Rogue System Detection service also provides detection information about unmanaged and unmanageable systems, such as printers. This information is important if you use exemptions. See Using exemptions.
McAfee NAC client: Provides the primary level of detection information for the McAfee NAC-managed systems where it is deployed.
McAfee NAC guest client: Provides the primary level of detection information for the unmanaged systems where it is installed.
The following table lists the information that detectors use as input, and report as output. The McAfee
NAC manager uses the output.
Table 3-3 Detector input and output
Rogue System Detection (RSD) service
Input: McAfee Agent installation event and network traffic, consisting of DHCP requests and ARP broadcasts.
Output: At least one of the following: IP address, subnet, MAC address, McAfee Agent GUID, host name.
McAfee NAC client
Input: Local operating system queries.
Output: At least one of the following: IP address, subnet, MAC address, McAfee Agent GUID, host name.
The specific implementation determines whether a detector reports some or all of the identifying
information that is listed under Output. In addition, some detectors might provide operating system
information. McAfee NAC accommodates its own detectors as well as detectors from other McAfee or
third-party products.
Another supported detector is the Network Security Sensor, a hardware component of McAfee Network
Security Platform. See Integrating McAfee Network Access Control with McAfee Network Security
Platform.
Rogue System Detection as a detector
The Rogue System Detection (RSD) service acts initially as the primary detector in an ePolicy
Orchestrator-managed system environment. Systems with the McAfee Agent installed are detected
and reported to the ePolicy Orchestrator server.
However, these systems are not yet managed, according to the McAfee NAC definition. See System
classifications.
Once you deploy the McAfee NAC client, its detection service takes over to provide information about
the system where it resides. These systems are now managed, according to the McAfee NAC definition.
If you deploy Rogue System Sensors, the Rogue System Detection service can also provide limited
information about unmanaged systems.
The Rogue System Detection service must be installed as an extension to ePolicy Orchestrator prior to
installing the McAfee NAC software. However, RSD is pre-installed on ePolicy Orchestrator 4.6 and later.
Rogue System Detection features incompatible with McAfee NAC
McAfee NAC is not compatible with certain Rogue System Detection features or capabilities. These
Rogue System Detection features cause no harm, and are even useful, in connection with ePolicy
Orchestrator. However, when you add network access control to your environment, certain practices
with Rogue System Detection can disable or nullify McAfee NAC functionality.
Prerequisites for using Rogue System Detection as a detector
You must set the user permissions for the Rogue System Detection service to View and Edit.
Rogue System Detection detector functionality
The Rogue System Detection service can function as a McAfee NAC detector with or without deploying
a Rogue System Sensor.
Table 3-4 Rogue System Detection detector functionality
Without sensor deployment: The Rogue System Detection service without sensor deployment provides:
• Information about managed systems only.
• Detections occur based on the McAfee Agent sending information to the ePolicy Orchestrator server. The Rogue System Detection service listens for this information from the McAfee Agent and records the system as ePolicy Orchestrator-managed within ePolicy Orchestrator.
• Detection information about ePolicy Orchestrator-managed systems, consisting of network data such as an IP address, MAC address, host name, and subnet. The Rogue System Detection service also obtains the McAfee Agent GUID for system identification.
With sensor deployment: The Rogue System Detection service with sensor deployment provides all the functionality listed above, as well as:
• Detections occur based on the Rogue System Sensor sending information to the ePolicy Orchestrator server. Sensors listen to DHCP requests and ARP broadcasts.
• Unmanaged system information, consisting of network data such as an IP address, MAC address, host name, and subnet.
• Systems detected by a sensor are reported on the Menu | Systems | Detected Systems page in the Overall System Status pane.
Detection information provided by the Rogue System Detection service is reported to the ePolicy
Orchestrator server and is accessed on the Menu | Systems | Detected Systems page. The status of these
systems can be Rogue or Managed. If the system is listed as Managed it might or might not mean the
system is managed according to the McAfee NAC definition. You will need to use the McAfee NAC
reports or queries to determine whether a system is managed by McAfee NAC.
Use of Rogue System Detection with deployed sensors
If you use the Rogue System Detection service with deployed sensors, consider these implications:
• Any exemption rules you create might not report correctly until the systems affected by the rule have been detected. When you first create an exemption rule, it can be listed with zero systems, even though you know the network has systems that match the rule. This happens when a delay occurs between the creation of the rule and the next detection event.
• Rogue System Sensors detect when a system has an “alien” McAfee Agent. This happens when a system that reports to one ePolicy Orchestrator server is connected to a network controlled by a different ePolicy Orchestrator server. Most often this happens with laptops used during travel. If this occurs, the system health policies that are normally active for that system cannot be used as the basis of a health assessment. Systems with alien agents can use the guest client for health assessment.
McAfee NAC client used as a detector
The McAfee NAC client automatically functions as a detector once it is deployed.
To deploy the McAfee NAC client to a system, the system must have the McAfee Agent installed. Once
the McAfee NAC client is deployed, the system becomes managed, according to the McAfee NAC
definition.
Once deployed, the McAfee NAC client functions as the primary detector, and automatically reports its
detection information to the McAfee NAC manager. For a McAfee NAC-managed system, the Rogue
System Detection service moves to a secondary role. The Rogue System Detection service still reports
unmanaged and unmanageable systems, and also takes over as primary detector if the McAfee NAC
client is removed from a system or stops functioning properly.
To operate as a detector, the McAfee NAC client does not require any specific configuration. For each
managed system, the detection information the McAfee NAC client reports consists of:
• IP addresses
• Subnets
• MAC addresses
• McAfee Agent GUID
• Host name
To uniquely identify a system, the McAfee NAC manager needs at least one of the listed types of
identifying information.
The McAfee NAC client cannot provide any detection information for unmanaged systems.
To use the McAfee NAC client as a detector, you must deploy the McAfee NAC client to ePolicy
Orchestrator-managed systems.
McAfee NAC guest client used as a detector
The McAfee NAC guest client automatically functions as a detector once it is installed on an
unmanaged system. To install the guest client on a system, users must download and run the installer.
The system does not require the McAfee Agent installed.
Installing the guest client on a system does not classify it as managed, according to the McAfee NAC
definition. The guest client also functions as an assessor, but does not function as an enforcer.
Once installed, the McAfee NAC guest client functions as the primary detector, and provides the same
detection functionality as the McAfee NAC client. The Rogue System Detection service moves to a
secondary role. The Rogue System Detection service still reports unmanaged and unmanageable
systems, and also takes over as primary detector if the guest client is removed from a system or stops
functioning properly.
To operate as a detector, the guest client does not require any specific configuration. The guest client
reports the following detection information:
• IP addresses
• MAC addresses
• Host name
• Subnets
To uniquely identify a system, the McAfee NAC manager needs at least one of these types of
identifying information.
To use the guest client as a detector, the user must download the guest client from an accessible
network location and install it.
Assessors and how they work
An assessor determines the health of systems that are connected to your network, and reports the
assessment results to the McAfee NAC manager.
The McAfee NAC software supports two assessors. The assessor that is used depends on whether a
system is managed or unmanaged, according to the McAfee NAC system classifications.
Table 3-5 Assessor operations
McAfee NAC client: Provides a health level assessment for managed systems, according to one or more assigned system health policies. The McAfee NAC client assessor reports the following information to the McAfee NAC manager:
• Assessed health level
• Details about benchmarks and rules
• Status of the assessment (scan) — whether it failed, or was successful
• Version of content and policy that was used
• Network access zone that the host is enforced to
• Post-remediation results, if enabled
McAfee NAC guest client: Provides a health level assessment for unmanaged systems, according to a single unmanaged system policy. The guest client assessor reports the following information to the McAfee NAC manager:
• Assessed health level
• Details about benchmarks and rules
• Status of the assessment (scan) — whether it failed, or was successful
• Version of content and policy that was used
An assessor must have input to tell it what to assess on a system, and what to report about the
assessment. An assessor also provides output.
Table 3-6 Assessor input and output
McAfee NAC client
Input:
• Managed system health policies
• A McAfee NAC client policy
• Benchmark content (checks and rules)
• Network access policy
Output:
• A health level descriptor
• Network access zone
Output used by: The reporting service of the McAfee NAC manager, and any supported enforcer for a managed system. Remediators use the command associated with the rule or benchmark when a specific rule fails and the host becomes non-compliant.
McAfee NAC guest client
Input:
• A single unmanaged system policy
• Benchmark content (checks and rules)
Output:
• A health level descriptor
Output used by: The reporting service of the McAfee NAC manager, and any supported enforcer for an unmanaged system. Currently, a McAfee® Network Security Sensor is the only supported enforcer for an unmanaged system. There is no automated remediator at this time for unmanaged systems.
When systems are assessed
An assessor runs a scan to determine the health of a system. The health assessment is based on the
system health policies that are applicable to each managed system, or the unmanaged system policy
for unmanaged systems.
An assessor initiates a scan:
• At system startup
• When the McAfee NAC client service is restarted
• When a system is reconnected to the network or its network adapter changes
• When a system is assigned a new IP address
• When the McAfee NAC manager requests a scan or rescan (automatic) or from an administrator request
• When a McAfee NAC client receives a new or updated system health policy
Network Access Control client used as an assessor
The Network Access Control client is the only assessor you can use with McAfee NAC to determine the
health of managed systems.
Before you can use the Network Access Control client as an assessor, you must deploy it to ePolicy Orchestrator-managed systems. Once the Network Access Control client is deployed, the system becomes managed, according to the McAfee NAC definition, and it automatically functions as an assessor.
The Network Access Control client does not require any specific configuration to function as an assessor. However, the Network Access Control client policy contains configuration options that affect assessment operations. See McAfee NAC policies.
As an assessor, the Network Access Control client is responsible for:
• Assessing a system's health
• Setting a system's health level
• Reporting assessment results to the Network Access Control manager
• Sending notifications to the system tray on the managed system
How system health is assessed
The Network Access Control client assesses system health by running a scan. The scan is based on the
system health policies that are applicable to each managed system.
An assessor initiates a scan:
• At system startup
• When the Network Access Control client service is restarted
• When a system reconnects to the network or its network adapter changes
• When a system is assigned a new IP address
• When the Network Access Control manager prompts for a scan or rescan
• When a Network Access Control client receives a new or updated system health policy
How health levels are set
A system's health status is the result of several factors. A system has both an assessed health level
and enforced health level, and it has an overall system health status. The overall system health status
is derived from the assessed health level, and takes into account other factors such as exemptions.
The assessed health level is the result of evaluating all benchmarks in the system health policies
whose Enforcement Mode is Enforce or Audit Only. After completing a scan, the Network Access Control
client sets the assessed health level at the most unhealthy value.
The enforced health level is the result of evaluating only those benchmarks in the system health
policies whose Enforcement Mode is Enforce. After completing a scan, the Network Access Control client
sets the enforced health level at the most unhealthy value.
The Network Access Control client changes the health level of managed systems based on scan results
or explicit administrator instructions. If the health level is changed due to a scan, it is based on your
benchmark rule properties. In each rule, you can specify the health level you want it to assign if the
rule fails.
Administrators can manually change the enforced health level of a system when they view the system summary and system detail pages. These pages are accessed through the NAC Summary dashboard or as the result of a query.
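The two rules above, the assessed level over Enforce and Audit Only benchmarks and the enforced level over Enforce benchmarks only, each taken at the most unhealthy value, worked through in code. This is an added illustration, not McAfee's implementation; the health level names and their ordering, the zone names, and the sample benchmarks are constructed for the example.

```python
"""Model of how the NAC client derives assessed and enforced health levels.

Added example, not McAfee code. Health level names, their ordering, the zone
names and the sample policy below are constructed for the illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional


class HealthLevel(IntEnum):
    # Constructed ordering: a larger value is more unhealthy, so max() yields
    # the "most unhealthy value" the guide says the client settles on.
    HEALTHY = 0
    UNHEALTHY_MINOR = 1
    UNHEALTHY_SERIOUS = 2
    UNHEALTHY_CRITICAL = 3


@dataclass
class Rule:
    name: str
    passed: bool
    fail_level: HealthLevel   # rule property: the level assigned if this rule fails


@dataclass
class Benchmark:
    name: str
    enforcement_mode: str     # "Enforce" or "Audit Only"
    rules: List[Rule] = field(default_factory=list)

    def failed_rules(self) -> List[Rule]:
        return [r for r in self.rules if not r.passed]

    def worst_level(self) -> HealthLevel:
        failed = self.failed_rules()
        return max(r.fail_level for r in failed) if failed else HealthLevel.HEALTHY


def assessed_health_level(benchmarks: List[Benchmark]) -> HealthLevel:
    """Worst result over every benchmark in Enforce or Audit Only mode."""
    levels = (b.worst_level() for b in benchmarks
              if b.enforcement_mode in ("Enforce", "Audit Only"))
    return max(levels, default=HealthLevel.HEALTHY)


def enforced_health_level(benchmarks: List[Benchmark],
                          admin_level: Optional[HealthLevel] = None) -> HealthLevel:
    """Worst result over Enforce-mode benchmarks only.

    A level set by an administrator (Modify health level) replaces the
    scan-derived value.
    """
    if admin_level is not None:
        return admin_level
    levels = (b.worst_level() for b in benchmarks if b.enforcement_mode == "Enforce")
    return max(levels, default=HealthLevel.HEALTHY)


def assessment_report(benchmarks: List[Benchmark], zones: Dict[HealthLevel, str],
                      admin_level: Optional[HealthLevel] = None) -> dict:
    """Summarise what the client reports after a scan: both levels, the names
    of failed benchmarks and rules, and the zone the network access policy
    (the `zones` map) ties to the enforced level."""
    enforced = enforced_health_level(benchmarks, admin_level)
    return {
        "assessed": assessed_health_level(benchmarks),
        "enforced": enforced,
        "failed_benchmarks": [b.name for b in benchmarks if b.failed_rules()],
        "failed_rules": [r.name for b in benchmarks for r in b.failed_rules()],
        "zone": zones[enforced],
    }


# Constructed sample policy: one Enforce benchmark, one Audit Only benchmark.
SAMPLE_ZONES = {
    HealthLevel.HEALTHY: "Full access",
    HealthLevel.UNHEALTHY_MINOR: "Remediation zone",
    HealthLevel.UNHEALTHY_SERIOUS: "Remediation zone",
    HealthLevel.UNHEALTHY_CRITICAL: "Quarantine",
}
SAMPLE_BENCHMARKS = [
    Benchmark("Antivirus", "Enforce", [
        Rule("AV service running", True, HealthLevel.UNHEALTHY_CRITICAL),
        Rule("DAT age under 7 days", True, HealthLevel.UNHEALTHY_MINOR),
    ]),
    Benchmark("Patch audit", "Audit Only", [
        Rule("Latest OS patches applied", False, HealthLevel.UNHEALTHY_SERIOUS),
    ]),
]

if __name__ == "__main__":
    # The Audit Only failure shows in the assessed level and in reports,
    # but the enforced level stays Healthy, so no access restriction applies.
    print(assessment_report(SAMPLE_BENCHMARKS, SAMPLE_ZONES))
```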
Reporting of assessment results
After a scan is completed, the Network Access Control client reports the results to the Network Access
Control manager and checks whether the Network Access Control manager has newer policies. If so,
the newer policies are downloaded, and the system is rescanned. The Network Access Control client
policy allows you to configure the scan result's level of detail that is sent to the Network Access
Control manager.
For each managed system, the assessment information the Network Access Control client reports
consists of:
• Benchmark names that were assessed and which, if any, failed
• Benchmark rule names that were assessed and which, if any, failed
• Assessed health level of the system
• Assessment status (success or failure)
• Content and policy versions used in the assessment
How notifications are sent
The Network Access Control client notifies users of important events or situations using a popup
notification accessed from the McAfee system tray. If the system tray is not enabled, users cannot
receive these notifications.
Notifications occur when:
• The system's health level changes. The user is informed of the new health level, and the status of the benchmarks that were assessed. The new health level might be Healthy or one of the unhealthy states.
• The system is restricted to any network access zone other than the one assigned to the Healthy state. This occurs automatically based on the applicable network access policy, or based on a manual action by the administrator.
• A scan is in progress.
• The Network Access Control client fails to run a scan successfully.
• The Network Access Control client is not running.
• Automatic remediation is in progress, completed or failed.
• Client enforcement status changes, when the client is moved to a different zone.
McAfee NAC guest client used as an assessor
The McAfee NAC guest client automatically functions as an assessor once it is installed on an
unmanaged system.
To install the guest client on a system, users must download and run the installer. The system is not
required to have the McAfee Agent installed.
Once installed, the McAfee NAC guest client provides the same assessment functionality as the McAfee
NAC client, with the exception that it assesses a system's health based on a single unmanaged system
policy, rather than a set of managed system health policies.
Installing the guest client on a system does not classify it as managed, according to the McAfee NAC
definition. The guest client also functions as a detector, but does not function as an enforcer.
Enforcers and how they work
An enforcer is responsible for restricting the network access of systems based on their current health
level.
A system's health level can be set by several methods. Typically the restriction of network access is
based on the definition of one or more network access zones, which are mapped to each possible
health level.
Different enforcers can use different methods to restrict a system's access to a network. See How
health levels are set.
The McAfee NAC software supports three enforcers. The enforcer that is used depends on whether a
system is managed or unmanaged, and the method you use to restrict network access.
Table 3-7 Enforcer operations
McAfee NAC client: Provides local enforcement of network access restrictions for managed systems based on:
• Enforced health level
• Administrator-specified health level
• Post-admission policy health level
The McAfee NAC client enforcer reports the following information to the McAfee NAC manager:
• Network access zone being enforced
• Success or failure of the enforcement
Microsoft Network Access Protection (NAP): Provides enforcement of network access restrictions for managed systems from a central Network Policy Server (NPS) based on:
• Assessed health level
• Administrator-specified health level
• Post-admission policy health level
Regardless of the health level's origin, it is validated by the McAfee System Health Validator.
McAfee® Network Security Sensor: Provides enforcement of network access restrictions for unmanaged systems when configured for health-based access control based on:
• Assessed health level
• Administrator-specified health level
• Post-admission policy health level
Provides enforcement of network access restrictions for managed systems when configured for identity-based access control (IBAC) based on:
• System properties
• User identity credentials
The McAfee NAC architecture is not involved when using McAfee Network Security Platform in IBAC mode.
The following table lists the information that enforcers use as input, report as output, and which
components use the output.
Table 3-8 Enforcer input and output
McAfee NAC client
Input:
• A health level from an assessor, post admission policy, or an administrator action
• A managed network access policy
• A McAfee NAC client policy
Output:
• The network access zone being enforced
• The success or failure of the enforcement
Output used by: The reporting service of the McAfee NAC manager
Microsoft Network Access Protection
Input:
• A health level from an assessor, post admission policy, or an administrator action
• A McAfee System Health Validator configuration
Output:
• The Network Access Protection network access zone being enforced
• The success or failure of the enforcement
Output used by: The reporting service of the McAfee NAC manager, and the Microsoft Network Access Protection Status application
McAfee® Network Security Sensor
Input:
• A health level from an assessor, post admission policy, or an administrator action
• The system classification (managed, unmanaged, or unmanageable)
Output:
• The Network Security Manager network access zone being enforced
• The success or failure of the enforcement
Output used by: The reporting service of the McAfee NAC manager
McAfee NAC client used as an enforcer
Use McAfee NAC client to restrict network access, based on the network access policy assigned to the
system.
To have the McAfee NAC client operate as an enforcer, you must properly configure a McAfee NAC
client policy. The default McAfee NAC client policy uses the McAfee NAC client as the enforcer. Before
you can use the McAfee NAC client as an enforcer, however, you must deploy it to ePolicy
Orchestrator-managed systems, and it must obtain a McAfee NAC client policy.
When the McAfee NAC client is the enforcer, a local firewall blocks new outgoing connections, based on
the system's current enforced health level, or the health level manually set by an administrator using
Modify health level. The network access zone associated with each health level determines which network
resources the system can or cannot access.
The McAfee NAC client enforcement method option can be set so that enforcement actions are
controlled by another product. This version of McAfee NAC supports Microsoft Network Access Protection
(Network Access Protection) and McAfee Network Security Platform as enforcers. Information about
configuring the McAfee NAC client to use one of these enforcers is discussed in the chapters about
integrating with these products.
For each managed system, the McAfee NAC client reports consist of this enforcement information:
• Enforcement status (success or failure)
• Network access zone being enforced
Remediators and how they work
A remediator automatically tries to fix systems that are not in compliance with your health policies.
McAfee NAC 4.0 supports one remediator. Users of unhealthy systems also can make fixes to their
systems manually.
See Remediation of unhealthy systems. If a system is unhealthy, it is typically restricted from
accessing particular network resources, based on the current health level. A system's health level can
be set by several methods. See How health levels are set.
Table 3-9 Remediator operations
McAfee NAC client: Runs remediation commands specified in the benchmarks that comprise each system health policy. Commands can be:
• Single executables
• A script
• A batch file
The McAfee NAC client remediator reports the following information to the McAfee NAC manager:
• Success or failure of the remediation
This table describes the input (required information) and output for the supported remediators, and
what the output is used for.
Table 3-10 Remediator input and output
Remediator: McAfee NAC client
Input: Managed system health policies
Output: The success or failure of the remediation
Output used by: The reporting service of the McAfee NAC manager
4 McAfee NAC policies
You use various policy types to define and configure much of the McAfee NAC functionality for network
security. The assessors and enforcers use these policies to determine what data to report and which
actions to take.
Contents
Types of policies
System health levels and their function
Benchmarks for McAfee NAC
Health policies of managed systems
Work with managed system health policies
Unmanaged system policy
Network access policies
Network access zones and compliance
McAfee NAC client policies
Types of policies
McAfee NAC distinguishes between system health policies for managed systems and the single policy
used for all unmanaged systems.
This topic discusses the structure and use of all policy types except the post admission policy, which is
discussed in Network access administration and monitoring.
Table 4-1 Policy types
Managed system health policy: Defines your network security criteria for health assessment of managed systems, specifies which systems must adhere to these criteria, and specifies when to use the policy. This policy type uses benchmarks (based on the XCCDF and OVAL standards) to define compliance rules. Rules are built from predefined checks supplied by McAfee or custom checks you can construct.
Unmanaged system policy: Defines your network security criteria for health assessment of unmanaged systems, specifies how often to run scans, how much information is reported to the McAfee NAC manager, and whether you want identification messages sent onto the network. This policy type uses benchmarks (based on the XCCDF and OVAL standards) to define compliance rules. Rules are built from predefined checks supplied by McAfee or custom checks you can construct.
Network access policy: Specifies the network access restrictions that you want to apply to each system health level. This policy is a mapping between each health level and a network access zone. How many network access zones you create determines your choices in the drop-down list.
McAfee NAC client policy: Configures the features of the McAfee NAC client component, which is deployed to managed systems. The McAfee NAC client always functions as a detector and an assessor. By default, the policy configures the McAfee NAC client as the enforcer. If you integrate with other network access solutions such as McAfee Network Security Platform, you can configure the use of a different enforcer.
Post admission policy: Specifies a health level to assign systems that are reported as exhibiting malicious behavior.
System health levels and their function
System health levels represent the state of a system (managed or unmanaged) based on your
network security rules, as defined by your managed system health policies or your unmanaged system
policy.
McAfee NAC defines the following health levels:
• Healthy
• Fair
• Poor
• Serious
• Critical
• Unknown
The names of the health levels are arbitrary, and have no intrinsic meaning. What is meaningful is the
order, which represents a hierarchy of best (Healthy) to worst (Critical) states. The Unknown health
level is a special case. It is only assigned to systems by the client during scanner startup. Assignment
of the Unknown health level most often occurs when a system on the network starts up.
System health levels are used in:
• Reports, monitors, and informational tables shown in the product interface.
• Benchmark rules, to associate a particular health level with the rule’s failure. Benchmarks are used in managed system health policies and the unmanaged system policy.
• The definition of a Network access policy, where each health level is mapped to a specific network access zone.
Health levels in benchmarks
The first five health levels indicate a system’s state relating to its compliance with the rules defined in
your benchmarks. For each rule in a benchmark, you can set which health level to assign if the rule
fails. If a system fails multiple rules, it is assigned the most severe health level.
Typically, you rank each rule according to the level of risk a violation poses to your network. However,
associating a health level with each benchmark rule is not required. If a health level is not specified,
the default value, which is specified in the McAfee NAC server settings, is used.
The Enforcement mode setting for each benchmark determines how the health level that results from
rule evaluation is applied to systems and used by enforcers. See Benchmark enforcement modes.
Health levels in network access policies
In a network access policy, each health level is mapped to a network access zone. Generally, you
create multiple network access zones, each defining a different level of access to network resources.
The health level hierarchy is designed such that you can progressively restrict network access as a
system's health status worsens. The level of restriction depends on how serious a threat is to your
network security when a benchmark rule fails.
How the Unknown health level is used
Administrators cannot assign the Unknown health level to systems. This health level is reserved for
specific circumstances, and can be assigned only by the McAfee NAC manager. This health level is
assigned when:
• A system starts up, and therefore, has not yet been assessed.
• The health grace period has expired. The grace period is an option in the McAfee NAC server settings, and is applied to managed and unmanaged systems.
Benchmarks for McAfee NAC
Each managed system health policy and the unmanaged system policy requires at least one
benchmark, but can contain multiple benchmarks. Benchmarks are created and edited using the
Benchmark Editor. Before you can create health policies, you must have benchmarks that are
configured for McAfee NAC to use.
On the Add Benchmarks pages of the policy builders, only benchmarks with these characteristics are displayed:
• The Status must be set to “active” using Activate from the Benchmark Editor interface.
• The McAfee NAC property must be enabled. This property is located in the Properties section when you create or edit a benchmark, and is enabled by default when McAfee NAC is installed.
For a benchmark to perform any compliance checking, it must contain at least one rule. Each rule
contains one or more compliance checks for assessing system health. If multiple checks are used, you
can specify logic conditions.
For benchmarks you want to use with McAfee NAC, do the following within each rule:
• Set the McAfee NAC Health Level property to a health level value that is appropriate for the designated compliance checks.
• Make sure the Status property of each rule is set to Enabled.
• (Optional) To run a remediation action automatically when a rule is failed, type the remediation command and any parameters in the McAfee NAC Remediation Command and McAfee NAC Remediation Command Parameters properties. See How to use remediation.
Benchmarks contain many other properties and attributes that are beyond the scope of this document.
For more information about creating and editing benchmarks and creating custom checks, see the
Benchmark Editor documentation.
For each benchmark you add to a health policy, you can set these attributes:
• Enforcement mode — You can specify whether to enforce, audit, or disable the benchmark’s rules (use Set Mode on the Select Benchmarks page). The default is Audit Only.
• Automatic remediation — You can enable or disable this feature. The default is Disabled (use Auto-remediation on the Select Benchmarks page).
Automatic remediation can be used when systems fail a benchmark rule. Enabling this option means
that it is enabled for every rule in the benchmark. However, no remediation action occurs unless a
remediation command is explicitly specified for a benchmark rule, and the benchmark's enforcement
mode is Enforce. See How to use remediation.
Recommendations
McAfee recommends the following when creating or editing benchmarks for use with McAfee NAC:
• Use the benchmark Tag feature to make groups to use as filters when adding benchmarks to your policies.
• Limit the number and scope of the rules you add to each benchmark. Building and debugging your policies is easier when the benchmarks are targeted toward particular security concerns, such as operating system patches or anti-virus issues.
• If you have a mixed operating system environment (client systems using Windows and non-Windows operating systems), create separate benchmarks for non-Windows systems, and consider building separate managed system health policies for your Linux and Mac OS systems.
• Limit benchmark rules to only one check, or to one condition specified by multiple checks (for example, that at least one anti-virus program from an approved set is installed). Focusing each rule on a specific aspect of compliance works better than complex rules with numerous checks that address multiple security risks.
• Give each benchmark rule a name that describes the type of check, and provide a description that informs users what the rule looks for. The rule description is displayed to users through the system tray in the system status dialog box, and in the remediation window.
Benchmark enforcement modes
A benchmark's enforcement mode determines how an assessor uses the benchmark rules and reports
the health of a system.
You can set an enforcement mode on every benchmark in a managed system health policy or in the
unmanaged system policy. The enforcement mode affects all rules within a benchmark.
Table 4-2 Enforcement modes
Enforce: All benchmark rules are enforceable, and determine the value of the system's Enforced Health Level. The actual enforcement applied to the systems is based on the configured enforcer, the mapping in the network access policy, and whether the system has an enforcement exemption. The assessor reports the assessed health level and assessment results to the McAfee NAC manager. The level of assessment detail is configurable: in the McAfee NAC client policy for managed systems, and in the unmanaged system policy for unmanaged systems.
Audit Only: Benchmark rules are not enforceable, and do not affect the value of the system's Enforced Health Level. The assessor reports the assessed health level and assessment results to the McAfee NAC manager. The level of assessment detail is configurable: in the McAfee NAC client policy for managed systems, and in the unmanaged system policy for unmanaged systems.
Disabled: All benchmark rules are disabled. Rules are not evaluated, and results are not reported to the McAfee NAC manager.
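The rules scattered across this chapter (a failed rule contributes its health level or the server default, the most severe level wins, Audit Only reports but never enforces, Disabled reports nothing, and remediation only runs with Enforce mode, Auto-remediation enabled and a command set on the rule) are easier to see working together in code. The following is an added example written for this guide, not code from McAfee or the product: it models an assessor evaluating a constructed set of benchmarks and returns the enforced level, the assessed level reported to the manager, and the remediation commands the client remediator would run. The Rule, Benchmark and Assessment classes, the default level of Poor and the sample rule names and commands are assumptions.

```python
"""Hypothetical model of how a McAfee NAC assessor derives a system's health
level from benchmark results, following this guide (example code, not the
product's implementation)."""
from dataclasses import dataclass
from typing import List, Optional

# Health level hierarchy from best to worst, as listed in the guide.
HEALTH_ORDER = ["Healthy", "Fair", "Poor", "Serious", "Critical"]
# Reserved level: only the NAC manager assigns it (scanner startup, or
# expiry of the health grace period).
UNKNOWN = "Unknown"


def worst(levels: List[str]) -> str:
    """Most severe level in the list; a system that failed nothing is Healthy."""
    if not levels:
        return "Healthy"
    return max(levels, key=HEALTH_ORDER.index)


@dataclass
class Rule:
    name: str
    passed: bool
    enabled: bool = True                    # rule Status property
    health_level: Optional[str] = None      # None means "Use default"
    remediation_cmd: Optional[str] = None   # McAfee NAC Remediation Command


@dataclass
class Benchmark:
    name: str
    rules: List[Rule]
    mode: str = "Audit Only"        # "Enforce", "Audit Only" or "Disabled"
    auto_remediation: bool = False  # Auto-remediation setting in the policy


@dataclass
class Assessment:
    enforced_level: str      # drives the enforcer through the network access policy
    assessed_level: str      # reported to the manager (Enforce and Audit Only)
    failed_rules: List[str]
    remediation: List[str]   # commands the client remediator would run


def assess(benchmarks: List[Benchmark], default_level: str = "Poor") -> Assessment:
    """Evaluate every benchmark of a policy. default_level stands in for the
    Default rule health level server setting (the value Poor is an assumption)."""
    enforced, assessed, failed, remediation = [], [], [], []
    for b in benchmarks:
        if b.mode == "Disabled":
            continue  # rules are not evaluated and nothing is reported
        for r in b.rules:
            if not r.enabled or r.passed:
                continue
            level = r.health_level or default_level
            assessed.append(level)
            failed.append(f"{b.name}/{r.name}")
            if b.mode == "Enforce":
                enforced.append(level)  # Audit Only never affects enforcement
                # Remediation needs Enforce mode, auto-remediation enabled,
                # and a command explicitly set on the rule.
                if b.auto_remediation and r.remediation_cmd:
                    remediation.append(r.remediation_cmd)
    return Assessment(worst(enforced), worst(assessed), failed, remediation)


def reported_level(a: Assessment, scanner_ready: bool = True,
                   grace_period_expired: bool = False) -> str:
    """Level the NAC manager holds for the system; Unknown in the reserved cases."""
    if not scanner_ready or grace_period_expired:
        return UNKNOWN
    return a.enforced_level


# Constructed sample policy: three benchmarks in the three modes.
SAMPLE_BENCHMARKS = [
    Benchmark("AntiVirus", [
        Rule("dat-age", passed=False, health_level="Serious",
             remediation_cmd="UpdateNow.exe /silent"),
        Rule("av-installed", passed=True, health_level="Critical"),
    ], mode="Enforce", auto_remediation=True),
    Benchmark("OS-Patches", [
        Rule("kb-missing", passed=False),            # falls back to the default level
    ], mode="Audit Only"),
    Benchmark("PUP", [
        Rule("pup-found", passed=False, health_level="Critical",
             remediation_cmd="clean.bat"),
    ], mode="Disabled"),
]

if __name__ == "__main__":
    result = assess(SAMPLE_BENCHMARKS)
    print(result)
    print("manager holds at startup:", reported_level(result, scanner_ready=False))
```

With the sample data, the enforced and assessed levels are both Serious (the Audit Only patch failure at the default level Poor is reported but is less severe), only the anti-virus command is queued for remediation, and the disabled PUP benchmark contributes nothing even though its rule fails.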
Recommendations
McAfee recommends that you first test your policies with all benchmarks set to Audit Only mode. We
also recommend this mode any time you add new benchmarks to your policies. See Enforcement
mode monitoring.
Health policies of managed systems
Managed system health policies define the security compliance criteria used to assess the health of
managed systems. There is no limit to the number of managed system health policies you can have.
Managed system health policies have two qualities that differ from other McAfee NAC policy types:
• Assignment method
• Whether the policy is active or inactive, based on network connection conditions
You assign managed system health policies to systems from the Select Systems page of the policy
builder. Policy assignment is based on criteria you specify. The policy is assigned and downloaded only
to systems that match the criteria. As a result, each policy can use unique assignment criteria, and
each managed system can be subject to multiple system health policies.
Policy activation is unique to managed system health policies, and is specified from the Policy
Activation page of the policy builder. Whether a policy is active is determined by a system's network
connection (see How policies are activated). Policy activation does not determine whether a policy is
downloaded to the McAfee NAC client, but does determine whether the McAfee NAC client, in its role
as an assessor, uses the policy.
All other McAfee NAC policy types, except the unmanaged system policy, are assigned to systems
through the System Tree. Managed system health policies are the only type that are activated by
network connection conditions.
For an assessor to use a policy to determine system health on a specific managed system, the policy
must be assigned to that system and the policy must be active for the system's network connection.
Once you create or edit a system health policy, it is downloaded to the McAfee NAC client:
• The next time the McAfee Agent performs an agent-to-server communication
• When a manual or scheduled agent wake-up call occurs
• When a system is scanned with an older policy
The primary tasks to perform with a managed system health policy are:
1 Add or configure the benchmarks you want to use.
2 Set each benchmark's enforcement mode.
3 Enable or disable automatic remediation for each benchmark.
4 Specify which systems need to use the policy.
5 Specify the network conditions that activate the policy (for example, assess the policy when the system is on any network, or only on a specific network).
McAfee NAC includes a default managed system health policy you can use as the basis for constructing
your own.
Recommendations
McAfee recommends the following for working with managed system health policies:
• Use only a few benchmarks in each managed system health policy. It is better to have many policies, each focused on a specific security requirement, than to have a few policies containing many different and potentially disparate security requirements.
• If possible, test your policies first in a controlled or non-production environment with all benchmarks set to Audit Only mode, then switch to Enforce mode. See Benchmark enforcement modes.
• If you plan to use automatic remediation, test your remediation commands in a controlled or non-production environment to verify they work correctly.
• If you want to gather information from certain security tests (for example, potentially unwanted programs) but not enforce them, create separate policies for those tests with all benchmarks set to Audit Only mode, rather than mixing them with benchmarks you need to enforce.
System health policy structure
A managed system health policy defines the security compliance criteria that are used to assess the
health of managed systems.
A managed system health policy consists of:
• Unique identifiers (a name and description)
• A noncompliance message that is displayed on a client system when that system is out of compliance with any benchmark rules
• One or more active benchmarks designated for use with McAfee NAC
• One or more managed system assignments
• A policy activation mode that specifies the condition that makes the policy active
Identifiers
Each managed system health policy must have a name. This name should uniquely identify the policy.
A description is optional but helpful, because a system health policy contains several distinct elements.
For example, you might create similar policies with slight differences in option settings. The system
health policy naming convention is:
• A combination of alphanumeric characters, whitespace, underscores, and hyphens
• A minimum of one character and a maximum of 64 characters
• Must begin with a letter or number
Noncompliance message
A noncompliance message, though optional, is an important element of a managed system health
policy. This message appears on managed systems that fail any of the policy’s benchmark rules.
Administrators can use this message to inform users about compliance issues on their systems that
are specific to each managed system health policy, and how to fix them. With the noncompliance
message, you can customize information that cannot be generated automatically.
To display the noncompliance message on managed systems, you must enable the option for the
system tray icon in the McAfee NAC client policy (it is enabled by default). The system tray also
provides information about the system’s health level, the assessed benchmarks and rules, and
remediation status. The level of benchmark and rule information displayed is determined by the Scan
results option in the McAfee NAC client policy.
McAfee recommends that you provide users with as much information as possible. A typical message might include:
• Information about the benchmark rule or check that failed during the most recent scan.
• Paths or active links to file servers and shared network resources that store updates or other content needed to make the system compliant. This is especially helpful for users needing to update their systems manually.
Once a system is noncompliant, its access to network resources is controlled by the mapping of
network access zones to health levels in your network access policies. If automatic remediation
commands have been specified, these are run by the McAfee NAC client after all managed system
health policies have been assessed. Users can access a remediation status window through the system
tray menu. Some policy violations might require manual remediation. If so, make sure systems can
access the necessary network resources. See Manual remediation.
Health policies and system assessment
Each managed system health policy and the single unmanaged system policy must have at least one
benchmark to be able to determine a system's health.
Benchmarks are created with the Benchmark Editor, a common component that can be used by
products other than McAfee NAC. A benchmark specifies your compliance requirements for network
access through rule definitions, which are used to assess system health.
Each rule is constructed from security checks that target specific system configurations, security
threats, the presence or absence of certain software, and more. If you use multiple checks, you can
specify logic conditions. McAfee supplies a set of checks for building your network security rules (see
Installing content). You can also create custom checks.
Use these tools to create and edit system health policies:
• Managed systems — Managed System Health Policy builder
• Unmanaged systems — Unmanaged System Policy builder
To add, modify, or remove benchmarks, use the appropriate policy builder from the console. Creating
and editing policies requires the proper permissions (see Editing McAfee NAC permission sets).
The Select Benchmarks page of each policy builder lists the benchmarks that have been added to the
policy. If no benchmarks have been added, a warning appears. Use Add Benchmark to search for and
select benchmarks for the policy.
Benchmarks contain many properties and attributes that are beyond the scope of this document. For
more information about creating and editing benchmarks and creating custom checks, see
Benchmarks for McAfee NAC and the Benchmark Editor documentation.
How system health policies are assigned
Managed system health policies must be assigned to systems on your network before your security
rules can be assessed and enforced.
The managed systems you want to assess must have:
• McAfee Agent
• McAfee NAC client
Most policy types in the ePolicy Orchestrator environment are assigned to systems through the System
Tree. Managed system health policies, however, are an exception; they are assigned on the Select
Systems page of the Managed System Health Policy builder.
The unmanaged system policy does not need to be assigned to systems specifically because it is part of
the McAfee NAC guest client installation.
You can assign a managed system health policy to systems by specifying:
• One or more individual systems
• One or more groups of systems
• One or more tags
Individual systems: Select individual systems to assign the policy using any of these criteria:
• System name
• User name
• IP address (in IPv4 dotted decimal format)
• MAC address (specified without dashes between the hex digit pairs; for example, 00123F3871C0 rather than 00-12-3F-38-71-C0)
System groups: Select systems based on their assignment to groups in the ePolicy Orchestrator System Tree. The policy is assigned to all systems in the group, and in any subgroups on that branch of the hierarchy.
Tag: Select systems based on any tag in the ePolicy Orchestrator Tag Catalog. For information about using tags, see the documentation for your version of ePolicy Orchestrator.
How policies are activated
Policy activation specifies the conditions under which a managed system health policy is active. This
setting designates whether a policy is assessed and enforced, based on the managed system’s
network connection.
A managed system health policy can be made active:
• Always, regardless of whether or not the system is connected to a network
• When the system is connected to a specific network; for example, one of your corporate networks
• When the system is not connected to a specific network
When deciding how to activate your system health policies, remember that a managed system gets
every managed system health policy that has been assigned to it using Select Systems. For example,
you define ten managed system health policies and you want five active for corporate network
connections, three active for non-corporate network connections, and two always active. If you assign
all ten policies to every managed system, the only policies that are assessed and enforced are those
that match the activation criteria for the system’s network connection.
If you are going to use policy activation based on connection to, or not to, a specific network, it is
recommended you always use one mode or the other. Systems that have more than one network
interface card might experience conflicts if some policies activate based on a specific network
connection, and others activate based on not being connected to a specific network.
Table 4-3 Policy activation
Always active: Use this setting for managed system health policies you always want applied to your corporate systems, regardless of which network a system is connected to or whether it is connected at all.
Active when connected to a specific network: Use this setting when you want a managed system health policy assessed and enforced whenever a system is connected to a specific network. Because you must identify a network for this mode, the most common use is for activating policies that you always want assessed and enforced when systems are connected to one of your corporate networks. See Network identification criteria for information about specifying a network.
Active when not connected to a specific network: Use this setting when you want a managed system health policy assessed and enforced whenever a system is not connected to a specific network. Because you must identify a network for this mode, the most common use is for activating policies that you always want assessed and enforced when systems are not connected to one of your corporate networks. See Network identification criteria for information about specifying a network.
Network identification criteria
A connection to a specific network can be determined by specifying one or more network identification criteria:
• The system can successfully connect to a domain controller for the Windows domain it belongs to.
• The system’s IP address is within a range you specify.
• The system is connected to a network with a DNS suffix you specify.
If both network identification types are selected (domain controller and network property), a logical
AND is performed. For example, the managed system health policy is active only if a system
successfully connects to any domain controller “and” it matches a specific IP address range or DNS suffix.
If you specify both types of network identification property (IP address range and DNS suffix), or more than one of each, the evaluation rules are:
• A logical OR is used for multiple entries of an IP address range or a DNS suffix.
• A logical OR is used when both an IP address range and DNS suffix are specified.
Using the network identification properties (IP address ranges and DNS suffixes) allows you to be
specific. For instance, you might have several network domains, and want some system health policies
active on one but not on others.
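The assignment criteria from the Select Systems page, the three activation modes, and the AND/OR rules for network identification criteria together decide which of the policies downloaded to a system the assessor actually uses. The following added example (written for this guide, not McAfee's code) models that decision for a constructed laptop seen from the office and from home. The System, Policy and NetworkId classes, the sample addresses, group names, tags and policy names are assumptions; it also accepts both CIDR and low-high IP ranges, which is more than the page specifies.

```python
"""Hypothetical model of managed system health policy assignment and
activation, following the rules in this guide (example code, not McAfee's)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class System:
    name: str
    user: str
    ip: str
    mac: str
    group_path: List[str]    # System Tree branch, root first
    tags: List[str]
    dns_suffix: str
    dc_reachable: bool       # can reach a domain controller for its domain


@dataclass
class NetworkId:             # network identification criteria of one policy
    domain_controller: bool = False                         # require DC connectivity
    ip_ranges: List[str] = field(default_factory=list)      # CIDR or "low-high"
    dns_suffixes: List[str] = field(default_factory=list)


@dataclass
class Policy:
    name: str
    systems: List[str] = field(default_factory=list)   # names, users, IPs or MACs
    groups: List[str] = field(default_factory=list)
    tags: List[str] = field(default_factory=list)
    activation: str = "always"   # "always", "connected" or "not_connected"
    network: Optional[NetworkId] = None


def normalize_mac(mac: str) -> str:
    """The policy stores MACs without dashes (00123F3871C0, not 00-12-3F-38-71-C0)."""
    return mac.replace("-", "").replace(":", "").upper()


def ip_in_range(ip: str, rng: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if "/" in rng:
        return addr in ipaddress.ip_network(rng, strict=False)
    lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
    return addr.version == lo.version and lo <= addr <= hi


def is_assigned(policy: Policy, system: System) -> bool:
    """Select Systems page: individual systems, System Tree groups, or tags."""
    ids = {system.name.lower(), system.user.lower(), system.ip, normalize_mac(system.mac)}
    if any(ref.lower() in ids or normalize_mac(ref) in ids for ref in policy.systems):
        return True
    # A group assignment covers that group and every subgroup on its branch.
    if any(g in system.group_path for g in policy.groups):
        return True
    return any(t in system.tags for t in policy.tags)


def on_network(net: NetworkId, system: System) -> bool:
    """Domain controller AND (any IP range OR any DNS suffix); entries OR together."""
    props = (any(ip_in_range(system.ip, r) for r in net.ip_ranges)
             or any(system.dns_suffix.lower() == s.lower() for s in net.dns_suffixes))
    if not net.domain_controller:
        return props
    # With no IP range or DNS suffix given, DC connectivity alone decides.
    return system.dc_reachable and (props or not (net.ip_ranges or net.dns_suffixes))


def is_active(policy: Policy, system: System) -> bool:
    """Policy Activation page: always, or by being (or not being) on the named network."""
    if policy.activation == "always":
        return True
    connected = on_network(policy.network, system)   # a network is required here
    return connected if policy.activation == "connected" else not connected


def applies(policy: Policy, system: System) -> bool:
    """A policy is assessed and enforced only if it is assigned AND active."""
    return is_assigned(policy, system) and is_active(policy, system)


def active_policies(policies: List[Policy], system: System) -> List[str]:
    return [p.name for p in policies if applies(p, system)]


# Constructed sample data (addresses, names, groups and tags are made up).
CORP_NET = NetworkId(domain_controller=True, ip_ranges=["10.10.0.0/16"],
                     dns_suffixes=["corp.example"])
POLICIES = [
    Policy("corp-baseline", groups=["Workstations"], activation="connected",
           network=CORP_NET),
    Policy("offsite-check", systems=["00123F3871C0"], activation="not_connected",
           network=NetworkId(ip_ranges=["10.10.0.0-10.10.255.255"],
                             dns_suffixes=["corp.example"])),
    Policy("always-av", tags=["Laptop"]),
]
BRANCH = ["My Organization", "Workstations", "Finance"]
LAPTOP_AT_OFFICE = System("LAPTOP-01", "jdoe", "10.10.4.20", "00-12-3F-38-71-C0",
                          BRANCH, ["Laptop"], "corp.example", dc_reachable=True)
LAPTOP_AT_HOME = System("LAPTOP-01", "jdoe", "192.168.1.5", "00-12-3F-38-71-C0",
                        BRANCH, ["Laptop"], "home.lan", dc_reachable=False)

if __name__ == "__main__":
    print("office:", active_policies(POLICIES, LAPTOP_AT_OFFICE))
    print("home:  ", active_policies(POLICIES, LAPTOP_AT_HOME))
```

All three policies are downloaded to the laptop, but at the office only corp-baseline and always-av are assessed, and at home only offsite-check and always-av. Note that the guide's advice to pick either "connected" or "not connected" activation applies here: a multi-homed system could satisfy both a "connected" and a "not connected" policy at once if the two name different networks.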
Work with managed system health policies
You can perform a number of tasks with managed system health policies.
Create a McAfee NAC benchmark
Create a benchmark that can be used within your managed system health policies or unmanaged
system policy. This task prepares and sets the benchmark options necessary for using a benchmark in
McAfee NAC policies.
Make sure to activate your benchmarks after you create or edit them.
Creating benchmarks and using the McAfee Benchmark Editor is beyond the scope of this guide. For a
complete description of creating benchmarks and compliance rules, see the McAfee Benchmark Editor
documentation.
Task
For option definitions, click ? in the interface.
1 In ePolicy Orchestrator, go to Menu | Risk & Compliance | Benchmarks, then select Actions | New Benchmark.
2 In the Add Benchmark dialog box:
  a In the New Benchmark Title field, type a name for the benchmark.
  b Click in the New Benchmark Id field. The name you entered in the Title field is copied, but with spaces removed. Edit this identifier, as needed, then click OK.
  The next page is titled with the name you specified, and includes three areas:
  • Edit panel at the top
  • Benchmark Tree pane at the left
  • Benchmark Content pane at the right
3 In the Edit panel, select a benchmark option, then select the language you want for content.
4 (Optional) Add groups for organizing your rules: in the Benchmark Tree pane, click New Group. Type a descriptive name for the Group Title, such as VirusScan (when you click in the Group Id field, the title is copied). Edit this information as needed, then click OK.
5 In the Benchmark Tree pane, select the benchmark name, then in the Benchmark Content pane, select the Properties page. The Benchmark ID and Title fields are automatically populated.
6 Type a description in the Description field.
7 For the McAfee NAC property, make sure Make benchmark available to NAC is selected.
  In ePolicy Orchestrator 4.5, in the Benchmark Tree pane, select the benchmark name. In the Benchmark Content pane, select the Properties page, and select Enabled or Disabled for Status.
8 Click Apply Properties, then click Close.
9 Add rules to the benchmark: on the Benchmarks page, click Actions | New Benchmark from Checks. See the McAfee Benchmark Editor documentation for details about creating and structuring rules.
  a For the McAfee NAC Health Level option, select the health level to assign to a system that fails the rule. The value Use default means that the value specified by the Default rule health level option in the McAfee NAC server settings is assigned to systems that fail the rule.
  b To use automatic remediation, type the remediation command and any command parameters. For information on using automatic remediation, see Automatic remediation of unhealthy systems.
10 From the Rules list, verify that each rule you added has the desired Status (Enabled or Disabled), and the desired McAfee NAC Health Level, then click Close to return to the main Benchmarks page.
11 Select the benchmark you created from the list and click Actions | Activate.
You can now use this benchmark when you create managed system health policies or edit the unmanaged system policy.
Create a McAfee NAC benchmark from checks
Create a new benchmark quickly by selecting one or more existing checks. A separate rule is created
for each check you select.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Risk & Compliance | Benchmarks, then select Actions | New Benchmark from Checks.
2 On the New Benchmark from Checks page, type a name for the benchmark in the New Benchmark Title field, then click in the New Benchmark Id field.
  The name you entered in the Title field is copied, but with spaces removed. You can edit this identifier if you want.
3 In the Check Filter area, limit the displayed list of checks by operating system platform and by keywords, then click Apply.
4 For more control when filtering the list of checks:
  a Click Advanced Filter to open the Check Filter Criteria Builder.
  b Select properties and comparison operators, and apply boolean logic as needed, then click OK.
5 Select the checkbox for the check you want to use. If the Actions column for a check contains a Set Parameters option, click it to open a dialog box where you specify values for the check, such as a minimum DAT age. After setting any required check parameters, click Add Check(s).
  You can continue to add checks by using the Next/Previous page buttons, or by clearing the existing filter and entering new filter options.
6 Click Next when you have finished adding checks, then click Save on the summary page.
  The main Benchmarks page is displayed. The benchmark you created is listed with its status set to Edit.
7 Select the benchmark with the status set to Edit, then click Actions | Edit.
  Benchmarks with McAfee as the source are not editable. Only user-created benchmarks are editable. If you select a user-created benchmark with the status Received or Active and click Actions | Edit, a warning message appears: Editing/Tailoring this benchmark will create another version. Do you want to continue? Click OK or Cancel.
8 Click the Properties tab and verify that the McAfee NAC property is enabled. If not, select the checkbox, then click Apply Properties if you made changes to any benchmark properties.
9 Click the Rules tab. For each rule, select it and click Edit Rule.
  a For the McAfee NAC Health Level option, select the health level to assign a system that fails the rule. The Use default value means that the value specified by the Default rule health level option in the McAfee NAC server settings is assigned to systems that fail the rule.
  b To use automatic remediation, type the remediation command and any command parameters. For information on using automatic remediation, see Automatic remediation of unhealthy systems.
10 After editing all the rules, click Close to return to the main Benchmarks page.
11 Select the benchmark you created from the list and click Activate.
You can now use this benchmark when you create managed system health policies, or when you edit the unmanaged system policy.
Create and modify managed system health policies
Create or edit a managed system health policy to add, edit or remove a benchmark setting.
You can also add or remove systems from the managed system health policy.
Task
For option definitions, click ? in the interface.
1
Go to Menu | Risk & Compliance | Network Access Control, then select Managed System Health Policies from the
left column.
2
Click New to open the Managed System Health Policy Builder, or click Edit in the Action column of an
existing policy.
3
On the Description page:
a
Type a name and description to label and identify the policy.
b
In the Noncompliance message for client field, add details about why the system is not in compliance,
and what to do to correct the situation. You can include links to systems that contain the
appropriate remediation resources.
c
Click Next.
4
On the Select Benchmarks page, click Actions | Add Benchmark to create a new policy, or to add more
benchmarks to an existing policy.
5
On the Add Benchmarks page, use the filters to display a list of available benchmarks, then click
Add.
You can filter using a label, a name or part of a name, or a value of the Source field. From the list,
select one or more benchmarks to include in the policy.
6
On the Select Benchmarks page, use the Actions menu to set each benchmark’s enforcement mode,
enable or disable automatic remediation, or remove a benchmark, then click Next.
7
On the Select Systems page, specify the systems you want the policy assigned to by using Add
System, Add Group, and Add Tag. You can use any combination of these options.
a
Click Add System, then specify individual systems by system name, user name, IP address, or
MAC address. Do not use dashes in a MAC address.
b
Click Add Group, then add one group at a time by selecting from the displayed System Tree.
c
Click Add Tag, then add one system tag at a time by selecting from the drop-down list.
To view details about the systems you selected, or the groups and tags you used, click Summary
in the Actions column.
d
Click Next.
8
On the Policy Activation page:
a
Select an Activation mode to specify the network connection condition that makes the policy
active. Selecting a mode that activates the policy only when connected to or not connected to a
specific network makes the Network Identification option available.
b
If activating the policy based on connecting to (or not connecting to) a specific network, select
how you want to verify the connection, then click Next. If you select Network Identification
properties, you can add, edit, or delete one or more IP address ranges and DNS suffixes.
9
On the Summary page, review the policy information, then click Save.
Export managed system health policies
Save managed system health policies by exporting them to disk.
The default file name is NAC_Managed_System_Health_Policies.zip.
Task
For option definitions, click ? in the interface.
1
Go to Menu | Risk & Compliance | Network Access Control, select Managed System Health Policies from the left
column, then click Export.
2
From the list, select the managed system health policies to export, then click OK.
3
On the Download File page, right-click the file name link and select Save Target As from the menu.
4
Browse to the location where you want to save the file, rename the file as needed, then click Save.
5
Click Close.
Import managed system health policies
Import system health policies that you have stored on disk.
Import the .zip file (NAC_Managed_System_Health_Policies.zip by default, or the name you gave it when
exporting) that contains the backed-up policies.
Task
For option definitions, click ? in the interface.
1
Go to Menu | Risk & Compliance | Network Access Control, then select Managed System Health Policies from the
left column.
2
Click Import.
3
In the Import System Health Policy dialog box, click Browse, navigate to and select the .zip file that
contains managed system health policies, then click Open.
4
Click OK to load the file or Cancel.
Unmanaged system policy
The unmanaged system policy defines the security compliance criteria used to assess the health of
unmanaged systems. Only the McAfee NAC guest client uses this policy, which is automatically
included as part of the guest client installation package.
Though similar, the unmanaged system policy differs from managed system health policies in these
ways:
•
A single policy applies to all unmanaged systems on your network.
•
The unmanaged system policy is assessed by the McAfee NAC guest client, which can assess a
system's health but cannot enforce the system.
•
The McAfee NAC guest client does not support automatic remediation.
•
You do not select the systems that are assigned the policy. Any unmanaged systems that install the
McAfee NAC guest client are assessed using this single policy.
•
You do not specify network conditions for activating the policy.
•
You specify a time interval for how long an unmanaged system’s health level is valid before a new
scan is required.
•
You specify whether you want a periodic identification message sent out to the network to identify
the system to a McAfee® Network Security Sensor when using McAfee Network Security Platform.
The primary task to perform with the unmanaged system policy is to add the benchmarks you want to
use, and set their configuration options as needed. Once you add benchmarks, McAfee recommends
that you first test this policy with the benchmarks set to Audit Only, then set all benchmarks to Enforce.
McAfee NAC includes a default unmanaged system policy to which you add benchmarks. This policy
cannot be renamed or have its description modified.
Benchmarks for the unmanaged system policy
McAfee recommends that you use separate benchmarks for the unmanaged system policy; that is, not
the same ones you use in your managed system health policies. The guest client does not support
automatic remediation, and you must use a different method for giving users remediation instructions.
Remediation instructions in the unmanaged system policy
All unmanaged systems are assessed using a single policy. In most circumstances you would configure
your unmanaged system policy with multiple benchmarks. Each benchmark can contain any number of
rules and checks, but benchmarks are easier to manage when they are configured to check for specific
network access rules, such as having an anti-virus product installed.
The unmanaged system policy includes an option where you can specify a non-compliance message,
but this one message is not sufficient for providing users with specific remediation instructions when
their systems are unhealthy. Rather, you can use the non-compliance message to provide general
information about compliance with your network security policy, and where to get help fixing an
unhealthy system.
McAfee recommends that you provide remediation instructions in each benchmark by using the Rule
Description field. By using this field, you can write benchmarks with multiple rules, with each rule
description providing the appropriate remediation information.
For example, if you write a benchmark to check for an anti-virus product, you can have separate rules
for specific products. In each rule description, you can provide information about where to find that
product's installer.
Edit the unmanaged system policy
Use this task to edit the unmanaged system policy. The default policy for unmanaged systems
contains no benchmarks. You must add at least one benchmark for any health assessment to occur.
Task
For option definitions, click ? in the interface.
1
Go to Menu | Risk & Compliance | Network Access Control, then select Unmanaged System Policy from the left
column.
2
Click Edit in the Action column of the existing policy.
3
On the Description page in the field Noncompliance message for client, enter the noncompliance message
that will be displayed, then click Next.
4
If you are editing the policy for the first time, you must add at least one benchmark. If the policy
already has benchmarks specified, you can set their enforcement mode, or delete them.
5
On the Select Benchmarks page, click Actions | Add Benchmark.
6
Select one or more benchmarks to include in the policy, then click Add.
You can filter the list using a label, a name or part of a name, or a value of the Source field.
7
To change the enforcement mode, click Actions | Set Mode, select an option from the drop-down list,
then click OK. When finished adding benchmarks, click Next.
8
On the Configuration page, set these options, then click Next:
•
For Scan interval, specify how often (in minutes) you want a scan to occur on detected unmanaged
systems. The McAfee NAC guest client performs the scan.
•
For Periodic identification, determine whether you want this enabled. If so, an identification message
is sent at an interval you specify, between 1 and 10 minutes.
•
For Scan results, set the level of detail you want reported to the McAfee NAC manager for each
unmanaged system assessment.
9
On the Summary page, review the policy information, then click Save.
Network access policies
A network access policy specifies which network resources a managed system can access for each
health state.
The policy maps each system health level to a network access zone. Each health level maps to exactly
one zone, but the same network access zone can be mapped to more than one health level.
Network access policies are created and edited using the Policy Catalog (Menu | Policy | Policy Catalog).
Unlike system health policies, a managed system can be assigned only one network access policy. You
can create multiple network access policies, then assign a specific policy to specific systems.
The primary task you perform with network access policies is mapping a network access zone to each
system health level.
If you modify a network access policy (including a modification to a network access zone it uses), the
updated policy is downloaded to the McAfee NAC client:
•
The next time the McAfee Agent performs an agent-to-server communication
•
When a manual or scheduled agent wake-up call occurs
•
When a system is scanned with an older policy
Use the System Tree (Menu | Systems | System Tree) to assign and set the inheritance rules for a network
access policy.
When the software is installed, two default network access policies are added to the Policy Catalog:
•
Network Access Policy Default, which cannot be edited but can be duplicated to create your own policies
•
My Default, which can be edited, duplicated, and renamed
Both policies assign the default Allow Full Access network access zone to all health levels except Critical,
which is assigned the default Deny All Access zone.
Create network access policies
McAfee NAC 4.0 includes two default network access policies, Network Access Policy Default and My
Default. Network Access Policy Default cannot be edited, but it can be duplicated and used as the basis
for creating a new policy.
Task
1 Go to Menu | Policy | Policy Catalog.
2
For the Product field, select Network Access Control 4.0.0.
3
For the Category field, select Network Access Policy.
4
Click New Policy to display the New Policy window, then:
•
New policy — Select an existing policy from the drop-down list, and type a name.
•
Existing policy — Type a new name in the dialog box, then click OK.
5
For Health level to network access zone mapping, select a network access zone from the associated
drop-down list for each health level, then click Save.
To create one or more new network access zones while creating or editing a policy, click New Network
Access Zone. If you do this, you must return manually to the Policy Catalog and begin the policy
editing again.
Network access zones and compliance
Network access zones designate which network resources a managed system can or cannot access
when it is not compliant with one or more rules in the applicable system health policies. The network
access zones you define in McAfee NAC apply only to managed systems when the McAfee NAC client is
the enforcer.
You can create as many network access zones as you need to ensure network security. Once these
zones are created, you use them when defining a network access policy by associating a specific zone
with each system health level.
The primary tasks to perform with network access zones are to set the access type and add network
resources to the resource list.
Types of network access zones
Two default zones are supplied with the software: Allow Full Access zone and Deny All Access zone.
These zones are meant to provide a starting point for defining your own zones, and to allow you to
conduct some immediate testing.
A network access zone consists of:
•
Name (required) and description (optional)
•
Access type setting (Allow or Deny)
•
Domain controller setting, automatically enabled when the access type is Allow
•
Network resource list
Network access zones should be defined so that noncompliant systems are isolated from network
resources, such as critical servers and sensitive data, depending on the severity of the threat posed by
each benchmark rule violation. However, you can always modify your zone definitions, so adding or
removing a resource can be done at any time. When a network access zone definition is modified, it
triggers an update to any network access policies that use the zone in the health level mapping.
Network access zone names
The naming conventions for network access zones are:
•
A combination of alphanumeric characters, whitespace, underscores, and hyphens
•
A minimum of one character and a maximum of 64 characters
•
Must begin with a letter or number
When is the policy downloaded to the client
The updated network access zone and network access policies are downloaded to the McAfee NAC client:
•
The next time the McAfee Agent performs an agent-to-server communication
•
When a manual or scheduled agent wake-up call occurs
•
When a system is scanned with an older policy
Once a managed system receives the updated network access policy, changes to zone definitions are
applied immediately and enforced accordingly.
Network access resources
A network access zone's resource list can specify an internal or external network resource. Internal
resources are ones that are not accessible from the Internet, and must be specified by an IP address.
External addresses can be either a fully-qualified domain name (FQDN) or an IP address.
No matter how you define a network access zone, systems always have access to a core whitelist of
network resources that consists of:
•
DNS servers
•
DHCP servers
•
The ePolicy Orchestrator server
•
The local system
A zone's Resource List does not list or identify the core whitelist resources. For information about why
these resources cannot be blocked, see How host enforcement works. If you define a zone with an
access type of Allow, systems must be able to authenticate themselves to your domain controllers.
The Allow access type automatically enables the Domain controller option, which adds these resources to
the core whitelist. If your zone's access type is Deny, the Domain controller option is not applicable, and is
automatically disabled.
When the McAfee NAC client is the enforcer, it uses a local firewall to block a system’s outbound
connections, and enforce the access restrictions defined by your network access zones. If you use a
zone that allows all connections and this is the active zone for a system, the firewall is effectively
disabled. If you use an enforcer other than the McAfee NAC client, the behavior might be different.
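The following Python model is added here as an illustration of the zone and policy behavior described above; it is not code from the McAfee NAC software. It shows how a network access policy resolves a health level to exactly one zone, how the core whitelist (DNS, DHCP, the ePolicy Orchestrator server, the local system) and the Domain controller option override whatever the zone's resource list says, and how a tailored Allow zone can restrict a Critical system to remediation resources only. The sample addresses, the policy named Quarantine, the zone named Remediation Only, the wildcard resource values and the exact matching semantics of Allow and Deny resource lists are assumptions made for this example; only the Healthy, Critical and Unknown health levels are named in this guide, so no others are modelled.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample addresses for the core whitelist the guide says can never be
# blocked (DNS servers, DHCP servers, the ePolicy Orchestrator server, the local
# system) and for the domain controllers added by the Domain controller option.
CORE_WHITELIST = {"10.0.0.53", "10.0.0.67", "10.0.0.10", "127.0.0.1"}
DOMAIN_CONTROLLERS = {"10.0.0.5"}

# Zone naming rules from the guide: alphanumerics, whitespace, '_' and '-',
# 1 to 64 characters, beginning with a letter or number.
ZONE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9\s_-]{0,63}")


def valid_zone_name(name: str) -> bool:
    return ZONE_NAME_RE.fullmatch(name) is not None


@dataclass(frozen=True)
class Resource:
    """One entry of a zone's resource list: destination, protocol, port.
    The wildcard values ("*", "Any", None) are assumptions for this model."""
    destination: str              # IP address (internal) or FQDN/IP (external)
    protocol: str = "Any"
    port: Optional[int] = None

    def matches(self, host: str, protocol: str, port: int) -> bool:
        host_ok = self.destination == "*" or self.destination.lower() == host.lower()
        proto_ok = self.protocol == "Any" or self.protocol.upper() == protocol.upper()
        port_ok = self.port is None or self.port == port
        return host_ok and proto_ok and port_ok


@dataclass
class Zone:
    name: str
    access_type: str                        # "Allow" or "Deny"
    resources: list = field(default_factory=list)
    domain_controllers: bool = True         # the Domain controller option

    def __post_init__(self):
        if not valid_zone_name(self.name):
            raise ValueError(f"invalid zone name: {self.name!r}")
        if self.access_type not in ("Allow", "Deny"):
            raise ValueError("access type must be Allow or Deny")
        if self.access_type == "Deny":
            self.domain_controllers = False  # not applicable, automatically disabled

    def permits(self, host: str, protocol: str, port: int) -> bool:
        """Decide one outbound connection the way the client-side firewall would."""
        whitelist = set(CORE_WHITELIST)
        if self.access_type == "Allow" and self.domain_controllers:
            whitelist |= DOMAIN_CONTROLLERS
        if host in whitelist:
            return True                     # the core whitelist cannot be blocked
        listed = any(r.matches(host, protocol, port) for r in self.resources)
        # Assumed semantics: an Allow zone permits only its listed resources,
        # a Deny zone blocks its listed resources and permits everything else.
        return listed if self.access_type == "Allow" else not listed


# The two supplied default zones, modelled with a wildcard resource (assumption).
ALLOW_FULL_ACCESS = Zone("Allow Full Access", "Allow", [Resource("*")])
DENY_ALL_ACCESS = Zone("Deny All Access", "Deny", [Resource("*")])


class NetworkAccessPolicy:
    """Maps each health level to exactly one zone; a zone may serve several levels."""

    def __init__(self, name: str, mapping: dict):
        self.name = name
        self.mapping = dict(mapping)

    def zone_for(self, health_level: str) -> Zone:
        return self.mapping[health_level]

    def permits(self, health_level: str, host: str, protocol: str, port: int) -> bool:
        return self.zone_for(health_level).permits(host, protocol, port)


# Only Healthy, Critical and Unknown are named in the guide; the supplied
# defaults map every level to Allow Full Access except Critical.
LEVELS = ("Healthy", "Unknown", "Critical")


def default_policy() -> NetworkAccessPolicy:
    return NetworkAccessPolicy("My Default", {
        lvl: DENY_ALL_ACCESS if lvl == "Critical" else ALLOW_FULL_ACCESS for lvl in LEVELS})


def quarantine_policy() -> NetworkAccessPolicy:
    """Hypothetical tailored policy: Critical systems reach only an internal
    remediation server (by IP) and a vendor update site (by FQDN)."""
    remediation_only = Zone("Remediation Only", "Allow", [
        Resource("10.0.0.20", "TCP", 443),
        Resource("updates.example.com", "TCP", 443),
    ])
    return NetworkAccessPolicy("Quarantine", {
        "Healthy": ALLOW_FULL_ACCESS, "Unknown": ALLOW_FULL_ACCESS,
        "Critical": remediation_only})


if __name__ == "__main__":
    for pol in (default_policy(), quarantine_policy()):
        for level in LEVELS:
            print(pol.name, level, "web:", pol.permits(level, "198.51.100.7", "TCP", 443),
                  "ePO:", pol.permits(level, "10.0.0.10", "TCP", 443))
```

Running the model shows the point behind the recommendation that follows: under Deny All Access a Critical system can still reach the ePO server (core whitelist) but not a domain controller, because the Domain controller option is disabled for Deny zones, so remediation resources are only guaranteed to be reachable when they are served from a whitelisted host.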
Recommendations
For network access zones, McAfee recommends that you:
•
Test your network access zones in a non-production environment or a small subset of your
production network, if possible, so you can determine whether users can access remediation
resources.
•
Carefully consider which health level to assign for each benchmark rule failure, and which network
access zone you want to associate with each health level.
•
Be careful using a zone that allows access to every resource. In a production environment, you
might want to deny access to specific network resources or Internet sites even for healthy systems.
•
Do not disable the Domain controller option for zones that have an access type of Allow, unless you are
fully aware of the ramifications.
•
If you create a zone that denies access, be sure you have made remediation resources available
from one of the servers that systems cannot be denied access. The ePolicy Orchestrator server is
recommended.
•
Evaluate your organization’s network security policies before creating your network access zones.
This can save time later.
Create network access zones
McAfee NAC includes two default zones. You can use these zones as is, or as a basis for creating new
zones.
Task
For option definitions, click ? in the interface.
1
Go to Menu | Risk & Compliance | Network Access Control, then select Managed Network Access Zones from the
left column.
2
Click New Access Zone, or to edit an existing zone, click Edit in the Actions column. The Network Access
Zone Builder opens.
3
Type a name and description.
4
Specify the zone’s access type (Allow or Deny).
5
Select Automatically Add To List in Domain Controllers, if you want a domain controller to be listed.
6
Click New Resource to add a network resource to the definition of the zone.
7
In the Add Network Resource dialog box, specify the resource’s destination address, a protocol
type, and destination port, then click OK.
8
To add additional network resources, continue using New Resource. To edit or delete a resource from
the zone’s resource list, click Edit or Delete in the Action column.
9
Click OK, then click Save.
Import and export network access zones
Import or export your network access zones to restore or save your existing policies. When you
export, all of your defined network access zones are saved in a .zip file.
McAfee NAC sets a default file name, which you can change when you save the file. You cannot export
only a subset of your zones. You can only import network access zones that you previously saved by
exporting them.
If you import a zone that has the same name as an existing network access zone, the existing zone is
overwritten.
Task
For option definitions, click ? in the interface.
1
Go to Menu | Risk & Compliance | Network Access Control, then select Managed Network Access Zones from the
left column.
2
Click Export to save your defined network access zones.
a
On the Download File page, click NAC Network Access Zone Policies.
b
Click Save in the File Download dialog box, select a location and optionally change the file name,
click Save, then click Close.
3
Click Import to load network access zones from a saved .zip file.
a
In the Import Network Access Zone page, type a file name or click Browse to locate a previously
exported network access zone file.
b
Click OK in the File Download dialog box.
McAfee NAC client policies
The McAfee NAC client policy configures how the McAfee NAC client operates. This policy type is
managed from the ePolicy Orchestrator Policy Catalog, and is assigned to managed systems using
assignment mechanisms such as the System Tree.
Depending on your network structure or organizational needs, you can use more than one McAfee NAC
client policy.
You can create a new policy, or edit, view, duplicate, export, rename, and delete an existing policy.
You cannot edit, rename, export, or delete the supplied McAfee Default policy.
Configuration options
The primary task to perform with a McAfee NAC client policy is to set the configuration options you
require. The configuration options are:
•
Enforcement method — Sets the type of enforcement to use. The Microsoft Network Access
Protection option is valid only for client systems running Windows operating systems, and does not
work for systems running a supported Mac OS or Linux operating system.
•
Delay Remediation And Enforcement Settings — Delays the remediation and enforcement
process based on the configured interval, to perform any other important activity that might
otherwise affect network access.
•
Scan results — Sets how much detail is reported to the McAfee NAC manager for each managed
system assessment.
•
Automatic remediation — Sets whether automatic remediation is enabled and, if so, the
credentials to use for running the remediation commands.
•
System tray icon — Sets whether to display the McAfee system tray icon on managed systems.
•
Unhealthy host scan setting — Invokes a scan when the host is assessed as unhealthy.
•
Periodic identification — Specifies whether you want the McAfee NAC client to send an
identification message out on the network. If enabled, the message is sent every 60 seconds. This
option is useful only if you are also using McAfee Network Security Platform, and you have
managed systems on your network that use firewall software that blocks the communication port
(8443 by default) used by a McAfee® Network Security Sensor for client identification requests.
•
Sensor settings — Specifies whether to receive sensor details dynamically or statically.
This setting takes effect only when scalability is enabled in the NACServer.properties file on the
McAfee NAC server, with these parameters:
•
enable.client.sensor.channel=true
•
periodic.message.version=3
When is the policy downloaded to the client
Once you create or edit a McAfee NAC client policy, it is downloaded to the McAfee NAC client:
•
The next time the McAfee Agent performs an agent-to-server communication
•
When a manual or scheduled agent wake-up call occurs
•
When a system is scanned with an older policy
Default client policies
When the software is installed, two default McAfee NAC client policies are added to the Policy Catalog:
•
Network Access Client Policy Default — Cannot be edited but can be duplicated to create your
own policies
•
My Default — Can be edited, duplicated, and renamed
The default configuration is to use the McAfee NAC client as the enforcer, report all benchmark and
rule information, disable automatic remediation, show the system tray icon on managed systems, and
disable the periodic identification message.
Create and modify McAfee NAC client policies
When installed, McAfee NAC includes default McAfee NAC client policies named Network Access Client
Policy Default and My Default. You can create a new policy or modify the default policies.
Task
For option definitions, click ? in the interface.
1
Go to Menu | Policy | Policy Catalog.
2
For the Product field, select Network Access Control Client 4.0.0, and in the Category field, select General.
3
Click New Policy, or click Duplicate in the Actions column of an existing policy.
4
Type a name for the new policy, then click OK.
a
Select an enforcement method and the level of detail you want for scan results.
b
Select whether to enable automatic remediation and the type of credentials to use.
For automatic remediation to work, you must also specify a remediation command in a
benchmark rule and enable automatic remediation for the benchmark.
c
Specify whether to display the McAfee system tray icon on managed systems.
d
Specify whether you want to send a periodic identification message. If enabled, the message is
sent every 60 seconds.
5
Click Save.
5
Using exemptions
Exemptions allow you to exclude specific systems and devices, such as printers, from your overall
network security policy. They prevent specified systems and devices from being assessed (scanned) or
enforced.
Contents
Types of exemptions
Enforcement exemptions
Scan exemptions
How system classification affects exemptions
How exemption rules work
Using an imported exemption list
How manual exemptions work
Types of exemptions
This section describes the types of exemptions and the methods you can use to designate one.
There are two types of exemptions:
•
Enforcement exemptions
•
Scan (assessment) exemptions
You can designate an exemption by:
•
Creating an exemption rule
•
Creating a text file of system MAC addresses and importing it (this method can be used only for
creating scan exemptions)
•
Marking one or more systems, using Set NAC exempt, from a summary report or system detail page
Exempt systems are always placed in a special Exempt network access zone, which imposes no access
restrictions.
The McAfee NAC manager stores information about all exempt systems and their status. You can view
this information using several predefined McAfee NAC dashboard monitors, or by creating your own
custom monitors. From summary reports and system detail pages, you can initiate actions and affect
the status of systems manually.
For information about which monitors display information about exempt systems, and the manual
actions that administrators can use, see Dashboards, monitors, and queries.
Enforcement exemptions
An enforcement exemption designates that a system is never enforced, no matter what its assessed
health level or how many benchmark rules it fails. Systems that have enforcement exemptions are
assessed (scanned) and their system health determined according to the applicable system health
policies.
The scan results for exempt systems are reported to the McAfee NAC manager, and if a system is
unhealthy, no enforcement is applied and the system is not subject to any access restrictions
designated by your network access policies.
Enforcement exemptions are typically used on systems or devices that can host the McAfee NAC client
or guest client, but they can be used for any device on your network.
You can view all exempt systems using the NAC: Exemption Status monitor. Exempt systems also
appear in other NAC monitors, and you can initiate actions on systems manually from various report
pages. See Dashboards, monitors, and queries.
Although you can use the Modify health level action to change the health status of an enforcement exempt
system, we do not recommend this action because it overrides the system's enforced health level, but
does not affect the system's network access status or its applied network access zone.
If automatic remediation commands are specified for failed benchmark rules and the feature is
enabled (both in the benchmark and the McAfee NAC client policy), the McAfee NAC client, acting as
the remediator, tries to run any designated commands to fix the system.
If you are using an enforcer other than the McAfee NAC client, see Using McAfee NAC with Microsoft
NAP or Using McAfee NAC with McAfee Network Security Platform.
Scan exemptions
A scan exemption designates that a system is never assessed and never enforced (the system is
exempt from enforcement).
As a result, the only information the McAfee NAC manager knows about these systems is what a
detector provides. See Detectors and how they operate.
You can view all exempt systems using the McAfee NAC Exemption Status monitor. Lists of exempt
systems also appear in other NAC monitors, and you can initiate actions on systems manually from
various report pages. See Dashboards, monitors, and queries.
A scan exemption can be assigned to any system or device, regardless of whether it can host the
McAfee NAC client or guest client. Typically, you use scan exemptions for printers, scanners, and other
network devices that:
•
Cannot host an assessor
•
Do not store data
•
Pose little or no security risk
The McAfee NAC manager always considers a scan-exempt system or device as healthy. As a result,
manual attempts by an administrator to change the health level of such systems are ignored. Also,
access restrictions cannot be imposed on scan-exempt systems. For instance, the network access zone
mapped to the Healthy health level in your network access policies is never used on these systems.
How system classification affects exemptions
Depending on the method used to designate exemptions, you can make any of the system
classifications (managed, unmanaged, unmanageable, and unenforceable) scan- or
enforcement-exempt. The usefulness of applying an exemption to various systems often depends on
your knowledge of a specific system, device, or system user.
System classification: Managed
Enforcement exemption: Can be used to prevent network access restrictions from being applied to
critical systems, such as servers.
Scan exemption: Only recommended for critical systems that might be affected by the extra processor
load of running a scan.

System classification: Unmanaged
Enforcement exemption: Only recommended for trusted guests or visitors whose systems you do not
want to impact by your network security policy.
Scan exemption: Not recommended. Unmanaged systems typically present a security risk to your
network. Unmanaged systems can be assessed using the guest client.

System classification: Unmanageable
Enforcement exemption: Not recommended. There is no method for assessing the health of an
unmanageable system (it cannot host an assessor). Assigning an enforcement exemption to these
systems is possible, but not useful.
Scan exemption: Recommended. Unmanageable systems cannot be assessed. As a result, the only
information the McAfee NAC manager knows about these systems is what a detector provides. Printers,
FAX machines, and similar devices fall into this category.

System classification: Unenforceable
Enforcement exemption: Not recommended. Typically, unenforceable systems are ones that cannot be
enforced by the McAfee NAC client or guest client, or for which the McAfee NAC manager has not
received an enforcement status. As a result, the only information the McAfee NAC manager knows
about these systems is what a detector provides.
Scan exemption: Only recommended for systems or devices that:
• Can be guaranteed to pose no security risk
• Cannot host the McAfee NAC client (the McAfee NAC client cannot be the enforcer)
• You do not want enforced by one of the other supported enforcers
A system is rarely classified as unenforceable, and such a system is best dealt with by methods other
than exemptions. The most common uses of exemptions are for devices like printers that are
unmanageable, and for critical managed systems that you cannot afford to have affected by network
access restrictions.
If you have unmanageable systems on your network, you might want to make these exempt from
assessment; otherwise, the assessed health level of these systems is reported as Unknown.
How exemption rules work
An exemption rule allows you to specify properties that identify systems on your network, and
designate whether those systems are exempt from scans or from enforcement. The properties allow
identification of single systems or groups of systems with similar attributes, such as printers or servers.
Depending on the properties used to specify an exemption rule, it is possible to make any of the four
system classifications exempt (managed, unmanaged, unmanageable, and unenforceable). You can
create as many exemption rules as needed for your environment.
Systems that are marked as exemptions by a rule cannot have their exemption status removed
manually using the Remove NAC exempt action. To remove such a system's exemption status, you must
delete or modify the rule so that the system is no longer identified by the rule's properties.
If a system is exempt from scans or enforcement by application of a rule, you can change the
exemption type using Set NAC exempt. This changes the System Status from "exempt by rule" to "exempt
by administrator." To return the system to its "exempt by rule" status, use Remove NAC exempt.
Once an exemption rule is created, it is applied to systems only after they are detected. If you create
a rule and it reports zero systems, it might mean that the systems have not yet been detected.
When are systems detected
Systems are detected when:
• The McAfee NAC client reports a managed system to the McAfee NAC manager.
• A Rogue System Sensor identifies a system.
• A McAfee® Network Security Sensor identifies a system.
Scan exemption rules are intended for any system on your network you do not need or want assessed
for compliance with your health policies. Typically, these would be printers, fax machines, and other
similar devices, but might also include unmanageable systems with unsupported operating systems. A
scan exemption implies that the system is also exempt from enforcement.
Enforcement exemption rules are intended only for managed systems. However, it is possible to create
a rule that includes systems that are unmanaged or unmanageable. If this occurs, these systems
might be difficult to identify. It is also important to consider the implications of enforcement
exemptions if you are using McAfee Network Access Control with McAfee Network Security Platform or
Microsoft Network Access Protection. See the appropriate deployment option chapter.
When to create enforcement exemption rules
McAfee recommends that you create enforcement exemption rules only after you:
• Allow systems to be detected and known to the McAfee NAC manager
• Test your system health policies in Audit Only mode
Exemption rules can be imported and exported as XML files. When importing exemption rules, you
have the option of overwriting any existing exemption rules in the process. If you overwrite, all the
existing rules are deleted and replaced with the rules you import.
Exemption rule structure
An exemption rule consists of:
• Identifying information (a name and description of the rule)
• An exemption type (scan or enforcement)
• System selection criteria, written as a set of logic rules
The naming convention for an exemption rule is:
• A combination of alpha-numeric characters, whitespace, underscores, and hyphens
• A minimum of one character and a maximum of 64 characters
• Must begin with a letter or number
Export exemption rules
You can export (save to disk) all your McAfee NAC exemption rules in an XML file. The default file
name is NAC_Exemption_Rules.xml.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Risk & Compliance | Network Access Control, and select Exemption Rules from the left column.
2 Click Export Rules.
3 At the Download File page, right-click the link and select Save Target As.
4 Navigate to the location where you want to save the file, rename the file if desired, then click Save.
5 Click Close.
Import exemption rules
You can load McAfee NAC exemption rules that were previously saved to disk.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Risk & Compliance | Network Access Control, and select Exemption Rules from the left column.
2 Click Import Rules.
3 In the Import Exemption Rules dialog box, click Browse, navigate to and select the XML file containing exemption rules, then click Open.
4 To overwrite the exemption rules stored by the Network Access Control manager, select Overwrite the exemption rules that already exist.
  If you are adding more rules to the existing set, do not select the Overwrite option.
5 Click OK to load the file.
Using an imported exemption list
An exemption list allows you to specify systems by MAC address in a text file, then import the file to
create scan exemptions for those systems or devices. With an exemption list, you can make any of the
system classifications exempt from scans (managed, unmanaged, unmanageable, and unenforceable).
All systems you import have their System Status set to Scan exemption by administrator. For information
about administrator interaction with these systems, see Manual control of exemptions.
This feature provides a quick way to create scan exemptions for devices like printers and FAX
machines that cannot host the McAfee Agent or McAfee NAC client. Such a device would be
unmanageable, and if you are only using McAfee NAC, would also be unenforceable. If you use this
method and a device is unmanageable, manually removing or changing the exemption on one of these
systems might not produce the desired result.
The imported list must be an ANSI encoded text file containing a comma-separated list of MAC addresses. The MAC addresses must be:
• Listed on one line (no carriage returns or line feeds allowed)
• Separated by a comma or a comma then a space
• Entered using any of these formats:
  • No separator (001122334455)
  • Hyphen separator (00-11-22-33-44-55)
  • Colon separator (00:11:22:33:44:55)
If your text file contains more than one line, only the MAC addresses listed before the first carriage return and/or line feed are imported.
Create an exempt systems list
You can create a text file that contains a list of systems that you want to exempt from scanning.
Task
For option definitions, click ? in the interface.
1 Open a text editor and create a new file.
2 Type the MAC address of a system, using one of these formats:
  • No separator (001122334455)
  • Hyphen separator (00-11-22-33-44-55)
  • Colon separator (00:11:22:33:44:55)
3 Type additional MAC addresses, separating each with a comma. For example:
  001122334455, 002244668899, 113355774488
4 Save the file, making sure the extension is .txt and the encoding is ANSI.
5 Import the exempt systems list (see Importing an exempt systems list for instructions).
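The file rules above (one ANSI line, comma-separated, three accepted MAC formats, everything after the first line break dropped by the importer) are easy to get wrong by hand. The following script builds such a list from addresses in any accepted format and checks an existing file the way the importer reads it; it is an added example, not McAfee code, and the sample addresses and the cp1252 reading of "ANSI" are assumptions.

```python
"""Build and check a McAfee NAC exempt systems list.

Added example, not McAfee code. It follows the file rules the guide states:
ANSI-encoded text, all MAC addresses on the first line, comma-separated, in
one of three formats (001122334455, 00-11-22-33-44-55, 00:11:22:33:44:55).
The importer ignores everything after the first line break, so the checker
reports that instead of letting the extra addresses vanish silently.
"""
import re
from typing import List, Tuple

OCTET = r"([0-9A-Fa-f]{2})"
# One pattern per accepted format; each yields six capture groups.
MAC_PATTERNS = [
    re.compile("^" + OCTET * 6 + "$"),              # no separator
    re.compile("^" + "-".join([OCTET] * 6) + "$"),  # hyphen separator
    re.compile("^" + ":".join([OCTET] * 6) + "$"),  # colon separator
]


def normalize_mac(value: str) -> str:
    """Return the address in lower-case colon form, or raise ValueError if it
    matches none of the three accepted formats."""
    text = value.strip()
    for pattern in MAC_PATTERNS:
        match = pattern.match(text)
        if match:
            return ":".join(octet.lower() for octet in match.groups())
    raise ValueError(f"not a MAC address in an accepted format: {value!r}")


def check_exempt_list(content: str) -> Tuple[List[str], List[str]]:
    """Parse file content the way the guide says the importer does and
    return (addresses_that_would_import, warnings)."""
    warnings: List[str] = []
    lines = content.splitlines()
    if any(line.strip() for line in lines[1:]):
        warnings.append("file has more than one line; only the first line is imported")
    imported: List[str] = []
    for token in (lines[0] if lines else "").split(","):
        token = token.strip()
        if not token:
            continue  # tolerate a trailing comma
        try:
            imported.append(normalize_mac(token))
        except ValueError as exc:
            warnings.append(str(exc))
    return imported, warnings


def build_exempt_list(macs: List[str]) -> bytes:
    """Validate the given addresses (any accepted format), drop duplicates and
    serialize them as one ANSI line in the guide's no-separator form.
    "ANSI" is taken to mean Windows code page 1252 here (an assumption; the
    addresses are ASCII, so any ANSI code page gives the same bytes)."""
    canonical: List[str] = []
    for mac in macs:
        compact = normalize_mac(mac).replace(":", "")
        if compact not in canonical:
            canonical.append(compact)
    return ", ".join(canonical).encode("cp1252")


def write_exempt_list(path: str, macs: List[str]) -> None:
    """Write the list to disk as a .txt file with no trailing newline."""
    with open(path, "wb") as handle:
        handle.write(build_exempt_list(macs))


if __name__ == "__main__":
    # Constructed sample: the guide's own example addresses plus a second line
    # that the importer would silently drop.
    sample = "001122334455, 002244668899, 113355774488\n00:aa:bb:cc:dd:ee\n"
    ok, problems = check_exempt_list(sample)
    print("would import:", ok)
    print("warnings:", problems)
```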
Create exemption rules
Create or edit an exemption rule, for example to exclude critical servers from scans or enforcement.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Risk & Compliance | Network Access Control, then select Exemption Rules from the left column.
2 Click New, or to edit an existing rule, click Edit in the Actions column.
3 On the Description page of the Exemption Rules Builder, type a name and description.
4 For Type, specify whether the rule is a scan exemption (the system is never scanned) or an enforcement exemption (the system is scanned and the results reported, but no enforcement occurs if it is not compliant), then click Next.
5 On the Select Systems page, select properties from the left column as criteria for selecting systems to apply the rule, then click Next. You must use at least one, but you can specify as many criteria as needed.
6 Review the rule definition on the Summary page, then click Save.
Import an exempt systems list
You can import a text file containing a comma-separated list of MAC addresses to systems on your
network. A scan exemption is created for each system. This import list is only for scan exemptions.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Risk & Compliance | Network Access Control, then select Exemption Rules from the left column.
2 Click Import Exempt Systems.
3 In the Import Exempt Systems dialog box, click Browse, navigate to and select the text file containing the list of system MAC addresses, then click Open.
4 Click OK to load the file.
How manual exemptions work
McAfee NAC has two commands that you can use to change the exemption status of systems manually.
Set NAC exempt
    Sets the exemption status of selected systems. You can specify a scan exemption or enforcement exemption. This action changes the value of these fields: Exemption Status, Network Access Status, Network Access Zone, and System Status.
Remove NAC exempt
    Removes the exemption designation from the selected systems. This command is ignored for systems that are exempt by rule.
These commands are available when viewing information about one or more systems on summary and
system detail pages. Typically, you access these pages through McAfee NAC dashboard monitors, or by
running queries. The command options are listed in a dialog box. Verify that the requested action was
successful by checking the ePolicy Orchestrator message window. Also check the data values on the
summary or system detail pages, specifically the System Status and Exemption Status fields.
If you change a system's status from exempt to non-exempt, McAfee recommends that you run a scan
of the system as soon as possible. You can do this by using Request scan, which is also available on most
summary and system detail pages.
6 Remediation of unhealthy systems
Remediation is the process of updating a system to make it compliant with your system health
policies. A system is assigned a health level depending on whether it passes all applicable system
health policies. If a system fails any policy rules, it is assigned the health level associated with the
failed rule.
The network access policy assigned to the system determines which network access zone the system
is restricted to, based on which health level was assigned, until it is brought back into compliance.
Once a user has taken the appropriate steps to remediate a noncompliant system, a rescan can be
requested. This can be done through the McAfee system tray. If the rescan assesses the system as
compliant, the system is moved back to the network access zone that is appropriate for healthy systems.
Contents
Types of remediation
Automatic remediation
Manual remediation
Types of remediation
McAfee NAC provides automatic remediation, and a guest portal that you can use for manual
remediation.
Automatic remediation is part of your policy configurations, and allows you to specify commands, batch files, or scripts that run automatically after a system is scanned and one or more benchmark rules have failed.
Manual remediation means that you provide information to users about how to fix their systems,
either by setting up your own remediation web page or by modifying the guest portal. The guest portal
provides a location where users of unmanaged systems can download the McAfee NAC guest client.
McAfee does not support it as a remediation portal. See Manual remediation.
Automatic remediation
For managed systems, you can set automatic remediation options as part of the definition of your
benchmark rules. When a managed system fails a rule, McAfee NAC attempts to remediate the system
automatically.
To use automatic remediation, you must:
• Enable automatic remediation and specify the credentials to use in your McAfee NAC client policies.
• Enable automatic remediation for each benchmark that contains remediation commands, scripts, or batch files you want to run.
• Specify your command, script, or batch file information for each benchmark rule in the NAC Remediation Command and NAC Remediation Command Parameters fields. Note that a rule can run only a single command, script, or batch file.
Because remediation commands are specified at the benchmark rule level, you can tailor the
remediation action to each rule. Also, enabling the automatic remediation option at the benchmark
level does not mean you must specify remediation commands for any particular benchmark rule. You
can have commands for some rules and not others.
A remediation command is specified on the Properties page of the Benchmark Editor’s Rule Builder.
Only one remediation command is allowed. If you need to run more than one executable as a
remediation response, you can specify a script or a batch file. Type a remediation command as if you
were typing it at a Windows command prompt. A separate field is used to specify command
parameters, also typed as if on a command line.
For example, to run a batch file, you specify the Windows Command executable (cmd.exe) in the NAC
Remediation Command field, and the full path to the batch file in the NAC Remediation Command
Parameters field. The path used for the location of the batch file might be dependent on the
credentials specified for the Automatic remediation option in the McAfee NAC client policy.
Field name on the Properties page of the Rule Builder, and what to type:
NAC Remediation Command
    %windir%\system32\cmd.exe or %comspec%
NAC Remediation Command Parameters
    <full_pathname>\<name>.bat
If you use these automatic remediation options, you can include information in the noncompliance
message of the system health policy. This way, you can inform users about the actions that have been
taken, and whether they should attempt a rescan immediately or take further manual remediation steps.
Automatic McAfee Agent update task
One option for automatic remediation is to run a McAfee Agent update task. You do this by specifying
$MAUPDATENOW in the NAC Remediation Command field for a benchmark rule. This task updates all products
for the McAfee Agent, not just McAfee NAC.
Running the agent update task is useful when your benchmark rules have checks that require regular
content updates for McAfee point-products, such as the detection definition (DAT) files for VirusScan
Enterprise.
Common remediation commands
Here are examples of some common remediation commands, which are entered on a per rule basis in
your benchmarks. You must enable automatic remediation for the benchmark, and you must enable
the Auto-remediation option in your McAfee NAC client policies.
Run a McAfee Agent Update Now command for DAT updates and other product content updates
    Command: $MAUPDATENOW
    Parameters: <leave blank>
Execute a file from a remote share
    Command: %ComSpec%
    Parameters: /C "<server>\<share>\<file>"
    For example: /C "\\172.16.1.50\sharedfolder\bginfo.exe"
Copy a file from a remote share
    Command: %ComSpec%
    Parameters: /C copy "<server>\<share>\<file>" "<Local folder>"
    For example: /C copy "\\172.16.1.50\sharedfolder\bginfo.exe" "C:\utils\"
Execute group policy type commands, such as enabling the Vista firewall
    Command: %ComSpec%
    Parameters: /C GPUpdate.exe /force
Set a value, such as disabling the Administrator account
    Command: %ComSpec%
    Parameters: /C net user Administrator /active:no
Add a registry value, such as Restrict Anonymous to named pipes and shares
    Command: %ComSpec%
    Parameters: /C Reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v restrictnullsessaccess /t REG_DWORD /d 1 /f
Launch a browser to a specific page, such as Windows update
    Command: %ComSpec%
    Parameters: /C "C:\Program Files\Internet Explorer\iexplore.exe" http://update.microsoft.com
Manual remediation
For manual remediation, you can establish a remediation portal and provide one or more pages
containing information for users who need to remedy problems with their systems.
Remediation portal
Typically, your managed systems can be remediated using automatic remediation. However, your
circumstances might require manual remediation for managed systems. Any unmanaged systems on
your network must be remediated manually.
An important aspect of manual remediation is making sure you inform users of the remediation
portal's location. Both managed system health policies and the unmanaged system policy have a
Noncompliance message option that is displayed through the system tray icon on client systems. This
message is the preferred and most reliable method of providing users with your remediation portal's
location.
A remediation portal should always provide users with this information:
• A description of the corporate network security policy
• Remediation instructions that specify how the user’s system is noncompliant, and the steps necessary to correct the problem
• A list of what must be installed for the system to be compliant (for example, resources, patches, and applications)
• Instructions for rescanning the noncompliant system once the user has corrected the problems
• A link to the guest client installer (for unmanaged systems)
Recommendations
McAfee recommends providing information or training to users about the remediation process prior to
switching your system health policies to full enforcement mode.
After users perform the necessary remediation steps, we recommend that they start a scan to
determine whether their system is now healthy. Users can start a scan using the McAfee system tray.
McAfee NAC includes a guest portal that you can install. However, the guest portal, as designed, is
intended only for downloading the guest client to unmanaged systems. You can include manual
remediation instructions, but you might find it is easier to use your existing internal web server.
Using guest portal for manual remediation
If you decide to use the McAfee guest portal for manual remediation, you must:
• Install the guest portal
• Customize the portal file, and optionally add additional pages as needed for remediation instructions and links to remediation resources
For information about installing and uninstalling the guest portal, see Installation.
Elements needed for manual remediation
To allow users to fix their systems through use of a remediation portal, you need to set up and make
available certain elements.
Remediation portal
    A web server that hosts one or more pages, which provide users with the resources they need to fix an unhealthy system.
Remediation web pages
    One or more web pages that provide users with information about your corporate security policies, the steps they must take to correct the situation, and links to resources they must install to correct problems.
Noncompliance message in system health policies (optional, but recommended)
    A message that displays on a user’s system after a scan determines that a rule has failed. A specific message can be written for every system health policy.
Access to the McAfee NAC guest client (for unmanaged systems)
    One of the pages on your remediation portal should provide a link for downloading the guest client. This is only important for unmanaged systems. Managed systems use their installed McAfee NAC client for scanning.
Remediation resources users must access
Your network access zones must provide access to the remediation resources needed by noncompliant
systems.
In the resource list of each "Allow Access" type zone, be sure to include:
• Your default IP gateway
• The web server hosting your remediation portal pages
• All file servers and other systems that have links from your portal
To avoid issues with the availability of remediation resources, McAfee recommends locating the
remediation portal on the ePolicy Orchestrator server. Access to the ePolicy Orchestrator server is
always available from any network access zone.
7 Dashboards, monitors, and queries
To monitor network access and security, you use the ePolicy Orchestrator dashboard, monitor, and query features. Dashboards consist of monitors, and monitors are based on queries. Dashboards have many options for the display layout. Most default dashboards contain six monitors.
For details about these features, see the documentation for your version of ePolicy Orchestrator.
Contents
McAfee NAC dashboards and monitors
Queries for network access monitoring
Create McAfee NAC monitors
Create McAfee NAC monitors with ePolicy Orchestrator
Run McAfee NAC queries
McAfee NAC dashboards and monitors
Administrators use dashboards to monitor network access control information. Dashboards contain
informational monitors that show the state or status of systems, and other data stored by the McAfee
NAC manager.
McAfee NAC 4.0 provides:
• A default NAC Summary dashboard
• Predefined queries you can use as monitors for system health, enforcement, benchmark assessment, exemptions, and more
You can modify the NAC Summary dashboard to suit your needs, or create additional custom
dashboards. Similarly, custom queries can be created to form monitors for displaying other
information stored by the Network Access Control manager (see Useful queries for McAfee NAC
monitors).
Monitors are updated based on the refresh interval setting, or manually using the Refresh button.
The predefined NAC Summary dashboard contains six monitors, explained in the following table.
Table 7-1 Monitors in the NAC Summary dashboard
NAC: System Health Status
    Presents a pie chart that shows the current health status of every detected system on your network. Systems are identified by their Host ID value. The System Health Status represents the overall assessed health level of the system from benchmarks that are set to either Enforce or Audit Only mode. It reports the system health level of each system on your network, and the number of systems in each health level.
NAC: Network Access Status
    Presents a pie chart that shows the current network access status of every detected system on your network. Systems are identified by their Host ID value. The Network Access Status represents the current state of access restrictions applied to all systems on your network. The values are either a network access zone name, or one of the following: None, Exempt, Disconnected, Full Access, NAP Full Access, NAP Limited Access, NAP-Not capable.
NAC: Exemption Status
    Presents a pie chart that shows the current exemption status of every detected system on your network. It reports the type of exemption (scan or enforcement) and how many systems are marked with each exemption type.
NAC: Client Enforcement Method
    Presents a pie chart that shows the enforcement method used for every detected system on your network. It reports the enforcement types being used (host-based, network-based, or NAP-based), and the number of systems using each enforcement type.
NAC: Top 5 Failed Benchmarks
    Presents a summary table that shows benchmark IDs. It reports the five benchmarks in Enforce mode that have failed most often, and the number of systems that have failed each benchmark.
NAC: Client Version Summary
    Presents a summary table that shows the version number of all the NAC clients that have been deployed to systems, and the number of systems with each version of the client.
For details about the queries used by these monitors, see Queries for network access monitoring.
Queries for network access monitoring
Queries allow you to construct a report from information stored by the McAfee NAC manager, such as
system health status and network access status.
McAfee NAC combines its database tables with the ePolicy Orchestrator database tables, therefore, the
data you can query consists of the combined ePolicy Orchestrator, Rogue System Detection, and
McAfee NAC data.
Typically, the data specific to McAfee NAC and Rogue System Detection is of the most interest to
administrators.
Queries are accessed by clicking Menu | Reporting | Queries & Reports. All predefined McAfee NAC queries
begin with NAC: followed by a descriptive name.
Queries can be run on their own, or used as dashboard monitors. You can use the default queries
supplied with the product, and create your own.
Default McAfee NAC queries
McAfee NAC supplies several default queries you can use as monitors.
Query name: Client Enforcement Method
    Result type: NAC Detected System Status
    Chart label: Enforcement Method
    Chart values: Host ID
    Description: Displays a pie chart that shows the different enforcement methods (host-based, network-based, or NAP-based) currently being used for all detected managed systems, and the number of systems using each method.
    Filter: Detected System field "Ignored" is false.
Query name: Exemption Status
    Result type: NAC Detected System Status
    Chart label: Exemption Status
    Chart values: Host ID
    Description: Displays a pie chart that shows the systems that currently have exemptions, and which exemption type. Only shows systems that have been detected.
    Filter: Detected System field "Ignored" is false.
Query name: NAC client version summary
    Result type: NAC Detected System Status
    Chart label: Client version
    Chart values: Host ID
    Description: Displays a table that shows the version number of the NAC client installed on all detected managed systems. Reports the version numbers of the NAC clients that have been deployed to systems, and the number of systems with each version number.
    Filter: Detected System field "Ignored" is false.
Query name: Network Access Status
    Result type: NAC Detected System Status
    Chart label: Network Access Status
    Chart values: Host ID
    Description: Displays a pie chart that shows the access status of all detected managed systems. The values are either a network access zone name, or one of the following: None, Exempt, Disconnected, Full Access, NAP Full Access, NAP Limited Access, NAP-Not capable.
    Filter: Detected System field "Ignored" is false.
Query name: System Health Status
    Result type: NAC Detected System Status
    Chart label: System Health Status
    Chart values: Host ID
    Description: Displays a pie chart that shows the system health of all detected managed systems and the number of systems in each health level.
    Filter: Detected System field "Ignored" is false.
Query name: Top 5 Failed Benchmarks
    Result type: NAC Current Benchmark Results
    Chart label: Benchmark ID
    Chart values: Host ID
    Description: Displays a table that shows the IDs of the five benchmarks that had a rule failure most often. This includes benchmarks that are set to either Enforce or Audit mode. The query applies to all known systems. Reports the five benchmarks in Enforce mode that have failed most often, and the number of systems that have failed each benchmark.
    Filter: Current Benchmark Results field "Benchmark Error Code" equals 0; AND Current Benchmark Results field "Health Level" not equal to Healthy; AND Detected System field "Ignored" is false.
Query name: Top 5 Failed Benchmarks in Audit Mode
    Result type: NAC Current Benchmark Results
    Chart label: Benchmark ID
    Chart values: Host ID
    Description: Displays a table that shows the IDs of the five benchmarks that had a rule failure most often. This query reports only the benchmarks that are set to Audit mode, and the number of systems that have failed each benchmark.
    Filter: Current Benchmark Results field "Benchmark Error Code" equals 0; AND Current Benchmark Results field "Health Level" not equal to Healthy; AND Current Benchmark Results field "Enforcement Mode" equals false; AND Detected System field "Ignored" is false.
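To make the two Top 5 Failed Benchmarks query definitions concrete, the following script applies the same filters and grouping (distinct Host IDs per Benchmark ID, most failures first) to constructed sample rows. It is an added example, not McAfee code and not the ePolicy Orchestrator Query Builder; the host and benchmark identifiers are invented, and the dictionary keys are assumed stand-ins for the field names the table quotes.

```python
"""The two "Top 5 Failed Benchmarks" queries, reimplemented over constructed
sample rows. Added example: this is not McAfee code and not the ePolicy
Orchestrator Query Builder; it only makes the filter and grouping logic the
table describes concrete. Each row stands in for one NAC Current Benchmark
Results record joined to its Detected System record."""
from typing import Dict, List, Set, Tuple

# Constructed sample rows (invented hosts and benchmark IDs, not real data).
# enforcement_mode True = benchmark set to Enforce, False = Audit Only.
SAMPLE_ROWS: List[Dict] = [
    {"host_id": "h1", "benchmark_id": "AV-DAT",     "error_code": 0, "health_level": "Unhealthy", "enforcement_mode": True,  "ignored": False},
    {"host_id": "h2", "benchmark_id": "AV-DAT",     "error_code": 0, "health_level": "Unhealthy", "enforcement_mode": True,  "ignored": False},
    {"host_id": "h3", "benchmark_id": "AV-DAT",     "error_code": 0, "health_level": "Healthy",   "enforcement_mode": True,  "ignored": False},
    {"host_id": "h1", "benchmark_id": "FIREWALL",   "error_code": 0, "health_level": "Unhealthy", "enforcement_mode": False, "ignored": False},
    {"host_id": "h2", "benchmark_id": "FIREWALL",   "error_code": 0, "health_level": "Unhealthy", "enforcement_mode": False, "ignored": False},
    {"host_id": "h3", "benchmark_id": "FIREWALL",   "error_code": 0, "health_level": "Unhealthy", "enforcement_mode": False, "ignored": False},
    {"host_id": "h4", "benchmark_id": "FIREWALL",   "error_code": 0, "health_level": "Unhealthy", "enforcement_mode": False, "ignored": True},
    {"host_id": "h1", "benchmark_id": "PATCH",      "error_code": 0, "health_level": "Unhealthy", "enforcement_mode": True,  "ignored": False},
    {"host_id": "h2", "benchmark_id": "PATCH",      "error_code": 5, "health_level": "Unhealthy", "enforcement_mode": True,  "ignored": False},
    {"host_id": "h5", "benchmark_id": "ADMIN-ACCT", "error_code": 0, "health_level": "Unhealthy", "enforcement_mode": False, "ignored": False},
    {"host_id": "h6", "benchmark_id": "ADMIN-ACCT", "error_code": 0, "health_level": "Unhealthy", "enforcement_mode": False, "ignored": False},
]


def failing_hosts_per_benchmark(rows: List[Dict], audit_only: bool = False) -> Dict[str, Set[str]]:
    """Apply the filters quoted in the query table and collect the distinct
    Host IDs (the chart values) under each Benchmark ID (the chart label)."""
    result: Dict[str, Set[str]] = {}
    for row in rows:
        if row["error_code"] != 0:            # "Benchmark Error Code" equals 0
            continue
        if row["health_level"] == "Healthy":  # "Health Level" not equal to Healthy
            continue
        if row["ignored"]:                    # Detected System "Ignored" is false
            continue
        if audit_only and row["enforcement_mode"]:  # "Enforcement Mode" equals false
            continue
        result.setdefault(row["benchmark_id"], set()).add(row["host_id"])
    return result


def top_failed_benchmarks(rows: List[Dict], audit_only: bool = False, limit: int = 5) -> List[Tuple[str, int]]:
    """Return up to `limit` (benchmark_id, failing_system_count) pairs, most
    failures first; ties are broken by benchmark ID so the output is stable."""
    counts = {bid: len(hosts) for bid, hosts in failing_hosts_per_benchmark(rows, audit_only).items()}
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))[:limit]


if __name__ == "__main__":
    print("Top 5 Failed Benchmarks:", top_failed_benchmarks(SAMPLE_ROWS))
    print("Top 5 Failed Benchmarks in Audit Mode:", top_failed_benchmarks(SAMPLE_ROWS, audit_only=True))
```

Note how the ignored host h4 and the row with a non-zero error code are dropped before counting, and how the audit-mode variant removes every Enforce benchmark from the ranking.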
Building your own queries
McAfee NAC exposes nine database tables you can use for constructing your own custom queries.
Each table represents what is called a Result Type in the ePolicy Orchestrator Query Builder.
Most of the data you can access through queries falls into two categories: current and historical.
NAC Detected System Status
    A collection of data that describes a single system that has been detected, and its current status. The detected status includes identifying information about the system and status details about its health, enforcement, network access, exemptions, applied health policies; that is, its status as a known system to McAfee NAC.
NAC Current Enforcement (the most recent enforcement status event applied to a system)
    A collection of data that describes the current (most recent) enforcement status of a system. Enforcement status indicates whether a system is being enforced, which enforcement method (enforcer) is being used, and whether enforcement was triggered manually (by an administrator). Other information related to enforcement status are the system's health level and the network access zone to which the system is restricted.
NAC Historical Enforcement (all enforcement status events for a system)
    A collection of data that describes any change in the enforcement status of a system. This includes events such as changes to a system's health level, network access zone, and enforcement method or status (is it being enforced).
NAC Current Scan Results
    A collection of data that describes the most recent scan (assessment) results for a system. Assessment results include information such as the scan status, the assessed health level, which system health policies were assessed and which ones failed, and which benchmarks failed. It also includes information about the scan, such as when it occurred and when the next scan will occur.
NAC Historical Scan Results
    A collection of data that describes all assessment results for a system, from an established start point up to and including the most recent scan. The original start point for this result type is the date and time of product installation. Purging scan results or deleting scan result entries sets a new start point for the scan history.
NAC Current Benchmark Results
    A collection of data that describes the most recent assessment results for each benchmark used to assess any system. Benchmark results include information such as the benchmark ID and profile, which rules failed, the benchmark's enforcement mode, and the health level resulting from assessing the benchmark. It also includes information about the system that was assessed.
NAC Historical Benchmark Results
    A collection of data that describes all benchmark assessment results for all systems, from an established start point up to and including the most recent scan. The original start point for this result type is the date and time of product installation. Purging scan results or deleting scan result entries sets a new start point for the benchmark history.
NAC Current Rule Results
    A collection of data that describes the most recent assessment results for each benchmark rule used to assess any system. Rule results include information such as the rule title, the result of assessing the rule, the health level assigned when the rule fails, and the message explaining why the rule failed. Rule results are collected only when the McAfee NAC client policy is configured to gather rule information.
NAC Historical Rule Results
    A collection of data that describes all benchmark rule assessment results for all systems, from an established start point up to and including the most recent scan. The original start point for this result type is the date and time of product installation. Purging scan results or deleting scan result entries sets a new start point for the rule history. Rule results are collected only when the McAfee NAC client policy is configured to gather rule information.
Create McAfee NAC monitors
You can create a monitor that provides network access information.
Task
For option definitions, click ? in the interface.
1 Go to the Dashboards page or click Menu | Reporting | Dashboards.
2 Click Dashboard Actions, then select New.
3 In the New Dashboard window:
  a Type a descriptive name in the Dashboard Name field.
  b In Dashboard Visibility, select Private or Public, then (optionally) select Shared, with as many of the following permission sets as needed, then click OK.
    • Executive Reviewer
    • Global Reviewer
    • Group Admin
    • Group Reviewer
4 Click Add Monitor.
a In the View drop-down list on the Monitor Gallery panel, select Queries.
b Drag the Queries monitor from the Monitor Gallery panel to the dashboard below.
c In the New Monitor window, select a NAC query from the Monitor Content drop-down list.
All McAfee NAC queries begin with NAC:.
d In Refresh Interval, define the refresh time period for this dashboard, or select Do not refresh, then
click OK.
The newly created monitor appears.
5 To add additional monitors, repeat step 4, click Save, then click Close.
Create McAfee NAC monitors with ePolicy Orchestrator
You can use ePolicy Orchestrator to create a McAfee NAC monitor.
Task
For option definitions, click ? in the interface.
1 Go to the Dashboards page or click Menu | Reporting | Dashboards.
2 Select Options | New Dashboard.
3 In the Name field, type a descriptive name.
4 From the drop-down list, select a dashboard size.
5 Choose a dashboard panel, then click New Monitor.
6 For Category, select Queries.
7 For Monitor, scroll to Shared Groups - Network Access Control, select a NAC query from the list, then click
OK.
8 To add additional monitors, repeat steps 5-7, then click Save.
9 Click Yes when prompted to Make Active.
You can add only active dashboards to the Dashboards page.
10 On the Manage Dashboards page, click Close.
Run McAfee NAC queries
McAfee NAC includes several predefined queries. You also can construct your own queries using the
Query Builder.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Reporting | Queries.
2 From the Groups list, expand Shared Groups, then select Network Access Control.
3 Select a query from the list, then click Run in the Actions column.
The query results page displays the details.
4 When you are finished viewing the query results, click Close.
8 Network access administration and monitoring
Using McAfee Network Access Control can be viewed as two distinct sets of tasks: setup and
configuration tasks, and day-to-day administration tasks.
First there is setup and configuration, where you deploy McAfee NAC clients, define how to assess
systems, create and assign policies, and optionally, configure McAfee NAC to work with other
supported products. There are also the infrequent configuration tasks, and the day-to-day tasks of
monitoring your network security, system maintenance, and responding to access control events or
unusual occurrences that a McAfee NAC administrator performs.
Contents
McAfee NAC manager configuration
Deployment and configuration tasks
Create queries for McAfee NAC monitors
Health compliance auditing
System health assessment of managed systems
System health assessment of unmanaged systems
Health level overrides
Events and responses
Manual control of exemptions
Unmanageable devices and what to do with them
Post admission control for malicious systems
Assessment and enforcement histories
McAfee NAC manager configuration
The McAfee NAC manager's configuration settings have default values that work well in most
circumstances where McAfee NAC is used by itself for network access security.
Of the available configuration settings, three apply only when you integrate McAfee NAC with another
product, such as McAfee Network Security Platform or Microsoft Network Access Protection.
These are:
• Network Security Manager location
• Client identification request setup
• Trusted communication setup
These configuration settings are discussed in the chapters Integrating McAfee NAC with McAfee
Network Security Platform and Integrating McAfee NAC with Microsoft Network Access Protection.
The other two configuration settings apply to general McAfee NAC manager operations. The health
grace period setting allows you to specify how long a system's assessed health level stays valid if the
next scheduled scan does not occur. This option defaults to the maximum value of three days (72 hours).
The default rule health level specifies the health level to assign a system if it fails a benchmark rule
that does not have a value for its NAC Health Level property. The default setting is Critical.
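To make the effect of these two settings concrete, the following Python is an added illustration written for this guide's description; it is not McAfee code and does not reproduce the product's implementation. It shows a failed rule without a NAC Health Level value falling back to the default rule health level, a benchmark in Disable mode reporting nothing, and an assessed health level that stops being valid once the grace period has elapsed without a new scan. The health level ordering, the assumption that only Enforce-mode benchmarks drive the system's enforced level, the function names and the sample results are all assumptions introduced here.

```python
"""Added example (not McAfee code): how the health grace period and the default
rule health level enter a system health calculation. Ordering of health levels,
Enforce/Audit Only/Disable handling and all sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed ordering from least to most severe; the guide itself names only
# Critical and Unknown explicitly.
HEALTH_ORDER = ["Healthy", "Unknown", "Fair", "Poor", "Serious", "Critical"]

# Manager settings with the defaults stated in the guide.
DEFAULT_RULE_HEALTH_LEVEL = "Critical"
HEALTH_GRACE_PERIOD = timedelta(hours=72)


@dataclass
class RuleResult:
    title: str
    passed: bool
    # The rule's NAC Health Level property; None means no value is set.
    health_level: Optional[str] = None


@dataclass
class BenchmarkResult:
    benchmark_id: str
    enforcement_mode: str  # "Enforce", "Audit Only" or "Disable"
    rules: list = field(default_factory=list)


def worst(levels):
    """Most severe level in an iterable, or Healthy when nothing failed."""
    return max(levels, key=HEALTH_ORDER.index, default="Healthy")


def rule_health(rule, default=DEFAULT_RULE_HEALTH_LEVEL):
    """Level contributed by one rule: nothing if it passed, its own NAC Health
    Level if it has one, otherwise the default rule health level setting."""
    if rule.passed:
        return None
    return rule.health_level or default


def benchmark_health(benchmark, default=DEFAULT_RULE_HEALTH_LEVEL):
    """Health level resulting from assessing one benchmark.
    Disabled benchmarks report no results at all, so they yield None."""
    if benchmark.enforcement_mode == "Disable":
        return None
    contributions = (rule_health(r, default) for r in benchmark.rules)
    return worst(h for h in contributions if h is not None)


def assessed_health(benchmarks, default=DEFAULT_RULE_HEALTH_LEVEL):
    """Assumed: only Enforce-mode benchmarks drive the enforced level;
    Audit Only results are reported but do not restrict the system."""
    levels = (benchmark_health(b, default) for b in benchmarks
              if b.enforcement_mode == "Enforce")
    return worst(h for h in levels if h is not None)


def health_is_valid(last_assessed, now, grace=HEALTH_GRACE_PERIOD):
    """True while the last assessed level is still inside the grace period."""
    return now - last_assessed <= grace


# Constructed sample assessment of one system (not real benchmark content).
SAMPLE = [
    BenchmarkResult("patch-level", "Enforce", [
        RuleResult("Antivirus signatures current", passed=True),
        RuleResult("Personal firewall enabled", passed=False, health_level="Poor"),
        RuleResult("Security update installed", passed=False),  # no level set
    ]),
    BenchmarkResult("disk-encryption", "Audit Only", [
        RuleResult("Full disk encryption active", passed=False, health_level="Serious"),
    ]),
    BenchmarkResult("legacy-check", "Disable", [
        RuleResult("Obsolete agent removed", passed=False, health_level="Critical"),
    ]),
]

NOW = datetime(2012, 6, 1, 12, 0)
LAST_SCAN_RECENT = NOW - timedelta(hours=71)  # inside the 72-hour default
LAST_SCAN_STALE = NOW - timedelta(hours=73)   # grace period exceeded

if __name__ == "__main__":
    for b in SAMPLE:
        print(b.benchmark_id, b.enforcement_mode, benchmark_health(b))
    print("assessed:", assessed_health(SAMPLE))
    print("still valid after 71h:", health_is_valid(LAST_SCAN_RECENT, NOW))
    print("still valid after 73h:", health_is_valid(LAST_SCAN_STALE, NOW))
```

Running it shows the unset rule dragging the Enforce benchmark to Critical under the default, to Poor if the default rule health level is lowered to Fair, and the audit-only Serious result being reported without affecting the enforced level.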
Deployment and configuration tasks
You can deploy the client, configure McAfee NAC manager settings, and edit permission sets. These
tasks are usually performed infrequently, or only as necessary.
Deploy the McAfee NAC client with ePolicy Orchestrator 4.6
Deploy the McAfee NAC client to managed systems, which is required for a system to be classified as
managed by McAfee NAC.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Systems | System Tree, then click Assigned Client Tasks on the menu bar.
2 Select My Organization in the System Tree.
3 Click one:
• ePolicy Orchestrator 4.6 — Actions | New Client Task Assignment
• ePolicy Orchestrator 4.5 — Actions | New Task
4 On the Client Task Assignment Builder page:
a Select McAfee Agent in the Product pane. For target platforms, select the operating system options
you want (Windows, Mac, Linux) for deploying the client.
b Select Product Deployment in the Task Type pane.
c Click the link Create New Task to open the Client Task Catalog:New Task window.
5 Enter a descriptive name in the Task Name field, and a description if required.
6 Select the target operating system where you want to deploy McAfee® Network Access Control
Client 4.0.
7 Define the required parameters for Products and components.
8 (Windows only) In Options, select Run at every policy enforcement if you want this task to run at every
policy enforcement.
9 Select Allow end users to postpone this deployment if required, define the required parameters, then click
Save. The Client Task Assignment Builder page appears with the newly created task.
10 Select the new task you created, then click Next.
11 On the Schedule page:
a For Schedule status, select Enabled. You can later disable the task if you are not yet ready.
b For Schedule type, select when you want the task to run. The remaining configuration options
depend on your selection.
c Set the choices in Options.
d If available for your selected Schedule type, set a start date and an end date for the task. If you
set the Run at every policy enforcement option on the Configuration page, we recommend that you use
the No end date option.
e If available, specify whether to use the local system time or Coordinated Universal Time (UTC)
for running the task.
f If available, select a Schedule option from the drop-down list for how to run the task, and the
desired time. You can run the task once at a specific time, repeatedly between two times, or
repeatedly starting at a specific time.
g If available, set Daily to how often (number of days) you want the task to run.
12 Click Next to view the task summary, then click Save.
Edit McAfee NAC server settings
Occasionally you might need to change the values of McAfee NAC server configuration options.
Several options are used only when you are integrating McAfee NAC with another product, such as
McAfee Network Security Platform.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Configuration | Server Settings, and in the Setting Categories column, select Network Access
Control.
2 Click Edit.
3 On the Edit page, enter values for the options you want to change.
4 Click Save.
Edit McAfee NAC permission sets
Set product permissions for any defined permission set. Any administrator account you want used for
McAfee NAC must have View and change settings permission for these products.
You need to set appropriate options for each permission set for these products:
• Network Access Control
• Network Access Control Client
• Benchmark Editor
• Rogue System Detection
You can also grant reviewers permission to view these settings.
Depending on your security administration structure for ePolicy Orchestrator and McAfee NAC, and the
number of different permission sets you use, consider also setting permissions for different types
McAfee NAC users (administrators and reviewers) for these ePolicy Orchestrator features:
• Audit log
• Queries
• Automatic Responses
• Server tasks
• Dashboards
• Systems
• Event notifications
• McAfee Agent
• System Tree access
Task
For option definitions, click ? in the interface.
1 Go to Menu | User Management | Permission Sets, then in the Permission Sets column, select the
permission set you want to edit (for example, Group Admin).
2 In the right column, scroll to the product or feature (for example, Network Access Control), then click
Edit.
3 On the Edit page, select the type of permissions to grant for the selected product or feature.
4 Click Save.
Create queries for McAfee NAC monitors
McAfee NAC includes predefined queries you can use for dashboard monitors. However, the predefined
queries might not cover all the information you want to monitor as an administrator. This topic
discusses creating additional McAfee NAC queries you might find useful.
Use these tasks to create your own custom queries.
Create an Enforced Health Level query
All systems have a System Health Status, an Assessed Health Level, and an Enforced Health Level.
The predefined System Health Status monitor is useful when the majority of systems are assessed
with enforced benchmarks, and you have few exemptions or systems enforced manually.
However, the System Health Status monitor becomes increasingly unclear when more systems are
subject to exemptions, manual enforcement requests, and audited benchmarks.
You can create a monitor that shows the Enforced Health Level of systems, to show which systems are
enforced differently than their system health status indicates.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Reporting | Queries & Reports and click New, or click Actions | New.
If you are using ePolicy Orchestrator 4.5, go to Menu | Reporting | Queries and click New Query, or click
Actions | New Query.
2 On the Result Type page, highlight Network Access Control in the Feature Group list, select NAC: Detected
System Status in the Result Types list, then click Next.
3 On the Chart page, complete the following, then click Next:
a From the Display Results As list, select Grouped Bar Chart.
b From the Group labels are drop-down menu, select Enforced Health Level.
c From the Bar labels are drop-down menu, select System Health Status.
d For Bar values, select Number of from the first drop-down menu, then select Host Id from the second
drop-down menu.
4 On the Columns page, accept the default database fields to display on a summary or details page,
or modify the data, then click Next.
5 On the Filter page, you can specify criteria for filtering the query results, but this is not
recommended for this query.
6 Click Run, then click Save.
7 On the Save Query page, type a descriptive name and add notes about the query, as needed.
All predefined McAfee NAC queries begin with NAC:, so naming your queries this way groups all NAC
queries in the query selection list.
Create a Manual Enforcement Request query
If you enforce a system manually using Modify health level, it can be difficult to identify that system from
the standard predefined monitors. The only way to reset such a system and have it enforced based on its
assessed health is to use Reset health level.
Create a monitor for quick access to systems that have been enforced manually.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Reporting | Queries & Reports, then click New.
2 On the Result Type page, highlight Network Access Control in the Feature Group list, select NAC: Detected
System Status in the Result Types list, then click Next.
3 On the Chart page, complete the following, then click Next:
a From the Display Results As list, select Pie Chart.
b From the Pie slice labels are drop-down menu, select Manual Enforcement Request.
c For Bar values, select Number of from the first drop-down menu, then select Host Id from the second
drop-down menu.
4 On the Columns page, accept the default database fields to display on a summary or details page,
or modify the data, then click Next.
5 On the Filter page, you can filter the query results if you know there are specific systems you
would never enforce manually.
6 Click Run, then click Save.
7 On the Save Query page, type a descriptive name, and add notes about the query, as needed.
All predefined McAfee NAC queries begin with NAC:, so naming your queries this way groups all NAC
queries in the query selection list.
Create a Malicious System query
If a system is marked as "malicious," it can be enforced differently than it would otherwise. Use this
task to create a monitor that gives you a quick way to identify malicious systems.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Reporting | Queries & Reports, then click New.
If you are using ePolicy Orchestrator 4.5, go to Menu | Reporting | Queries and click New Query, or click
Actions | New Query.
2 On the Result Type page, highlight Network Access Control in the Feature Group list, select NAC: Detected
System Status in the Result Types list, then click Next.
3 On the Chart page, complete the following, then click Next:
a From the Display Results As list, select Pie Chart.
b From the Pie slice labels are drop-down menu, select Is Malicious.
c For Pie slice values, select Number of different values of, then select Host Id from the drop-down menu.
d For Bar values, select Number of from the first drop-down menu, then select Host Id from the second
drop-down menu.
4 On the Columns page, accept the default database fields to display on a summary or details page,
or modify the data, then click Next.
5 On the Filter page, you can specify criteria for filtering the query results, but this is not
recommended for this query.
6 Click Run, then click Save.
7 On the Save Query page, type a descriptive name and add notes about the query, as needed.
All predefined McAfee NAC queries begin with NAC:, so naming your queries this way groups all NAC
queries in the query selection list.
Create a Network Access Control Client Started query
For network security, it is useful to monitor whether the NAC client is running. Such a query can tell
you whether a deployed client has stopped working, and can provide quick access to systems that are
unmanageable.
Create a query that shows whether the NAC client is running.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Reporting | Queries & Reports, then click New.
If you are using ePolicy Orchestrator 4.5, go to Menu | Reporting | Queries and click New Query, or click
Actions | New Query.
2 On the Result Type page, highlight Network Access Control in the Feature Group list, select NAC: Detected
System Status in the Result Types list, then click Next.
3 On the Chart page, complete the following, then click Next:
a From the Display Results As list, select Pie Chart.
b From the Pie slice labels are drop-down menu, select Client Started.
c For Pie slice values, select Number of different values of, then select Host Id from the drop-down menu.
d For Bar values, select Number of from the first drop-down menu, then select Host Id from the second
drop-down menu.
4 On the Columns page, accept the default database fields to display on a summary or details page,
or modify the data, then click Next.
5 On the Filter page, you can specify criteria for filtering the query results, but this is not
recommended for this query.
6 Click Run, then click Save.
7 On the Save Query page, type a descriptive name and add notes about the query, as needed.
All predefined McAfee NAC queries begin with NAC:, so naming your queries this way groups all NAC
queries in the query selection list.
Create a Benchmark Enforcement Mode query
Monitor whether systems are being assessed against audited benchmarks or enforced benchmarks (or
if the enforcement mode is disabled). To do this, create a monitor based on querying the NAC Current
Benchmark Results.
This type of query is useful because you can compare the enforcement mode against the health level
of systems that are assessed against specific benchmarks.
Use this task to create a monitor that shows the enforcement mode setting of your benchmarks.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Reporting | Queries & Reports, then click New.
If you are using ePolicy Orchestrator 4.5, go to Menu | Reporting | Queries and click New Query, or click
Actions | New Query.
2 On the Result Type page, highlight Network Access Control in the Feature Group list, select NAC: Detected
System Status in the Result Types list, then click Next.
3 On the Chart page, complete the following, then click Next:
a From the Display Results As list, select Grouped Bar Chart.
b From the Group labels are drop-down menu, select Enforcement Mode.
c From the Bar labels are drop-down menu, select Health Level.
d For Bar values, select Number of from the first drop-down menu, then select Host Id from the second
drop-down menu.
4 On the Columns page, accept the default database fields to display on a summary or details page,
or modify the data, then click Next.
5 On the Filter page, you can specify criteria for filtering the query results, but this is not
recommended for this query.
6 Click Run, then click Save.
7 On the Save Query page, type a descriptive name and add notes about the query, as needed.
All predefined McAfee NAC queries begin with NAC:, so naming your queries this way groups all NAC
queries in the query selection list.
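Each of the five custom queries in this section does the same thing underneath: it groups result records by one or two fields and counts the distinct Host Id values in each group. As an added example that is not part of this guide and is not the ePolicy Orchestrator Query Builder, the following Python reproduces the five groupings over constructed sample records, so the shape of each monitor can be checked offline before building it in the console. Field names mirror the labels the tasks select; the SAMPLE_* records, the helper names, and the test used to decide that a system is "enforced differently than its health status indicates" (Enforced Health Level not equal to System Health Status) are assumptions introduced here.

```python
"""Added example (not McAfee code, not the Query Builder): the five custom
monitors from this section as group-by counts over constructed records."""


def system(host, status, enforced, manual=False, malicious=False, started=True):
    """Build one NAC: Detected System Status style record (constructed data)."""
    return {"Host Id": host, "System Health Status": status,
            "Enforced Health Level": enforced, "Manual Enforcement Request": manual,
            "Is Malicious": malicious, "Client Started": started}


# Constructed detected-system records. Host 6 appears twice to show that the
# 'Number of different values of Host Id' value counts a system once.
SAMPLE_SYSTEMS = [
    system(1, "Healthy", "Healthy"),
    system(2, "Critical", "Critical"),
    system(3, "Critical", "Healthy"),                  # exempt: assessed Critical, enforced Healthy
    system(4, "Healthy", "Critical", manual=True),     # enforced manually via Modify health level
    system(5, "Healthy", "Critical", malicious=True),  # marked malicious, enforced differently
    system(6, "Unknown", "Unknown", started=False),    # client not running
    system(6, "Unknown", "Unknown", started=False),    # same host reported twice
]

# Constructed NAC Current Benchmark Results rows. Disabled benchmarks report
# no results, so only Enforce and Audit Only rows exist here.
SAMPLE_BENCHMARK_RESULTS = [
    {"Host Id": 1, "Benchmark": "patch-level", "Enforcement Mode": "Enforce", "Health Level": "Healthy"},
    {"Host Id": 2, "Benchmark": "patch-level", "Enforcement Mode": "Enforce", "Health Level": "Critical"},
    {"Host Id": 3, "Benchmark": "disk-encryption", "Enforcement Mode": "Audit Only", "Health Level": "Critical"},
    {"Host Id": 4, "Benchmark": "disk-encryption", "Enforcement Mode": "Audit Only", "Health Level": "Healthy"},
]


def count_hosts(records, *group_fields):
    """Number of different Host Id values per combination of group_fields.
    Keys are tuples of the grouping values, in the order given."""
    hosts = {}
    for r in records:
        key = tuple(r[f] for f in group_fields)
        hosts.setdefault(key, set()).add(r["Host Id"])
    return {key: len(ids) for key, ids in hosts.items()}


def enforced_health_level_query(records):
    """Grouped bar chart: group = Enforced Health Level, bar = System Health Status."""
    return count_hosts(records, "Enforced Health Level", "System Health Status")


def manual_enforcement_query(records):
    """Pie chart: slices labelled by Manual Enforcement Request."""
    return count_hosts(records, "Manual Enforcement Request")


def malicious_system_query(records):
    """Pie chart: slices labelled by Is Malicious."""
    return count_hosts(records, "Is Malicious")


def client_started_query(records):
    """Pie chart: slices labelled by Client Started."""
    return count_hosts(records, "Client Started")


def benchmark_enforcement_mode_query(records):
    """Grouped bar chart: group = Enforcement Mode, bar = Health Level."""
    return count_hosts(records, "Enforcement Mode", "Health Level")


def enforced_differently(records):
    """Hosts whose enforced level differs from their health status (assumed
    test; these are the exemptions, manual requests and malicious systems
    that the predefined System Health Status monitor does not separate out)."""
    return sorted({r["Host Id"] for r in records
                   if r["Enforced Health Level"] != r["System Health Status"]})


if __name__ == "__main__":
    print(enforced_health_level_query(SAMPLE_SYSTEMS))
    print(manual_enforcement_query(SAMPLE_SYSTEMS))
    print(malicious_system_query(SAMPLE_SYSTEMS))
    print(client_started_query(SAMPLE_SYSTEMS))
    print(benchmark_enforcement_mode_query(SAMPLE_BENCHMARK_RESULTS))
    print("enforced differently:", enforced_differently(SAMPLE_SYSTEMS))
```

The grouped bar output makes the point of the Enforced Health Level query visible: two hosts sit in the (Critical, Healthy) group and one in (Healthy, Critical), and none of the three would stand out in a monitor that shows System Health Status alone.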
Health compliance auditing
Benchmarks have three enforcement modes: Enforce, Audit Only, and Disable.
We recommend that you test benchmarks in Audit Only mode before actively enforcing the benchmark
in your production environment. If you follow this recommendation, you might also want a
monitor that allows you to see how many systems are subject to the different enforcement modes,
and what their health levels are.
McAfee NAC does not have a predefined query for this, so you must create your own. See Useful
queries for McAfee NAC monitors.
System health assessment of managed systems
Regularly assessing a system's health is an important part of maintaining your network security. These
assessments can be configured according to your needs.
System health assessments for managed systems can be:
• Scheduled and run automatically, using an ePolicy Orchestrator client task
• Initiated manually for one or more systems by an ePolicy Orchestrator or McAfee NAC administrator
• Initiated manually from the system tray icon by users of Windows systems that have the McAfee
NAC client installed
The McAfee system tray is not supported on RedHat Enterprise Linux 4 systems. Users can enter the
following commands at the system command line:
To... | Type at the command line...
Run a system health scan | MNacClient -rhs
View the system health status | MNacClient -shs
View the remediation status | MNacClient -shs
View the client's About dialog box | MNacClient -v
The level of detail reported about a system assessment is controlled by the McAfee NAC client policy.
Assessment results are reported for any benchmarks with the enforcement mode set to Enforce or Audit
Only. If the enforcement mode is Disable, no results are reported.
Any time a system is assessed, the McAfee NAC client uses its current policies. When results are
reported to the McAfee NAC manager, it verifies whether the policies used in the assessment are up to
date. If they are not, updated policies are sent to the McAfee NAC client, and the assessment is
automatically repeated.
Schedule managed system scans in ePolicy Orchestrator 4.5
Create a schedule for running scans on managed systems using ePolicy Orchestrator 4.5.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Systems | System Tree, then click New Task, or click Actions | New Task.
2 Type a name for the task, then add other information about the task in the Notes option.
3 For Type, select Network Access Control Client Scan Task.
4 Click Next twice to go to the Schedule page of the wizard.
5 Set the scheduling options to specify when and how often to run a scan.
a For Schedule status, set Enabled or Disabled. You can enable the task later if you are not yet ready.
b For Schedule type, select when you want the task to run. The remaining configuration options
depend on your selection.
c Set Options choices. If you need help, click ?.
d If available for your selected Schedule type, set a start date and, if available, an end date for the
task. The No end date option is often used for scan tasks.
e If available, set whether to use the local system time or Coordinated Universal Time (UTC) for
running the task.
f If available, select a Schedule option from the drop-down list for how often to run the task, and
the desired time value or values. You can run the task once at a specific time, repeatedly
between two times, or repeatedly starting at a specific time.
g If available, set Daily to define how often (number of days) you want the task to run.
h Click Next.
6 Click Next to view the task summary, then click Save.
Schedule managed system scans in ePolicy Orchestrator 4.6
Create a schedule to run scans on managed systems.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Systems | System Tree, then click Assigned Client Tasks.
2 Click Menu | New Client Task Assignment.
3 Type a name for the task, and add other information about the task in the Notes option.
4 On the Client Task Assignment Builder page:
a In Product, select Network Access Control Client 4.0.
b In Task Type, select Network Access Control Client Scan Task.
c Click Next to go to the Schedule page of the wizard.
5 Set the scheduling options to specify when and how often to run a scan.
a For Schedule status, set Enabled or Disabled. You can enable the task later if you are not yet ready.
b For Schedule type, select when you want the task to run. The remaining configuration options
depend on your selection.
c Set Options choices. If you need help, click ?.
d If available for your selected Schedule type, set a start date and, if available, an end date for the
task. The No end date option is often used for scan tasks.
e If available, set whether to use the local system time or Coordinated Universal Time (UTC) for
running the task.
f If available, select a Schedule option from the drop-down list for how often to run the task, and
the desired time value or values. You can run the task once at a specific time, repeatedly
between two times, or repeatedly starting at a specific time.
g If available, set Daily to define how often (number of days) you want the task to run.
h Click Next.
6 Click Next to view the task summary, then click Save.
Request an immediate scan
Use the ePolicy Orchestrator console to request an immediate scan (health assessment) for one or
more systems.
Task
1 Go to Menu | Reporting | Dashboards, and select NAC Summary, or go to any dashboard containing a
monitor that reports McAfee NAC managed systems.
2 Click in the monitor to display a summary page or system details page. For information about using
McAfee NAC monitors, see Dashboards, monitors, and queries.
3 If you are viewing a system details page, click Actions | Request scan. If you are viewing a summary
page, you must select the systems to assess from the list before Request scan is active.
System health assessment of unmanaged systems
McAfee NAC is designed to detect, assess, and enforce managed systems on your network. McAfee
NAC, by itself, cannot enforce unmanaged systems, but can detect unmanaged systems through the
Rogue System Detection service.
It can also assess the health of an unmanaged system using the McAfee NAC guest client, which can
be installed from the Guest Portal.
The McAfee NAC guest client is not the same as the McAfee NAC client, and will not install on a system
that has the McAfee NAC client. The guest client differs from the McAfee NAC client in these ways:
• The guest client does not require the McAfee Agent.
• The guest client is not configured by a McAfee NAC client policy.
• The guest client is intended to be a temporary executable that is automatically removed after a
specified time, which is set from the Guest Portal.
• The guest client can assess a system only with the unmanaged system policy.
• The guest client cannot use automatic remediation. Unmanaged systems must be remediated
manually.
A system with the guest client installed is not a managed system according to the McAfee NAC or
ePolicy Orchestrator definitions.
The guest client's role is to evaluate system health and report the results to the McAfee NAC manager.
The guest client evaluates only the unmanaged system policy, and scans the system according to the
policy’s scan interval. The McAfee NAC manager reports the system's health level to the McAfee®
Network Security Sensor. All enforcement decisions are under McAfee® Network Security Manager
control. McAfee NAC does not play a role in unmanaged system enforcement.
The guest client's configuration is set as shown in this table. Most of this configuration is fixed, except
where noted.
Scan interval: Periodic interval at which a scan is invoked on guest clients.
Scan results: All benchmark and rule information.
Unhealthy host scan setting: Invokes a scan when the host is assessed as unhealthy.
System tray icon: Enabled.
Periodic identification: Enabled by default. This option is configurable in the unmanaged
system policy.
Sensor Settings: Enabled by default. Receives sensor details from the McAfee NAC server.
For details about setting the health policy for unmanaged systems, see Unmanaged system policy.
Run a scan
How users run a scan manually on an unmanaged system depends on the operating system. For
Windows users, scans can be run, and health status and remediation status checked using the McAfee
system tray.
The McAfee system tray is not supported on RedHat Enterprise Linux 4 systems. Users can enter the
following commands at a system command line:
To... | Type at the command line...
Run a system health scan | MNacClient -rhs
View the system health status | MNacClient -shs
View the remediation status | MNacClient -shs
View the client's About dialog box | MNacClient -v
Guest portal and guest client
The Guest Portal provides an access point where you can direct unmanaged systems, so users can
download and install the McAfee NAC guest client. The portal is a preconfigured web page, but you can
customize it with your company's logo and statement of network security policy.
The Guest Portal is installed as an extension when you install McAfee NAC. All files and executables
are located on the ePolicy Orchestrator server. To verify this, check the ePolicy Orchestrator Extensions
page.
To configure the Guest Portal, you should:
• Have a written network security policy statement to display on the portal page
• Set portal configuration options on the McAfee NAC Guest Portal server settings page
For details, see Guest portal configuration and the associated task.
Redirecting unmanaged systems that are detected by a Network Security Sensor to the Guest Portal is
configured using the McAfee® Network Security Manager. For information, see the McAfee® Network
Security Manager documentation.
How users install the guest client
The guest client can be installed only through the Guest Portal. The guest client installer is part of the
Guest Portal extension. If you uninstall the Guest Portal extension, the guest client installer is also
removed.
When users are redirected to the Guest Portal, they must select values for two options:
• Network access period, which sets how many days the guest client remains installed on their system
before it is automatically uninstalled.
• Their computer's Operating system. The system tries to automatically detect the operating system and
defaults to that value, but users can choose the correct operating system (Windows, Linux, Mac OS, or
Other). If a user selects Other, the operating system is not supported by the guest client.
With these options set, users can install the guest client and have their systems scanned.
Behavior for no guest client installed
The Guest Portal does not force a user to install the guest client. If users click Cancel on the guest
portal, they receive a warning that their network access might be restricted or denied. Administrators
should set the Health level for no guest client option on the McAfee NAC Guest Portal server settings page to
an appropriate value for their company security policy. This option defaults to Critical.
Alternatively, a user might be running an operating system where the guest client cannot be installed
(the Other value). If a user selects this value, they receive a warning that their network access might be
restricted or denied. Administrators should set the Health level for 'Other' OS option on the McAfee NAC
Guest Portal server settings page to an appropriate value for their company security policy. This option
defaults to Unknown.
Guest portal configuration
Configuring the Guest Portal is done by setting option values on the McAfee NAC Guest Portal server
settings page.
The options you can set are listed here.
Guest portal logo: Sets the file path to the image file you want to use as the logo displayed on the
Guest Portal. This is typically your company logo. Place the logo image file anywhere on the
ePolicy Orchestrator server, and give the absolute path for this option. The JPG and GIF file
formats are recommended, but you should be able to use any format supported by Web-standard HTML.
Guest system policy statement: Sets the statement you want to display on the Guest Portal describing
your company's network security policy for unmanaged, or guest, systems on your network. This is a
text field that can contain approximately 10,000 characters.
McAfee Network Access Control 4.0.0
Product Guide
8
Network access administration and monitoring
Health level overrides
Option
Definition
Default guest client Sets the default value, in days, for the Network access period option on the Guest
authorization
Portal page. This setting determines how long the McAfee NAC guest client is
active on a guest system before the client is automatically uninstalled. The
allowed values are 0, 1, 2, 5, 15, 30, and 90. A value of zero means the McAfee
NAC guest client scans the system once, then is immediately uninstalled.
Health level for no
guest client
Sets the default health level that is assigned to unmanaged systems on your
network that do not have the McAfee NAC guest client installed. One way this
would happen is if the user cancels out of the Guest Portal.
Health level for
'Other' OS
Sets the default health level that is assigned to unmanaged systems on your
network when the user of the system selects the value Other for the Operating
system option on the Guest Portal page.
Configure the guest portal
Set option values that configure the McAfee NAC guest portal. Typically, these settings would change
infrequently.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Configuration | Server Settings, then in the Setting Categories column, select NAC Guest Portal.
2 Click Edit.
3 On the Edit page, enter values for these options:
  • Guest portal logo
  • Guest system policy statement
  • Default guest client authorization
  • Health level for no guest client
  • Health level for 'Other' OS
4 Click Save.
Health level overrides
Using the Modify health level action, you can force a managed system to be enforced at a specific health
level. You can use this action any time on any managed system, except those that are exempt by rule
or exempt by administrator.
Enforcing systems this way places a managed system in a permanent enforcement state that is no
longer affected by the assessor. That is, if the system is subsequently assessed, the new assessment
result does not influence the system's enforcement status.
Systems that have been enforced manually must be reset using the Reset health level action. This
removes the Manual Enforcement Request flag, and sets the System Health Status to the current
value of Enforced Health Level. The system's enforcement status changes accordingly.
Enforcing systems manually can be useful when you are evaluating benchmarks (that is, their mode is
Audit Only). For example, when auditing a new benchmark, you discover that several systems have been
assessed as Critical. Though you might still be testing the benchmark, if it tests for a serious security
violation, you might want to enforce any systems that are not compliant.
Modify a system's health level
You can manually override a system's assessed health level. The effect is to force the system to be
enforced at the health level you specify. This action has no effect on systems with exemptions.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Reporting | Dashboards, or any other active dashboard with McAfee NAC monitors.
2 From a McAfee NAC monitor, click an entry to open a summary page or the Network Access Control Detected System Status Details page. If a summary page opens, select one or more listed systems.
3 Click Actions | Modify health level.
4 In the Modify health level pane, select a health level from the drop-down list for Set enforced health level.
5 Click OK. A message in the Actions Taken pane informs you whether the action was successful. The ePO message window lists the result of the action.
6 On the Network Access Control Detected System Status Details page for the system, verify that the Enforced Health Level field has changed, and that the Network Access Status and Network Access Zone fields indicate that the system is enforced correctly, according to the system's network access policy.
Reset a system's health level
Use Modify health level to remove a manual enforcement override, which was set by an administrator. This
action sets the enforced health level of a system to the most recently assessed health level.
Before you begin
Systems that have manual enforcement overrides can be difficult to locate using only the
supplied McAfee NAC queries as monitors. To track manual enforcement overrides more
easily, create a query that reports the Enforced Health Level or Manual Enforcement Request fields.
See Creating an Enforced Health Level query or Creating a Manual Enforcement Request
query.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Reporting | Dashboards, or click Dashboards or any other active dashboard with McAfee NAC monitors.
2 From a McAfee NAC monitor, click an entry to open a summary page or the NAC Detected System Status Details page.
3 Locate and select a system or systems that have an enforcement override you want to remove.
4 Click Actions | Reset health level to default.
5 Check the Action Taken pane in the ePO message window to verify that the action was successful.
Events and responses
Event reporting is a core feature of ePolicy Orchestrator. McAfee NAC does not use the ePolicy
Orchestrator common event format because it is a product for network-based assessment and control,
rather than a managed product that is deployed to individual systems.
This means that McAfee NAC events are not reported and used the same way as standard ePolicy
Orchestrator events. The McAfee NAC events are reported by the McAfee NAC client directly to the
server; they do not go through the McAfee Agent.
Rogue System Detection events are the same category as McAfee NAC events. It can be useful to set up
automatic responses for events of both types.
McAfee NAC events are used for response generation, and use the automatic response feature (Menu |
Automation | Automatic Responses), which is a core feature of ePolicy Orchestrator 4.5 and 4.6. The allowed
response types, such as sending an email or running a command, depend on the event type. This is
also true of Rogue System Detection.
McAfee NAC generates these events:
• System no longer healthy: Occurs when a system's health level changes from Healthy to any other value
• Malicious system detected: Occurs when a message is received from a Network Security Sensor that it has detected behavior that is defined as malicious (see Malicious systems)
• System is not enforceable: Occurs when a system is detected that cannot be enforced (see System classifications)
• Failed to apply network access policy to system: Occurs when a system does not have any applicable system health policies that can be assessed by the McAfee NAC client (determined by the policy activation settings of your system health policies)
These events are reported in the audit log (Menu | User Management | Audit Log).
Create automatic event responses
Create or edit an automatic event response for predefined McAfee NAC events.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Automation | Automatic Responses, then click New Response or Actions | New Response to create an event response, or click Edit in the Action column for an existing event response.
2 On the Description page:
  a Type a name and description for the response.
  b Select the language.
  c For Event group, select Network Access Control Events from the drop-down list.
  d For Event type, select the type of event for which you want to generate an automatic response.
  e For Status, select whether you want the response Enabled or Disabled.
3 On the Filters page, set one or more properties to use as event filters.
4 On the Aggregation page, specify an aggregation level for the event type. You can specify no event aggregation, or aggregation based on a time interval or an event count.
5 On the Actions page, specify the actions to initiate as a response to the event.
6 Review the selected parameters on the Summary page, then click Save.
Manual control of exemptions
You can control the exemption status of systems manually, using Set NAC exempt and Remove NAC exempt.
You can set an exemption on any system that has been detected. The Set NAC exempt action works under
any circumstances. You can remove an exemption only on systems where the System Status is
"exempt by administrator."
If the System Status is "exempt by rule," the Remove NAC exempt action is ignored (see How exemption
rules work).
Imported scan exemptions
Typically, the Import exempt systems action is used to create scan exemptions for devices that are
unmanageable, such as printers and FAX machines. These systems report as rogues on the Systems |
Detected Systems page. Since these systems are not truly rogues (that is, you know they are legitimate
devices and are inherently unmanageable and unenforceable), McAfee recommends that you mark
these systems as exceptions, so that they are not reported as rogues.
If you remove the scan exemption using Remove NAC exempt, the system or device is still reported in the
McAfee NAC monitors with a health level of Unknown, and a network access status of None. If you are
using only McAfee NAC, removing the exemption does not create any problems because these devices
cannot be enforced using Host enforcement; that is, the McAfee NAC client as the enforcer.
However, if you are using McAfee NAC with another enforcer (Microsoft Network Access Protection or
McAfee Network Security Platform), you might end up quarantining the device. In the case of a printer
or FAX machine, this might not be critical, but certainly not desired.
When removing an exemption, you are notified in the ePolicy Orchestrator message window if the
McAfee NAC manager determines that the system might be unenforceable.
At any time, you can reapply an exemption to these systems manually, using Set NAC exempt.
If you are retiring or replacing a device such as a printer or FAX machine, you might want to clean up
the database by removing the device. See Removing retired or invalid systems.
Set a system's exemption status
You can set an exemption for a system by administrator status, or remove an exemption from a
system by administrator status.
Exemptions specified by an administrator with Set NAC exempt have different properties than exemptions
that result from an exemption rule. See Using exemptions.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Reporting | Dashboards, then select NAC Summary or any other active dashboard with McAfee NAC monitors.
2 From any McAfee NAC monitor, click a chart section to list the systems where you want to set or remove a scan or enforcement exemption.
3 If you are on a summary page listing more than one system, select each system you want to affect; otherwise, you are on a details page for a single system.
4 To set an exemption, click Actions | Set NAC exempt, select the exemption type, then click OK.
5 To remove an exemption, click Actions | Remove NAC exempt. Be sure that the system's current exemption status is Exempt by administrator. If removing an exemption would result in a system or device becoming unenforceable, a message appears in the Action Taken pane in the ePolicy Orchestrator message window.
Unmanageable devices and what to do with them
Most networks have legitimate devices connected to them that are inherently unmanageable, such as
printers and FAX machines that cannot host McAfee NAC. This section describes how to handle them.
Since these systems cannot host the McAfee Agent, the McAfee NAC client, or the McAfee NAC guest
client, they:
• Are detected as rogues (by the Rogue System Detection service)
• Cannot be assessed
• Are not subject to enforcement by the McAfee NAC client or guest client
However, if you are also using Microsoft Network Access Protection as an enforcer, or McAfee Network
Security Platform (potentially as both a detector and enforcer), not treating these devices correctly
can result in undesirable consequences, such as a printer being quarantined.
Unmanageable systems initially are reported as rogues by the Rogue System Detection service on the
Menu | Systems | Detected Systems page. Since these systems are not truly rogues (you know they are
legitimate devices and are inherently unmanageable and unenforceable), McAfee recommends that
you mark these systems as exceptions. This way, all your unmanageable systems are identified and
grouped as exceptions. For details, see the information about Rogue System Detection in the ePolicy
Orchestrator Product Guide.
However, marking an unmanageable system as an exception from the Rogue System Detection
interface does not influence how the McAfee NAC manager views it. In McAfee NAC, an unmanageable
system is always assigned a health level of Unknown, and a network access status of None.
Because an unmanageable system cannot host the McAfee NAC client, the most useful action is to
mark these systems as exempt from scans.
McAfee NAC exemptions are not the same as Rogue System Detection exceptions. See Using
exemptions.
How to handle unenforceable systems
To McAfee NAC, an unenforceable system is one that cannot be enforced by the McAfee NAC client, or
its enforcement status has not been or cannot be reported to the McAfee NAC manager.
Managed systems might become temporarily unenforceable if the McAfee NAC client is shut down or
stops working. In this case, you can use a query that tests for the McAfee NAC client being started
(see Creating a NAC Client Started query).
Unmanaged systems are, by definition, unenforceable if you are using only McAfee NAC: you must use
McAfee Network Security Platform to enforce unmanaged systems. Unmanageable systems are also
unenforceable to McAfee NAC because they cannot host the McAfee NAC client.
Identifying a system as unenforceable does not imply that the system cannot be enforced at all. The
McAfee NAC manager can determine only that a system cannot be enforced by the McAfee NAC client.
Managed systems that are unenforceable by McAfee NAC might be enforceable by one of the other
supported enforcers, depending on your enforcement configuration. See Enforcers and how they
operate.
Remove retired or invalid systems
Remove a system from the database that is no longer on your network. This allows you to clean up
the database so that these systems are no longer reported on your monitors.
This task is most commonly used for guest systems that you have allowed to access your network,
and for printers and other devices that you replace or retire.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Systems | Detected Systems.
2 In the Overall System Status window, click Rogue or Exceptions. The category you select depends on how you marked a system when it was detected. See Unmanageable devices and what to do with them and How to handle unenforceable systems.
3 Identify, then select the systems to remove from the list. To identify the correct systems, you might need to know a MAC address, canonical name, or the text of a comment you entered for a system or group of systems.
4 Click Delete or click Actions | Delete.
Post admission control for malicious systems
The post admission control (PAC) feature allows you to set the health level of managed systems for
which the McAfee NAC manager has received a malicious system detected event or an administrator
request. Post admission control is not applicable to unmanaged systems because they cannot be
assigned a post admission policy.
One source of events is from a McAfee® Network Security Sensor. For details about using post
admission control with McAfee Network Security Platform, see Malicious system events.
There are two parts to using the PAC feature, both of which must be configured for post admission
enforcement to work:
• An enabled post admission policy that is deployed to managed systems
• An enabled event response to a Malicious system detected event that has the response action set to Enforce malicious system (see Malicious system event responses)
What are malicious systems
Malicious behavior is whatever you define it to be using the tools available in the McAfee Network
Security Manager, or any other software that reports a Malicious system detected event to the Network
Access Control manager.
It could be anything from a malware threat to a system trying to access another system it should not
be allowed to access. The McAfee NAC software does not play a role in defining what is or is not
malicious behavior.
Identifying and enforcing systems as malicious automatically depends on two settings:
• A post admission policy
• A response that catches the Malicious system detected event
McAfee Network Access Control also allows you to mark systems as malicious manually using the Set
malicious status action. You can use this action as a precaution if a system demonstrates unusual
behavior. Under these circumstances, you are bypassing any rules you established for identifying
malicious behavior. You then need to determine whether a system is a real security threat or is
infected by some other method.
Malicious systems are enforced using a different methodology than systems that are unhealthy
according to your system health policies. See How post admission control works and Post admission
control enforcement.
How post admission control works
The McAfee NAC manager listens for messages from a Network Security Sensor that it has established
trusted communications with, or other supported products. When the McAfee NAC manager receives
the message, it ascertains the current status of each system the message identifies, then sets each
system's Is Malicious flag to true.
The McAfee NAC manager changes the Is Malicious flag to true even if a system is exempt. For exempt
systems, the post admission policy and malicious system event response are ignored.
Whether other actions like enforcement occur, depends on the actions specified in the response to a
Malicious system detected event and how your post admission policies are configured.
This table describes the result of different configurations of your post admission policies, and your
response settings for the malicious system detected event.
Post admission policy settings: Admission control option set to Disable.
Response settings: No response configured, response is disabled, or response is enabled, the Event type is set to Malicious system detected, and the Action is set to Enforce malicious system.
Result: No change in health level and no enforcement occurs as a result of a system being identified as displaying malicious behavior. All systems identified by the incoming "malicious system" message have their Is Malicious flag set to true.

Post admission policy settings: Admission control option set to Disable.
Response settings: Response enabled. Event type is set to Malicious system detected. Action is any value other than Enforce malicious system.
Result: No change in health level and no enforcement occurs as a result of a system being identified as displaying malicious behavior. All systems identified by the incoming "malicious system" message have their Is Malicious flag set to true. Depending on the action specified in the response, an email notification can be sent or an external command can be run.

Post admission policy settings: Admission control option set to Enforce.
Response settings: No response configured, or response is disabled.
Result: No change in health level and no enforcement occurs as a result of a system being identified as displaying malicious behavior. All systems identified by the incoming "malicious system" message have their Is Malicious flag set to true.

Post admission policy settings: Admission control option set to Enforce.
Response settings: Response enabled. Event type is set to Malicious system detected, and the Action is set to Enforce malicious system.
Result: The health level changes to the value specified by the Malicious system health level option in the post admission policy only if that value is more severe than a system's current health status. If the value is less severe or the same, no change in health level occurs. All systems identified by the incoming "malicious system" message have their Is Malicious flag set to true. Enforcement occurs, but is dependent on which enforcer is configured in the McAfee NAC client policy assigned to a system (see Post admission control enforcement).

Post admission policy settings: Admission control option set to Enforce.
Response settings: Response enabled. Event type is set to Malicious system detected. Action is any value other than Enforce malicious system.
Result: No change in health level and no enforcement occurs as a result of a system being identified as displaying malicious behavior. All systems identified by the incoming "malicious system" message have their Is Malicious flag set to true. Depending on the action specified in the response, an email notification can be sent or an external command can be run.
McAfee NAC does not include a predefined query or monitor that specifically shows systems whose Is
Malicious is set to true. To identify malicious systems, you must look at the Network Access Control
Detected System Status Details page. The boolean data field Is Malicious allows you to determine if the
system is unhealthy due to potentially malicious behavior. This page also contains Actions that allow
you to set or remove the malicious status of a system manually.
To determine whether a system is marked as malicious, you can:
• Check the Network Access Control Network Access Status monitor for systems that are restricted to the network access zone you mapped to the health level specified in the post admission policy.
• Check the Network Access Control System Health Status monitor for systems with the health level specified in the post admission policy.
• Create a query to use as a monitor that tests the Is Malicious flag. See Create a Malicious System query.
Once a system is marked as malicious, the only way to remove this status is for the administrator to
use the Remove malicious status action from a Network Access Control Detected System Status page
(either summary or details). If the system has been enforced as malicious (its health level was
changed), removing the malicious status also resets the system's health to its last known value. For
details, see Reset the malicious status flag.
An administrator can manually mark a system as malicious using the Set malicious status action on a
Network Access Control Detected System Status summary or details page. Whether enforcement
occurs as a result of this action is subject to the same configuration rules involving the malicious
system event response and post admission policy. The same behavior occurs regardless of whether a
system is marked as malicious due to a "malicious system" message (for instance, from a Network
Security Sensor), or an administrator action.
Post admission control enforcement
Post admission control enforcement of managed systems depends on which enforcer is configured in a
system's network access policy. Like any enforcement request, malicious systems are allowed or
denied network access based on a health level.
Normally, the health level is derived from a system's applicable health policies. However, if a system is
marked as malicious, the post admission policy allows for the potential of a health level override.
If post admission control is configured so that enforcement occurs, the health level sent to the
enforcer comes from one of these sources:
• The current value of the enforced health level resulting from the latest scan
• The value of the Malicious system health level option in the post admission policy
Whichever health level value is the most severe is the one that is sent to the enforcer, and set as the
enforced health level. For example, if a system with a health level of Poor is identified as malicious,
and the post admission policy sets the health level at Critical, the configured enforcer is sent a value
of Critical. If a system with a health level of Critical is identified as malicious, and the post admission
policy sets the health level at Serious, the configured enforcer is still sent a value of Critical, even
though that value did not come from the post admission policy.
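The following Python model is an added example, not McAfee code: it encodes the decision table from How post admission control works together with the most-severe rule above, so you can check what a given policy and response combination does to a system before relying on it. The severity order of the health levels (Healthy and Unknown least severe, then Poor, Serious, Critical) and all class and function names are assumptions made for the example.

```python
"""Added example (not McAfee code): models McAfee NAC post admission control (PAC)
for one 'Malicious system detected' message, as described in the product guide."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Health levels named in the guide, least to most severe. The guide only fixes that
# Healthy/Unknown are never more severe than an enforced level and that Poor < Critical
# and Serious < Critical; the full ordering here is an assumption for this example.
SEVERITY = {"Healthy": 0, "Unknown": 1, "Poor": 2, "Serious": 3, "Critical": 4}
ENFORCE_ACTION = "Enforce malicious system"
MALICIOUS_EVENT = "Malicious system detected"


@dataclass
class PostAdmissionPolicy:
    admission_control: str        # "Enforce" or "Disable"
    malicious_health_level: str   # the Malicious system health level option


@dataclass
class MaliciousEventResponse:
    enabled: bool
    event_type: str
    actions: Tuple[str, ...]      # actions chosen on the response's Actions page


@dataclass
class ManagedSystem:
    name: str
    enforced_health_level: str
    is_exempt: bool = False
    is_malicious: bool = False
    # Level saved before PAC changed it, so Remove malicious status can restore it.
    pre_malicious_level: Optional[str] = None


@dataclass
class PacOutcome:
    enforced_health_level: str    # value that would be sent to the enforcer
    enforcement_requested: bool
    other_actions: Tuple[str, ...]  # e.g. email notification or external command


def most_severe(a: str, b: str) -> str:
    return a if SEVERITY[a] >= SEVERITY[b] else b


def handle_malicious_message(system: ManagedSystem,
                             policy: Optional[PostAdmissionPolicy],
                             response: Optional[MaliciousEventResponse]) -> PacOutcome:
    """Apply the PAC decision table to one system named in the incoming message."""
    # Every identified system gets Is Malicious = true, even an exempt one.
    system.is_malicious = True
    if system.is_exempt:
        # Exempt systems: the policy and the event response are ignored.
        return PacOutcome(system.enforced_health_level, False, ())
    response_active = (response is not None and response.enabled
                       and response.event_type == MALICIOUS_EVENT)
    if not response_active:
        # No response configured or response disabled: flag only, no other action.
        return PacOutcome(system.enforced_health_level, False, ())
    other = tuple(a for a in response.actions if a != ENFORCE_ACTION)
    enforce = (policy is not None and policy.admission_control == "Enforce"
               and ENFORCE_ACTION in response.actions)
    if not enforce:
        # Policy disabled, or response lacks the Enforce action: no level change.
        return PacOutcome(system.enforced_health_level, False, other)
    # Enforcement: the more severe of the current enforced level and the policy
    # level is sent to the enforcer; the level changes only if the policy wins.
    new_level = most_severe(system.enforced_health_level, policy.malicious_health_level)
    if new_level != system.enforced_health_level:
        system.pre_malicious_level = system.enforced_health_level
        system.enforced_health_level = new_level
    return PacOutcome(new_level, True, other)


def remove_malicious_status(system: ManagedSystem) -> str:
    """Administrator's Remove malicious status action: clear the flag and, if PAC
    changed the health level, reset it to the last value it had before the change."""
    system.is_malicious = False
    if system.pre_malicious_level is not None:
        system.enforced_health_level = system.pre_malicious_level
        system.pre_malicious_level = None
    return system.enforced_health_level


if __name__ == "__main__":
    # Constructed scenario: Poor system, policy set to Critical, response enforces.
    sys_a = ManagedSystem("host-a", "Poor")
    pol = PostAdmissionPolicy("Enforce", "Critical")
    resp = MaliciousEventResponse(True, MALICIOUS_EVENT, (ENFORCE_ACTION, "Send email"))
    print(handle_malicious_message(sys_a, pol, resp))   # Critical, enforcement requested
    print(remove_malicious_status(sys_a))               # back to Poor
```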
Whether enforcement occurs, and the end result of any enforcement action, depends on which
enforcer is configured for a managed system.
Enforcer: Post admission control enforcement

McAfee Network Access Control client: Enforcement is based on the mapping of network access zones to health levels in the network access policy that is assigned to a managed system.

Microsoft Network Access Protection: The McAfee NAC client, acting as the Network Access Protection System Health Agent (SHA), passes the health level to the McAfee System Health Validator (SHV), which then forwards it to the Microsoft Network Policy Server. Enforcement is based on your Network Access Protection policies. See Integrating McAfee NAC with Microsoft Network Access Protection.

McAfee® Network Security Sensor: The McAfee NAC manager passes the health level to the Network Security Sensor. This health level can be used by the Sensor if health-based policies are configured in McAfee® Network Security Manager.
Depending on your Network Security Sensor configurations, it is possible for them to override
enforcement by other enforcers. See Integrating McAfee NAC with McAfee Network Security Platform.
When you are using post admission control, McAfee recommends that you define a suitable network
access zone for restricting malicious systems. Both McAfee NAC and McAfee® Network Security
Manager use the concept of network access zones. If you are using Microsoft Network Access
Protection for enforcement, you might want to configure your health and network policy rules such
that the health level used for malicious systems is a special case and is associated specifically with
your organization's definition of a malicious system.
Post admission policies
A post admission policy is required for assigning a health level to managed systems that have been
identified or marked as malicious.
The policy contains two options: one that enforces the policy, and one that sets the system's health
level if malicious behavior is detected.
How these options affect a system depends on several factors. For details, see How post admission
control works. Like other McAfee Network Access Control policies, a post admission policy must be
assigned to your managed systems for it to have an effect. You cannot assign a post admission policy
to unmanaged systems.
Configure a post admission policy
You can specify whether to enforce managed systems that are identified as displaying malicious
behavior and reported to the McAfee NAC manager, and which health level to assign to those systems.
Enforcement only occurs if you have also created and enabled an event response. For details, see
Malicious system event responses.
After you configure a post admission policy, you must assign it to your managed systems using the
standard ePolicy Orchestrator policy assignment features.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Policy | Policy Catalog, then from the Product drop-down list, select Network Access Control 4.0.0.
2 From the Category drop-down list, select Post Admission Policy.
3 To create a new policy, click Actions | New Policy or click Duplicate in the Actions column of an existing policy.
4 Type a name for the new policy. If you use New Policy, you also select an existing policy as a basis for the new one. Click OK.
5 Set the Admission control option to Enforce (required for the policy to have an effect on system enforcement).
6 Set Malicious system health level to the health level value you want assigned if the system displays malicious behavior. For a post admission policy to have an effect, the health level you select must be more severe than a system's enforced health level. For this reason, the Healthy and Unknown health levels are not listed.
7 Click Save.
Malicious system event responses
A malicious system event response informs the McAfee NAC manager that you want to take a
particular action or set of actions when a Network Security Sensor or other supported product sends a
Malicious system detected message.
To create a response to the Malicious system detected event, you use the Responses feature in the ePolicy
Orchestrator interface (Menu | Automation | Automatic Responses). If you don't create and enable this event
response, the only action that occurs due to a Malicious system detected message is the McAfee NAC
manager sets each identified system's Is Malicious flag to true.
To enforce the "malicious" health level set in your post admission policies, at least one of the actions
you specify for the Malicious system detected event must be Enforce malicious system, and the response must
be enabled (see Configuring a malicious system event response). Other actions, such as sending an
email notification, also can be specified as part of an event response.
Responses can also contain filters, which allow you to identify systems according to various properties.
Using filters is one way to limit or restrict which systems are subject to the actions you specify. For
example, you might want to enforce one set of systems when detected as malicious, but only receive
email notification for a different set.
Configure a malicious system event response
You must configure and enable an event response to enforce the health level specified in the post
admission policy.
For enforcement to occur, the Admission control option of the post admission policy must be set to Enforce.
For details, see How post admission control works.
Task
For option definitions, click ? in the interface.
1 Click Menu | Automation | Automatic Responses, then click Actions | New Response, or for an existing event response, click Edit in the Action column.
2 On the Description page:
  a Type a name and description that indicates the type of response or type of event.
  b Select a language.
  c For Event, set Event group to Network Access Control Events, and Event type to Malicious system detected.
  d Set Status to Enabled.
3 On the Filter page, from the list of Available Properties, select properties you want to use to filter event reporting, then click Next. Using filters is not recommended for the Malicious system detected event.
4 On the Aggregation page, set Aggregation to Trigger the response for every event, then click Next. Aggregating on multiple events over a time period is not recommended.
5 On the Actions page, select Enforce malicious system from the drop-down list, then click Next.
6 On the Summary page, review the settings, then click Save.
Set a system's malicious status
Use this task when you need to manually designate a system as malicious.
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Dashboards (or click Dashboards on the toolbar), then select NAC Summary from the drop-down list, or any other active dashboard with McAfee NAC monitors.
2 From any monitor that includes the system you want to mark as malicious, click a chart section.
3 If there are multiple systems in the chart section, select the checkbox of the system(s) from the summary page. If there is only one system for the chart section, the NAC Detected System Status Details page opens.
4 Click Set malicious status.
5 Click Actions | Set malicious status.
Remove a system's malicious status
Remove a system's malicious status once you have determined that there is no longer a threat. This is
the only method to reset a system's Is Malicious status flag.
Before you begin
Make sure you have an active dashboard that contains the NAC: System Health Status
monitor so that you can access the NAC Detected System Status Details page.
If the system has been enforced by a post admission policy, removing the malicious status also resets
the system's enforced health level to the last value it had before being changed. If no enforcement
resulted from the malicious system event, removing the malicious status does not change the
system's current enforced health level.
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Dashboards or click Dashboards on the menu bar, then select NAC Summary from the drop-down list, or any other active dashboard with Set malicious status monitors.
2 From any monitor that includes one or more malicious systems, click the appropriate chart section.
3 If there are multiple systems in the chart section, select the system(s) from the summary page. If there is only one system for the chart section, the NAC Detected System Status Details page opens.
4 Check that the Is Malicious field is set to true.
5 Click Remove malicious status.
6 Click Actions | Remove malicious status.
7 Check the Action Taken pane in the ePolicy Orchestrator message window to verify that the action was successful.
Assessment and enforcement histories
McAfee NAC stores information every time a system is assessed, and every time an enforcement
action occurs. You can view an assessment or enforcement history through specific McAfee NAC
monitors. These histories allow you to track a sequence of actions, and can be useful for testing policies.
When you view an individual assessment (scan) result, you can then access the benchmark results for
that scan. This allows you to find out which rules passed and which failed.
You can also delete the historical assessment and enforcement results if or when you no longer need
them. Assessment results can be deleted for individual systems from the Scan History for Host page.
You can also delete all scan results for all systems using an ePolicy Orchestrator server task (see
Purging scan results automatically). Enforcement results can be deleted for individual systems from
the Enforcement History for Host page.
Purge scan results automatically
Create or edit a server task to purge all McAfee NAC scan results from the database. You can schedule
this task to run at an interval you define.
This task relies on the ePolicy Orchestrator Server Tasks feature, and assumes you understand the
process of working with server tasks.
Task
For option definitions, click ? in the interface.
1 Click Menu | Automation | Server Tasks, then click Actions | New Task, or click New Task, or click Edit in the Action column for an existing task.
2 On the Actions page of the Server Task Builder, select McAfee NAC: Purge Scan Results from the drop-down list.
3 For Purge records older than, set the number of days, weeks, months, or years.
4 On the Schedule page, set how often you want to run the task.
5 When you are done setting values, go to the Summary page and click Save.
Delete scan or enforcement results manually
Remove scan or enforcement results for an individual system.
This task relies on accessing the Scan History for Host page and the Enforcement History for Host
page through McAfee NAC monitors or queries.
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Dashboards (or click Dashboards on the menu bar), then select NAC Summary from the drop-down list, or any other active dashboard with McAfee NAC monitors.
2 From any McAfee NAC monitor, click a chart section to list the systems where you want to remove all or part of the scan or enforcement history.
3 If you are on a summary page that lists more than one system, select the checkbox next to a system; otherwise, you are at a details page for a single system.
  • To list the system's scan history, click Actions | Show scan history. This displays the Scan History for Host page.
  • To list the system's enforcement history, click Actions | Show enforcement history. This displays the Enforcement History for Host page.
4 Select one or more entries.
5 Click Actions | Delete scan history or Actions | Delete enforcement history, depending on the page you are viewing.
9 Integrating McAfee NAC with McAfee Network Security Platform
McAfee NAC 4.0 supports McAfee Network Security Platform, specifically the McAfee® Network Security
Sensor, as a detector and an enforcer. The two products can work together to provide network access
control for both managed and unmanaged systems.
In this release of McAfee NAC, both managed and guest clients can communicate health-level
information directly to the McAfee Network Security Platform sensors. To achieve this, enable the
client sensor channel in the NACServer.properties file.
Contents
Configuration requirements
Operations when combined with McAfee Network Security Platform
McAfee® Network Security Sensor as a detector
McAfee® Network Security Sensor as an enforcer
Health-based access control
Identity-based access control
McAfee NAC manager configuration
Assessment of unmanaged systems
Configuration requirements
To operate correctly with McAfee Network Security Platform, you need to configure several
communication channels, and let the McAfee NAC manager know the location of your McAfee® Network
Security Manager server.
How components communicate
McAfee Network Security Platform can handle both unmanaged and managed systems in the network
for health-based and identity-based access control, when configured. McAfee NAC handles only
managed system enforcement.
To use McAfee Network Security Platform for detection and enforcement, these components must
communicate with each other:
• The ePolicy Orchestrator server that hosts McAfee NAC
• Your Network Security Sensors
• The McAfee NAC client
• Guest client
When McAfee Network Security Platform is configured to use health-based access control, the primary
information communicated from McAfee NAC to a Network Security Sensor is a system health level.
Once communicated, enforcement decisions for unmanaged systems are controlled by your Network
Security Manager policies. Also, your Network Security Sensors must establish trusted
communications with the McAfee NAC manager.
Assumptions
The information presented here assumes that you are familiar with McAfee Network Security Platform,
its requirements, its operation, and its user interface.
In McAfee NAC, the configuration for using both products involves:
• Setting the port for communication between Network Security Sensors and McAfee NAC clients
• Specifying the location of the McAfee® Network Security Manager server
• Setting a shared secret for trusted communication between the McAfee NAC manager and Network Security Sensors
• (Optional) Specifying that the McAfee NAC client send out a periodic identification message for the Network Security Sensors
• (Optional) Configuring a McAfee NAC client policy if you are going to use McAfee Network Security Platform as an identity-based enforcer (see Identity-based access control)
Installation requirements
During installation, you are asked to specify a Network Security Sensor to McAfee NAC client
communication port. This corresponds to the Client identification request setup option in the McAfee NAC
server settings. The default port listed in the installer is the same port which ePolicy Orchestrator uses
for the Server-to-sensor communication port. The port was chosen because ePolicy Orchestrator already opens
it. If you want to use a different port, enter that port number in the installer.
However, you cannot change the port number after McAfee NAC is installed unless you uninstall the
McAfee NAC application and re-install it. You must also make sure that this new port is open, and not
blocked by any firewalls in between your sensors and the ePolicy Orchestrator server. Communication
between sensors and McAfee NAC clients is over an unsecured channel.
How sensors communicate with McAfee NAC
Sensors communicate with the McAfee NAC manager using a secure communication channel. This
secure, trusted communication uses port 8443, and can be configured to use a shared secret. When
McAfee NAC is installed, the Trusted communications setup shared secret is blank (no value). This setting is
valid, but you can also type a text string of your choice. You then use this string when you configure
your Network Security Sensors. If communication is not working, check that your shared secret values
are identical.
The periodic identification message setting in the McAfee NAC client policy is needed only if a
managed system has a firewall that blocks the configured Network Security Sensor to McAfee NAC
client communication port. This is the port listed for Client identification request setup in the McAfee NAC
server settings. Enabling this option causes the McAfee NAC client to initiate identification messages to
the Network Security Sensors. For unmanaged systems, this option is configured in the Unmanaged
System Policy, and applies only to the McAfee NAC guest client.
Types of configuration
If you are using McAfee Network Security Platform as a health-based enforcer, no special configuration
is needed for the McAfee NAC client policy.
If you are using McAfee Network Security Platform as an identity-based enforcer for both managed
and unmanaged systems, you also need to configure a McAfee NAC client policy with the Enforcement
Method set to None.
All other configuration to make McAfee NAC work with McAfee Network Security Platform is done
through the Network Security Manager and Network Security Sensor interfaces. For details, see the
McAfee Network Security Platform documentation.
Operations when combined with McAfee Network Security
Platform
When setting up an environment where McAfee NAC and McAfee Network Security Platform are used
together, the McAfee® Network Security Sensor can perform both system detection and enforcement.
A Network Security Sensor is an appliance that monitors network traffic and manages pre-admission
and post-admission access. The Sensor can:
• Uniquely identify systems as part of an IP stream
• Send detection messages for systems it detects to the McAfee NAC manager
• Respond to enforcement requests (status messages) from the McAfee NAC manager
• Enforce ACLs on the IP streams of these systems
Detection
When setting up Network Security Sensors for detection, the primary consideration is to make sure
that you cover all parts of the network you want to protect, and that each Network Security Sensor is
communicating with the McAfee NAC client or guest client, and with the McAfee NAC manager. Use the
information provided in the McAfee Network Security Platform documentation.
Enforcement
When using Network Security Sensors for enforcement, the primary consideration is that client
systems in your production and quarantine networks must be able to communicate with the ePolicy
Orchestrator server. Other considerations might be involved depending on the McAfee Network
Security Platform access control type you use. For instance, if you use identity-based access control,
you must configure and deploy a McAfee NAC client policy that has the Enforcement method option set
to None. See Network Security Sensor as an enforcer, and McAfee Network Security Platform access
control types.
Automatic remediation
Integrating McAfee NAC with McAfee Network Security Platform has no effect on automatic
remediation because all automatic remediation commands are always run by the McAfee NAC client.
Therefore, which enforcer you configure is irrelevant. You only need to be sure that unhealthy systems
can access remediation resources, such as required applications and operating system patches, from
your quarantine networks.
Operations unaffected by the McAfee® Network Security Manager access control mode
Whether you are using health-based or identity-based access control in McAfee Network Security Platform, the way that McAfee NAC detects systems and assesses system health is unaffected. However, the access control mode does determine whether, and how, the detection and assessment information is used.
Scan results for managed and unmanaged systems (presuming the guest client has been installed) are
reported to the McAfee NAC manager, allowing you to access or generate reports. The McAfee NAC
client scans systems at whatever interval you have specified using the features available through
ePolicy Orchestrator and McAfee NAC. The guest client scans systems according to the scan interval
setting in the unmanaged system policy.
Automatic remediation of managed systems is unaffected by McAfee Network Security Platform,
regardless of the access control mode. You only need to be sure that an unhealthy managed system
can access remediation resources, such as required applications and operating system patches, from
your quarantine networks. For information about McAfee® Network Security Manager operations when
a system is unhealthy, refer to its documentation set.
Client systems that use firewall software
If firewall software is running on a client system, regardless of whether it is managed or unmanaged,
and the firewall is blocking the communication port used by a Network Security Sensor for client
identification requests, this can affect the detection and enforcement behavior, especially for managed
systems.
To ensure that your Network Security Sensors always can get client identification information, make
sure the Periodic identification option is enabled in both your McAfee NAC client policies, and in your
unmanaged system policy. This option causes the client to send an identification message onto the
network every 60 seconds, but the timing can be configured. By default, this option is enabled in the
unmanaged system policy and disabled in the McAfee NAC client policy.
McAfee® Network Security Sensor as a detector
A detector identifies systems that are connected to your network, and reports these systems to the
McAfee NAC manager. To qualify as a detector, the component must report at least one form of
identifying information about a system or device to the McAfee NAC manager.
McAfee NAC can use McAfee® Network Security Sensor detection information, and combine it with
information it receives from other supported detectors (see Detectors and how they work). Any Rogue
System Sensor on your network still functions normally and reports detections.
A Network Security Sensor can be configured for different detection types. The following table lists the
detection information that a Network Security Sensor reports to the McAfee NAC manager based on its
configuration. The specific deployment and configuration determines whether a Network Security
Sensor reports some or all of the identifying information listed.
Table 9-1 Network Security Sensor detector configuration
Detection types (one column each): In-line detection | DHCP detection | VPN detection
Each detection type reports at least one of the following:
• IP address (listed under all three detection types)
• MAC address (listed under two of the three detection types)
• Host name (listed under two of the three detection types)
• McAfee Agent GUID (listed under two of the three detection types)
Multiple detectors do not interfere with each other. The most recent detection information received
that includes an IP address is considered valid for the detected host, independent of the detector. This
is because the IP address of a system is the one piece of information that might change under normal
circumstances. All other information from multiple detectors is combined for the same detected host.
For example, if one detector reports a MAC address, and a different detector reports a MAC address
and host name, the McAfee NAC manager combines this information with existing detection results
that match; otherwise, the system is new, and previously unknown to the McAfee NAC manager.
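The combining rule just described (stable identifiers from several detectors are merged into one host record, while the most recent detection that carries an IP address decides the host's current IP) can be modelled in code. The following is an added example and not McAfee's implementation; the record layout, the detector names, the rule that a detection joins an existing host when any one of MAC address, host name or agent GUID matches, and the fallback that attaches an IP-only re-detection to the host currently holding that IP are all assumptions, and the sample detections are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Identifiers that do not normally change for a host. The IP address is
# deliberately excluded because, as the guide notes, it may change.
STABLE_FIELDS = ("mac", "hostname", "agent_guid")


@dataclass
class Detection:
    """One detection message as received by the manager (layout assumed)."""
    detector: str            # which detector reported it (names constructed)
    timestamp: int           # arrival order; larger is more recent
    ip: Optional[str] = None
    mac: Optional[str] = None
    hostname: Optional[str] = None
    agent_guid: Optional[str] = None


@dataclass
class Host:
    """Combined view of one detected host."""
    ip: Optional[str] = None
    ip_timestamp: int = -1   # timestamp of the detection that set ip
    mac: Optional[str] = None
    hostname: Optional[str] = None
    agent_guid: Optional[str] = None
    detectors: Set[str] = field(default_factory=set)


def _stable_match(host: Host, det: Detection) -> bool:
    # A detection belongs to an existing host when any stable identifier it
    # carries equals the host's value for that identifier (assumption).
    return any(
        getattr(det, f) is not None and getattr(det, f) == getattr(host, f)
        for f in STABLE_FIELDS
    )


def find_host(hosts: List[Host], det: Detection) -> Optional[Host]:
    for h in hosts:
        if _stable_match(h, det):
            return h
    # Fallback (assumption): a detection carrying nothing but an IP address
    # is attached to the host that currently holds that IP.
    if det.ip is not None and all(getattr(det, f) is None for f in STABLE_FIELDS):
        for h in hosts:
            if h.ip == det.ip:
                return h
    return None


def merge_detections(detections: List[Detection]) -> List[Host]:
    hosts: List[Host] = []
    # Process in arrival order so "most recent IP wins" is well defined.
    for det in sorted(detections, key=lambda d: d.timestamp):
        host = find_host(hosts, det)
        if host is None:
            host = Host()           # previously unknown system
            hosts.append(host)
        for f in STABLE_FIELDS:     # union of stable identifiers
            if getattr(host, f) is None and getattr(det, f) is not None:
                setattr(host, f, getattr(det, f))
        if det.ip is not None and det.timestamp >= host.ip_timestamp:
            host.ip = det.ip        # most recent IP-bearing detection wins
            host.ip_timestamp = det.timestamp
        host.detectors.add(det.detector)
    return hosts


# Constructed sample detections (detector names, addresses and GUID are invented).
SAMPLE_DETECTIONS = [
    Detection("nsp-vpn", 50, ip="10.0.0.77"),
    Detection("rsd", 100, ip="10.0.0.5", mac="00:11:22:33:44:55"),
    Detection("nsp-inline", 200, mac="00:11:22:33:44:55", hostname="lab-pc1"),
    Detection("nsp-dhcp", 300, ip="10.0.0.9", hostname="lab-pc1",
              agent_guid="GUID-CONSTRUCTED-1"),
    Detection("nsp-vpn", 400, ip="10.0.0.9"),   # IP-only re-detection
]


if __name__ == "__main__":
    for h in merge_detections(SAMPLE_DETECTIONS):
        print(h)
```

Running it yields two hosts: the one first seen by the constructed "rsd" detector ends up with the MAC address, host name and agent GUID contributed by three detectors and the IP 10.0.0.9 from the later DHCP detection (the earlier 10.0.0.5 is superseded), while the IP-only VPN detection of 10.0.0.77 matches nothing stable and so remains a separate, previously unknown system.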
McAfee® Network Security Sensor as an enforcer
An enforcer is responsible for restricting the network access of systems on your network. A Network
Security Sensor can use health-based or identity-based access control enforcement depending on your
Network Security Manager configuration.
No matter which Network Security Manager access control configuration you use, network access
restrictions are based on your definitions of network access zones. Both McAfee NAC and McAfee
Network Security Platform use network access zones, so McAfee recommends you name these such
that the product they are associated with is easily identifiable.
When configured for health-based access control, a Network Security Sensor enforces network access
restrictions for unmanaged systems based on the health level it is sent from McAfee NAC or received
from the client, provided the client sensor channel is enabled. For an unmanaged system, this can be
the enforced health level, an administrator-specified health level, or the post-admission policy health
level.
Other information regarding a system's status — such as whether it has an exemption, has a manual
enforcement request, or has been marked as malicious — is communicated to the Network Security
Sensor by the McAfee NAC manager or McAfee NAC client.
When configured for identity-based access control (IBAC), a Network Security Sensor enforces
network access restrictions for managed and unmanaged systems based on system properties or user
identity credentials. The McAfee NAC architecture is not involved when using McAfee Network Security
Platform in IBAC mode. When you configure the McAfee NAC client to support IBAC, it no longer
functions as an enforcer. The enforcement of unhealthy systems becomes solely the responsibility of
the Network Security Sensor.
The determination of whether a system is healthy, whether it is enforced, and how it is enforced, is controlled by your Network Security Manager policy configuration.
To enable scalability, edit the NACServer.properties file of the McAfee NAC server, with the parameters:
• enable.client.sensor.channel=true
• periodic.message.version=3
Make sure that you also enable scalability in the Network Security Sensor.
For details about the input used by and output supplied by a Network Security Sensor, see Enforcers
and how they work. For information about Network Security Manager policies and the operation of
components, see the McAfee Network Security Platform documentation.
Health-based access control
If you are using health-based access control in McAfee Network Security Platform, then McAfee NAC
enforces managed systems using the McAfee NAC client, and McAfee® Network Security Manager
enforces unmanaged systems using Network Security Sensors. Managed systems can also be enforced
by Network Security Sensors, if configured to do so.
Most of the behavioral differences that occur when you use McAfee Network Security Platform in
combination with McAfee NAC involve enforcement, and to a lesser degree, detection.
When a system’s health status changes, the McAfee NAC manager or McAfee NAC client sends a
message containing the new health level to the Network Security Sensor. If the system is managed,
the Network Security Sensor does not take any enforcement action. If the system is unmanaged, the
Network Security Sensor is responsible for restricting network access of the system using the network
access restrictions configured by the network access zones in Network Security Manager.
For easier identification of network access zones in monitors and reports, McAfee recommends that you
use a prefix for all network access zone names created in Network Security Manager. This way, you can
avoid conflicts and confusion trying to determine whether a system is affected by a McAfee NAC
network access zone or a Network Security Manager network access zone.
Configuration changes
When using Network Security Manager for health-based access control, make these configuration
changes in McAfee NAC:
• Specify the location of your Network Security Manager (recommended) in the McAfee NAC server settings.
• Set all benchmarks in the unmanaged system policy to Enforce mode.
• (Optional) Set a Trusted communications shared secret in the McAfee NAC server settings.
System detection
When you use McAfee Network Security Platform with McAfee NAC, the Network Security Sensor adds
another detection service. Nothing changes regarding detections performed by the Rogue System
Detection service and the McAfee NAC client. In other words, a Network Security Sensor can be added
when using health-based access control without requiring changes to the detection aspects of an
existing McAfee NAC deployment.
System assessment
The McAfee NAC client assesses managed systems using your managed system health policies and
your established scan schedule. The McAfee NAC manager or McAfee NAC client reports any health
status changes on managed systems to the Network Security Sensor, provided the client sensor
channel is enabled.
For unmanaged systems, users must download the McAfee NAC guest client. Once installed, the guest client uses the unmanaged system policy to assess the system. Scans are repeated according to the policy's scan interval setting. Scan results and system health are reported to the McAfee NAC manager, which then sends the health status to the Network Security Sensor; when the client sensor channel is enabled, the McAfee NAC guest client sends the health status to the Network Security Sensor directly.
System enforcement
When using health-based access control in McAfee Network Security Platform, enforcement is still
based on a system's health. As described, the McAfee NAC client and guest client assess systems
according to your McAfee NAC policies, and report those results. McAfee Network Security Platform
enforcement of unmanaged systems is based on the enforced health level.
Using health-based access control, a Network Security Sensor can enforce managed and unmanaged
systems, and the McAfee NAC client always enforces managed systems.
Exemptions
When using health-based access control, the McAfee NAC manager reports information about exemptions to the Network Security Sensor. Any systems marked as exempt, using any McAfee NAC method, might or might not be respected by the Network Security Sensor, depending on how it is configured. Your exemption rules and any systems manually marked as exemptions can be overridden by other aspects of a Network Security Manager network policy.
Identity-based access control
If you are using identity-based access control (IBAC) in McAfee Network Security Platform, all
systems, managed and unmanaged, can be enforced by Network Security Manager using Network
Security Sensors.
If every managed system has a McAfee NAC client policy with the Enforcement method set to None,
then McAfee NAC has no control over enforcement in this configuration, and system health is not used
as the basis for enforcement. However, you can combine the solution, and have some managed
systems enforced by the McAfee NAC client, and some enforced by Network Security Sensors.
Configuration changes
To use identity-based access control, you need to make these configuration changes in McAfee NAC:
• Set the Enforcement method option in your McAfee NAC client policies to None.
• Specify the location of the Network Security Manager server (recommended) in the McAfee NAC server settings.
• Optionally set a Trusted communications shared secret in the McAfee NAC server settings.
When a system’s health status changes, the McAfee NAC client sends a message containing the new
health level to the Network Security Sensor. However, when using identity-based access control, the
Network Security Sensor ignores this information. The McAfee NAC network access policy that
designates network access zones is not used. Instead, the network access restrictions configured by
the network access zones in Network Security Manager are used.
For easier identification of network access zones in monitors and reports, McAfee recommends that you
use a prefix for all network access zone names created using Network Security Manager. This way, you
can avoid conflicts and confusion trying to determine whether a system is affected by a McAfee NAC
network access zone or a Network Security Manager network access zone.
System detection
When you use McAfee Network Security Platform with McAfee NAC, the Network Security Sensor adds
another detection service. Nothing changes regarding detections performed by the Rogue System
Detection service and the McAfee NAC client. In other words, a Network Security Sensor can be added
when using identity-based access control without requiring changes to the detection aspects of an
existing McAfee NAC deployment.
System assessment
The NAC client assesses managed systems using your managed system health policies and your
established scan schedule. The McAfee NAC manager reports any health status changes on managed
systems to the Network Security Sensor.
For unmanaged systems, users must download the McAfee NAC guest client. Once installed, the guest client uses the unmanaged system policy to assess the system. Scans are repeated according to the policy's scan interval setting. Scan results and system health are reported to the McAfee NAC manager, which then sends the health status to the Network Security Sensor.
System enforcement
When using identity-based access control in McAfee Network Security Platform, enforcement is no
longer based on a system's health. Enforcement is based solely on system properties or user identity
credentials, and all managed and unmanaged systems can be enforced by a Network Security Sensor.
To do this, your McAfee NAC client policies must have the Enforcement method option set to None. In
this configuration, the McAfee NAC client no longer performs enforcement. All enforcement actions are
controlled by the Network Security Sensor, and configured using the Network Security Manager console.
Exemptions
When using identity-based access control, the McAfee NAC manager reports information about exemptions to the Network Security Sensor. Any systems marked as exempt, using any McAfee NAC method, might or might not be respected by Network Security Manager, depending on how it is configured. Your exemption rules and any systems manually marked as exemptions can be overridden by other aspects of a Network Security Manager network policy.
McAfee NAC manager configuration
You must properly configure the McAfee NAC manager so it operates with McAfee Network Security
Platform. All components must be able to communicate with each other.
If you want to use the Guest Portal so that unmanaged systems can install the McAfee NAC guest
client, see Guest portal and guest client.
To configure the McAfee NAC manager to operate with McAfee Network Security Platform, set these
options in the McAfee NAC server settings:
• Network Security Manager location
• Client identification request setup
• Trusted communications setup
For details about this task, see Editing McAfee NAC server settings.
Network Security Manager location
This configuration option is used to create links within the McAfee NAC interface to the Network
Security Manager console. It informs the Network Access Control manager where the Network Security
Manager server is located. McAfee NAC assumes that the default Network Security Manager console
port is port 80. If the console uses a different port, you must set it using the optional port specification
format (<server_name>[<port>]).
Client identification request setup
This configuration option sets an encryption key that is used for communication between a McAfee
NAC client and a Network Security Sensor. The Network Security Sensor must communicate directly
with the McAfee NAC client to uniquely identify the system and determine whether it is managed. The
McAfee NAC manager distributes this key to a Network Security Sensor when it establishes
communications. The McAfee NAC manager distributes this key to the McAfee NAC client after it sends
its startup message.
Trusted communications setup
This configuration option sets a shared secret (effectively a password) that establishes trusted
communications between the McAfee NAC manager and a Network Security Sensor at sensor startup.
The value of this option must be used when configuring a Network Security Sensor. If the values do
not match, the Network Security Sensor cannot communicate with the McAfee NAC manager. The
default value is blank. This can be used, or you can specify your own password.
Configure a McAfee NAC client policy
Configure the McAfee NAC client to work with McAfee Network Security Platform.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then select Network Access Control Client 4.0.0 from the Product drop-down menu. There is only one category value: General.
2 Select an existing policy from the list and click Duplicate to edit, or click Actions | New Policy.
  If you are using ePolicy Orchestrator 4.5, then select an existing policy from the list and click Edit Settings or Duplicate to edit, or click Actions | New Policy.
3 If creating a new policy, select an existing policy as a template, and type a name for the new policy. The name should indicate that the policy is for use in a network enforcement environment.
4 Set the Enforcement method option to:
  • NAC client — For health-based access control
  • Microsoft Network Access Protection — For integration with Microsoft NAP.
  • None — For identity-based access control
5 Set the automatic remediation option to use and specify credentials (managed systems only).
6 Specify whether you want the McAfee NAC client to display the McAfee system tray icon.
7 Specify whether you want the McAfee NAC client to send periodic identification messages out on the network for a Network Security Sensor to pick up.
8 Deploy this McAfee NAC client policy. McAfee Network Security Platform only enforces unmanaged systems regardless of whether it is using health-based access control or identity-based access control.
9 Specify how you want to configure the sensor settings.
Assessment of unmanaged systems
When using McAfee Network Security Platform in health-based access control mode, managed systems
are assessed by the McAfee NAC client using your managed system health policies, and unmanaged
systems are assessed by the McAfee NAC guest client using the unmanaged system policy.
Unmanaged systems are detected by your Network Security Sensors. The McAfee NAC guest client is
not the same as the McAfee NAC client, and will not install on a system that has the McAfee NAC
client. The guest client differs from the McAfee NAC client in these ways:
• Guest client does not require the McAfee Agent.
• Guest client is not configured by a McAfee NAC client policy.
• Guest client is intended to be a temporary executable that is automatically removed after a specified time, which is set from the Guest Portal.
• Guest client can assess a system only with the unmanaged system policy.
• Guest client cannot use automatic remediation. Unmanaged systems must be remediated manually.
A system with the guest client installed is not a managed system according to the McAfee NAC or
ePolicy Orchestrator definitions.
The guest client's role is to evaluate system health and report the results to the McAfee NAC manager.
The guest client evaluates only the unmanaged system policy, and scans the system according to the
policy’s scan interval. The McAfee NAC manager reports the system's health level to the Network
Security Sensor. All enforcement decisions are under Network Security Manager control. McAfee NAC
does not play a role in unmanaged system enforcement.
The guest client's configuration is set as shown in this table. Most of this configuration is fixed, except
where noted.
Scan interval = Periodic interval at which a scan is invoked on guest clients.
Scan results = All benchmark and rule information.
Unhealthy host scan setting = Invokes a scan when the host is assessed as unhealthy.
System tray icon = Enabled.
Periodic identification = Enabled by default. This option is configurable in the unmanaged system policy.
Sensor Settings = Enabled by default. Receives sensor details from McAfee NAC server.
For details about setting the health policy for unmanaged systems and providing remediation
instructions, see Unmanaged system policy.
Guest portal and guest client
The Guest Portal provides an access point to which you can direct unmanaged systems so users can
install the McAfee NAC guest client. The portal is essentially a pre-configured web page, but you can
customize it with your company's logo and statement of network security policy.
The Guest Portal is installed as an extension when you install McAfee NAC. All files and executables
are located on the ePolicy Orchestrator server. To verify this, check the ePolicy Orchestrator Extensions
page.
To configure the Guest Portal, you should:
• Have a written network security policy statement to display on the portal page
• Set portal configuration options on the McAfee NAC Guest Portal server settings page
For details, see Guest portal configuration and the associated task.
Redirecting unmanaged systems detected by a Network Security Sensor to the Guest Portal is
configured using the Network Security Manager. For information, see the McAfee® Network Security
Manager documentation.
How users install the guest client
The guest client can be installed only through the Guest Portal. The guest client installer is part of the
Guest Portal extension. If you uninstall the Guest Portal extension, the guest client installer is also
removed.
When users are redirected to the Guest Portal, they must select values for two options:
• The Network access period, which sets how many days the guest client remains installed on their system before being automatically uninstalled.
• Their computer's Operating system. The system tries to automatically detect the operating system and defaults to that value, but users can choose the correct operating system (Windows, Linux, Mac OS, or other). If a user selects Other, it means they are running an operating system that is not supported by the guest client.
With these options set, users can install the guest client and have their systems scanned.
Behavior for no guest client installed
The Guest Portal does not force a user to install the guest client. If a user clicks Cancel on the guest
portal, they receive a warning that their network access might be restricted or denied. Administrators
should set the Health level for no guest client option on the McAfee NAC Guest Portal server settings page to
an appropriate value for their company security policy. This option defaults to Critical.
Alternately, a user might be running an operating system on which the guest client cannot be installed
(the Other value). If a user selects this value, they receive a warning that their network access might
be restricted or denied. Administrators should set the option Health level for 'Other' OS on the McAfee NAC
Guest Portal server settings page to an appropriate value for their company security policy. This option
defaults to Unknown.
Guest portal configuration
Configuring the Guest Portal is done by setting option values on the McAfee NAC Guest Portal server
settings page.
The options you can set are:
Option: Definition
Guest portal logo: Sets the filepath to the image file you want to use as the logo displayed on the Guest Portal. This is typically your company logo. Place the logo image file anywhere on the ePolicy Orchestrator server, and give the absolute path for this option. The JPG and GIF file formats are recommended, but you should be able to use any format supported by web-standard HTML.
Guest system policy statement: Sets the statement you want to display on the Guest Portal describing your company's network security policy for unmanaged, or guest, systems on your network. This is a text field that can contain approximately 10,000 characters.
Default guest client authorization: Sets the default value, in days, for the Network access period option on the Guest Portal page. This setting determines how long the McAfee NAC guest client is active on a guest system before the client is automatically uninstalled. The allowed values are 0, 1, 2, 5, 15, 30, and 90. A value of zero means the McAfee NAC guest client scans the system once, then is immediately uninstalled.
Health level for no guest client: Sets the default health level that is assigned to unmanaged systems on your network that do not have the McAfee NAC guest client installed. One way this would happen is if the user cancels out of the Guest Portal.
Health level for 'Other' OS: Sets the default health level that is assigned to unmanaged systems on your network when the user of the system selects the value Other for the Operating system option on the Guest Portal page.
Configure the guest portal
Set option values that configure the McAfee NAC guest portal. Typically, these settings change
infrequently.
Task
For option definitions, click ? in the interface.
1 Go to Menu | Configuration | Server Settings, then in the Setting Categories column, select NAC Guest Portal.
2 Click Edit.
3 On the Edit page, enter values for these options:
• Guest portal logo
• Guest system policy statement
• Default guest client authorization
• Health level for no guest client
• Health level for 'Other' OS
4 Click Save.
10
Integrating McAfee NAC with Microsoft Network Access Protection
McAfee NAC 4.0 supports Microsoft Network Access Protection (NAP) as an enforcer. Microsoft NAP
enforces network access restrictions for managed systems from a central NPS server.
The McAfee NAC client, acting as a System Health Agent (SHA), passes a Statement of Health to the
NPS server, which is validated by the McAfee System Health Validator and the McAfee NAC manager.
Contents
How McAfee NAC communicates with Microsoft NAP
Setup requirements
ePolicy Orchestrator considerations
Microsoft NAP as an enforcer
Support for non-native operating systems
McAfee System Health Validator operations
Failure categories of System Health Validator
Error conditions of System Health Validator
How McAfee NAC communicates with Microsoft NAP
How the Statement of Health is used to affect enforcement depends on your Microsoft NAP policy
configuration. To use Microsoft NAP as an enforcer, these components must communicate with each
other:
• ePolicy Orchestrator server that hosts McAfee NAC
• Microsoft 2008 Server that hosts the Network Policy Server (NPS)
• McAfee NAC client
For the McAfee NAC client to communicate with both the NPS and ePolicy Orchestrator servers, both
servers must be deployed in the NAP boundary network.
The McAfee NAC components that support using Microsoft NAP as an enforcer are a custom McAfee
System Health Validator (SHV) that is installed on the NPS server, and the McAfee NAC client. The
McAfee NAC client must be set to NAP enforcement mode in the McAfee NAC client policy. McAfee NAC
4.0 also supports NAP enforcement on managed systems with some Microsoft operating systems that
are not natively supported by Microsoft NAP with a DHCP Agent.
You cannot use Microsoft NAP enforcement for client systems running a supported Mac OS or Linux operating system.
In addition, you must configure the Network Access Control Server Settings using Trusted
communications setup. The shared secret configured here must be specified in McAfee System Health
Validator UI after installation, so that the McAfee System Health Validator can communicate with the
McAfee NAC manager. Once it is installed on the NPS server, the McAfee System Health Validator is
configured using the NPS console.
The information presented here assumes that you are familiar with the Microsoft NAP product, its
requirements, its operation, and its user interface components.
Setup requirements
Each component that supports the use of Microsoft Network Access Protection (NAP) as an enforcer
has specific setup and configuration requirements.
Table 10-1 Setup requirements for using Microsoft NAP as an enforcer
Component: Requirements
ePolicy Orchestrator server: The server machine must be deployed into the Network Access Protection boundary network. McAfee Network Access Control (McAfee NAC) 4.0 must be installed.
Microsoft Network Policy Server: The server machine must use the Windows 2008 Server 32-bit operating system. The Network Policy Server role must be configured and deployed into the Network Access Protection boundary network. The McAfee System Health Validator (SHV) must be installed.
McAfee NAC client: The McAfee NAC client policy on any managed system you want Microsoft Network Access Protection to enforce must have the Enforcement method set to Microsoft Network Access Protection (NAP).
McAfee System Health Validator: The McAfee System Health Validator must be installed on the Microsoft Network Policy Server, and configured through the Network Policy Server console. In the McAfee System Health Validator Properties interface, the Communication port number on the Setup tab, 8444 by default, must match the setting for Server-to-sensor communication port on your ePolicy Orchestrator server. On the Request New Certificate dialog box, the Server UI Port number, 8443 by default, must match the setting for Console-to-application server communication port on your ePolicy Orchestrator server.
McAfee DHCP Agent (optional): The DHCP Agent must be installed on a DHCP server running the Windows 2008 Server 32-bit operating system. You must have Microsoft NAP policies that are configured for DHCP-based enforcement.
ePolicy Orchestrator considerations
A typical ePolicy Orchestrator deployment in a Microsoft Network Access Protection environment has
the ePolicy Orchestrator server in the boundary network. This means it should be able to communicate
with client systems in either the trusted or non-trusted networks.
To be trusted, the ePolicy Orchestrator server must have a valid health certificate.
Typically, a health certificate is obtained manually, using the Certificates MMC snap-in for the local
computer account. If Active Directory has been configured properly for Network Access Protection, you
select the Personal certificate store, then create a certificate request for a System Health
Authentication certificate.
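The port requirements in Table 10-1 and the health certificate requirement above can be checked from the command line before the McAfee System Health Validator is configured. The following PowerShell script is an added example, not part of this guide or the product; it assumes an ePO host name you supply (the value shown is a placeholder), the guide's default ports 8444 and 8443 (change them if you changed the ePO server settings), and the NAP System Health Authentication EKU OID, assumed here to be 1.3.6.1.4.1.311.47.1.1.

```powershell
# Added example (not McAfee code): pre-flight checks for the NPS <-> ePO link.
# Run without -CheckHealthCertificate on the Network Policy Server to test the
# two ePO ports; run with -CheckHealthCertificate on the ePO server itself to
# confirm a System Health Authentication certificate is in LocalMachine\My.
param(
    [string]$EpoServer = "epo.example.local",   # placeholder, replace with your ePO host
    [int]$SensorPort   = 8444,                  # Server-to-sensor communication port (SHV Communication port)
    [int]$ConsolePort  = 8443,                  # Console-to-application server port (SHV Server UI Port)
    [switch]$CheckHealthCertificate
)

function Test-EpoPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    # Uses System.Net.Sockets.TcpClient so the check works on Windows 2008 /
    # PowerShell 2.0, where Test-NetConnection does not exist.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false                       # no answer within the timeout
        }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false                           # refused, unresolvable, or filtered
    } finally {
        $client.Close()
    }
}

function Get-SystemHealthAuthCertificate {
    # Returns certificates in the local computer's Personal store whose
    # Enhanced Key Usage lists System Health Authentication (OID assumed).
    $oid = "1.3.6.1.4.1.311.47.1.1"
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $oid })
    }
}

# Both ports must be reachable from the NPS server, or the SHV cannot
# communicate with the McAfee NAC manager and falls back to trusting the SHA.
$checks = @(
    @{ Name = "Server-to-sensor";                Port = $SensorPort },
    @{ Name = "Console-to-application server";   Port = $ConsolePort }
)
foreach ($c in $checks) {
    $state = if (Test-EpoPort -Server $EpoServer -Port $c.Port) { "reachable" } else { "NOT reachable" }
    Write-Output ("{0} port {1}/tcp on {2}: {3}" -f $c.Name, $c.Port, $EpoServer, $state)
}

if ($CheckHealthCertificate) {
    $certs = @(Get-SystemHealthAuthCertificate)
    if ($certs.Count -eq 0) {
        Write-Output "No System Health Authentication certificate in LocalMachine\My; this ePO server will not be trusted by NAP."
    } else {
        foreach ($cert in $certs) {
            Write-Output ("Health certificate: {0} (expires {1})" -f $cert.Subject, $cert.NotAfter)
        }
    }
}
```

An unreachable port here is the first thing to rule out when the System Health Validator reports the "SHV unable to contact required services" error condition described later in this chapter.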
A more subtle issue with ePolicy Orchestrator in a Network Access Protection environment is that it
might become impossible for ePolicy Orchestrator to issue agent wake-up calls to client systems. In
some configurations, for example when using IPsec enforcement, the ePolicy Orchestrator server
cannot establish communication with a non-trusted client. The client can initialize communication with
the ePolicy Orchestrator server, but not the other way around. When using DHCP and 802.1x
enforcement methods, it should be possible to get around this via network configuration.
Microsoft NAP as an enforcer
Microsoft Network Access Protection can enforce network access restrictions for McAfee NAC managed
systems from a central Network Policy Server. When you configure the McAfee NAC client for Network
Access Protection mode, it no longer functions as an enforcer. The enforcer role is transferred to
Microsoft Network Access Protection.
The McAfee NAC client continues to function as a detector and assessor, but its assessor role is
expanded so that it also functions as a Microsoft Network Access Protection System Health Agent
(SHA). In its role as a System Health Agent, the McAfee NAC client sends a Statement of Health to
the McAfee System Health Validator (SHV) on the Network Policy Server every time the system is
assessed. The Statement of Health contains a health level, and other information needed to identify
the system and determine its status.
The determination of whether a system is healthy, whether it is enforced, and how it is enforced, is
controlled by your Microsoft Network Policy Server policy configuration. Typically, most enforcement in
Microsoft Network Access Protection is controlled by your health and network policies, which receive
information from System Health Validators. The McAfee System Health Validator is only one of
potentially many System Health Validators that can be used by Microsoft Network Access Protection to
determine a system's health, and whether an enforcement action is required. Any enforcement
decision based on information from McAfee NAC depends on the configuration of the McAfee System
Health Validator, and how it is evaluated in your Network Access Protection policies.
Other information regarding a managed system's status — such as whether it has an exemption, has a
manual enforcement request, or has been marked as malicious — is communicated to the McAfee
System Health Validator by the McAfee NAC manager. This communication occurs after the McAfee
System Health Validator has received the Statement of Health. See McAfee System Health Validator
operations.
For information about Microsoft Network Access Protection policies and the operation of its
components, see the Microsoft Network Access Protection documentation.
Exemptions and NAP enforcement
A system's exemption status, whether from an exemption rule or set by an administrator, is
communicated to the Network Policy Server by the McAfee System Health Validator. Your Network
Access Protection policies are not required to act on this information, and can choose to respect or
ignore the McAfee NAC exemption status as is appropriate for your environment. Systems that are
considered exempt in McAfee NAC can be quarantined if your Network Access Protection network
policy configuration determines that the system is unhealthy.
Automatic remediation with NAP enforcement
When using McAfee NAC in a Microsoft Network Access Protection environment, McAfee recommends
that you configure your system health policies and McAfee NAC client policies according to your
remediation requirements. All McAfee NAC automatic remediation features must be enabled, and your
Network Access Protection policies must enable automatic remediation. When configured this way,
Microsoft Network Access Protection attempts to run all automatic remediation actions specified in
your McAfee NAC managed system health policies.
In addition, for the McAfee NAC automatic remediation feature to work properly, your Network Access
Protection policies for noncompliant systems cannot use the Deny Access option. Instead, use the
Allow Limited Access option. You must also configure a Network Access Protection Remediation Server
Group that allows access to:
• ePolicy Orchestrator server
• Network systems that host or allow access to remediation resources, such as required applications and operating system patches
• (Optional) Your DNS server, DHCP server, and domain controllers
McAfee NAC client operations in Network Access Protection mode
When the McAfee NAC client is configured in Network Access Protection enforcement mode, its
operation changes.
• It no longer functions as an enforcer. As a result, your McAfee NAC network access policies are invalid when the McAfee NAC client is in Network Access Protection mode.
• Its assessor role is expanded so that it also functions as a Microsoft System Health Agent (SHA).
There are no changes to the McAfee NAC client's normal operations as an assessor. All applicable
system health policies are assessed and reported to the McAfee NAC manager.
A managed system in a Microsoft Network Access Protection environment might have several System
Health Agents installed.
The McAfee NAC client as a System Health Agent
As a System Health Agent, the McAfee NAC client is responsible for sending a Statement of Health to
the McAfee System Health Validator (SHV) installed on the Network Policy Server. The Statement of
Health contains a health level and other information the McAfee System Health Validator needs to
obtain validation of the managed system from the McAfee NAC manager. The health level contained in
the Statement of Health is always the system's assessed health level.
The McAfee NAC manager attempts to validate the system, and returns that information to the McAfee
System Health Validator, along with other information it knows about the system, such as whether it
has an exemption, has an enforced health level override, or is marked as malicious and has an
associated post admission policy health level. The McAfee System Health Validator then reports all the
information it has to the Network Policy Server, which is acted on according to your configured
Network Access Protection health and network policies.
When a system’s enforcement status changes, the Network Access Protection Agent on the managed
system sends an Isolation State Change event to the McAfee NAC client (and any other System Health
Agents installed on the system). The McAfee NAC client reports these events to the McAfee NAC
manager, which updates the system's status. These events can be useful for generating reports about
enforced systems, because an enforcement change can be caused by an SHA other than the McAfee
NAC client.
Configure a McAfee NAC client policy for Network Access Protection mode
You can configure the McAfee NAC client to operate in Microsoft Network Access Protection
enforcement mode.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then select Network Access Control Client 4.0.0 from the Product drop-down menu. There is only one category value: General.
2 Select an existing policy and click Duplicate, or click Actions | New Policy. You can also click New Policy.
For ePolicy Orchestrator 4.5, select an existing policy, then click Edit Settings or Duplicate to edit an existing policy.
3 If creating a new policy, select an existing policy as a template, and type a name for the new policy. The name should indicate that the policy is for use in a Microsoft Network Access Protection environment.
4 For Enforcement method, select Microsoft Network Access Protection (NAP); for Scan results, select the required option.
If your Network Access Protection policies allow remediation to be requested from McAfee NAC, see Configuring automatic remediation for NAP mode.
5 Specify whether you want the McAfee system tray icon enabled, then save the policy.
6 Enable Periodic identification as needed, select the Sensor Settings, then click Save.
7 Go to Menu | Configuration | Server Settings, then select Network Access Control from the category list. Check the value for Default rule health level. This health level is sent in the Statement of Health if a benchmark rule does not explicitly set a health level to assign when a rule fails. To change the value, click Edit, then select the health level you want reported from the Default rule health level drop-down menu.
8 Deploy this McAfee NAC client policy to all managed systems you want enforced by Microsoft Network Access Protection.
Configure automatic remediation for Network Access Protection mode
Configure your McAfee NAC client policies and managed system health policies so that Microsoft Network Access Protection can request that McAfee NAC attempt to remediate unhealthy systems.
Before you begin
This task assumes that you have already configured a McAfee NAC client policy to use the Microsoft Network Access Protection enforcement method. If not, combine this task with Configure a McAfee NAC client policy for Network Access Protection mode.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then select Network Access Control Client 4.0.0 from the Product drop-down menu.
2 For an existing McAfee NAC client policy configured for Network Access Protection enforcement, click Duplicate.
If you are using ePolicy Orchestrator 4.5, click Edit for an existing NAC client policy configured for NAP enforcement. For Automatic remediation, select Use local system credentials or Use the following credentials. Type administrator credentials for Username and Password if you are specifying credentials. Click Save.
3 In the Duplicate Existing Policy window, enter a name for the duplicate policy, and click OK to duplicate and edit the last saved version of this policy.
4 Click the created duplicate policy to edit the health level to network access zone mapping parameters and click Save. Click New Network Access Zone to create a new zone.
5 Click Menu | Risk & Compliance | Network Access Control, then select Managed System Health Policies from the left column.
6 For every system health policy:
a Click Edit.
b In the policy builder, click the Select Benchmarks page.
c Select every benchmark that specifies a remediation command, then click Actions | Auto-remediation.
d In the dialog box, select Enable auto-remediation, then click OK.
7 Click Save.
Support for non-native operating systems
McAfee NAC includes a DHCP Agent that allows you to use Microsoft Network Access Protection enforcement on managed systems running some operating systems that are not natively supported by Network Access Protection (Microsoft refers to these as Down Level Clients, or DLCs).
Therefore, you can enforce any system that can host the McAfee NAC client, but cannot host the
Microsoft Network Access Protection System Health Agent. The DHCP Agent allows you to use
Microsoft Network Access Protection enforcement on:
• Windows XP SP2 systems
• All 32-bit versions of Windows 2000 where the McAfee NAC client can be installed
• All 32-bit versions of Windows 2003 where the McAfee NAC client can be installed
The Windows 2008 operating system is not supported by the DHCP Agent as a client system.
In the Microsoft Network Access Protection interface, all Down Level Client systems will look like Windows XP SP3 systems. If your Network Access Protection policies evaluate the Windows System
Health Validator, DLC systems will always pass. All compliance assessment you need performed on
DLC systems must be specified in your McAfee NAC system health policies. Enforcement of these
systems by Microsoft Network Access Protection is based solely on the Statement of Health received
from the McAfee System Health Validator.
Install the DHCP Agent
Using Microsoft Network Access Protection, the DHCP agent allows you to enforce systems that run
some operating systems not natively supported by Network Access Protection.
Before you begin
The DHCP Agent can be installed only on a Windows 2008 DHCP server.
The McAfee DHCP Agent is compatible only with 32-bit operating systems. Your DHCP
server must be running a 32-bit version of Windows 2008.
You can also run this installer to modify, repair, or remove the DHCP Agent.
Task
For option definitions, click ? in the interface.
1 From the McAfee product download site, download the DHCPAgent.zip file to your Windows 2008 DHCP server. The DHCP Agent installation files are also located on the ePolicy Orchestrator server at Program Files/McAfee/Network Access Control/Server/DHCP Agent. Copy this folder to your DHCP server.
2 Unzip the DHCPAgent.zip file, then run the Setup program. If you copied the DHCP Agent folder from your ePolicy Orchestrator server, run the Setup program.
3 On the Destination Folder screen, accept the default path (recommended), or click Change to specify another location, then click Next.
4 Click Install.
McAfee System Health Validator operations
The McAfee System Health Validator (SHV) requires secure communications with the McAfee NAC
manager to authenticate client systems in a Microsoft Network Access Protection environment.
Certificate provisioning is the process of establishing the certificates needed for these activities.
Certificate provisioning is essential for the proper operation of the McAfee System Health Validator.
Without it, the System Health Validator cannot retrieve accurate system information from the McAfee
NAC manager, and the full power of McAfee NAC cannot be utilized.
If it cannot communicate with the McAfee NAC manager, the System Health Validator must trust the
information about a system provided by the McAfee NAC client (in its role as a System Health Agent).
Information about the system's policy age and exemption status, for example, could be out-of-date or
an approximation.
The McAfee System Health Validator configuration allows you to set compliance values for error
conditions, such as communication problems. Though it is possible to configure the System Health
Validator to ignore communication problems, this should not be considered a normal operating
condition, and used only as a solution for temporary communication outages. However, the ability to
ignore communication problems, even though the trust level is reduced, can be useful to customers
who do not want to risk many client systems becoming noncompliant because a communication
channel was temporarily lost.
The System Health Validator configuration interface opens before the installation finishes, allowing you
to perform some initial certificate provisioning as part of the installation process.
Certificate status and the certificate store
The two most common Certificate Status values in the System Health Validator configuration interface
are:
• PROVISIONED — Indicates that the local system certificate store contains what it considers valid certificates
• NOT PROVISIONED — Indicates that no certificates could be found
The System Health Validator configuration interface does not attempt to validate the certificates in the
store before displaying the status. The displayed status indicates only whether there are certificates in
the store specific to the McAfee System Health Validator. The interface can also show errors that occur
during the provisioning process.
In unusual circumstances, it is possible to have certificates in the store that cannot be used for
communication. One example is when the System Health Validator is provisioned against one ePolicy
Orchestrator server, then later reconfigured to use a second ePolicy Orchestrator server, without
re-provisioning. This situation can leave certificates in the store that do not work when communication
with the second ePolicy Orchestrator server is attempted. In this case, you must re-provision the
certificates against the second ePolicy Orchestrator server.
If the McAfee System Health Validator is uninstalled from the Network Policy Server, any certificates it
has provisioned are removed from the system certificate store.
How certificate provisioning is performed
Certificate provisioning configuration is performed by running the McAfee System Health Validator
configuration interface from the Network Policy Server console. By default, McAfee NAC and the
McAfee System Health Validator are installed with a blank value for the Trusted communications setup
shared secret. The blank value is valid, and allows initial certificate provisioning to occur.
When you request a new certificate from the McAfee System Health Validator configuration, you must
provide the Trusted communications setup shared secret that is set in the McAfee NAC server settings.
Regardless of the actual value, the requirement is that the Trusted communications setup shared secret and
the Shared secret for certificate provisioning must match. If you experience problems, verify these two settings.
Install the McAfee System Health Validator
Install the McAfee System Health Validator (SHV) on your Microsoft Network Policy Server.
During installation, the McAfee System Health Validator configuration interface is opened. If you want
to set configuration options at this time, see Configure the McAfee System Health Validator for details.
The McAfee System Health Validator is compatible only with 32-bit operating systems. Your Microsoft
Network Policy Server must be running a 32-bit operating system.
Task
For option definitions, click ? in the interface.
1. Download the McAfeeSHV.zip file from the McAfee product download site to your Network Policy Server.
2. Unzip the file, then run the Setup program.
3. On the Destination Folder screen, accept the default path (recommended), or click Change to specify another location, then click Next.
4. Click Install.
5. Click Finish to open the System Health Validator configuration interface. If you want to configure the System Health Validator later, click Cancel.
Configure the McAfee System Health Validator
Configure the McAfee System Health Validator properties once it is installed on the Microsoft Network
Policy Server.
Before you begin
If you want to use a shared secret for trusted communications between your ePolicy Orchestrator server and the McAfee System Health Validator, do the following before configuring the McAfee System Health Validator:
1. Go to Menu | Configuration | Server Settings, then select Network Access Control from the category list.
2. Click Edit.
3. For Trusted communications setup, enable Password required, then type and confirm a password for Shared secret.
4. Click Save.
Make a note of the string you entered for the Shared secret. You will need it for Step 7 below.
Task
For option definitions, click ? in the interface.
1. Open the Network Policy Server console, and under Network Access Protection, go to System Health Validators.
2. Select the McAfee System Health Validator to open the Properties interface.
3. On the Settings tab under Error code resolution, set the compliance value to use for SHV unable to contact required services and SHA not responding to NAP Client.
4. Click Configure. On the Configuration tab:
   a. Set a minimum health level value. If the Statement of Health from the McAfee NAC client contains at least this value, the McAfee System Health Validator reports the system's status as healthy.
   b. Enable or disable the quarantine of systems based on the interval between policy updates. If enabled, you can set the number of days allowed between updates.
   c. Enable or disable the option that allows the System Health Validator to trust the information about a system it receives in the Statement of Health without validation from the McAfee NAC manager.
5. Click the Setup tab.
6. Under ePolicy Orchestrator server details, type the name or IP address of the ePolicy Orchestrator server you want the McAfee System Health Validator to communicate with. Do not change the Communication port.
   The communication port number, 8444 by default, must match the setting for Server-to-sensor communication port on your ePolicy Orchestrator server.
7. Under System Health Validator authentication certificate, click Request new certificate.
   a. Type the name or IP address of the ePolicy Orchestrator server you want the McAfee System Health Validator to communicate with.
   b. Do not change the Communication port. This port number must match the setting for Console-to-application server communication port on your ePolicy Orchestrator server.
   c. For Shared secret for certificate provisioning and Shared secret confirmation, type the value of the shared secret you set for Trusted communications setup in the McAfee NAC server settings. If the shared secret for Trusted communications setup is blank, then leave these options blank in the System Health Validator.
Failure categories of System Health Validator
In certain situations, the McAfee System Health Validator (SHV) might not be able to fully validate a Statement of Health from a McAfee NAC client.
The two situations are:
• When communication with the ePolicy Orchestrator server is lost
• When the McAfee NAC client, functioning as a System Health Agent, stops communicating with the local Network Access Protection Agent
In these situations, the McAfee System Health Validator might fall back on compliance settings configured for it in the Network Policy Server console. These settings are sometimes referred to as Failure Category settings.
To establish these failure category settings, you open the McAfee System Health Validator Properties interface in the Network Policy Server console. The “Error code resolution” section defines the failure categories. Of the five possible failures, the McAfee System Health Validator supports only these:
• System Health Validator unable to contact required services
• System Health Agent not responding to Network Access Protection Client
Changes to the other settings are ignored by the McAfee System Health Validator.
When the McAfee System Health Validator loses contact with the ePolicy Orchestrator server, it immediately tries to re-establish the connection. By default it tries every ten seconds. If a Statement of Health arrives from a McAfee NAC client during this time, the McAfee System Health Validator cannot get current configuration data from the McAfee NAC manager for the system. If the System Health Validator has been configured to ignore ePolicy Orchestrator communication problems, after it validates the certificate it is forced to trust the information sent by the McAfee NAC client and make the best compliance decision it can.
If the McAfee System Health Validator is not configured to ignore ePolicy Orchestrator communication problems, it defers the compliance decision to the value of the setting System Health Validator unable to contact required services.
It is also possible for the Network Access Protection Agent to send a Statement of Health based on cached data for a McAfee NAC client that is no longer responding to it. The McAfee System Health Validator never accepts this type of Statement of Health and always defers to the failure category setting SHA not responding to Network Access Protection Client.
Changes to the failure category settings do not take effect until the IAS service is restarted. This can be done from the command line by typing net stop ias, followed by net start ias.
Error conditions of System Health Validator
The McAfee System Health Validator (SHV) uses a set of error codes for conveying information about problematic conditions to a McAfee NAC client in its role as a System Health Agent. The McAfee System Health Validator determines the error condition and reports it to the McAfee NAC client, where it can be displayed on the client system.
Other errors are possible, such as out-of-memory, but they are not defined here because they are generic errors.
The main sources of errors are:
• Certificate provisioning problems, such as an attempt to re-provision but the port and/or shared secret is wrong, or an attempt to change ePolicy Orchestrator servers without re-provisioning
• Loss of communication with the ePolicy Orchestrator server
• Loss of communication with the System Health Agent (the McAfee NAC client)
Most of the error codes are condition codes that indicate the reason a system was considered noncompliant by the McAfee System Health Validator. The condition codes and their meaning are listed below.
No ePolicy Orchestrator server communications: The System Health Validator cannot contact the ePolicy Orchestrator server.
No NAC client communications: The Network Access Protection Agent on a system is serving as a proxy for the McAfee NAC client because communication between them has failed or been interrupted.
Invalid Statement of Health: The proprietary data structure that contains health information passed between the System Health Agent and System Health Validator is not what the System Health Validator expected.
Bad certificate: The proprietary data structure passed from the System Health Agent contained a bad certificate. The common causes are that the data structure didn't exist or was the wrong size.
Bad signature: The proprietary data structure that was passed from the System Health Agent contained a bad signature. The common causes are that the data structure didn't exist or was the wrong size.
Invalid certificate: The proprietary data structure that was passed from the System Health Agent contained a certificate that was not recognized by the System Health Validator. The most likely reason is that the certificate was signed by the wrong ePolicy Orchestrator server.
Authentication failed: The client could not be authenticated. The most likely reason is that the signature was created using an unrecognized key (a key different from what was found in the certificate).
Unknown client: The client was authenticated but the McAfee NAC manager has no information about the system.
Insufficient health: The health level provided by the McAfee NAC client was less than the required level configured in the System Health Validator.
Policy too old: The policy provided by the McAfee NAC client was out-of-date.
Unknown status: The System Health Validator hasn't responded with a compliance status. The status is used by the System Health Agent to display a message on startup.
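The rules stated in this chapter (the minimum health level, policy-age quarantine and trust-without-validation options from step 4 of Configure the McAfee System Health Validator, the two supported failure categories, and the condition codes listed above) interact in ways that are easier to follow as code. The following Python model is an added illustration and is not McAfee's code or the System Health Validator's actual implementation: it encodes only what the text states, the names ShvConfig, StatementOfHealth, Decision, evaluate and walk_through are this example's own, and the scenarios in walk_through are constructed. The condition-code strings are the ones from the table.

```python
"""Model of the McAfee SHV compliance decision as described in this chapter.

Added illustration, not McAfee code: it encodes the stated rules so the
interaction between the Configuration tab options, the failure categories and
the condition codes can be stepped through. All names below are this model's own.
"""
from dataclasses import dataclass, replace
from typing import Optional

COMPLIANT = "compliant"
NONCOMPLIANT = "noncompliant"

# Condition codes, spelled as in the table above.
NO_EPO = "No ePolicy Orchestrator server communications"
NO_NAC_CLIENT = "No NAC client communications"
UNKNOWN_CLIENT = "Unknown client"
INSUFFICIENT_HEALTH = "Insufficient health"
POLICY_TOO_OLD = "Policy too old"


@dataclass
class ShvConfig:
    """Settings from the SHV Properties interface (field names are this model's)."""
    min_health_level: int                 # Configuration tab, step 4a
    max_policy_age_days: Optional[int]    # step 4b; None means age quarantine disabled
    trust_soh_without_validation: bool    # step 4c
    # Error code resolution (Settings tab, step 3): the two failure categories
    # the SHV honours, each resolved to compliant or noncompliant.
    on_no_epo_contact: str = NONCOMPLIANT
    on_sha_not_responding: str = NONCOMPLIANT


@dataclass
class StatementOfHealth:
    """What the SHV can see of one Statement of Health (constructed fields)."""
    from_cache: bool           # NAP Agent proxying for a NAC client that stopped responding
    certificate_status: str    # "ok", or a certificate/signature code from the table
    health_level: int
    policy_age_days: int
    known_to_manager: bool     # the NAC manager has a record of the system


@dataclass
class Decision:
    verdict: str
    condition: Optional[str]   # condition code reported to the client; None when healthy


def evaluate(cfg: ShvConfig, soh: StatementOfHealth, epo_reachable: bool) -> Decision:
    # A cached SoH for a client no longer talking to the NAP Agent is never
    # accepted; only the "SHA not responding" failure category decides.
    if soh.from_cache:
        return Decision(cfg.on_sha_not_responding, NO_NAC_CLIENT)
    # Certificate and signature are checked before any trust decision is made.
    if soh.certificate_status != "ok":
        return Decision(NONCOMPLIANT, soh.certificate_status)
    if not epo_reachable:
        # Without ePO the SHV either trusts the SoH as sent (step 4c) or defers
        # to the "unable to contact required services" category. The condition
        # code is still reported so the client can display why.
        if not cfg.trust_soh_without_validation:
            return Decision(cfg.on_no_epo_contact, NO_EPO)
    elif not soh.known_to_manager:
        return Decision(NONCOMPLIANT, UNKNOWN_CLIENT)
    # Health-level and policy-age rules from the Configuration tab.
    if soh.health_level < cfg.min_health_level:
        return Decision(NONCOMPLIANT, INSUFFICIENT_HEALTH)
    if cfg.max_policy_age_days is not None and soh.policy_age_days > cfg.max_policy_age_days:
        return Decision(NONCOMPLIANT, POLICY_TOO_OLD)
    return Decision(COMPLIANT, None)


def walk_through() -> dict:
    """Constructed scenarios, one per path described in the chapter."""
    cfg = ShvConfig(min_health_level=3, max_policy_age_days=30,
                    trust_soh_without_validation=False)
    good = StatementOfHealth(from_cache=False, certificate_status="ok",
                             health_level=4, policy_age_days=2, known_to_manager=True)
    trusting = replace(cfg, trust_soh_without_validation=True)
    lenient = replace(cfg, on_no_epo_contact=COMPLIANT)
    cases = {
        "healthy": (cfg, good, True),
        "insufficient health": (cfg, replace(good, health_level=2), True),
        "policy too old": (cfg, replace(good, policy_age_days=45), True),
        "unknown client": (cfg, replace(good, known_to_manager=False), True),
        "cert from wrong epo": (cfg, replace(good, certificate_status="Invalid certificate"), True),
        "epo down, strict": (cfg, good, False),
        "epo down, category set compliant": (lenient, good, False),
        "epo down, trust soh": (trusting, good, False),
        "epo down, trust soh, low health": (trusting, replace(good, health_level=1), False),
        "cached soh": (cfg, replace(good, from_cache=True), True),
    }
    results = {}
    for name, (c, s, up) in cases.items():
        d = evaluate(c, s, up)
        results[name] = (d.verdict, d.condition)
    return results


if __name__ == "__main__":
    for name, outcome in walk_through().items():
        print(f"{name:36s} -> {outcome}")
```

Running the file prints the verdict and condition code for each scenario. The point worth noticing is the "epo down, category set compliant" case: a fallback verdict of compliant still carries the No ePolicy Orchestrator server communications code, so a client reporting that code while being admitted is the indication that the Network Policy Server is deciding without current data from the McAfee NAC manager.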
Index
A
about this guide 7
access control
health-based, in McAfee NSP 121
identity-based, in McAfee NSP 123
access restrictions 11
actions
Modify health level 104
remove malicious status 114
Remove NAC exempt 106
Request scan 100
Reset health level 104
Set malicious status 113
Set NAC exempt 106
administration, of McAfee NAC 91
administrator actions
Remove NAC exempt 75
Set NAC exempt 75
architecture
components, McAfee NAC 32
McAfee NAC manager 33
assessing system health 10
assessment
by administrator request 100
history, McAfee NAC 114
making systems exempt 70
of an unmanaged system 125
of system health 40, 41, 98
overriding assessed health level 104
policies for compliance 53
system health, scheduling McAfee NAC scans 99
assessors
McAfee NAC guest client 43
NAC client 41
auditing, system health compliance 98
automatic remediation
command reference 79
using with Microsoft NAP 133
with McAfee NSP enforcement 121
with Microsoft NAP enforcement 131
B
benchmarks
automatic remediation 49
creating for use with McAfee NAC 55, 57
editing the unmanaged system policy 60
enabling automatic remediation 78
enforcement mode 50
enforcement modes 49
enforcement modes, Audit Only 98
for non-Windows operating systems 49
queries, NAC Benchmark Enforcement Mode 97
rules 53
system health levels 48
using for network access compliance 49
C
certificates
provisioning, for McAfee System Health Validator 135
used by McAfee System Health Validator 135
client tasks, using ePolicy Orchestrator features 17
compliance
assessment, for system health 53
auditing system health 98
network access zones 62
components, McAfee NAC
functional architecture 32
how they work 35
configuration
guest portal 102, 103, 127
guest portal, configuring 127
McAfee NAC and Microsoft NAP communication 129
McAfee NAC manager 91, 124
McAfee NAC server settings 93
using McAfee NAC with McAfee NSP 117
using McAfee NAC with Microsoft NAP 130
contact information, for automatic responses 17
controlling exemptions manually 75, 106
conventions and icons used in this guide 7
creating
exemption rules 74
exemptions based on an imported list 74
McAfee NAC client deployment task 92
McAfee NAC client policies 66
network access policies 62
network access zones 64
creating, in McAfee NAC
benchmarks 55
benchmarks from checks 57
managed system health policies 58
D
dashboards
about 83
using ePolicy Orchestrator features 17
viewing exempt systems 69
deleting
McAfee NAC enforcement results 115
McAfee NAC scan results 115
deployment
supported configurations 13
task, creating for McAfee NAC client 92
detected systems
detections 10, 17
detecting systems
detections 10, 17
detectors
how they work 36
McAfee NAC guest client 39
NAC client 38
Network Security Sensor 120
Rogue System Detection service 37
devices, unmanageable 107
DHCP Agent
for Microsoft NAP enforcement 134
installing, repairing, and removing 135
documentation
audience for this guide 7
product-specific, finding 8
typographical conventions and icons 7
E
enforced health level
administrator overrides 103
removing a manual override 104
setting manually 104
enforcement
deleting results for a single system 115
enforcing systems manually 103
history, McAfee NAC 114
making systems exempt 70
manual, creating queries 95
modes, for benchmarks 49, 50
NAC, with Microsoft NAP 131
of access restrictions 11
using McAfee NSP 121
enforcers
how they work 43
McAfee NAC client 45
McAfee NSP 121
Microsoft Network Access Protection 131
ePolicy Orchestrator
considerations when using Microsoft NAP 130
creating McAfee NAC monitors 88
deploying the McAfee NAC client 92
features used by McAfee NAC 17
scheduling McAfee NAC scans 99
error conditions, See McAfee System Health Validator
event log, in ePolicy Orchestrator 17
events
cannot apply policy 105
McAfee NAC events 105, 113
exempt systems list, creating 74
exemption rules 71
exemptions
by imported list 73
controlling manually 75, 106
creating by imported list 74
creating with rules 74
effect on McAfee NSP enforcement 121
effect on Microsoft NAP enforcement 131
exporting rules 72
for identity-based access control 123
from assessment 70
from enforcement 70
importing a list of systems 74
importing rules 73
setting and removing 106
system classification 71
types of 69
when using health-based access control 121
exporting
exemption rules 72
network access zones 64
systems health policies 59
F
failure categories, See McAfee System Health Validator
FAQ, non-Windows McAfee NAC client 28
fixing unhealthy systems 11
G
guest client
about 101
as assessor 43
as detector 39
configuration 126
health-based access control 125
unmanaged system policy 59
guest portal
about 101
configuration 102, 126, 127
installing 21
H
hardware requirements, installing McAfee NAC 22
health assessment
of a managed system 98
of an unmanaged system 100, 125
health compliance, auditing 98
health levels
enforced, administrator overrides 103
in benchmarks and policies 48
health of McAfee NAC-managed systems 98
health-based access control
effect on exemptions 121
in McAfee NSP 121
historical NAC information 114
I
IBAC, See identity-based access control
identity-based access control
effect on exemptions 123
in McAfee NSP 123
imported scan exemptions 106
importing
an exempt systems list 73
exemption rules 73
network access zones 64
systems health policies 59
installation
guidelines 21
McAfee DHCP Agent 135
installation requirements
integrating with McAfee NSP 117
integrating with Microsoft NAP 130
McAfee NAC 22
installing
McAfee DHCP Agent 135
McAfee Network Access Control 24
NAC guest portal 21
post-installation tasks 27
the McAfee NAC client manually 25
the McAfee NAC client manually on Linux 26
the McAfee NAC client manually on Mac 26
the McAfee NAC client manually on Windows 25
integration
ePO considerations for Microsoft NAP 130
with McAfee Network Security Platform 117
with Microsoft NAP 129
L
logs, notification 17
M
malicious behavior, definition 108
malicious status
removing 114
setting 113
malicious systems
about 108
configuring an event response 113
creating queries 95
events 105
events, configuring a response 113
post admission control 108
resetting the status 114
setting the status 113
managed system health policies, See system health policies
managed systems
creating system health policies 58
description 12
health level override 103
health policies 51
scheduling McAfee NAC scans 99
manual control of exemptions 75, 106
manual enforcement of managed systems 103
manual remediation 79
manual remediation, required elements 80
McAfee Agent
update using automatic remediation 78
use by McAfee NAC 18
McAfee DHCP Agent
for Microsoft NAP enforcement 134
installing, repairing, and removing 135
McAfee NAC
administration 91
architecture 32
assessment history 114
assessors 40
combining with Microsoft NAP 129
communication with Microsoft NAP 129
configuration requirements, for use with McAfee NSP 117
creating benchmarks 55
creating benchmarks from checks 57
detectors 36, 120
distributed components 35
editing permission sets 93
enforcement history 114
enforcers 43
events and responses 105
functional architecture 31
functional description 9
hardware and software requirements 22
installation 21
installing the guest portal 21
integrating with McAfee Network Security Platform 117
monitors and queries 94
operations, with McAfee NSP 119
policies 47
queries, network access monitoring 84
remediation commands 79
remediators 45
running queries 88
use of ePolicy Orchestrator features 17
use of McAfee Agent 18
use of Rogue System Detection 18
McAfee NAC administrator actions
purging scan results 114
remove malicious status 114
Remove NAC exempt 71, 106
removing enforcement results 115
removing scan results 115
Request scan 100
scheduling scans 99
Set malicious status 113
Set NAC exempt 71, 106
McAfee NAC client
as a detector 38
as an enforcer 45
deploying 92
installing manually 25
installing manually on Linux 26
installing manually on Mac 26
installing manually on Windows 25
operations in Microsoft NAP mode 132
system health assessment 40
uninstalling manually on Linux 26
used as assessor 41
McAfee NAC client policies
configuring for Microsoft NAP enforcement 132
configuring for use with McAfee NSP 125
creating and modifying 66
description 65
enabling automatic remediation 78
McAfee NAC client, non-Windows
differences 27
FAQ and useful commands 28
McAfee NAC deployment
supported configurations 13
with ePolicy Orchestrator 13
with McAfee NSP 15
with McAfee NSP and Microsoft NAP 16
with Microsoft NAP 14
McAfee NAC detectors
McAfee NAC guest client 39
NAC client 38
Rogue System Detection service 37
McAfee NAC enforcement
using McAfee NSP 121
with McAfee Network Security Platform 117
with Microsoft NAP 129
McAfee NAC enforcers
McAfee NAC client 45
McAfee Network Security Platform 117
Microsoft NAP 129
McAfee NAC events
cannot apply policy 105
creating responses 105
malicious system 105
Malicious System Detected 113
system not enforceable 105
system not healthy 105
McAfee NAC guest client
as a detector 39
as assessor 43
McAfee NAC manager
architecture, how it works 33
configuration 91
configuring, for use with McAfee NSP 124
McAfee NAC server
editing configuration settings 93
guest portal configuration 103, 127
McAfee Network Access Control
installing 24
McAfee Network Security Platform
as a NAC enforcer 121
configuration requirements in McAfee NAC 117
configuring, McAfee NAC client 125
configuring, McAfee NAC manager 124
effect of firewall on client systems 120
integrating with McAfee NAC 117
McAfee ServicePortal, accessing 8
McAfee System Health Validator
certificate provisioning 135
configuring 137
error conditions 139
failure categories 138
installing 136
operations 135
McAfee system tray
icon, non-Windows systems 27
notifications for system health 41
Microsoft Network Access Protection
as a NAC enforcer 131
combining with McAfee NAC 129
configuring the McAfee NAC client 132
ePolicy Orchestrator considerations 130
installing, repairing, and removing the McAfee DHCP Agent 135
NAC automatic remediation 131
NAC exemptions 131
setup requirements 130
trusted communications setup 137
using NAC automatic remediation 133
using the McAfee DHCP Agent 134
Modify health level action 104
monitoring
network access 91
network security 83
system health compliance 98
monitors
about 83
creating 87
creating, with ePolicy Orchestrator 88
Exemption Status 70
for McAfee NAC 83
using ePolicy Orchestrator features 17
viewing exempt systems 69
N
NAC Benchmark Enforcement Mode query 97
NAC client
as an assessor 41
queries, NAC Client Started 96
system health assessment 41
NAC enforcement
query, NAC Enforced Health Level 94
using Microsoft NAP 131
NAC guest portal, installing 21
NAC Malicious Systems query 95
NAC Manual Enforcement Request query 95
NAC Remediation Command option 78
NAC Remediation Command Parameters option 78
NAP, See Microsoft Network Access Protection
network access
compliance, and benchmarks 49
controlling 9
enforcement 11
information, creating monitors 87
monitoring 91
monitoring, queries for 84
policy, enforcing 45
network access policies
about 61, 62
creating 62
network access zones
about 62
creating 64
importing and exporting 64
Network Security Sensor
and McAfee NAC automatic remediation 121
and McAfee NAC exemptions 121
as a detector 120
as a McAfee NAC enforcer 121
network security, monitoring 83
non-Windows client
FAQ and useful commands 28
requirements 22
non-Windows systems
benchmark recommendations 49
differences from Windows systems 27
FAQ and useful commands 28
noncompliance message 52
notifications
logs 17
system health 41
NSP, See McAfee Network Security Platform
O
overriding the assessed health level 104
overriding the enforced health level 103
P
PAC, See post admission control
periodic identification message 120
permission sets
editing McAfee NAC permissions 93
using ePolicy Orchestrator features 17
policies
activation 54
assigning, for system health 53
configuring for Microsoft NAP enforcement 132
creating, for network access 62
for system assessment 53
McAfee NAC client 65
network access 61
network access, enforcing 45
overview 47
system health 51
system health, structure 52
updates, non-Windows McAfee NAC client 27
policy assignment, using ePolicy Orchestrator features 17
policy catalog, in ePolicy Orchestrator 17
post admission control
creating an event response 113
enforcement 110
for malicious systems 108
how it works 109
post admission policy
about 108, 111
configuring 112
post-installation tasks 27
purging scan results 114
Q
queries
for use as McAfee NAC monitors 94
reports, network access monitoring 84
running 88
using ePolicy Orchestrator features 17
queries, for McAfee NAC
NAC Benchmark Enforcement Mode 97
NAC Client Started 96
NAC Enforced Health Level 94
NAC Malicious System 95
NAC Manual Enforcement Request 95
R
remediation
and network access zones 81
automatic 78
automatic, and benchmarks 49
common commands 79
elements for manual remediation 80
manual 79
portal 79
remediators, how they work 45
required network resources 81
types of 77
Remove NAC exempt 71, 75, 106
removing
exemptions, McAfee NAC 106
malicious status from system 114
McAfee DHCP Agent 135
retired or invalid systems 108
repairing McAfee DHCP Agent 135
reporting 41
reports, See queries
requirements
installing McAfee NAC 22
integrating with McAfee NSP 117
integrating with Microsoft NAP 130
Reset health level action 104
responses
configuring for malicious system event 113
creating for McAfee NAC events 105
malicious system detected events 112
to events 105
using ePolicy Orchestrator features 17
Rogue System Detection
as a McAfee NAC detector 37
use in McAfee NAC 18
rules
for exemptions 71
in benchmarks 53, 55, 57
notifications 17
S
scan exemptions
from an import list 106
systems not assessed 70
scan results
deleting for a single system 115
purging 114
scans
for McAfee NAC system health 100
request immediate scan 100
scheduling 99
server tasks, using ePolicy Orchestrator features 17
ServicePortal, finding product documentation 8
Set NAC exempt 71, 75, 106
setting a system's malicious status 113
setting an exemption, McAfee NAC 106
setup requirements
installing McAfee NAC 22
Microsoft Network Access Protection 130
SHV, See McAfee System Health Validator
software requirements, installing McAfee NAC 22
system classifications
effect on exemptions 71
managed 12
unenforceable 13
unmanageable 12
unmanaged 12
system detection 10
system health
assessment 10, 98
assessment by McAfee NAC client 40
assessment by NAC client 41
auditing for compliance 98
levels, in benchmarks and policies 48
setting 41
system health policies
about 51
assigning to systems 53
compliance assessment 53
creating and modifying 58
exporting 59
identifiers 52
importing 59
noncompliance message 80
noncompliance messages 52
policy activation 54
structure 52
System Health Validator for McAfee NAC 135
system tray, See McAfee system tray
systems
marking as exempt 69
removing from the database 108
unmanageable, handling 107
T
tag catalog, in ePolicy Orchestrator 17
Technical Support, finding product information 8
U
unenforceable systems
and devices 107
description 13
events 105
unhealthy systems
events 105
remediating 11, 77
uninstalling
the McAfee NAC client manually on Linux 26
unmanageable systems and devices
description 12
handling 107
unmanaged system policy
editing 60
for guest client 59
unmanaged systems
checking health of 100
description 12
using the guest client 125
users, in ePolicy Orchestrator 17
using this guide 8
W
Windows systems
benchmark recommendations 49
requirements 22
Z
zones, for network access 62