Network Access Control 4.0 Product Guide for use with - McAfee

Product Guide

McAfee Network Access Control 4.0.0
For use with ePolicy Orchestrator 4.5, 4.6 Software

COPYRIGHT

Copyright © 2012 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS

McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface 7
  About this guide 7
    Audience 7
    Conventions 7
    Using this guide 8
  Find product documentation 8

1 Introduction 9
  Controlling network access 9
    System detection 10
    System health assessment 10
    Enforcing access restrictions 11
    How unhealthy systems are fixed 11
  How systems are classified 11
    Managed systems 12
    Unmanaged systems 12
    Unmanageable systems 12
    Unenforceable systems 13
  Supported deployment configurations 13
    Deployment with McAfee ePolicy Orchestrator 13
    Deployment with Microsoft Network Access Protection 14
    Deployment with McAfee Network Security Platform 15
    Deployment with McAfee and Microsoft products 16
  Using ePolicy Orchestrator features 17
    Using Rogue System Detection 18
    How the McAfee Agent is used 18

2 Installation 21
  Pre-installation information 21
    Hardware and software requirements 22
  Install McAfee NAC 4.0 24
  Cluster installation 24
  Manually install the McAfee NAC client 25
    Install on Windows manually 25
    Install on Mac OS manually 26
    Install on Linux manually 26
  Post-installation tasks 27
  Key differences in the non-Windows McAfee NAC client 27
  FAQ for non-Windows McAfee NAC client 28

3 Functional architecture and components 31
  McAfee NAC functional architecture 32
  McAfee NAC manager and how it works 33
  How McAfee NAC distributed component works 35
  Detectors and how they work 36
    Rogue System Detection as a detector 37
    McAfee NAC client used as a detector 38
    McAfee NAC guest client used as a detector 39
  Assessors and how they work 40
    Network Access Control client used as an assessor 41
    McAfee NAC guest client used as an assessor 43
  Enforcers and how they work 43
    McAfee NAC client used as an enforcer 45
  Remediators and how they work 45

4 McAfee NAC policies 47
  Types of policies 47
  System health levels and their function 48
  Benchmarks for McAfee NAC 49
    Benchmark enforcement modes 50
  Health policies of managed systems 51
    System health policy structure 52
  Work with managed system health policies 55
    Create a McAfee NAC benchmark 55
    Create a McAfee NAC benchmark from checks 57
    Create and modify managed system health policies 58
    Export managed system health policies 59
    Import managed system health policies 59
  Unmanaged system policy 59
    Edit the unmanaged system policy 60
  Network access policies 61
    Create network access policies 62
  Network access zones and compliance 62
    Create network access zones 64
    Import and export network access zones 64
  McAfee NAC client policies 65
    Create and modify McAfee NAC client policies 66

5 Using exemptions 69
  Types of exemptions 69
  Enforcement exemptions 70
  Scan exemptions 70
  How system classification affects exemptions 71
  How exemption rules work 71
    Export exemption rules 72
    Import exemption rules 73
  Using an imported exemption list 73
    Create an exempt systems list 74
    Create exemption rules 74
    Import an exempt systems list 74
  How manual exemptions work 75

6 Remediation of unhealthy systems 77
  Types of remediation 77
  Automatic remediation 78
    Common remediation commands 79
  Manual remediation 79
    Elements needed for manual remediation 80
    Remediation resources users must access 81

7 Dashboards, monitors, and queries 83
  McAfee NAC dashboards and monitors 83
  Queries for network access monitoring 84
  Create McAfee NAC monitors 87
  Create McAfee NAC monitors with ePolicy Orchestrator 88
  Run McAfee NAC queries 88

8 Network access administration and monitoring 91
  McAfee NAC manager configuration 91
  Deployment and configuration tasks 92
    Deploy the McAfee NAC client with ePolicy Orchestrator 4.6 92
    Edit McAfee NAC server settings 93
    Edit McAfee NAC permission sets 93
  Create queries for McAfee NAC monitors 94
    Create an Enforced Health Level query 94
    Create a Manual Enforcement Request query 95
    Create a Malicious System query 95
    Create a Network Access Control Client Started query 96
    Create a Benchmark Enforcement Mode query 97
  Health compliance auditing 98
  System health assessment of managed systems 98
    Schedule managed system scans in ePolicy Orchestrator 4.5 98
    Schedule managed system scans in ePolicy Orchestrator 4.6 99
    Request an immediate scan 100
  System health assessment of unmanaged systems 100
    Guest portal and guest client 101
    Guest portal configuration 102
    Configure the guest portal 103
  Health level overrides 103
    Modify a system's health level 104
    Reset a system's health level 104
  Events and responses 105
    Create automatic event responses 105
  Manual control of exemptions 106
    Set a system's exemption status 106
  Unmanageable devices and what to do with them 107
    How to handle unenforceable systems 107
    Remove retired or invalid systems 108
  Post admission control for malicious systems 108
    What are malicious systems 108
    How post admission control works 109
    Post admission control enforcement 110
    Post admission policies 111
    Configure a post admission policy 112
    Malicious system event responses 112
    Configure a malicious system event response 113
    Set a system's malicious status 113
    Remove a system's malicious status 114
  Assessment and enforcement histories 114
    Purge scan results automatically 114
    Delete scan or enforcement results manually 115

9 Integrating McAfee NAC with McAfee Network Security Platform 117
  Configuration requirements 117
  Operations when combined with McAfee Network Security Platform 119
    Operations unaffected by the McAfee® Network Security Manager access control mode 119
    Client systems that use firewall software 120
  McAfee® Network Security Sensor as a detector 120
  McAfee® Network Security Sensor as an enforcer 121
  Health-based access control 121
  Identity-based access control 123
  McAfee NAC manager configuration 124
    Configure a McAfee NAC client policy 125
  Assessment of unmanaged systems 125
    Guest portal and guest client 126
    Guest portal configuration 127

10 Integrating McAfee NAC with Microsoft Network Access Protection 129
  How McAfee NAC communicates with Microsoft NAP 129
  Setup requirements 130
  ePolicy Orchestrator considerations 130
  Microsoft NAP as an enforcer 131
    McAfee NAC client operations in Network Access Protection mode 132
    Configure a McAfee NAC client policy for Network Access Protection mode 132
    Configure automatic remediation for Network Access Protection mode 133
  Support for non-native operating systems 134
    Install the DHCP Agent 135
  McAfee System Health Validator operations 135
    Install the McAfee System Health Validator 136
    Configure the McAfee System Health Validator 137
  Failure categories of System Health Validator 138
  Error conditions of System Health Validator 139

Index 141

Preface

This guide provides the information you need for all phases of product use, from installation to configuration to troubleshooting.

Contents

About this guide
Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

Conventions

This guide uses the following typographical conventions and icons.

Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.

Bold: Text that is strongly emphasized.

User input or Path: Commands and other text that the user types; the path of a folder or program.

Code: A code sample.

User interface: Words in the user interface including options, menus, buttons, and dialog boxes.

Hypertext blue: A live link to a topic or to a website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.


Using this guide

This guide will take you through the installation process and help you understand various features of McAfee NAC 4.0.

To do this... Look here...

• Learn how McAfee NAC works, and how the components interact. See Chapter 1, Introduction.

• Plan and perform the installation and deployment of McAfee NAC components. See Chapter 2, Installation.

• Plan an overall network access security strategy, learn the architectural description of the McAfee NAC components based on their functionality, operation and use of the Network Access Control server and Network Access Control client, and their interaction with product features. See Chapter 3, Functional architecture and components.

• Learn the function and use of system health policies for both managed and unmanaged systems, network access policies for controlling access based on health levels, and Network Access Control client policies for scan and enforcement configuration. See Chapter 4, McAfee NAC policies.

• Find out ways of marking systems as exempt from enforcement or exempt from scanning. See Chapter 5, Using exemptions.

• Automatically or manually remediate unhealthy systems on your network. See Chapter 6, Remediation of unhealthy systems.

• Get information about network security and system health through dashboards, monitors, and queries. See Chapter 7, Dashboards, monitors, and queries.

• Use McAfee NAC on a day-to-day basis. See Chapter 8, Network access administration and monitoring.

• Set up McAfee NAC to operate cooperatively with Network Security Platform. See Chapter 9, Integrating McAfee NAC with McAfee Network Security Platform.

• Set up McAfee NAC to operate cooperatively with Microsoft Network Access Protection. See Chapter 10, Integrating McAfee NAC with Microsoft Network Access Protection.

Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access user documentation:

  1 Click Product Documentation.

  2 Select a product, then select a version.

  3 Select a product document.

To access the KnowledgeBase:

  • Click Search the KnowledgeBase for answers to your product questions.

  • Click Browse the KnowledgeBase for articles listed by product and version.

1 Introduction

McAfee® Network Access Control (McAfee NAC) 4.0 is an extension to McAfee® ePolicy Orchestrator® 4.5 and 4.6 that provides network access security.

McAfee NAC can:

• Detect and assess managed systems on your network, and enforce access to network resources based on a system's health level.

• Detect and assess unmanaged systems on your network, and enforce network access based on a system's health or user identity when combined with a supported product.

To support enforcement of network access security for unmanaged systems, you can combine McAfee NAC with McAfee Network Security Platform.

To understand what McAfee NAC does and how to use it, you must be familiar with these basics:

• Functional components you can use to control access to your network.

• System classifications that determine which functional components can be used.

• Supported deployment solutions based on the type(s) of systems you want to control.

In addition, it is important to understand how McAfee NAC fits into the framework provided by ePolicy Orchestrator. See Using ePolicy Orchestrator features, and the ePolicy Orchestrator documentation.

Contents

Controlling network access
How systems are classified
Supported deployment configurations
Using ePolicy Orchestrator features

Controlling network access

McAfee® Network Access Control allows and blocks access to your network. It:

• Detects and identifies connected systems.

• Assesses a system's health according to predefined rules in policies.

• Enforces network access restrictions based on policies that map health level to network access zones.

• Fixes (remediates) systems that are not healthy.

The functional components that support these principles are described in the following table. For details, see McAfee NAC functional architecture.

Table 1-1 McAfee NAC components

Network Access Control manager: The central management portion of McAfee NAC that provides policy management, exemption management, system classification, action triggers, component deployment, and data processing and storage.

Detectors: A component that identifies systems that connect to a network. A detector can be software only, or a combination of hardware and software. Detectors can be centralized or distributed as client-side agents.

Assessors: A component that evaluates the health of a system based on policies that describe or identify required software, patches, services, registry keys, and numerous other conditions that can be described by a rule.

Enforcers: A component that restricts a system's access to network resources according to a mapping of network access zones to health levels. Enforcers are typically health-based, but can use other criteria for restricting a system's network access.

Remediators: A component that automatically attempts to bring an unhealthy system back into compliance with the policies you have defined for a healthy system.

If you need to exclude specific systems from assessment or enforcement, McAfee NAC supports this through exemptions. An exemption allows you to exclude a system or device, such as a printer, from being assessed or enforced.

System detection

The primary purpose of detection is to identify a system as unique. A secondary purpose is to provide the Network Access Control manager with information that determines a system's classification.

McAfee NAC bases system detection on one or more of these factors:

• Acquisition of a DHCP assigned address

• Periodic network broadcasts

• Establishment of a network connection

• Deployment of the McAfee Agent

• Deployment of the Network Access Control client

System health assessment

Assessment of a system's health is based on configurable policies that allow you to define various types of security rules. Which assessor you can use depends on a system's classification.

Health assessments (scans) can be scheduled and performed automatically, or initiated manually by an administrator through the NAC Summary Dashboard, or by a system user through the McAfee system tray. Health assessment also occurs automatically based on certain system conditions.

The software predefines a set of health levels that administrators use to rank a system's health state (or status) based on what is wrong. A system's health is evaluated automatically against the policies you create, or it can be set manually.

In descending order, the health levels are:

• Healthy

• Fair

• Poor

• Serious

• Critical

How the health levels are used depends entirely on your policy definitions. Only the relative order of these levels is important, and only as it relates to the way each level is mapped to network access zones. See System health levels and their function.

Another health level, Unknown, is assigned to a system automatically under these conditions:

• The first time a system is detected, including startup.

• The assessed health of a system expires.

• A scan fails to finish successfully.

• A system is unmanageable (see How systems are classified).

• A change occurs to the system's network connection and it is detected again.

The Unknown health level is considered a special case, and typically is not considered part of the health ranking.

Enforcing access restrictions

Enforcing network access restrictions is the responsibility of an enforcer. The enforcer you use is configurable, and the method of restricting network access depends on the enforcer. The choice of an enforcer depends on the products you are using for network access control.

In McAfee NAC, access enforcement is based on a system's current health status. In this regard, McAfee NAC is exclusively a health-based enforcement mechanism.

The McAfee NAC enforcer bases enforcement on a configurable policy that maps network access zones to health levels. Enforcement takes place locally on managed systems using a local firewall to block new, outgoing connections. Which resources are blocked depends on how you define your network access zones. Other supported enforcement products (enforcers) might use a different method, or even base enforcement on criteria other than health. See Enforcers and how they work.

Administrators can also control system enforcement by setting a health level manually.
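The ranking of health levels, the Unknown special case, and the mapping of levels to network access zones described above can be made concrete with a small model. The following is an added example, not McAfee NAC's own code or policy format: the zone names, address ranges, policy table and event names are constructed for illustration, while the health level names and the conditions that produce Unknown are the ones this chapter lists. The model also shows one defensive choice the text leaves open, namely what a local enforcer should do for a level that has no row in the policy.

```python
"""Model of health-based enforcement: ranked health levels, Unknown as a
special case, and a policy mapping each level to reachable network zones.
Added example, not McAfee NAC code; zones, addresses, the policy table and
event names are constructed for illustration."""
import ipaddress

# Health levels in descending order (Healthy is best).  Unknown is
# deliberately kept outside the ranking, as the guide describes.
HEALTH_RANKING = ["Healthy", "Fair", "Poor", "Serious", "Critical"]
UNKNOWN = "Unknown"

# Constructed event names for the conditions that reset a level to Unknown.
UNKNOWN_TRIGGERS = {
    "first_detection", "health_expired", "scan_failed",
    "unmanageable", "connection_changed",
}


def is_worse(level_a, level_b):
    """True when level_a ranks below level_b.  Unknown has no rank."""
    if UNKNOWN in (level_a, level_b):
        raise ValueError("Unknown is outside the health ranking")
    return HEALTH_RANKING.index(level_a) > HEALTH_RANKING.index(level_b)


def health_after_event(current, event):
    """Level a system holds after `event`; a trigger forces Unknown."""
    return UNKNOWN if event in UNKNOWN_TRIGGERS else current


# Constructed network access zones: name -> CIDR blocks.  Zones may nest, so
# lookups pick the most specific (longest prefix) match.
ZONES = {
    "remediation": ["10.0.9.0/24"],
    "corporate":   ["10.0.0.0/16"],
    "internet":    ["0.0.0.0/0"],
}


def zone_of(ip):
    """Most specific zone containing `ip`, or None if no zone matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, blocks in ZONES.items():
        for block in blocks:
            net = ipaddress.ip_network(block)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


# Constructed network access policy: health level -> zones reachable.
# Unknown gets an explicit row; grants narrow as health worsens.
ACCESS_POLICY = {
    "Healthy":  {"corporate", "remediation", "internet"},
    "Fair":     {"corporate", "remediation", "internet"},
    "Poor":     {"corporate", "remediation"},
    "Serious":  {"remediation"},
    "Critical": {"remediation"},
    UNKNOWN:    {"remediation"},
}


def allowed_zones(level, policy=ACCESS_POLICY):
    """Zones a system at `level` may open new outgoing connections to.

    A level with no policy row gets the most restrictive grant the policy
    contains, so a mistyped level fails closed rather than open."""
    if level in policy:
        return policy[level]
    return min(policy.values(), key=len)


def decide_new_connection(level, dst_ip, policy=ACCESS_POLICY):
    """'allow' or 'block' for a new outgoing connection, as a local firewall
    enforcing the zone mapping would decide.  Unzoned destinations block."""
    zone = zone_of(dst_ip)
    if zone is None or zone not in allowed_zones(level, policy):
        return "block"
    return "allow"


def enforcement_decisions():
    """Worked results for a system whose connection changed (-> Unknown)."""
    level = health_after_event("Healthy", "connection_changed")
    return {
        "after_reconnect": level,
        "unknown_to_corporate": decide_new_connection(level, "10.0.1.5"),
        "unknown_to_remediation": decide_new_connection(level, "10.0.9.20"),
        "poor_to_internet": decide_new_connection("Poor", "8.8.8.8"),
        "fair_to_internet": decide_new_connection("Fair", "8.8.8.8"),
        "unlisted_level_zones": sorted(allowed_zones("Typo")),
    }


if __name__ == "__main__":
    for key, value in enforcement_decisions().items():
        print(f"{key}: {value}")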

How unhealthy systems are fixed

Unhealthy systems can be brought back into compliance with your health policies manually or automatically. In McAfee NAC, a remediator is a component that can automatically try to fix problems or deficiencies with unhealthy systems.

McAfee NAC includes a built-in remediator, but it can be used only with managed systems because:

• Use of the McAfee NAC remediator is specified in policies that are passed only to managed systems.

• Remediation commands often require credentials, which are not typically available on unmanaged systems.

How systems are classified

The way that McAfee NAC classifies each system on your network is important for setting up and using the product, and for using its features.

There are four system classifications:

• Managed systems

• Unmanaged systems

• Unmanageable systems

• Unenforceable systems

These classifications, and their characteristics and requirements, apply exclusively to McAfee NAC functionality. Other products, including those that can be combined with McAfee NAC, might use the same classifications, but with different characteristics or requirements.

A system's classification determines which assessor, enforcer, and remediator can be used, if at all.

Managed systems

In ePolicy Orchestrator, a managed system is one with the McAfee Agent installed and operating properly.

McAfee NAC extends this definition. A managed system is one with both the McAfee Agent and the McAfee NAC client installed and operating properly. Being a managed system according to McAfee NAC is the one prerequisite for using most of the software features.

A system that has the McAfee NAC guest client installed (as a detector and assessor) is not considered a managed system. See Detectors and how they work and Assessors and how they work.

Managed systems have these characteristics and requirements:

• Only ePolicy Orchestrator managed systems can host the McAfee NAC client.

• System health is assessed by the McAfee NAC client.

• System health is evaluated against your managed system health policies.

• Enforcement can be controlled locally by the McAfee NAC client.

• Enforcement can be controlled by the Microsoft Network Access Protection product.

Unmanaged systems

In ePolicy Orchestrator, a rogue is a system without the McAfee Agent installed, or a system with an agent from another ePolicy Orchestrator server. McAfee NAC uses the concept of an unmanaged system, which is a system without the McAfee NAC client installed and operating properly, or a system without the McAfee Agent.

Unmanaged systems have these characteristics and requirements:

• An unmanaged system can be assessed only by the downloadable guest client. It cannot use the McAfee NAC client.

• System health is evaluated against a single unmanaged system policy.

• An unmanaged system cannot be enforced by the enforcer supplied by McAfee NAC.

• Enforcers supplied by other supported products, such as McAfee Network Security Platform or Microsoft Network Access Protection (Network Access Protection), might handle unmanaged systems. See the chapters that discuss use of McAfee NAC with other access control products.

Unmanageable systems

An unmanageable system has the same characteristics as an unmanaged system, but does not meet the requirements for using the McAfee NAC client or guest client.

Typically, an unmanageable system is one that is running an unsupported operating system. Unmanageable systems always appear in McAfee NAC monitors, queries, summary reports, etc. with a health level of Unknown because they cannot be assessed.

For a list of the supported operating systems, see Hardware and software requirements.

Unmanageable systems have the following characteristics and requirements:

• The health of an unmanageable system cannot be assessed because the system cannot run theMcAfee NAC client or the guest client.

• An unmanageable system cannot be enforced by the enforcer supplied by the McAfee NAC software.

• Enforcers supplied by other supported products, such as McAfee Network Security Platform orMicrosoft Network Access Protection (Network Access Protection), might be able to handleunmanageable systems. See the chapters that discuss use of McAfee NAC with other access controlproducts.

Unenforceable systems

An unenforceable system is one that could be classified as managed, unmanaged, or unmanageable.

In addition, it has both of these characteristics:

• It cannot be enforced by the enforcer supplied with the McAfee NAC software.

• Its enforcement status has not been or cannot be reported to the McAfee NAC Manager.

This classification refers exclusively to the McAfee NAC view of the system. It does not imply whetheranother product can enforce the system. An unenforceable system typically occurs when a RogueSystem Sensor detects an unmanaged system that is on a part of the network not covered by aMcAfee® Network Security Sensor (a hardware component of the McAfee Network Security Platform).

To be notified about unenforceable systems, create an automatic response that is triggered by theMcAfee NAC System is not enforceable event. See How to handle unenforceable systems.

Supported deployment configurations

McAfee NAC 4.0 can be deployed in several configurations, depending on your network security requirements and the types of systems you need to detect, assess, and enforce.

Supported deployment scenarios are:

• McAfee NAC with McAfee ePolicy Orchestrator

• McAfee NAC with Microsoft Network Access Protection

• McAfee NAC with McAfee Network Security Platform

• McAfee NAC with McAfee Network Security Platform and Microsoft Network Access Protection

Deployment with McAfee ePolicy Orchestrator

One of the supported deployment options is to use McAfee NAC with McAfee ePolicy Orchestrator for your network access security.

The following table outlines the basic aspects of this deployment.


The table columns are: required level of access control; products needed; functional agents; description.

Required level of access control: Managed systems only (no unmanaged system support)

Products needed:

• ePolicy Orchestrator 4.5 or 4.6

• Rogue System Detection 2.0

• McAfee NAC 4.0

Functional agents:

• Detector: McAfee NAC and Rogue System Detection (no sensors deployed)

• Assessor: McAfee NAC

• Enforcer: McAfee NAC

Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems only.

Required level of access control: Managed systems plus unmanaged system detection and assessment

Products needed:

• ePolicy Orchestrator 4.5 or 4.6

• Rogue System Detection 2.0

• McAfee NAC 4.0

Functional agents:

• Detector: McAfee NAC and Rogue System Detection (with sensors deployed)

• Assessor: McAfee NAC client or McAfee NAC guest client

• Enforcer: McAfee NAC or McAfee Network Security Platform

Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems only. Unmanaged systems can be detected and assessed, but not enforced. The McAfee NAC guest client is used for unmanaged system assessment.

Deployment with Microsoft Network Access Protection

One of the supported deployment options is to use McAfee NAC with Microsoft Network Access Protection (Network Access Protection) for your network access security.

The following table outlines the basic aspects of this deployment.

The table columns are: required level of access control; products needed; functional agents; description.

Required level of access control: Managed systems only (no unmanaged system support)

Products needed:

• ePolicy Orchestrator 4.5 or 4.6

• Rogue System Detection 2.0

• McAfee NAC 4.0

• Microsoft Network Access Protection

Functional agents:

• Detector: McAfee NAC client and Rogue System Detection (no sensors deployed)

• Assessor: McAfee NAC client

• Enforcer: McAfee NAC client and Microsoft Network Access Protection

Description: McAfee NAC is used for detection and assessment. Managed systems can be enforced by McAfee NAC and Microsoft Network Access Protection in any combination.

Required level of access control: Managed systems plus unmanaged system detection and assessment

Products needed:

• ePolicy Orchestrator 4.5 or 4.6

• Rogue System Detection 2.0

• McAfee NAC 4.0

• Microsoft Network Access Protection

Functional agents:

• Detector: McAfee NAC and Rogue System Detection (with sensors deployed)

• Assessor: McAfee NAC client or McAfee NAC guest client

• Enforcer: McAfee NAC client and Microsoft Network Access Protection

Description: McAfee NAC is used for detection and assessment. Managed systems can be enforced by McAfee NAC and Microsoft Network Access Protection in any combination. McAfee NAC detects and assesses unmanaged systems.


Deployment with McAfee Network Security Platform

One of the supported deployment options is to use McAfee NAC with McAfee Network Security Platform, configured for health-based access control, for your network access security.

The following table outlines the basic aspects of this deployment.

The table columns are: required level of access control; products needed; functional agents; description.

Required level of access control: Managed systems only (no unmanaged system support)

Products needed:

• ePolicy Orchestrator 4.5 or 4.6

• Rogue System Detection 2.0

• McAfee NAC 4.0

Functional agents:

• Detector: McAfee NAC client and Rogue System Detection (no sensors deployed)

• Assessor: McAfee NAC client

• Enforcer: McAfee NAC client and McAfee Network Security Sensor

Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems.

Required level of access control: Managed systems plus unmanaged system detection and assessment

Products needed:

• ePolicy Orchestrator 4.5 or 4.6

• Rogue System Detection 2.0

• McAfee NAC 4.0

• McAfee Network Security Platform

Functional agents:

• Detector: McAfee NAC client, Rogue System Detection (with sensors deployed), and McAfee Network Security Sensor

• Assessor: McAfee NAC client or McAfee NAC guest client

• Enforcer: McAfee NAC client

Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems. McAfee NAC can detect and assess unmanaged systems. McAfee Network Security Platform can be used to detect unmanaged systems.

Required level of access control: Managed and unmanaged systems

Products needed:

• ePolicy Orchestrator 4.5 or 4.6

• Rogue System Detection 2.0

• McAfee NAC 4.0

• McAfee Network Security Platform

Functional agents:

• Detector: McAfee NAC client, Rogue System Detection with deployed sensors, and McAfee Network Security Sensor

• Assessor: McAfee NAC client

• Enforcer: McAfee NAC client, and McAfee Network Security Sensor

Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems. Detection and enforcement of unmanaged systems is handled by McAfee Network Security Platform.

Required level of access control: Pure McAfee Network Security Platform

Description: McAfee NAC is not used with McAfee Network Security Platform when configured for identity-based access control. Enforcement is controlled by a Network Security Sensor for both managed and unmanaged systems.


Deployment with McAfee and Microsoft products

One of the supported deployment options is to use McAfee NAC with McAfee Network Security Platform and Microsoft Network Access Protection (Network Access Protection) for your network access security.

McAfee Network Security Platform can be configured in either health-based or identity-based modes.However, using McAfee Network Security Platform in identity-based mode is beyond the scope of thisdocument. See the McAfee Network Security Platform documentation.

The following table outlines the basic aspects of this deployment.

The table columns are: required level of access control; products needed; functional agents; description.

Required level of access control: Managed systems only (no unmanaged system support)

Products needed:

• ePolicy Orchestrator 4.5 or 4.6

• Rogue System Detection 2.0

• McAfee NAC 4.0

• Microsoft Network Access Protection

Functional agents:

• Detector: McAfee NAC client and Rogue System Detection (no sensors deployed)

• Assessor: McAfee NAC client

• Enforcer: McAfee NAC client and McAfee® Network Security Sensor

Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems.

Required level of access control: Managed systems plus unmanaged system detection and assessment

Products needed:

• ePolicy Orchestrator 4.5 or 4.6

• McAfee Network Security Platform

• Rogue System Detection 2.0

• Microsoft Network Access Protection

• McAfee NAC 4.0

Functional agents:

• Detector: McAfee NAC client, Rogue System Detection (with sensors deployed), and McAfee® Network Security Sensor

• Assessor: McAfee NAC client or McAfee NAC guest client

• Enforcer: McAfee NAC client

Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems. McAfee NAC can detect and assess unmanaged systems. McAfee Network Security Platform can be used to detect unmanaged systems.

Required level of access control: Managed and unmanaged systems

Products needed:

• ePolicy Orchestrator 4.5 or 4.6

• McAfee Network Security Platform

• Rogue System Detection 2.0

• Microsoft Network Access Protection

• McAfee NAC 4.0

Functional agents:

• Detector: McAfee NAC client, Rogue System Detection with deployed sensors, and McAfee® Network Security Sensor

• Assessor: McAfee NAC client

• Enforcer: McAfee NAC client, and McAfee® Network Security Sensor

Description: McAfee NAC is used for detection, assessment, and enforcement of managed systems. Detection and enforcement of unmanaged systems is handled by McAfee Network Security Platform.


Using ePolicy Orchestrator features

McAfee NAC 4.0 is an extension to the McAfee ePolicy Orchestrator 4.5 or 4.6 software, and it uses and relies on many ePolicy Orchestrator features, including Rogue System Detection.

In the user interface, elements specific to McAfee NAC are located in the Systems section on the NetworkAccess Control tab.

The following table lists the applicable ePolicy Orchestrator features and describes how they are usedby McAfee NAC. We recommend that you become familiar with each of the listed features and their tasks.

The table columns are: ePolicy Orchestrator feature and location; use by the McAfee NAC administrator.

In ePolicy Orchestrator 4.5, Menu | Systems | System Tree | Client Tasks. In ePolicy Orchestrator 4.6, Menu | Systems | System Tree | Assigned Client Tasks.

• Deploy the Network Access Control client to managedsystems.

• Schedule the Network Access Control client to perform a scan.

In ePolicy Orchestrator 4.5 and 4.6, Menu| Automation | Server Tasks.

• Purge Network Access Control scan results.

• Run a query according to a schedule.

• Synchronize Benchmark Editor content.

In ePolicy Orchestrator 4.5 and 4.6, Menu| Automation | Automatic Responses.

Specify an automatic action in response to a particulartype of Network Access Control event.

In ePolicy Orchestrator 4.5 and 4.6, Menu| Systems | System Tree | Assigned Policies(for policy assignment).

Assign Network Access Control client and network accesspolicies to managed systems.

In ePolicy Orchestrator 4.5 and 4.6, Menu| Policy | Policy Catalog.

• Manage network access policies (Create, Edit, Delete,Duplicate, Import, Export, and Rename).

• Manage Network Access Control client policies (Create,Edit, Delete, Duplicate, Import, Export, and Rename).

In ePolicy Orchestrator 4.5 and 4.6, Menu| Systems | Tag Catalog.

Create tags that can be used in a system health policy tospecify the systems that are to have that policy assigned.

In ePolicy Orchestrator 4.5 and 4.6,Dashboards (for dashboards andmonitors) Menu | Reporting | Dashboards.

• View an active Network Access Control dashboard.

• Create a new dashboard containing Network AccessControl monitors.

• Manage the various dashboards you use for networkaccess monitoring, and other queries related to NetworkAccess Control.

• Access detailed information about systems or NetworkAccess Control components.

In ePolicy Orchestrator 4.5, Menu | Reporting | Queries. In ePolicy Orchestrator 4.6, Menu | Reporting | Queries & Reports.

Create and manage the database queries you use toobtain Network Access Control network securityinformation.

In ePolicy Orchestrator 4.5 and 4.6, Menu| Software | Master Repository

Check in and manage content required by the NetworkAccess Control software, such as the Audit Engine contentcontaining all the compliance and threat checks andbenchmarks.


In ePolicy Orchestrator 4.5 and 4.6, Menu| Systems | Detected Systems

• Access detection information from the Rogue SystemDetection service.

• Configure and deploy Rogue System Sensors.

In ePolicy Orchestrator 4.5 and 4.6, Menu| Configuration | Registered Executables

Register an executable (see External Commands) that canbe run on the server as part of an automatic response to aNetwork Access Control event. In the automatic response,if the action is to run a registered executable, you specifyexternal commands as part of the action configuration.

In ePolicy Orchestrator 4.5 and 4.6, Menu| Configuration | Server Settings

Specify parameter values affecting the operations of theMcAfee NAC server.

In ePolicy Orchestrator 4.5 and 4.6, Menu| User Management | Permission Sets

Establish user permissions for using the McAfee NACsoftware.

In ePolicy Orchestrator 4.5 and 4.6, Menu| User Management | Users

Create or edit a person as a user of Network Access Control, and set their permission type.

In ePolicy Orchestrator 4.5 and 4.6, Menu| User Management | Contacts

Create user contact information for use in automaticresponses when you want to notify specific personnel byemail of an event.

In ePolicy Orchestrator 4.5 and 4.6, Menu| Reporting | Threat Event Log

View a history of events that are reported to the ePolicyOrchestrator server. However, McAfee NAC events arereported in the Audit log. See McAfee Network AccessControl Events and responses.

Using Rogue System Detection

When McAfee NAC is used by itself, it relies on the Rogue System Detection service for the initial detection of systems on a network.

The Rogue System Detection service can be used with or without the deployment of sensors. Withoutdeploying sensors, you only get information about ePolicy Orchestrator managed systems; that is,those that have the McAfee Agent installed. Deployment of sensors provides information aboutmanaged and unmanaged systems. See Detectors and how they operate.

Not all features of the Rogue System Detection service can be used in combination with McAfee NAC;some are even detrimental. For details, see Rogue System Detection as a detector.

If you are using McAfee Network Security Platform, you also get system detections from Network Security Sensors.

How the McAfee Agent is used

The McAfee Agent is installed on systems you intend to manage with ePolicy Orchestrator. The Network Access Control client requires the presence of the McAfee Agent for normal operations, server communications, and use of ePolicy Orchestrator features such as client tasks and policy updates.

While running in the background, the McAfee Agent:

• Installs products, product updates, and content on managed systems

• Gathers information and events from the managed system and sends this information to the server

• Records and reports events that occur on the managed system

• Runs tasks on the managed system, such as deploying the Network Access Control client

• Makes sure that McAfee NAC policies are up to date


McAfee NAC events are communicated directly to the Network Access Control manager by the NetworkAccess Control client, and do not involve the McAfee Agent.

For information about deploying the McAfee Agent, see the ePolicy Orchestrator 4.5 or 4.6documentation.


2 Installation

McAfee NAC 4.0 installs as an extension to ePolicy Orchestrator 4.5 or 4.6 to provide network accesssecurity for your organization.

McAfee NAC uses a separate installer (does not use the ePolicy Orchestrator Extensions interface).

The major components and features of the product are:

• Network Access Control manager

• Network Access Control client

• Network Access Control guest client

Contents

Pre-installation information

Install McAfee NAC 4.0

Cluster installation

Manually install the McAfee NAC client

Post-installation tasks

Key differences in the non-Windows McAfee NAC client

FAQ for non-Windows McAfee NAC client

Pre-installation information

Contains information you need to know before installing the software.

What is installed

The McAfee NAC 4.0 installer is run on an existing ePolicy Orchestrator 4.5 or 4.6 server. In addition toinstalling the Network Access Control manager and all server-side components, the installer also:

• Adds the Network Access Control client installation files for all supported platforms to the ePolicyOrchestrator master repository

• Adds these policies to the master repository and lists them in the Policy Catalog: a default NetworkAccess Control client policy, network access policy, and post admission policy

• Adds McAfee NAC queries to the master repository

• Installs the Benchmark Editor (if it has not been installed previously)

• Installs the Guest Portal and guest client installer on the ePolicy Orchestrator server


• Adds the Check Builder and check content

• Creates a client task that, by default, runs a daily scan at 12 A.M. for all Network Access Controlclients

Network Access Control Guest Portal

The McAfee NAC guest portal installs automatically as an ePolicy Orchestrator extension duringproduct installation. The guest portal resides on the ePolicy Orchestrator server. Portal configurationoptions are located on the ePolicy Orchestrator Server Settings page, and the extension name is NetworkAccess Control Guest Portal.

McAfee NAC 4.0 does not support previous versions of the guest portal. If you have an earlier versionof the guest portal installed you should remove it, but save any information you might want to usewhen configuring the McAfee NAC 4.0 guest portal.

You uninstall the guest portal by removing the extension from the ePolicy Orchestrator Extensions page.

Hardware and software requirements

Before installing McAfee NAC 4.0, make sure your environment meets these hardware and software requirements for the product.

McAfee NAC server-side components

The hardware requirements for the Network Access Control manager and all server-side componentsare the same as for the ePolicy Orchestrator 4.5 or 4.6 server. For best performance, use therecommended hardware configuration for an ePolicy Orchestrator server, rather than the minimumconfiguration.

Table 2-1 McAfee NAC software requirements

• ePolicy Orchestrator 4.5: Patch 6 or later installed; Rogue System Detection version 2.0.2 or later.

• ePolicy Orchestrator 4.6: No additional requirements. Rogue System Detection is installed as a fully integrated part of ePolicy Orchestrator 4.6.

McAfee NAC client components

Systems where you install the Network Access Control client or Network Access Control guest clientmust meet these requirements.


Table 2-2 Client system requirements

Operating system:

• Windows 2000 Professional, Service Pack 4

• Windows 2000 Advanced Server, Service Pack 4

• Windows 2000 Server, Service Pack 4

• Windows 2000 Terminal Services, Service Pack 4

• Windows XP Professional, Service Pack 2 or later (32-bit and 64-bit)

• Windows Server 2003 Enterprise, Service Pack 1 or later

• Windows Server 2003 Standard, Service Pack 1 or later

• Windows Server 2003 Web, Service Pack 1 or later

• Windows Server 2008, Service Pack 1 or later (32-bit and 64-bit)

• Windows Vista (32-bit and 64-bit)

• Windows 7 (32-bit and 64-bit)

• Mac OS X 10.5 (Leopard)

• Mac OS X 10.6 (Snow Leopard)

• Mac OS X 10.7 (Lion)

• RedHat Enterprise Linux 4

• RedHat Enterprise Linux 5

Memory: 512 MB or more RAM

ePolicy Orchestrator products:

• McAfee Agent 4.5 patch 3 or later for non-Windows systems

• McAfee Agent 4.5 patch 5 for Windows systems

The Network Access Control guest client does not require the McAfee Agent.

McAfee NAC components for use with Microsoft Network Access Protection

The McAfee System Health Validator and DHCP Agent that are used when combining McAfee NAC withMicrosoft Network Access Protection can be installed only on 32-bit operating systems.

Firewall software

If managed or unmanaged systems use personal firewall software, you must open specific ports forserver and client communications. McAfee NAC uses ports that are configured in ePolicy Orchestrator.

Table 2-3 McAfee NAC communication port requirements

• ePolicy Orchestrator 4.5: Console-to-application server communication port (default is 8443); Sensor-to-server communication port (default is 8444)

• ePolicy Orchestrator 4.6: Console-to-application server communication port (default is 8443); Client-to-server authenticated communication port (default is 8444)

Whatever the port numbers are for these ePolicy Orchestrator settings (defaults are 8443 and 8444),the firewall must open them.

Additionally, ePolicy Orchestrator might require other open ports on managed systems. McAfeerecommends that you do not run firewall software on your ePolicy Orchestrator server. If you do, makesure that all required ports are open.
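As an added example (not McAfee's code and not part of this guide), the following script checks from a Mac OS X or Linux system that both ePolicy Orchestrator ports are reachable through whatever firewalls sit between the client and the server, which is the first thing to verify when a client cannot be deployed or stops reporting. It assumes the default ports 8443 and 8444 unless you pass others, that bash is installed (the /dev/tcp pseudo-device it relies on is a bash feature, not POSIX sh), and that the server host name is given on the command line; the host name in the usage comment is a placeholder.

```bash
#!/bin/bash
# Added example, not McAfee code: verify that the ePolicy Orchestrator ports
# McAfee NAC relies on are reachable from this client through any firewall.
# Assumptions: default ports 8443 (console-to-application server) and 8444
# (sensor/client-to-server); bash's /dev/tcp pseudo-device is used for the
# connection test, so bash must be installed even when invoked via sh.

# check_port HOST PORT: return 0 if a TCP connection succeeds, 1 otherwise.
check_port() {
  host=$1
  port=$2
  if command -v timeout >/dev/null 2>&1; then
    # GNU coreutils timeout stops a silently filtered (DROP) port from
    # holding the script until the OS connect timeout expires.
    timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  else
    # No timeout utility (e.g. stock Mac OS X): a dropped packet can take
    # the full OS connect timeout before this returns.
    bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  fi
}

# check_epo_ports HOST [CONSOLE_PORT] [CLIENT_PORT]: test both ports,
# print one line per port, and return 0 only if both are reachable.
check_epo_ports() {
  host=$1
  console=${2:-8443}
  client=${3:-8444}
  rc=0
  for port in "$console" "$client"; do
    if check_port "$host" "$port"; then
      echo "$host:$port reachable"
    else
      echo "$host:$port NOT reachable: check firewall rules and the ePO port settings" >&2
      rc=1
    fi
  done
  return $rc
}

# Usage (placeholder host name): ./check-epo-ports.sh epo.example.com [8443 [8444]]
if [ $# -gt 0 ]; then
  check_epo_ports "$@"
fi
```

Run it from the client with the ePolicy Orchestrator server's host name; a non-zero exit status means at least one port is blocked or the server is not listening, and the message on standard error names which one. If the ePolicy Orchestrator Server Settings use non-default ports, pass them as the second and third arguments.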


Install McAfee NAC 4.0

Install McAfee NAC 4.0 on your ePolicy Orchestrator 4.5 or 4.6 server. At the end of the installation, the McAfee NAC content is added automatically to the ePolicy Orchestrator Master Repository.

The name of the package is Audit Engine Content. If you have modified your Update Master Repositoryserver task so that it only updates selected content, be sure to add Audit Engine Content, which islisted under Other in the Available Source Site Packages dialog box.

Task

1 Download the product zip file from the McAfee product download site, and store it in a temporarylocation on your ePolicy Orchestrator server.

2 Unzip the archive, then double-click the Setup program.

3 In the Setup Requirements window, check that each section displays the message All requiredapplications were found, then click Next. Any required applications that were not found arelisted, and you must exit and install these applications. See Pre-installation information.

4 Accept the license agreement, then click OK.

5 Accept the default installation path (recommended), or specify a different location on the ePolicyOrchestrator server, then click Next.

6 Type your ePolicy Orchestrator global administrator user name and password, then click Next.

7 Accept the default port (8444) for Network Security Sensor communications with the Network Access Control client, or specify a different port, then click Next. This port cannot be changed later without reinstalling the software.

If you change the default port number, additional configuration is required when McAfee NAC is used in combination with McAfee Network Security Platform. It is important that you read Configuration requirements in the Integrating McAfee NAC with McAfee Network Security Platform chapter.

8 Verify that all information is correct, then click Next to start the installation.

9 When the installation is complete, click OK.

Cluster installation

Install McAfee NAC on a cluster if the ePolicy Orchestrator server is a member of a Microsoft Cluster Server (MSCS) cluster.

Task

For option definitions, click ? in the interface.

1 Install McAfee NAC 4.0 on the same shared drive where ePolicy Orchestrator is installed. Noconfiguration changes are required.

2 Test the cluster:

• Select the ePolicy Orchestrator group, then select Bring Online.

• Right-click any of the resources for the ePolicy Orchestrator group, then select Initiate Failover. Theresources should fail and come back online.


Manually install the McAfee NAC client

Manually install the McAfee NAC client on any of the supported operating systems.

To install the McAfee NAC client manually on a client system, the system must be running one of thesesupported operating systems:

• Windows

• Mac

• Linux

Normally, you install the McAfee NAC client to systems through an ePolicy Orchestrator client task (seeDeploying the McAfee NAC client). However, there might be situations where you need to install theMcAfee NAC client directly on a system before allowing a network connection.

The McAfee NAC client is multi-lingual, and all supported languages for the operating system platformare installed. The McAfee NAC client automatically detects the language setting of the operatingsystem. If the language is not supported, the default is English.

The Mac OS and Linux versions of the McAfee NAC client support only English and German.

Install on Windows manually

Manually install the McAfee NAC client on a system running one of the supported Windows operating systems.

Task

1 On the ePolicy Orchestrator server, go to Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\MNACSCNR3000\Install\0409. You need the entire contents of this directory.

2 Use one of these methods to install on a client system:

• Run the installer remotely from the ePolicy Orchestrator server.

• Copy the installation files to a network share.

• Copy the installation files to the local system or a CD.

3 Run the Setup program, and click Next at the Welcome screen.

4 Accept the default location to install the McAfee NAC client, then click Next. McAfee does notrecommend installing to a different location.

5 Click Install.

6 When the installation is complete, click Finish.


Install on Mac OS manually

Manually install the McAfee NAC client on a system running one of the supported Mac operating systems.

Task

1 On the ePolicy Orchestrator server, go to Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\MNACSCNR3000MACX\Install\0409. You need the entire contents of thisdirectory.

2 Use one of these methods to install on a client system:

• Run the installer remotely from the ePolicy Orchestrator server.

• Copy the installation files to a network share.

• Copy the installation files to the local system or a CD.

3 Run the installer by double-clicking the .dmg or .pkg file, then click Next at the Welcome screen.

4 Accept the default location to install the McAfee NAC client, then click Next. McAfee does notrecommend installing to a different location.

5 Click Install.

6 When the installation is complete, click Finish.

To manually uninstall, navigate to /Library/McAfee/mnac/ and run the uninstall.sh script.

Install on Linux manually

Manually install the McAfee NAC client on a system running one of the supported Linux operating systems.

Task

1 On the ePolicy Orchestrator server, go to Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\MNACSCNR3000LNYX\Install\0409. You need the entire contents of thisdirectory.

2 Use one of these methods to install on a client system:

• Run the installer remotely from the ePolicy Orchestrator server.

• Copy the installation files to a network share.

• Copy the installation files to the local system or a CD.

3 Install the package by running rpm -i on the MNAC .rpm file from that directory (rpm -i takes the package file name as its argument). By default the client is installed under the /opt/McAfee/mnac folder.

To uninstall, use the command rpm -e MNAC-4.0-0.


Post-installation tasks

After installing McAfee NAC, additional installation or configuration steps might be necessary to make McAfee NAC work with another product.

Determine or verify whether:

• You will integrate McAfee NAC with McAfee Network Security Platform as an access control solution.If so, see Integrating McAfee NAC with McAfee Network Security Platform, and the McAfee NetworkSecurity Platform documentation.

• You will integrate McAfee NAC with Microsoft Network Access Protection as an access controlsolution. If so, see Integrating McAfee NAC with Microsoft Network Access Protection, and theMicrosoft Network Access Protection documentation.

What happens when the license expires

When the license expires, the McAfee NAC client continues to scan systems using the current systemhealth policies, and continues to report compliance status to the server. The settings for the McAfeeNAC client in the deployment task are unchanged.

Key differences in the non-Windows McAfee NAC client

Managed systems running non-Windows operating systems, and the McAfee NAC client on those systems, differ in a number of ways from their Windows counterparts.

Some general differences are:

• The McAfee Agent installation must be done manually.

• Firewall components are available, by default, with the Linux and Mac operating systems. TheMcAfee NAC client communicates with those components for enforcement.

• Mac OS X includes three user group levels: root or super user (su), administrators (adminuser), and normal users. Most Mac users are administrators and have more privileges thanWindows users. Only administrators have complete control over the system.

Other differences are categorized below.

User experience differences

The following are differences in the user experience on the client managed system.

• Tray icon and menu on client system — On Mac OS X systems, there is a menulet. Onsupported Linux platforms, the tray has been implemented using gtk+.

• Firewall integration — On Mac OS X systems, the McAfee NAC client uses ipfw, the packet filter supplied with the supported Mac OS X versions. On supported Linux platforms, the McAfee NAC client uses iptables, a system tool available by default with most Linux distributions.


Policy updates

Policy updates are performed in a different way on Mac OS X and Linux client systems. On Windowssystems, the McAfee NAC client can initiate a "pull-down" of new and updated policies, but the McAfeeNAC client for Mac OS X and Linux cannot do this. Instead, new and updated policies must be "pushed."

However, root users can update policies manually by changing to the ../McAfee/cma/bin folder and running:

cmdagent -P -E -C

The arguments can be combined as needed:

• P — To collect and send properties

• E — To enforce policies

• C — To check for new policies or tasks

• F — To forward events

• ? — To view help

Administrators push policies by setting up a Wake-up McAfee Agent task with the Get full product properties option selected. Administrators can run this task whenever needed, or set it to run on a schedule. Administrators should be familiar with the relationship between the agent wake-up task and the agent-server communication interval (ASCI).

FAQ for non-Windows McAfee NAC client

Here are commonly asked questions about the McAfee NAC client for the supported non-Windows operating systems.

To use these commands, the user must know how to enter system commands for the specifiedoperating system.

1 How do I know whether McAfee NAC 4.0 or the McAfee Agent is installed on Linux?

Type the command rpm -q MNAC. The return value should be: MNAC-4.0

2 How do I check whether the McAfee NAC or McAfee Agent service is running?

Linux:

• Type service mnac status to see if a McAfee NAC process is running.

• Type service cma status to see if a McAfee Agent process is running.

Mac OS X:

• Type ps -ef | grep 'MNac' to see if a McAfee NAC process is running. The output does not necessarily mean the process is healthy.

• Type ps -ef | grep 'cma' to see if a McAfee Agent process is running. The output does not necessarily mean the process is healthy. You can also use Activity Monitor to view these processes.

3 Where can I find the McAfee NAC or McAfee Agent log files?

Linux & Mac OS X:

• To navigate to the folder where the McAfee NAC log files are stored, type: cd /opt/McAfee/mnac/logs

• To display the end of any log file, type: tail -f /<filename>.log

• To display the end of the McAfee Agent log file, type: tail -f /Library/McAfee/cma/scratch/etc/log. Using this command requires root permissions.


4 How do I view the logs in debug mode?

Linux & Mac OS X (for McAfee Agent):

• Navigate to the folder /etc/cma.d, which contains policy folders like EPOAGENT3700LYNX, MNACSCNR3000 and NACPolicy3000.

• Open config.xml to modify McAfee Agent configurations or settings. You must restart McAfee Agent for modifications to take effect.

Linux (for McAfee NAC):

• Navigate to /opt/McAfee/mnac/config/McNacClientLog.cfg

• Edit the first line to remove INFO, and replace it with DEBUG.

Mac OS X (for McAfee NAC):

• Navigate to /Library/McAfee/mnac/config/McNacClientLog.cfg

• Edit the first line to remove INFO, and replace it with DEBUG.

5 Where can I find the McAfee NAC or McAfee Agent policy objects?

Linux & Mac OS X (for McAfee Agent):

• Navigate to the folder /etc/cma.d, which contains policy folders like EPOAGENT3700LYNX, MNACSCNR3000 and NACPolicy3000.

• Open config.xml to modify McAfee Agent configurations or settings. You must restart McAfee Agent for modifications to take effect.

Linux (for McAfee NAC):

• Use cd /opt/McAfee/mnac/data to go to the directory where all policy objects are available in binary flat file format. Root permissions are required to access these files.

Mac OS X (for McAfee NAC):

• Use cd /Library/McAfee/mnac/data to go to the directory where all policy objects are available in binary flat file format. Root permissions are required to access these files.

6 How can I check the current state of the firewall?

Linux: service iptables status

Mac OS X: ipfw show

7 How do I reset the firewall?

Linux: iptables -F to flush all entries, and iptables -D <chain-name> to delete a specific chain.

Mac OS X: ipfw flush to flush all entries, and ipfw delete <entry_number> to delete a specific entry.


3 Functional architecture and components

The McAfee NAC software consists of a central manager and a system of distributed agents that perform specific functions.

Contents

McAfee NAC functional architecture
McAfee NAC manager and how it works
How McAfee NAC distributed component works
Detectors and how they work
Assessors and how they work
Enforcers and how they work
Remediators and how they work


McAfee NAC functional architecture

A high-level overview of how McAfee NAC components interact with McAfee or other third-party components to provide network access security using ePolicy Orchestrator.

The following diagram illustrates this architecture.


McAfee NAC manager and how it works

The McAfee NAC manager is the central management portion of McAfee NAC. It provides core management functionality for all operations performed by the software. The manager provides for all policy configuration and management, and ensures that the policies are up to date.

It also provides reporting and monitoring services in the form of queries and monitors, which gather and display system and network information related to network access control.

Figure 3-1 McAfee NAC manager — Architecture

Information reported from detectors, assessors, and enforcers is processed. If necessary, the McAfee Network Access Control manager uses the information to make calculations or determinations of a system's state and status.

Table 3-1 Functions of the McAfee NAC manager

• Assess and enforce policy configuration and management — The policies that define health assessment and access enforcement criteria for systems on your network. Provides all policy configuration and management, and ensures that the policies are up to date.

• Deploy distributed components — Server tasks that initially deploy and periodically update detectors, assessors, and enforcers and the policies used by each.

• Process and store detection data — System state and status calculations, message processing, and data storage.

• Process and store assessment data — System health status, verification, checks for exemptions, comparisons against administrator settings and event handling. Takes information from any supported assessor (McAfee NAC client and guest client).

• Process and store enforcement data — Depending on the configured enforcer, get enforcement status, errors, and network access zones.

• Trigger enforcement actions — Sends a health level to the configured enforcer. When Microsoft Network Access Protection is the enforcer, this is reduced to a Statement of Health.

• Evaluate and enforce exemption rules — Processes rules and identifies matching systems. This happens when the manager gets information from a detector, assessor, or enforcer.

• Report stored data — Provides reporting and monitoring services in the form of queries and monitors, which gather and display system and network information related to access control.


For unmanaged systems, the McAfee NAC manager maintains setup configuration data, and sends health information to supported products that handle unmanaged system enforcement.

How a system's classification is determined

Classifying each system connected to a network is one of the core duties of the McAfee NAC manager. After receiving detector information, the McAfee NAC manager tries to determine which systems can be managed and enforced, and which cannot.

How precise the McAfee NAC manager can be depends on how much information a detector provides. For instance, if the McAfee NAC manager receives enough information for it to use OS fingerprinting, it can determine manageability, and in some cases, whether the system can be enforced.

The McAfee NAC manager continually evaluates the information it receives, and reclassifies systems as necessary. Situations that can trigger reclassification are:

• More information from a detector. For example, a system's first detection was by the Rogue System Detection service, but subsequent detections are from the McAfee NAC client.

• Installation or uninstallation of the McAfee NAC client.

• Change to a system's exemption status.

• The OS fingerprinter runs against the system and identifies information the McAfee NAC manager does not have.


How McAfee NAC distributed component works

The McAfee NAC distributed component architecture allows the detection, assessment, enforcement, and remediation functionality to be combined in one unit, or separated and handled by different components, even different products.

Figure 3-2 McAfee NAC distributed component architecture

McAfee NAC uses these distributable components:

• McAfee NAC client — Functions as a detector, assessor, and enforcer on managed systems

• McAfee NAC guest client — Functions as a detector and assessor on unmanaged systems

The McAfee NAC client is deployed to systems in your organization using ePolicy Orchestrator features or manually (not recommended). The McAfee NAC guest client must be downloaded and installed by unmanaged system users.


Detectors and how they work

A detector identifies systems that are connected to your network, and reports these systems to the McAfee NAC manager.

To qualify as a detector, the component must report at least one form of identifying information about a system or device to the McAfee NAC manager (see the Detector input and output table).

All discussion of detectors in this guide relates to managed systems only, unless explicitly stated otherwise.

The McAfee NAC software as a standalone product (without the use of additional products), provides the following detectors:

Table 3-2 Detector operations

• Rogue System Detection (RSD) service — Provides the primary level of detection information for systems managed by ePolicy Orchestrator. Once the McAfee NAC client is deployed to a system (classification changes to a McAfee NAC-managed system), Rogue System Detection moves to a secondary role, and the McAfee NAC client becomes the primary detector. The Rogue System Detection service also provides detection information about unmanaged and unmanageable systems, such as printers. This information is important if you use exemptions. See Using exemptions.

• McAfee NAC client — Provides the primary level of detection information for the McAfee NAC-managed systems where it is deployed.

• McAfee NAC guest client — Provides the primary level of detection information for the unmanaged systems where it is installed.

The following table lists the information that detectors use as input, and report as output. The McAfee NAC manager uses the output.

Table 3-3 Detector input and output

Rogue System Detection (RSD) service

• Input — McAfee Agent installation event and network traffic, consisting of DHCP requests and ARP broadcasts

• Output — At least one of the following: IP address, subnet, MAC address, McAfee Agent GUID, host name

McAfee NAC client

• Input — Local operating system queries

• Output — At least one of the following: IP address, subnet, MAC address, McAfee Agent GUID, host name

The specific implementation determines whether a detector reports some or all of the identifying information that is listed under Output. In addition, some detectors might provide operating system information. McAfee NAC accommodates its own detectors as well as detectors from other McAfee or third-party products.

Another supported detector is the Network Security Sensor, a hardware component of McAfee Network Security Platform. See Integrating McAfee Network Access Control with McAfee Network Security Platform.


Rogue System Detection as a detector

The Rogue System Detection (RSD) service acts initially as the primary detector in an ePolicy Orchestrator-managed system environment. Systems with the McAfee Agent installed are detected and reported to the ePolicy Orchestrator server.

However, these systems are not yet managed, according to the McAfee NAC definition. See System classifications.

Once you deploy the McAfee NAC client, its detection service takes over to provide information about the system where it resides. These systems are now managed, according to the McAfee NAC definition.

If you deploy Rogue System Sensors, the Rogue System Detection service can also provide limited information about unmanaged systems.

The Rogue System Detection service must be installed as an extension to ePolicy Orchestrator prior to installing the McAfee NAC software. However, RSD is pre-installed on ePolicy Orchestrator 4.6 and later.

Rogue System Detection features incompatible with McAfee NAC

McAfee NAC is not compatible with certain Rogue System Detection features or capabilities. These Rogue System Detection features cause no harm, and are even useful, in connection with ePolicy Orchestrator. However, when you add network access control to your environment, certain practices with Rogue System Detection can disable or nullify McAfee NAC functionality.

Prerequisites for using Rogue System Detection as a detector

You must set the user permissions for the Rogue System Detection service to View and Edit.

Rogue System Detection detector functionality

The Rogue System Detection service can function as a McAfee NAC detector with or without deploying a Rogue System Sensor.


Table 3-4 Rogue System Detection detector functionality

Without sensor deployment

The Rogue System Detection service without sensor deployment provides:

• Information about managed systems only.

• Detections occur based on the McAfee Agent sending information to the ePolicy Orchestrator server. The Rogue System Detection service listens for this information from the McAfee Agent and records the system as ePolicy Orchestrator-managed within ePolicy Orchestrator.

• Detection information about ePolicy Orchestrator-managed systems, consisting of network data such as an IP address, MAC address, host name, and subnet. The Rogue System Detection service also obtains the McAfee Agent GUID for system identification.

With sensor deployment

The Rogue System Detection service with sensor deployment provides all the functionality listed above, as well as:

• Detections occur based on the Rogue System Sensor sending information to the ePolicy Orchestrator server. Sensors listen to DHCP requests and ARP broadcasts.

• Unmanaged system information, consisting of network data such as an IP address, MAC address, host name, and subnet.

• Systems detected by a sensor are reported on the Menu | Systems | Detected Systems page in the Overall System Status pane.

Detection information provided by the Rogue System Detection service is reported to the ePolicy Orchestrator server and is accessed on the Menu | Systems | Detected Systems page. The status of these systems can be Rogue or Managed. If the system is listed as Managed it might or might not mean the system is managed according to the McAfee NAC definition. You will need to use the McAfee NAC reports or queries to determine whether a system is managed by McAfee NAC.

Use of Rogue System Detection with deployed sensors

If you use the Rogue System Detection service with deployed sensors, consider these implications:

• Any exemption rules you create might not report correctly until the systems affected by the rule have been detected. When you first create an exemption rule, it can be listed with zero systems, even though you know the network has systems that match the rule. This happens when a delay occurs between the creation of the rule and the next detection event.

• Rogue System Sensors detect when a system has an “alien” McAfee Agent. This happens when a system that reports to one ePolicy Orchestrator server is connected to a network controlled by a different ePolicy Orchestrator server. Most often this happens with laptops used during travel. If this occurs, the system health policies that are normally active for that system cannot be used as the basis of a health assessment. Systems with alien agents can use the guest client for health assessment.

McAfee NAC client used as a detector

The McAfee NAC client automatically functions as a detector once it is deployed.

To deploy the McAfee NAC client to a system, the system must have the McAfee Agent installed. Once the McAfee NAC client is deployed, the system becomes managed, according to the McAfee NAC definition.


Once deployed, the McAfee NAC client functions as the primary detector, and automatically reports its detection information to the McAfee NAC manager. For a McAfee NAC-managed system, the Rogue System Detection service moves to a secondary role. The Rogue System Detection service still reports unmanaged and unmanageable systems, and also takes over as primary detector if the McAfee NAC client is removed from a system or stops functioning properly.

To operate as a detector, the McAfee NAC client does not require any specific configuration. For each managed system, the detection information the McAfee NAC client reports consists of:

• IP addresses

• Subnets

• MAC addresses

• McAfee Agent GUID

• Host name

To uniquely identify a system, the McAfee NAC manager needs at least one of the listed types of identifying information.

The McAfee NAC client cannot provide any detection information for unmanaged systems.

To use the McAfee NAC client as a detector, you must deploy the McAfee NAC client to ePolicy Orchestrator-managed systems.

McAfee NAC guest client used as a detector

The McAfee NAC guest client automatically functions as a detector once it is installed on an unmanaged system. To install the guest client on a system, users must download and run the installer. The system does not require the McAfee Agent installed.

Installing the guest client on a system does not classify it as managed, according to the McAfee NAC definition. The guest client also functions as an assessor, but does not function as an enforcer.

Once installed, the McAfee NAC guest client functions as the primary detector, and provides the same detection functionality as the McAfee NAC client. The Rogue System Detection service moves to a secondary role. The Rogue System Detection service still reports unmanaged and unmanageable systems, and also takes over as primary detector if the guest client is removed from a system or stops functioning properly.

To operate as a detector, the guest client does not require any specific configuration. The guest client reports the following detection information:

• IP addresses

• MAC addresses

• Host name

• Subnets

To uniquely identify a system, the McAfee NAC manager needs at least one of these types of identifying information.

To use the guest client as a detector, the user must download the guest client from an accessible network location and install it.
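The detector precedence and classification behaviour described in the sections above (a client that reports takes the primary role from Rogue System Detection, RSD takes it back when the client is removed or stops reporting, and only a system with an active McAfee NAC client is managed in the McAfee NAC sense), as an added Python example that is not McAfee's code. The record layout, the order in which identifiers are matched, the treatment of every system without an active NAC client as unmanaged, and the sample detection events are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Detector names from the page.
RSD = "Rogue System Detection"
NAC_CLIENT = "McAfee NAC client"
GUEST_CLIENT = "McAfee NAC guest client"

# Primary-detector precedence, derived from the text: an installed client
# that is reporting takes over from RSD, and RSD resumes the primary role
# when the client is removed or stops functioning.
PRIMARY_PRECEDENCE = (NAC_CLIENT, GUEST_CLIENT, RSD)

# Identifier kinds from Table 3-3 that can match a report to a record.
# The order is an assumption: the agent GUID and MAC are stable, while an
# IP address or host name can be reused by another system, so they come
# last. A subnet may be reported but never identifies a single system.
MATCH_KEYS = ("agent_guid", "mac", "ip", "hostname")


@dataclass
class Detection:
    detector: str
    ids: Dict[str, str]      # e.g. {"mac": "...", "ip": "..."}
    active: bool = True      # False: the client was removed or stopped reporting


@dataclass
class SystemRecord:
    ids: Dict[str, str] = field(default_factory=dict)
    latest: Dict[str, Detection] = field(default_factory=dict)  # newest report per detector

    def primary_detector(self) -> Optional[str]:
        """First detector in precedence order that is still reporting."""
        for name in PRIMARY_PRECEDENCE:
            det = self.latest.get(name)
            if det is not None and det.active:
                return name
        return None

    def classification(self) -> str:
        """'managed' only while an active McAfee NAC client reports; the guest
        client or RSD alone leaves the system 'unmanaged'. Telling unmanaged
        from unmanageable needs OS fingerprint data, which is not modelled."""
        nac = self.latest.get(NAC_CLIENT)
        return "managed" if nac is not None and nac.active else "unmanaged"


class Inventory:
    """Manager-side table of system records, re-evaluated on every report."""

    def __init__(self) -> None:
        self.records: List[SystemRecord] = []

    def _find(self, ids: Dict[str, str]) -> Optional[SystemRecord]:
        for key in MATCH_KEYS:
            value = ids.get(key)
            if value is None:
                continue
            for rec in self.records:
                if rec.ids.get(key) == value:
                    return rec
        return None

    def ingest(self, det: Detection) -> SystemRecord:
        if det.detector not in PRIMARY_PRECEDENCE:
            raise ValueError(f"unknown detector: {det.detector}")
        if not any(k in det.ids for k in MATCH_KEYS):
            # A report with no identifying information does not qualify as a detection.
            raise ValueError("report carries no identifying information")
        rec = self._find(det.ids)
        if rec is None:
            rec = SystemRecord()
            self.records.append(rec)
        rec.ids.update(det.ids)          # the newer report refreshes identifiers
        rec.latest[det.detector] = det   # classification is re-derived on demand
        return rec


def walkthrough() -> Tuple[Inventory, List[Tuple[Optional[str], str]]]:
    """Constructed sequence: RSD sees a new host, the NAC client is deployed,
    then removed. Returns the (primary detector, classification) after each step."""
    inv = Inventory()
    steps = []
    rec = inv.ingest(Detection(RSD, {"mac": "00:11:22:33:44:55", "ip": "10.0.0.8",
                                     "hostname": "lab-pc1", "subnet": "10.0.0.0/24"}))
    steps.append((rec.primary_detector(), rec.classification()))
    rec = inv.ingest(Detection(NAC_CLIENT, {"agent_guid": "GUID-EXAMPLE-0001",
                                            "mac": "00:11:22:33:44:55", "ip": "10.0.0.8"}))
    steps.append((rec.primary_detector(), rec.classification()))
    rec = inv.ingest(Detection(NAC_CLIENT, {"agent_guid": "GUID-EXAMPLE-0001"}, active=False))
    steps.append((rec.primary_detector(), rec.classification()))
    return inv, steps


if __name__ == "__main__":
    _, history = walkthrough()
    for primary, cls in history:
        print(f"primary={primary!r:28} classification={cls}")
```

Matching on IP address or host name last is the defensive choice: both are reused under DHCP, and a mis-merge would let one system inherit another's classification, so a real inventory should prefer the agent GUID and MAC and treat an IP-only match as provisional until a stronger identifier confirms it.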


Assessors and how they work

An assessor determines the health of systems that are connected to your network, and reports the assessment results to the McAfee NAC manager.

The McAfee NAC software supports two assessors. The assessor that is used depends on whether a system is managed or unmanaged, according to the McAfee NAC system classifications.

Table 3-5 Assessor operations

McAfee NAC client

Provides a health level assessment for managed systems, according to one or more assigned system health policies. The McAfee NAC client assessor reports the following information to the McAfee NAC manager:

• Assessed health level

• Details about benchmarks and rules

• Status of the assessment (scan) — whether it failed, or was successful

• Version of content and policy that was used

• Network access zone that the host is enforced to

• Post-remediation results, if enabled

McAfee NAC guest client

Provides a health level assessment for unmanaged systems, according to a single unmanaged system policy. The guest client assessor reports the following information to the McAfee NAC manager:

• Assessed health level

• Details about benchmarks and rules

• Status of the assessment (scan) — whether it failed, or was successful

• Version of content and policy that was used

An assessor must have input to tell it what to assess on a system, and what to report about the assessment. An assessor also provides output.

Table 3-6 Assessor input and output

McAfee NAC client

• Input — Managed system health policies; a McAfee NAC client policy; benchmark content (checks and rules); network access policy

• Output — A health level descriptor; network access zone

• Output used by — The reporting service of the McAfee NAC manager, and any supported enforcer for a managed system. Remediators use the command associated with the rule or benchmark when a specific rule fails and the host becomes non-compliant.

McAfee NAC guest client

• Input — A single unmanaged system policy; benchmark content (checks and rules)

• Output — A health level descriptor

• Output used by — The reporting service of the McAfee NAC manager, and any supported enforcer for an unmanaged system. Currently, a McAfee Network Security Sensor is the only supported enforcer for an unmanaged system. There is no automated remediator at this time for unmanaged systems.


When systems are assessed

An assessor runs a scan to determine the health of a system. The health assessment is based on the system health policies that are applicable to each managed system, or the unmanaged system policy for unmanaged systems.

An assessor initiates a scan:

• At system startup

• When the McAfee NAC client service is restarted

• When a system is reconnected to the network or its network adapter changes

• When a system is assigned a new IP address

• When the McAfee NAC manager requests a scan or rescan, either automatically or at an administrator's request

• When a McAfee NAC client receives a new or updated system health policy

Network Access Control client used as an assessor

The Network Access Control client is the only assessor you can use with McAfee NAC to determine the health of managed systems.

Before you can use the Network Access Control client as an assessor, you must deploy it to ePolicy Orchestrator-managed systems. Once the Network Access Control client is deployed, the system becomes managed, according to the McAfee NAC definition, and it automatically functions as an assessor.

The Network Access Control client does not require any specific configuration to function as an assessor. However, the Network Access Control client policy contains configuration options that affect assessment operations. See McAfee NAC policies.

As an assessor, the Network Access Control client is responsible for:

• Assessing a system's health

• Setting a system's health level

• Reporting assessment results to the Network Access Control manager

• Sending notifications to the system tray on the managed system

How system health is assessed

The Network Access Control client assesses system health by running a scan. The scan is based on the system health policies that are applicable to each managed system.

An assessor initiates a scan:

• At system startup

• When the Network Access Control client service is restarted

• When a system reconnects to the network or its network adapter changes

• When a system is assigned a new IP address

• When the Network Access Control manager prompts for a scan or rescan

• When a Network Access Control client receives a new or updated system health policy


How health levels are set

A system's health status is the result of several factors. A system has both an assessed health level and an enforced health level, and it has an overall system health status. The overall system health status is derived from the assessed health level, and takes into account other factors such as exemptions.

The assessed health level is the result of evaluating all benchmarks in the system health policies whose Enforcement Mode is Enforce or Audit Only. After completing a scan, the Network Access Control client sets the assessed health level at the most unhealthy value.

The enforced health level is the result of evaluating only those benchmarks in the system health policies whose Enforcement Mode is Enforce. After completing a scan, the Network Access Control client sets the enforced health level at the most unhealthy value.

The Network Access Control client changes the health level of managed systems based on scan results or explicit administrator instructions. If the health level is changed due to a scan, it is based on your benchmark rule properties. In each rule, you can specify the health level you want it to assign if the rule fails.

Administrators can manually change the enforced health level of a system when they view system summary and system detail pages. These pages are accessed through the NAC Summary dashboard or as the result of a query.

Reporting of assessment results

After a scan is completed, the Network Access Control client reports the results to the Network Access Control manager and checks whether the Network Access Control manager has newer policies. If so, the newer policies are downloaded, and the system is rescanned. The Network Access Control client policy allows you to configure the level of detail in the scan results that are sent to the Network Access Control manager.

For each managed system, the assessment information the Network Access Control client reports consists of:

• Benchmark names that were assessed and which, if any, failed

• Benchmark rule names that were assessed and which, if any, failed

• Assessed health level of the system

• Assessment status (success or failure)

• Content and policy versions used in the assessment
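The derivation described under How health levels are set, together with the report fields listed above, as an added Python example that is not McAfee's code. The health level names and their ordering, the health-level-to-zone mapping, the report field names, and the sample scan are constructed assumptions; the page itself names only Healthy, the Enforce and Audit Only modes, the per-rule fail level, and the administrator's Modify health level override.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed ordering of health levels, least to most unhealthy. The page
# says only "Healthy or one of the unhealthy states"; the other names are
# assumptions used for illustration.
HEALTH_LEVELS = ["Healthy", "Minor", "Serious", "Critical"]

# Benchmark enforcement modes named on the page.
ENFORCE = "Enforce"
AUDIT_ONLY = "Audit Only"


@dataclass
class Rule:
    name: str
    passed: bool
    fail_level: str   # health level the rule assigns when it fails


@dataclass
class Benchmark:
    name: str
    enforcement_mode: str
    rules: List[Rule] = field(default_factory=list)

    def failed_rules(self) -> List[Rule]:
        return [r for r in self.rules if not r.passed]


def _most_unhealthy(levels: List[str]) -> str:
    """Worst level in the list; Healthy when no rule failed."""
    for level in levels:
        if level not in HEALTH_LEVELS:
            raise ValueError(f"unknown health level: {level}")
    if not levels:
        return "Healthy"
    return max(levels, key=HEALTH_LEVELS.index)


def _fail_levels(benchmarks: List[Benchmark], modes) -> List[str]:
    return [r.fail_level for b in benchmarks if b.enforcement_mode in modes
            for r in b.failed_rules()]


def assessed_health_level(benchmarks: List[Benchmark]) -> str:
    """Enforce and Audit Only benchmarks both count toward the assessed level."""
    return _most_unhealthy(_fail_levels(benchmarks, {ENFORCE, AUDIT_ONLY}))


def enforced_health_level(benchmarks: List[Benchmark]) -> str:
    """Only Enforce benchmarks count toward the enforced level."""
    return _most_unhealthy(_fail_levels(benchmarks, {ENFORCE}))


def effective_enforced_level(benchmarks: List[Benchmark],
                             admin_override: Optional[str] = None) -> str:
    """Level the enforcer acts on: an administrator's manual setting
    (Modify health level) takes precedence over the scan result."""
    if admin_override is not None:
        if admin_override not in HEALTH_LEVELS:
            raise ValueError(f"unknown health level: {admin_override}")
        return admin_override
    return enforced_health_level(benchmarks)


# Constructed network access policy: one zone per health level (assumption).
NETWORK_ACCESS_POLICY: Dict[str, str] = {
    "Healthy": "Full access",
    "Minor": "Full access",
    "Serious": "Remediation zone",
    "Critical": "Quarantine zone",
}


def zone_for(level: str, policy: Dict[str, str] = NETWORK_ACCESS_POLICY) -> str:
    return policy[level]


def assessment_report(benchmarks: List[Benchmark], scan_ok: bool = True,
                      content_version: str = "content-EXAMPLE",
                      policy_version: str = "policy-EXAMPLE") -> dict:
    """Shape of what the client reports after a scan (field names assumed)."""
    return {
        "failed_benchmarks": [b.name for b in benchmarks if b.failed_rules()],
        "failed_rules": [r.name for b in benchmarks for r in b.failed_rules()],
        "assessed_health_level": assessed_health_level(benchmarks),
        "enforced_health_level": enforced_health_level(benchmarks),
        "assessment_status": "success" if scan_ok else "failure",
        "content_version": content_version,
        "policy_version": policy_version,
    }


# Constructed scan results for one managed system.
SAMPLE_SCAN = [
    Benchmark("Antivirus current", ENFORCE, [
        Rule("signature-age-under-7-days", passed=False, fail_level="Serious"),
        Rule("realtime-scanning-on", passed=True, fail_level="Critical"),
    ]),
    Benchmark("Disk encryption", AUDIT_ONLY, [
        Rule("full-disk-encryption-enabled", passed=False, fail_level="Critical"),
    ]),
    Benchmark("Screen lock", ENFORCE, [
        Rule("lock-timeout-under-15-min", passed=True, fail_level="Minor"),
    ]),
]

if __name__ == "__main__":
    print(assessment_report(SAMPLE_SCAN))
    print("zone:", zone_for(effective_enforced_level(SAMPLE_SCAN)))
```

Running it shows the point the two definitions make: the Audit Only finding raises the assessed level to Critical, which is what reports and queries display, while the enforcer only sees Serious, so an audit benchmark never moves a system to a different zone on its own.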

How notifications are sent

The Network Access Control client notifies users of important events or situations using a popup notification accessed from the McAfee system tray. If the system tray is not enabled, users cannot receive these notifications.

Notifications occur when:

• The system's health level changes. The user is informed of the new health level, and the status of the benchmarks that were assessed. The new health level might be Healthy or one of the unhealthy states.

• The system is restricted to any network access zone other than the one assigned to the Healthy state. This occurs automatically based on the applicable network access policy, or based on a manual action by the administrator.

• A scan is in progress.


• The Network Access Control client fails to run a scan successfully.

• The Network Access Control client is not running.

• Automatic remediation is in progress, completed or failed.

• Client enforcement status changes, when the client is moved to a different zone.

McAfee NAC guest client used as an assessor

The McAfee NAC guest client automatically functions as an assessor once it is installed on an unmanaged system.

To install the guest client on a system, users must download and run the installer. The system is not required to have the McAfee Agent installed.

Once installed, the McAfee NAC guest client provides the same assessment functionality as the McAfee NAC client, with the exception that it assesses a system's health based on a single unmanaged system policy, rather than a set of managed system health policies.

Installing the guest client on a system does not classify it as managed, according to the McAfee NAC definition. The guest client also functions as a detector, but does not function as an enforcer.

Enforcers and how they work

An enforcer is responsible for restricting the network access of systems based on their current health level.

A system's health level can be set by several methods. Typically the restriction of network access is based on the definition of one or more network access zones, which are mapped to each possible health level.

Different enforcers can use different methods to restrict a system's access to a network. See How health levels are set.

The McAfee NAC software supports three enforcers. The enforcer that is used depends on whether a system is managed or unmanaged, and the method you use to restrict network access.


Table 3-7 Enforcer operations

McAfee NAC client

Provides local enforcement of network access restrictions for managed systems based on:

• Enforced health level

• Administrator-specified health level

• Post-admission policy health level

The McAfee NAC client enforcer reports the following information to the McAfee NAC manager:

• Network access zone being enforced

• Success or failure of the enforcement

Microsoft Network Access Protection (NAP)

Provides enforcement of network access restrictions for managed systems from a central Network Policy Server (NPS) based on:

• Assessed health level

• Administrator-specified health level

• Post-admission policy health level

Regardless of the health level's origin, it is validated by the McAfee System Health Validator.

McAfee Network Security Sensor

Provides enforcement of network access restrictions for unmanaged systems when configured for health-based access control based on:

• Assessed health level

• Administrator-specified health level

• Post-admission policy health level

Provides enforcement of network access restrictions for managed systems when configured for identity-based access control (IBAC) based on:

• System properties

• User identity credentials

The McAfee NAC architecture is not involved when using McAfee Network Security Platform in IBAC mode.

The following table lists the information that enforcers use as input, report as output, and which components use the output.


Table 3-8 Enforcer input and output

McAfee NAC client

• Input — A health level from an assessor, post-admission policy, or an administrator action; a managed network access policy; a McAfee NAC client policy

• Output — The network access zone being enforced; the success or failure of the enforcement

• Output used by — The reporting service of the McAfee NAC manager

Microsoft Network Access Protection

• Input — A health level from an assessor, post-admission policy, or an administrator action; a McAfee System Health Validator configuration

• Output — The Network Access Protection network access zone being enforced; the success or failure of the enforcement

• Output used by — The reporting service of the McAfee NAC manager, and the Microsoft Network Access Protection Status application

McAfee Network Security Sensor

• Input — A health level from an assessor, post-admission policy, or an administrator action; the system classification (managed, unmanaged, or unmanageable)

• Output — The Network Security Manager network access zone being enforced; the success or failure of the enforcement

• Output used by — The reporting service of the McAfee NAC manager

McAfee NAC client used as an enforcer

Use the McAfee NAC client to restrict network access, based on the network access policy assigned to the system. To have the McAfee NAC client operate as an enforcer, you must properly configure a McAfee NAC client policy. The default McAfee NAC client policy uses the McAfee NAC client as the enforcer. Before you can use the McAfee NAC client as an enforcer, however, you must deploy it to ePolicy Orchestrator-managed systems, and it must obtain a McAfee NAC client policy.

When the McAfee NAC client is the enforcer, a local firewall blocks new outgoing connections, based on the system's current enforced health level, or the health level manually set by an administrator using Modify health level. The network access zone associated with each health level determines which network resources the system can or cannot access.

The McAfee NAC client enforcement method option can be set so that enforcement actions are controlled by another product. This version of McAfee NAC supports Microsoft Network Access Protection (Network Access Protection) and McAfee Network Security Platform as enforcers. Information about configuring the McAfee NAC client to use one of these enforcers is discussed in the chapters about integrating with these products.

For each managed system, the McAfee NAC client reports consist of this enforcement information:

• Enforcement status (success or failure)

• Network access zone being enforced

Remediators and how they work

A remediator automatically tries to fix systems that are not in compliance with your health policies. McAfee NAC 4.0 supports one remediator. Users of unhealthy systems also can make fixes to their systems manually.


See Remediation of unhealthy systems. If a system is unhealthy, it is typically restricted from accessing particular network resources, based on the current health level. A system's health level can be set by several methods. See How health levels are set.

Table 3-9 Remediator operations

Remediator: McAfee NAC client

Operational description: Runs remediation commands specified in the benchmarks that comprise each system health policy. Commands can be:

• Single executables

• A script

• A batch file

The McAfee NAC client remediator reports the following information to the McAfee NAC manager:

• Success or failure of the remediation

This table describes the input (required information) and output for the supported remediators, and what the output is used for.

Table 3-10 Remediator input and output

Remediator: McAfee NAC client

Input:

• Managed system health policies

Output:

• The success or failure of the remediation

Output used by: The reporting service of the McAfee NAC manager


4 McAfee NAC policies

You use various policy types to define and configure much of the McAfee NAC functionality for network security. The assessors and enforcers use these policies to determine what data to report and which actions to take.

Contents

Types of policies
System health levels and their function
Benchmarks for McAfee NAC
Health policies of managed systems
Work with managed system health policies
Unmanaged system policy
Network access policies
Network access zones and compliance
McAfee NAC client policies

Types of policies

McAfee NAC distinguishes between system health policies for managed systems and the single policy used for all unmanaged systems.

This topic discusses the structure and use of all policy types except the post admission policy, which is discussed in Network access administration and monitoring.

Table 4-1 Policy types

Policy name: Managed system health policy

Description: Defines your network security criteria for health assessment of managed systems, specifies which systems must adhere to these criteria, and specifies when to use the policy. This policy type uses benchmarks (based on the XCCDF and OVAL standards) to define compliance rules. Rules are built from predefined checks supplied by McAfee or custom checks you can construct.

Policy name: Unmanaged system policy

Description: Defines your network security criteria for health assessment of unmanaged systems, specifies how often to run scans, how much information is reported to the McAfee NAC manager, and whether you want identification messages sent onto the network. This policy type uses benchmarks (based on the XCCDF and OVAL standards) to define compliance rules. Rules are built from predefined checks supplied by McAfee or custom checks you can construct.

Policy name: Network access policy

Description: Specifies the network access restrictions that you want to apply to each system health level. This policy is a mapping between each health level and a network access zone. How many network access zones you create determines your choices in the drop-down list.


Policy name: McAfee NAC client policy

Description: Configures the features of the McAfee NAC client component, which is deployed to managed systems. The McAfee NAC client always functions as a detector and an assessor. By default, the policy configures the McAfee NAC client as the enforcer. If you integrate with other network access solutions such as McAfee Network Security Platform, you can configure the use of a different enforcer.

Policy name: Post admission policy

Description: Specifies a health level to assign systems that are reported as exhibiting malicious behavior.

System health levels and their function

System health levels represent the state of a system (managed or unmanaged) based on your network security rules, as defined by your managed system health policies or your unmanaged system policy.

McAfee NAC defines the following health levels:

• Healthy

• Fair

• Poor

• Serious

• Critical

• Unknown

The names of the health levels are arbitrary, and have no intrinsic meaning. What is meaningful is the order, which represents a hierarchy of best (Healthy) to worst (Critical) states. The Unknown health level is a special case. It is only assigned to systems by the client during scanner startup. Assignment of the Unknown health level most often occurs when a system on the network starts up.

System health levels are used in:

• Reports, monitors, and informational tables shown in the product interface.

• Benchmark rules, to associate a particular health level with the rule’s failure. Benchmarks are used in managed system health policies and the unmanaged system policy.

• The definition of a Network access policy, where each health level is mapped to a specific network access zone.

Health levels in benchmarks

The first five health levels indicate a system’s state relating to its compliance with the rules defined in your benchmarks. For each rule in a benchmark, you can set which health level to assign if the rule fails. If a system fails multiple rules, it is assigned the most severe health level.

Typically, you rank each rule according to the level of risk a violation poses to your network. However, associating a health level with each benchmark rule is not required. If a health level is not specified, the default value, which is specified in the McAfee NAC server settings, is used.

The Enforcement mode setting for each benchmark determines how the health level that results from rule evaluation is applied to systems and used by enforcers. See Benchmark enforcement modes.

Health levels in network access policies

In a network access policy, each health level is mapped to a network access zone. Generally, you create multiple network access zones, each defining a different level of access to network resources.


The health level hierarchy is designed such that you can progressively restrict network access as a system's health status worsens. The level of restriction depends on how serious a threat is to your network security when a benchmark rule fails.

How the Unknown health level is used

Administrators cannot assign the Unknown health level to systems. This health level is reserved for specific circumstances, and can be assigned only by the McAfee NAC manager. This health level is assigned when:

• A system starts up, and therefore, has not yet been assessed.

• The health grace period has expired. The grace period is an option in the McAfee NAC server settings, and is applied to managed and unmanaged systems.

Benchmarks for McAfee NAC

Each managed system health policy and the unmanaged system policy requires at least one benchmark, but can contain multiple benchmarks. Benchmarks are created and edited using the Benchmark Editor. Before you can create health policies, you must have benchmarks that are configured for McAfee NAC to use.

On the Add Benchmarks pages of the policy builders, only benchmarks with these characteristics are displayed:

• The Status must be set to “active” using Activate from the Benchmark Editor interface.

• The McAfee NAC property must be enabled. This property is located in the Properties section when you create or edit a benchmark, and is enabled by default when McAfee NAC is installed.

For a benchmark to perform any compliance checking, it must contain at least one rule. Each rule contains one or more compliance checks for assessing system health. If multiple checks are used, you can specify logic conditions.

For benchmarks you want to use with McAfee NAC, do the following within each rule:

• Set the McAfee NAC Health Level property to a health level value that is appropriate for the designated compliance checks.

• Make sure the Status property of each rule is set to Enabled.

• (Optional) To run a remediation action automatically when a rule is failed, type the remediation command and any parameters in the McAfee NAC Remediation Command and McAfee NAC Remediation Command Parameters properties. See How to use remediation.

Benchmarks contain many other properties and attributes that are beyond the scope of this document. For more information about creating and editing benchmarks and creating custom checks, see the Benchmark Editor documentation.

For each benchmark you add to a health policy, you can set these attributes:

• Enforcement mode — You can specify whether to enforce, audit, or disable the benchmark’s rules (use Set Mode on the Select Benchmarks page). The default is Audit Only.

• Automatic remediation — You can enable or disable this feature. The default is Disabled (use Auto-remediation on the Select Benchmarks page).

Automatic remediation can be used when systems fail a benchmark rule. Enabling this option means that it is enabled for every rule in the benchmark. However, no remediation action occurs unless a remediation command is explicitly specified for a benchmark rule, and the benchmark's enforcement mode is Enforce. See How to use remediation.


Recommendations

McAfee recommends the following when creating or editing benchmarks for use with McAfee NAC:

• Use the benchmark Tag feature to make groups to use as filters when adding benchmarks to your policies.

• Limit the number and scope of the rules you add to each benchmark. Building and debugging your policies is easier when the benchmarks are targeted toward particular security concerns, such as operating system patches or anti-virus issues.

• If you have a mixed operating system environment (client systems using Windows and non-Windows operating systems), create separate benchmarks for non-Windows systems, and consider building separate managed system health policies for your Linux and Mac OS systems.

• Limit benchmark rules to only one check, or to one condition specified by multiple checks (for example, that at least one anti-virus program from an approved set is installed). Focusing each rule on a specific aspect of compliance works better than complex rules with numerous checks that address multiple security risks.

• Give each benchmark rule a name that describes the type of check, and provide a description that informs users what the rule looks for. The rule description is displayed to users through the system tray in the system status dialog box, and in the remediation window.

Benchmark enforcement modes

A benchmark's enforcement mode determines how an assessor uses the benchmark rules and reports the health of a system.

You can set an enforcement mode on every benchmark in a managed system health policy or in the unmanaged system policy. The enforcement mode affects all rules within a benchmark.

Table 4-2 Enforcement modes

Mode: Enforce

Description: All benchmark rules are enforceable, and determine the value of the system's Enforced Health Level. The actual enforcement applied to the systems is based on the configured enforcer, the mapping in the network access policy, and whether the system has an enforcement exemption. The assessor reports the assessed health level and assessment results to the McAfee NAC manager. The level of assessment detail is configurable: in the McAfee NAC client policy for managed systems and in the unmanaged system policy for unmanaged systems.

Mode: Audit Only

Description: No benchmark rule is enforceable, and none affects the value of the system's Enforced Health Level. The assessor reports the assessed health level and assessment results to the McAfee NAC manager. The level of assessment detail is configurable: in the McAfee NAC client policy for managed systems and in the unmanaged system policy for unmanaged systems.

Mode: Disabled

Description: All benchmark rules are disabled. Rules are not evaluated, and results are not reported to the McAfee NAC manager.
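As an added illustration (not code from the guide or the product), the following Python model puts together the rules stated in System health levels and their function, Health levels in benchmarks, How the Unknown health level is used and Table 4-2: failed rules roll up to the most severe level, Audit Only failures shape the assessed but not the enforced level, Disabled benchmarks are skipped, the manager falls back to Unknown once the grace period expires, and a network access policy maps the resulting level to a zone. The class and function names, the default level, the grace period, the sample benchmarks and the zone names are assumptions constructed for the example.

```python
"""Model of how McAfee NAC derives a system's health level and network access zone.
Added illustration, not product code: the names, default level, grace period, sample
benchmarks and zone names are constructed; the health-level order, enforcement-mode
semantics and "most severe failure wins" rule follow the guide."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional

HEALTH_ORDER = ["Healthy", "Fair", "Poor", "Serious", "Critical"]  # best to worst
UNKNOWN = "Unknown"  # special case: set only by the NAC manager, never by a rule

class Mode(Enum):
    ENFORCE = "Enforce"
    AUDIT_ONLY = "Audit Only"  # the guide's default for a newly added benchmark
    DISABLED = "Disabled"

@dataclass
class Rule:
    name: str
    passed: bool                        # outcome of the rule's compliance checks
    health_level: Optional[str] = None  # None models the "Use default" setting
    enabled: bool = True                # the rule's Status property

@dataclass
class Benchmark:
    name: str
    rules: List[Rule]
    mode: Mode = Mode.AUDIT_ONLY

@dataclass
class Assessment:
    assessed: str            # worst failure across Enforce and Audit Only benchmarks
    enforced: str            # worst failure across Enforce benchmarks only
    failed_rules: List[str]  # "benchmark/rule" names shown to the user
    assessed_at: datetime

def worst(levels: List[str]) -> str:
    """Most severe level in the list; a system that failed nothing is Healthy."""
    return max(levels, key=HEALTH_ORDER.index) if levels else "Healthy"

def assess(benchmarks, now, default_level="Poor") -> Assessment:
    """Disabled benchmarks are skipped; Audit Only failures count toward the assessed
    level only; Enforce failures also set the enforced level; a rule with no level
    falls back to the server-setting default (modelled here by default_level)."""
    assessed, enforced, failed = [], [], []
    for bm in benchmarks:
        if bm.mode is Mode.DISABLED:
            continue
        for rule in bm.rules:
            if not rule.enabled or rule.passed:
                continue
            level = rule.health_level or default_level
            failed.append(f"{bm.name}/{rule.name}")
            assessed.append(level)
            if bm.mode is Mode.ENFORCE:
                enforced.append(level)
    return Assessment(worst(assessed), worst(enforced), failed, now)

def effective_level(assessment, now, grace_period, admin_override=None) -> str:
    """Level an enforcer acts on: Unknown before the first assessment or once the
    health grace period has expired; otherwise the administrator's Modify health
    level value if one is set, else the enforced level."""
    if assessment is None or now - assessment.assessed_at > grace_period:
        return UNKNOWN
    if admin_override is not None:
        if admin_override not in HEALTH_ORDER:
            raise ValueError("administrators cannot assign the Unknown level")
        return admin_override
    return assessment.enforced

def zone_for(network_access_policy: Dict[str, str], level: str) -> str:
    """A network access policy maps every health level to one access zone."""
    return network_access_policy[level]

# Constructed sample data (not from the guide).
SAMPLE_TIME, SAMPLE_GRACE = datetime(2012, 1, 1, 9, 0), timedelta(hours=1)
SAMPLE_POLICY = {"Healthy": "Full access", "Fair": "Full access",
                 "Poor": "Internal only", "Serious": "Remediation servers only",
                 "Critical": "Quarantine", UNKNOWN: "Quarantine"}
SAMPLE_BENCHMARKS = [
    Benchmark("OS patches", mode=Mode.ENFORCE, rules=[
        Rule("critical KB installed", passed=False, health_level="Serious"),
        Rule("host firewall enabled", passed=True, health_level="Critical")]),
    Benchmark("Anti-virus", mode=Mode.ENFORCE,
              rules=[Rule("DAT age under 7 days", passed=False)]),  # default -> Poor
    Benchmark("Unwanted programs", mode=Mode.AUDIT_ONLY,
              rules=[Rule("no PUP detected", passed=False, health_level="Critical")]),
    Benchmark("Legacy checks", mode=Mode.DISABLED,
              rules=[Rule("old agent version", passed=False, health_level="Critical")]),
]

def demo(now=SAMPLE_TIME):
    """(assessed, enforced, zone) for the sample data when evaluated at `now`."""
    a = assess(SAMPLE_BENCHMARKS, SAMPLE_TIME)
    level = effective_level(a, now, SAMPLE_GRACE)
    return a.assessed, a.enforced, zone_for(SAMPLE_POLICY, level)
```

Running `demo()` gives an assessed level of Critical (the Audit Only PUP rule) but an enforced level of Serious, so the system lands in the remediation zone; evaluating two hours later, past the grace period, drops it to Unknown and the quarantine zone.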

Recommendations

McAfee recommends that you first test your policies with all benchmarks set to Audit Only mode. We also recommend this mode any time you add new benchmarks to your policies. See Enforcement mode monitoring.


Health policies of managed systems

Managed system health policies define the security compliance criteria used to assess the health of managed systems. There is no limit to the number of managed system health policies you can have.

Managed system health policies have two qualities that differ from other McAfee NAC policy types:

• Assignment method

• Whether the policy is active or inactive, based on network connection conditions

You assign managed system health policies to systems from the Select Systems page of the policy builder. Policy assignment is based on criteria you specify. The policy is assigned and downloaded only to systems that match the criteria. As a result, each policy can use unique assignment criteria, and each managed system can be subject to multiple system health policies.

Policy activation is unique to managed system health policies, and is specified from the Policy Activation page of the policy builder. Whether a policy is active is determined by a system's network connection (see How policies are activated). Policy activation does not determine whether a policy is downloaded to the McAfee NAC client, but does determine whether the McAfee NAC client, in its role as an assessor, uses the policy.

All other McAfee NAC policy types, except the unmanaged system policy, are assigned to systems through the System Tree. Managed system health policies are the only type that are activated by network connection conditions.

For an assessor to use a policy to determine system health on a specific managed system, the policy must be assigned to that system and the policy must be active for the system's network connection.

Once you create or edit a system health policy, it is downloaded to the McAfee NAC client:

• The next time McAfee NAC performs an agent-to-server communication

• When a manual or scheduled agent wake-up call occurs

• When a system is scanned with an older policy

The primary tasks to perform with a managed system health policy are:

1 Add or configure the benchmarks you want to use.

2 Set each benchmark's enforcement mode.

3 Enable or disable automatic remediation for each benchmark.

4 Specify which systems need to use the policy.

5 Specify the network conditions that activate the policy (for example, assess the policy when the system is on any network, or only on a specific network).

McAfee NAC includes a default managed system health policy you can use as the basis for constructing your own.


Recommendations

McAfee recommends the following for working with managed system health policies:

• Use only a few benchmarks in each managed system health policy. It is better to have many policies, each focused on a specific security requirement, than to have a few policies containing many different and potentially disparate security requirements.

• If possible, test your policies first in a controlled or non-production environment with all benchmarks set to Audit Only mode, then switch to Enforce mode. See Benchmark enforcement modes.

• If you plan to use automatic remediation, test your remediation commands in a controlled or non-production environment to verify they work correctly.

• If you want to gather information from certain security tests (for example, potentially unwanted programs) but not enforce them, create separate policies for those tests with all benchmarks set to Audit Only mode, rather than mixing them with benchmarks you need to enforce.

System health policy structure

A managed system health policy defines the security compliance criteria that are used to assess the health of managed systems.

A managed system health policy consists of:

• Unique identifiers (a name and description)

• Noncompliance message that is displayed on a client system when that system is out of compliance with any benchmark rules

• One or more active benchmarks designated for use with McAfee NAC

• One or more managed system assignments

• Policy activation mode that specifies the condition that makes the policy active

Identifiers

Each managed system health policy must have a name. This name should uniquely identify the policy. A description is optional but helpful, because a system health policy contains several distinct elements.

For example, you might create similar policies with slight differences in option settings. The system health policy naming convention is:

• A combination of alphanumeric characters, whitespace, underscores, and hyphens

• A minimum of one character and a maximum of 64 characters

• Must begin with a letter or number

Noncompliance message

A noncompliance message, though optional, is an important element of a managed system health policy. This message appears on managed systems that fail any of the policy’s benchmark rules.

Administrators can use this message to inform users about compliance issues on their systems that are specific to each managed system health policy, and how to fix them. With the noncompliance message, you can customize information that cannot be generated automatically.

To display the noncompliance message on managed systems, you must enable the option for the system tray icon in the McAfee NAC client policy (it is enabled by default). The system tray also provides information about the system’s health level, the assessed benchmarks and rules, and remediation status. The level of benchmark and rule information displayed is determined by the Scan results option in the McAfee NAC client policy.


McAfee recommends that you provide users with as much information as possible. A typical message might include:

• Information about the benchmark rule or check that failed during the most recent scan.

• The path, active links to file servers, or shared network resources that store updates or other content needed to make the system compliant. This is especially helpful for users needing to update their systems manually.

Once a system is noncompliant, its access to network resources is controlled by the mapping of network access zones to health levels in your network access policies. If automatic remediation commands have been specified, these are run by the McAfee NAC client after all managed system health policies have been assessed. Users can access a remediation status window through the system tray menu. Some policy violations might require manual remediation. If so, make sure systems can access the necessary network resources. See Manual remediation.

Health policies and system assessment

Each managed system health policy and the single unmanaged system policy must have at least one benchmark to be able to determine a system's health.

Benchmarks are created with the Benchmark Editor, a common component that can be used by products other than McAfee NAC. A benchmark specifies your compliance requirements for network access through rule definitions, which are used to assess system health.

Each rule is constructed from security checks that target specific system configurations, security threats, the presence or absence of certain software, and more. If you use multiple checks, you can specify logic conditions. McAfee supplies a set of checks for building your network security rules (see Installing content). You can also create custom checks.

Use these tools to create and edit system health policies:

• Managed systems — Managed System Health Policy builder

• Unmanaged systems — Unmanaged System Policy builder

To add, modify, or remove benchmarks, use the appropriate policy builder from the console. Creating and editing policies requires the proper permissions (see Editing McAfee NAC permission sets).

The Select Benchmarks page of each policy builder lists the benchmarks that have been added to the policy. If no benchmarks have been added, a warning appears. Use Add Benchmark to search for and select benchmarks for the policy.

Benchmarks contain many properties and attributes that are beyond the scope of this document. For more information about creating and editing benchmarks and creating custom checks, see Benchmarks for McAfee NAC and the Benchmark Editor documentation.

How system health policies are assigned

Managed system health policies must be assigned to systems on your network before your security rules can be assessed and enforced.

The managed systems you want to assess must have:

• McAfee Agent

• McAfee NAC client


Most policy types in the ePolicy Orchestrator environment are assigned to systems through the System Tree. Managed system health policies, however, are an exception; they are assigned on the Select Systems page of the Managed System Health Policy builder.

The unmanaged system policy does not need to be assigned to systems specifically because it is part of the McAfee NAC guest client installation.

You can assign a managed system health policy to systems by specifying:

• One or more individual systems

• One or more groups of systems

• One or more tags

Assign policy to: Individual systems

Criteria: Select individual systems to assign the policy using any of these criteria:

• System name

• User name

• IP address (in IPv4 dotted decimal format)

• MAC address (specified without dashes between the hex digit pairs; for example, 00123F3871C0 rather than 00-12-3F-38-71-C0)

Assign policy to: System groups

Criteria: Select systems based on their assignment to groups in the ePolicy Orchestrator System Tree. The policy is assigned to all systems in the group, and in any subgroups on that branch of the hierarchy.

Assign policy to: Tag

Criteria: Select systems based on any tag in the ePolicy Orchestrator Tag Catalog. For information about using tags, see the documentation for your version of ePolicy Orchestrator.

How policies are activated

Policy activation specifies the conditions under which a managed system health policy is active. This setting designates whether a policy is assessed and enforced, based on the managed system’s network connection.

A managed system health policy can be made active:

• Always, regardless of whether or not the system is connected to a network

• When the system is connected to a specific network; for example, one of your corporate networks

• When the system is not connected to a specific network

When deciding how to activate your system health policies, remember that a managed system gets every managed system health policy that has been assigned to it using Select Systems. For example, you define ten managed system health policies and you want five active for corporate network connections, three active for non-corporate network connections, and two always active. If you assign all ten policies to every managed system, the only policies that are assessed and enforced are those that match the activation criteria for the system’s network connection.

If you are going to use policy activation based on connection to, or not to, a specific network, it is recommended you always use one mode or the other. Systems that have more than one network interface card might experience conflicts if some policies activate based on a specific network connection, and others activate based on not being connected to a specific network.


Table 4-3 Policy activation

Policy activation status: Always active

Use this setting: For managed system health policies you always want applied to your corporate systems, regardless of which network a system is connected to or whether it is connected at all.

Policy activation status: Active when connected to a specific network

Use this setting: When you want a managed system health policy assessed and enforced whenever a system is connected to a specific network. Because you must identify a network for this mode, the most common use is for activating policies that you always want assessed and enforced when systems are connected to one of your corporate networks. See Network identification criteria for information about specifying a network.

Policy activation status: Active when not connected to a specific network

Use this setting: When you want a managed system health policy assessed and enforced whenever a system is not connected to a specific network. Because you must identify a network for this mode, the most common use is for activating policies that you always want assessed and enforced when systems are not connected to one of your corporate networks. See Network identification criteria for information about specifying a network.

Network identification criteria

A connection to a specific network can be determined by specifying one or more network identification criteria:

• The system can successfully connect to a domain controller for the Windows domain it belongs to.

• The system’s IP address is within a range you specify.

• The system is connected to a network with a DNS suffix you specify.

If both network identification types are selected (domain controller and network property), a logical AND is performed. For example, the managed system health policy is active only if a system successfully connects to any domain controller “and” it matches a specific IP address range or DNS suffix.

If you specify both types of network identification property (IP address range and DNS suffix), or more than one of each, the evaluation rules are:

• A logical OR is used for multiple entries of an IP address range or a DNS suffix.

• A logical OR is used when both an IP address range and DNS suffix are specified.

Using the network identification properties (IP address ranges and DNS suffixes) allows you to be specific. For instance, you might have several network domains, and want some system health policies active on one but not on others.
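As an added illustration (not product code), this Python model evaluates the activation rules in How policies are activated and Network identification criteria for the guide's ten-policy scenario: domain controller reachability is ANDed with the network properties, multiple IP ranges and DNS suffixes are ORed, and a check flags the mixed connected/not-connected configuration the guide advises against. The policy names, the corporate address range and DNS suffix, and the sample connections are constructed assumptions.

```python
"""Model of managed system health policy activation. Added illustration, not product
code: the class and function names, the corporate network values and the policy
names are constructed; the evaluation rules (domain controller AND network
property, OR across IP ranges and DNS suffixes) follow the guide."""
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import IPv4Address
from typing import List, Tuple


class Activation(Enum):
    ALWAYS = "Always active"
    CONNECTED = "Active when connected to a specific network"
    NOT_CONNECTED = "Active when not connected to a specific network"


@dataclass
class NetworkId:
    """Network identification criteria; every field is optional."""
    require_domain_controller: bool = False
    ip_ranges: List[Tuple[str, str]] = field(default_factory=list)  # inclusive bounds
    dns_suffixes: List[str] = field(default_factory=list)


@dataclass
class Policy:
    name: str
    activation: Activation
    network: NetworkId = field(default_factory=NetworkId)


@dataclass
class Connection:
    """What the client observes; lists allow more than one network interface."""
    domain_controller_reachable: bool
    ip_addresses: List[str]
    dns_suffixes: List[str]


def property_match(net: NetworkId, conn: Connection) -> bool:
    """Logical OR across all IP range entries, all DNS suffix entries, and between
    the two property types (case-insensitive suffix comparison is an assumption)."""
    for start, end in net.ip_ranges:
        lo, hi = IPv4Address(start), IPv4Address(end)
        if any(lo <= IPv4Address(ip) <= hi for ip in conn.ip_addresses):
            return True
    wanted = {s.lower() for s in net.dns_suffixes}
    return any(s.lower() in wanted for s in conn.dns_suffixes)


def on_network(net: NetworkId, conn: Connection) -> bool:
    """Logical AND between the domain controller test and the property test when
    both are configured; with no criteria at all the system is treated as not on
    the network (an assumption, the guide does not cover that case)."""
    checks = []
    if net.require_domain_controller:
        checks.append(conn.domain_controller_reachable)
    if net.ip_ranges or net.dns_suffixes:
        checks.append(property_match(net, conn))
    return bool(checks) and all(checks)


def is_active(policy: Policy, conn: Connection) -> bool:
    """Whether the assessor uses this policy for the system's current connection."""
    if policy.activation is Activation.ALWAYS:
        return True
    connected = on_network(policy.network, conn)
    return connected if policy.activation is Activation.CONNECTED else not connected


def active_policies(policies: List[Policy], conn: Connection) -> List[str]:
    return [p.name for p in policies if is_active(p, conn)]


def mixes_connection_modes(policies: List[Policy]) -> bool:
    """True when both connected and not-connected activation are in use, the
    combination the guide warns can conflict on systems with several NICs."""
    modes = {p.activation for p in policies}
    return {Activation.CONNECTED, Activation.NOT_CONNECTED} <= modes


# Constructed sample: the guide's ten-policy example (5 corporate, 3 non-corporate,
# 2 always active) against a made-up corporate network definition.
CORP = NetworkId(require_domain_controller=True,
                 ip_ranges=[("10.10.0.0", "10.10.255.255")],
                 dns_suffixes=["corp.example"])
SAMPLE_POLICIES = (
    [Policy(f"Corp-{i}", Activation.CONNECTED, CORP) for i in range(1, 6)]
    + [Policy(f"Remote-{i}", Activation.NOT_CONNECTED, CORP) for i in range(1, 4)]
    + [Policy(f"Always-{i}", Activation.ALWAYS) for i in range(1, 3)]
)
OFFICE = Connection(True, ["10.10.4.20"], ["corp.example"])
HOME = Connection(False, ["192.168.1.5"], ["home.lan"])
# Reaches a domain controller over a tunnel but matches no corporate property,
# so the AND fails and only the non-corporate and always-active policies apply.
VPN = Connection(True, ["172.16.0.9"], ["vpn.example"])
```

On the office connection seven policies are active (the five corporate plus the two always-active ones); at home or on the tunnel, five are.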

Work with managed system health policies

You can perform a number of tasks with managed system health policies.

Create a McAfee NAC benchmark

Create a benchmark that can be used within your managed system health policies or unmanaged system policy. This task prepares and sets the benchmark options necessary for using a benchmark in McAfee NAC policies.

Make sure to activate your benchmarks after you create or edit them.


Creating benchmarks and using the McAfee Benchmark Editor is beyond the scope of this guide. For acomplete description of creating benchmarks and compliance rules, see the McAfee Benchmark Editordocumentation.

Task

For option definitions, click ? in the interface.

1 In ePolicy Orchestrator, go to Menu | Risk & Compliance | Benchmarks, then select Actions | New Benchmark.

2 In the Add Benchmark dialog box:

a In the New Benchmark Title field, type a name for the benchmark.

b Click in the New Benchmark Id field. The name you entered in the Title field is copied, but withspaces removed. Edit this identifier, as needed, then click OK.

The next page is titled with the name you specified, and includes three areas:

• Edit panel at the top

• Benchmark Tree pane at the left

• Benchmark Content pane at the right

3 In the Edit panel, select a benchmark option, then select the language you want for content.

4 (Optional) Add groups for organizing your rules: in the Benchmark Tree pane, click New Group. Typea descriptive name for the Group Title, such as VirusScan (when you click in the Group Id field, thetitle is copied). Edit this information as needed, then click OK.

5 In the Benchmark Tree pane, select the benchmark name, then in the Benchmark Content pane,select the Properties page. The Benchmark ID and Title fields are automatically populated.

6 Enter a valid text in the Description field.

7 For the McAfee NAC property, make sure Make benchmark available to NAC is selected.

In ePolicy Orchestrator 4.5, in the Benchmark Tree pane, select the benchmark name. In theBenchmark Content pane, select the Properties page, and select Enabled or Disabled for Status.

8 Click Apply Properties, then click Close.

9 Add rules to the benchmark: In the Benchmarks page, click Actions | New Benchmark from Checks. Seethe McAfee Benchmark Editor documentation for details about creating and structuring rules.

a For the McAfee NAC Health Level option, select the health level to assign to a system that failsthe rule. The value, Use default, means that the value specified by the Default rule health level option inthe McAfee NAC server settings is assigned to systems that fail the rule.

b To use automatic remediation, type the remediation command and any command parameters. For information on using automatic remediation, see Automatic remediation of unhealthy systems.

10 From the Rules list, verify that each rule you added has the desired Status (Enabled or Disabled), and the desired McAfee NAC Health Level, then click Close to return to the main Benchmarks page.

11 Select the benchmark you created from the list and click Actions | Activate.

You can now use this benchmark when you create managed system health policies or edit the unmanaged system policy.


Create a McAfee NAC benchmark from checks

Create a new benchmark quickly by selecting one or more existing checks. A separate rule is created for each check you select.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Risk & Compliance | Benchmarks, then select Actions | New Benchmark from Checks.

2 On the New Benchmark from Checks page, type a name for the benchmark in the New Benchmark Title field, then click in the New Benchmark Id field.

The name you entered in the Title field is copied, but with spaces removed. You can edit this identifier if you want.

3 In the Check Filter area, limit the displayed list of checks by operating system platform and by keywords, then click Apply.

4 For more control when filtering the list of checks:

a Click Advanced Filter to open the Check Filter Criteria Builder.

b Select properties and comparison operators, and apply Boolean logic as needed, then click OK.

5 Select the checkbox for the check you want to use. If the Actions column for a check contains a Set Parameters option, click it to open a dialog box where you specify values for the check, such as a minimum DAT age. After setting any required check parameters, click Add Check(s).

You can continue to add checks by using the Next/Previous page buttons, or by clearing the existing filter and entering new filter options.

6 Click Next when you have finished adding checks, then click Save on the summary page.

The main Benchmarks page is displayed. The benchmark you created is listed with its status set to Edit.

7 Select the benchmark with the status set to Edit, then click Actions | Edit.

Benchmarks with McAfee as the source are not editable. Only user-created benchmarks are editable. If you select a user-created benchmark with the status Received or Active and click Actions | Edit, a warning message appears: Editing/Tailoring this benchmark will create another version. Do you want to continue? Click OK or Cancel.

8 Click the Properties tab and verify that the McAfee NAC property is enabled. If not, select the checkbox, then click Apply Properties if you made changes to any benchmark properties.

9 Click the Rules tab. For each rule, select it and click Edit Rule.

a For the McAfee NAC Health Level option, select the health level to assign to a system that fails the rule. The Use default value means that the value specified by the Default rule health level option in the McAfee NAC server settings is assigned to systems that fail the rule.

b To use automatic remediation, type the remediation command and any command parameters. For information on using automatic remediation, see Automatic remediation of unhealthy systems.

10 After editing all the rules, click Close to return to the main Benchmarks page.

11 Select the benchmark you created from the list and click Activate.

You can now use this benchmark when you create managed system health policies, or when you edit the unmanaged system policy.


Create and modify managed system health policies

Create or edit a managed system health policy to add, edit, or remove a benchmark setting.

You can also add or remove systems from the managed system health policy.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Risk & Compliance | Network Access Control, then select Managed System Health Policies from the left column.

2 Click New to open the Managed System Health Policy Builder, or click Edit in the Action column of an existing policy.

3 On the Description page:

a Type a name and description to label and identify the policy.

b In the Noncompliance message for client field, add details about why the system is not in compliance, and what to do to correct the situation. You can include links to systems that contain the appropriate remediation resources.

c Click Next.

4 On the Select Benchmarks page, click Actions | Add Benchmark to create a new policy, or to add more benchmarks to an existing policy.

5 On the Add Benchmarks page, use the filters to display a list of available benchmarks, then click Add.

You can filter using a label, a name or part of a name, or a value of the Source field. From the list,select one or more benchmarks to include in the policy.

6 On the Select Benchmarks page, use the Actions menu to set each benchmark's enforcement mode, enable or disable automatic remediation, or remove a benchmark, then click Next.

7 On the Select Systems page, specify the systems you want the policy assigned to by using Add System, Add Group, and Add Tag. You can use any combination of these options.

a Click Add System, then specify individual systems by system name, user name, IP address, or MAC address. Do not use dashes in a MAC address.

b Click Add Group, then add one group at a time by selecting from the displayed System Tree.

c Click Add Tag, then add one system tag at a time by selecting from the drop-down list.

To view details about the systems you selected, or the groups and tags you used, click Summary in the Actions column.

d Click Next.

8 On the Policy Activation page:

a Select an Activation mode to specify the network connection condition that makes the policy active. Selecting a mode that activates the policy only when connected to or not connected to a specific network makes the Network Identification option available.

b If activating the policy based on connecting to (or not connecting to) a specific network, select how you want to verify the connection, then click Next. If you select Network Identification properties, you can add, edit, or delete one or more IP address ranges and DNS suffixes.

9 On the Summary page, review the policy information, then click Save.


Export managed system health policies

Save managed system health policies by exporting them to disk.

The default file name is NAC_Managed_System_Health_Policies.zip.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Risk & Compliance | Network Access Control, select Managed System Health Policies from the left column, then click Export.

2 From the list, select the managed system health policies to export, then click OK.

3 On the Download File page, right-click the file name link and select Save Target As from the menu.

4 Browse to the location where you want to save the file, rename the file as needed, then click Save.

5 Click Close.

Import managed system health policies

Import system health policies that you have stored on disk.

Import the Managed_System_Health_Policies.zip file that contains the backed-up policies.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Risk & Compliance | Network Access Control, then select Managed System Health Policies from the left column.

2 Click Import.

3 In the Import System Health Policy dialog box, click Browse, navigate to and select the .zip file that contains managed system health policies, then click Open.

4 Click OK to load the file, or click Cancel.

Unmanaged system policy

The unmanaged system policy defines the security compliance criteria used to assess the health of unmanaged systems. Only the McAfee NAC guest client uses this policy, which is automatically included as part of the guest client installation package.

Though similar, the unmanaged system policy differs from managed system health policies in these ways:

• A single policy applies to all unmanaged systems on your network.

• The unmanaged system policy is assessed by the McAfee NAC guest client, which can assess a system's health but cannot enforce the system.

• The McAfee NAC guest client does not support automatic remediation.

• You do not select the systems that are assigned the policy. Any unmanaged systems that install the McAfee NAC guest client are assessed using this single policy.

• You do not specify network conditions for activating the policy.


• You specify a time interval for how long an unmanaged system's health level is valid before a new scan is required.

• You specify whether you want a periodic identification message sent out to the network to identify the system to a McAfee® Network Security Sensor when using McAfee Network Security Platform.

The primary task to perform with the unmanaged system policy is to add the benchmarks you want to use, and set their configuration options as needed. Once you add benchmarks, McAfee recommends that you first test this policy with the benchmarks set to Audit Only, then set all benchmarks to Enforce.

McAfee NAC includes a default unmanaged system policy to which you add benchmarks. This policy cannot be renamed or have its description modified.

Benchmarks for the unmanaged system policy

McAfee recommends that you use separate benchmarks for the unmanaged system policy; that is, not the same ones you use in your managed system health policies. The guest client does not support automatic remediation, and you must use a different method for giving users remediation instructions.

Remediation instructions in the unmanaged system policy

All unmanaged systems are assessed using a single policy. In most circumstances you would configure your unmanaged system policy with multiple benchmarks. Each benchmark can contain any number of rules and checks, but benchmarks are easier to manage when they are configured to check for specific network access rules, such as having an anti-virus product installed.

The unmanaged system policy includes an option where you can specify a non-compliance message, but this one message is not sufficient for providing users with specific remediation instructions when their systems are unhealthy. Rather, you can use the non-compliance message to provide general information about compliance with your network security policy, and where to get help fixing an unhealthy system.

McAfee recommends that you provide remediation instructions in each benchmark by using the Rule Description field. By using this field, you can write benchmarks with multiple rules, with each rule description providing the appropriate remediation information.

For example, if you write a benchmark to check for an anti-virus product, you can have separate rules for specific products. In each rule description, you can provide information about where to find that product's installer.

Edit the unmanaged system policy

Use this task to edit the unmanaged system policy. The default policy for unmanaged systems contains no benchmarks. You must add at least one benchmark for any health assessment to occur.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Risk & Compliance | Network Access Control, then select Unmanaged System Policy from the left column.

2 Click Edit in the Action column of the existing policy.

3 On the Description page, in the Noncompliance message for client field, enter the noncompliance message that will be displayed, then click Next.

4 If you are editing the policy for the first time, you must add at least one benchmark. If the policy already has benchmarks specified, you can set their enforcement mode, or delete them.


5 On the Select Benchmarks page, click Actions | Add Benchmark.

6 Select one or more benchmarks to include in the policy, then click Add.

You can filter the list using a label, a name or part of a name, or a value of the Source field.

7 To change the enforcement mode, click Actions | Set Mode, select an option from the drop-down list, then click OK. When finished adding benchmarks, click Next.

8 On the Configuration page, set these options, then click Next:

• For Scan interval, specify how often (in minutes) you want a scan to occur on detected unmanaged systems. The McAfee NAC guest client performs the scan.

• For Periodic identification, determine whether you want this enabled. If so, an identification message is sent at an interval you specify, between 1 and 10 minutes.

• For Scan results, set the level of detail you want reported to the McAfee NAC manager for each unmanaged system assessment.

9 On the Summary page, review the policy information, then click Save.

Network access policies

A network access policy specifies which network resources a managed system can access for each health state.

The policy maps each system health level to a network access zone. The mapping is one-to-one;however, you can map the same network access zone to more than one health level.

Network access policies are created and edited using the Policy Catalog (Menu | Policy | Policy Catalog).

Unlike system health policies, a managed system can be assigned only one network access policy. You can create multiple network access policies, then assign a specific policy to specific systems.

The primary task you perform with network access policies is mapping a network access zone to each system health level.

If you modify a network access policy (including modifications to network access zones), the updated policy is downloaded to the McAfee NAC client:

• The next time the McAfee Agent performs an agent-to-server communication

• When a manual or scheduled agent wake-up call occurs

• When a system is scanned with an older policy

Use the System Tree (Menu | Systems | System Tree) to assign and set the inheritance rules for a network access policy.

When the software is installed, two default network access policies are added to the Policy Catalog:

• Network Access Policy Default, which cannot be edited but can be duplicated to create your own policies

• My Default, which can be edited, duplicated, and renamed

Both policies assign the default Allow Full Access network access zone to all health levels except Critical, which is assigned the default Deny All Access zone.


Create network access policies

McAfee NAC 4.0 includes two default Network Access Control client policies, Network Access Policy Default and My Default. The default policy cannot be edited, but it can be duplicated and used as the basis for creating a new policy.

Task

1 Go to Menu | Policy | Policy Catalog.

2 For the Product field, select Network Access Control 4.0.0.

3 For the Category field, select Network Access Policy.

4 Click New Policy to display the New Policy window.

• New policy — Select an existing policy from the drop-down list, and type a name.

• Existing policy — Type a new name in the dialog box, then click OK.

5 For Health level to network access zone mapping, select a network access zone from the associated drop-down list for each health level, then click Save.

To create one or more new network access zones while creating or editing a policy, click New Network Access Zone. If you do this, you must return manually to the Policy Catalog and begin the policy editing again.

Network access zones and compliance

Network access zones designate which network resources a managed system can or cannot access when it is not compliant with one or more rules in the applicable system health policies. The network access zones you define in McAfee NAC apply only to managed systems when the McAfee NAC client is the enforcer.

You can create as many network access zones as you need to ensure network security. Once these zones are created, you use them when defining a network access policy by associating a specific zone with each system health level.

The primary tasks to perform with network access zones are to set the access type and add network resources to the resource list.

Types of network access zones

Two default zones are supplied with the software: Allow Full Access zone and Deny All Access zone. These zones are meant to provide a starting point for defining your own zones, and to allow you to conduct some immediate testing.

A network access zone consists of:

• Name (required) and description (optional)

• Access type setting (Allow or Deny)

• Domain controller setting, automatically enabled when the access type is Allow

• Network resource list

Network access zones should be defined so that noncompliant systems are isolated from network resources, such as critical servers and sensitive data, depending on the severity of the threat posed by each benchmark rule violation. However, you can always modify your zone definitions, so adding or removing a resource can be done at any time. When a network access zone definition is modified, it triggers an update to any network access policies that use the zone in the health level mapping.


Network access zone names

The naming conventions for network access zones are:

• A combination of alphanumeric characters, whitespace, underscores, and hyphens

• A minimum of one character and a maximum of 64 characters

• Must begin with a letter or number

When is the policy downloaded to the client

The updated network access zone and network access policies are downloaded to the McAfee NAC client:

• The next time the McAfee Agent performs an agent-to-server communication

• When a manual or scheduled agent wake-up call occurs

• When a system is scanned with an older policy

Once a managed system receives the updated network access policy, changes to zone definitions are applied immediately and enforced accordingly.

Network access resources

A network access zone's resource list can specify an internal or external network resource. Internal resources are ones that are not accessible from the Internet, and must be specified by an IP address. External addresses can be either a fully-qualified domain name (FQDN) or an IP address.

No matter how you define a network access zone, systems always have access to a core whitelist of network resources that consists of:

• DNS servers

• DHCP servers

• The ePolicy Orchestrator server

• The local system

A zone's Resource List does not list or identify the core whitelist resources. For information about why these resources cannot be blocked, see How host enforcement works. If you define a zone with an access type of Allow, systems must be able to authenticate themselves to your domain controllers. The Allow access type automatically enables the Domain controller option, which adds these resources to the core whitelist. If your zone's access type is Deny, the Domain controller option is not applicable, and is automatically disabled.

When the McAfee NAC client is the enforcer, it uses a local firewall to block a system's outbound connections, and enforce the access restrictions defined by your network access zones. If you use a zone that allows all connections and this is the active zone for a system, the firewall is effectively disabled. If you use an enforcer other than the McAfee NAC client, the behavior might be different.
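The zone rules from the Network access zone names and Network access resources sections (name format, internal versus external resources, the core whitelist and the Domain controller option) as an added Python model; this is not McAfee code, every address in it is constructed, and because the guide does not spell out how the resource list is interpreted, the model assumes that an Allow zone permits only its listed resources while a Deny zone blocks only its listed resources.

```python
"""McAfee NAC network access zone model (added illustration, not McAfee code).

Assumptions: an Allow zone permits only the resources on its list, a Deny zone
blocks only the resources on its list, the core whitelist is reachable from any
zone, and "whitespace" in a zone name means space or tab.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Naming rules from the guide: alphanumerics, whitespace, underscores and
# hyphens; 1 to 64 characters; must begin with a letter or digit.
ZONE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 \t_-]{0,63}")
FQDN_RE = re.compile(r"(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}")


def is_valid_zone_name(name: str) -> bool:
    return ZONE_NAME_RE.fullmatch(name) is not None


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Resource:
    host: str              # IP address, or an FQDN for external resources only
    protocol: str          # "tcp" or "udp"
    port: int
    internal: bool = True  # internal resources are not reachable from the Internet

    def __post_init__(self) -> None:
        # Guide: internal resources must be given as an IP address; external
        # resources may be an FQDN or an IP address.
        if self.internal and not is_ip(self.host):
            raise ValueError(f"internal resource {self.host!r} must be an IP address")
        if not self.internal and not (is_ip(self.host) or FQDN_RE.fullmatch(self.host)):
            raise ValueError(f"external resource {self.host!r} must be an IP or FQDN")
        if self.protocol not in ("tcp", "udp") or not 0 < self.port < 65536:
            raise ValueError(f"bad protocol/port {self.protocol!r}/{self.port}")

    def matches(self, host: str, protocol: str, port: int) -> bool:
        return (self.host.lower(), self.protocol, self.port) == (host.lower(), protocol, port)


@dataclass
class Zone:
    name: str
    access_type: str  # "Allow" or "Deny"
    resources: list = field(default_factory=list)
    domain_controllers: bool = field(init=False)

    def __post_init__(self) -> None:
        if not is_valid_zone_name(self.name):
            raise ValueError(f"invalid zone name {self.name!r}")
        if self.access_type not in ("Allow", "Deny"):
            raise ValueError(f"access type must be Allow or Deny, got {self.access_type!r}")
        # Guide: the Domain controller option is enabled automatically for an
        # Allow zone and is not applicable (disabled) for a Deny zone.
        self.domain_controllers = self.access_type == "Allow"


@dataclass(frozen=True)
class CoreWhitelist:
    """Resources the guide says a system can always reach, whatever its zone."""
    dns_servers: frozenset
    dhcp_servers: frozenset
    epo_server: str
    local_system: str
    domain_controllers: frozenset  # counted only while the zone's DC option is on

    def permits(self, host: str, zone: Zone) -> bool:
        always = self.dns_servers | self.dhcp_servers | {self.epo_server, self.local_system}
        return host in always or (zone.domain_controllers and host in self.domain_controllers)


def outbound_allowed(zone: Zone, core: CoreWhitelist, host: str, protocol: str, port: int) -> bool:
    """Would the NAC client's local firewall let this outbound connection through?"""
    if core.permits(host, zone):
        return True  # the core whitelist cannot be blocked by any zone
    listed = any(r.matches(host, protocol, port) for r in zone.resources)
    return listed if zone.access_type == "Allow" else not listed


# Constructed sample environment; none of these addresses come from the guide.
CORE = CoreWhitelist(
    dns_servers=frozenset({"10.0.0.53"}),
    dhcp_servers=frozenset({"10.0.0.67"}),
    epo_server="10.0.0.10",
    local_system="10.0.5.21",
    domain_controllers=frozenset({"10.0.0.100"}),
)
# Quarantine zone: only the remediation server (plus the core whitelist) is reachable.
QUARANTINE = Zone("Remediation Only", "Allow", [Resource("10.0.0.20", "tcp", 443)])
# Zone for healthy systems that still blocks one file server; everything not listed stays reachable.
HEALTHY = Zone("Healthy-no_file_share", "Deny", [Resource("10.0.0.30", "tcp", 445)])
```

With the Deny zone active the local firewall blocks only the listed file server, which is the "effectively disabled" case the text describes when the list is empty.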

Recommendations

For network access zones, McAfee recommends that you:

• Test your network access zones in a non-production environment or a small subset of your production network, if possible, so you can determine whether users can access remediation resources.

• Carefully consider which health level to assign for each benchmark rule failure, and which network access zone you want to associate with each health level.


• Be careful using a zone that allows access to every resource. In a production environment, you might want to deny access to specific network resources or Internet sites even for healthy systems.

• Do not disable the Domain controller option for zones that have an access type of Allow, unless you are fully aware of the ramifications.

• If you create a zone that denies access, be sure you have made remediation resources available from one of the servers to which systems cannot be denied access. The ePolicy Orchestrator server is recommended.

• Evaluate your organization's network security policies before creating your network access zones. This can save time later.

Create network access zones

McAfee NAC includes two default zones. You can use these zones as is, or as a basis for creating new zones.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Risk & Compliance | Network Access Control, then select Managed Network Access Zones from the left column.

2 Click New Access Zone, or to edit an existing zone, click Edit in the Actions column. The Network Access Zone Builder opens.

3 Type a name and description.

4 Specify the zone’s access type (Allow or Deny).

5 Select Automatically Add To List in Domain Controllers, if you want a domain controller to be listed.

6 Click New Resource to add a network resource to the definition of the zone.

7 In the Add Network Resource dialog box, specify the resource's destination address, a protocol type, and destination port, then click OK.

8 To add additional network resources, continue using New Resource. To edit or delete a resource from the zone's resource list, click Edit or Delete in the Action column.

9 Click OK, then click Save.

Import and export network access zones

Import or export your network access zones to restore or save your existing policies. When you export, all of your defined network access zones are saved in a .zip file.

McAfee NAC sets a default file name, which you can change when you save the file. You cannot export only a subset of your zones. You can only import network access zones that you previously saved by exporting them.

If you import a zone that has the same name as an existing network access zone, the existing zone is overwritten.


Task

For option definitions, click ? in the interface.

1 Go to Menu | Risk & Compliance | Network Access Control, then select Managed Network Access Zones from the left column.

2 Click Export to save your defined network access zones.

a On the Download File page, click NAC Network Access Zone Policies.

b Click Save in the File Download dialog box, select a location and optionally change the file name, click Save, then click Close.

3 Click Import to load network access zones from a saved .zip file.

a In the Import Network Access Zone page, type a file name or click Browse to locate a previously exported network access zone file.

b Click OK in the File Download dialog box.

McAfee NAC client policies

The McAfee NAC client policy configures how the McAfee NAC client operates. This policy type is managed from the ePolicy Orchestrator Policy Catalog, and is assigned to managed systems using assignment mechanisms such as the System Tree.

Depending on your network structure or organizational needs, you can use more than one McAfee NAC client policy.

You can create a new policy, or edit, view, duplicate, export, rename, and delete an existing policy. You cannot edit, rename, export, or delete the supplied McAfee Default policy.

Configuration options

The primary task to perform with a McAfee NAC client policy is to set the configuration options you require. The configuration options are:

• Enforcement method — Sets the type of enforcement to use. The Microsoft Network Access Protection option is valid only for client systems running Windows operating systems, and does not work for systems running a supported Mac OS or Linux operating system.

• Delay Remediation And Enforcement Settings — Delays the remediation and enforcement process based on the configured interval, to perform any other important activity that might otherwise affect network access.

• Scan results — Sets how much detail is reported to the McAfee NAC manager for each managed system assessment.

• Automatic remediation — Sets whether automatic remediation is enabled and, if so, the credentials to use for running the remediation commands.

• System tray icon — Sets whether to display the McAfee system tray icon on managed systems.

• Unhealthy host scan setting — Invokes a scan when the host is assessed as unhealthy.


• Periodic identification — Specifies whether you want the McAfee NAC client to send an identification message out on the network. If enabled, the message is sent every 60 seconds. This option is useful only if you are also using McAfee Network Security Platform, and you have managed systems on your network that use firewall software that blocks the communication port (8443 by default) used by a McAfee® Network Security Sensor for client identification requests.

• Sensor settings — Specifies whether to receive sensor details dynamically or statically.

This setting takes effect only when scalability is enabled in the NACServer.properties file of the McAfee NAC server, with these parameters:

• enable.client.sensor.channel=true

• periodic.message.version=3

When is the policy downloaded to the client

Once you create or edit a McAfee NAC client policy, it is downloaded to the McAfee NAC client:

• The next time the McAfee Agent performs an agent-to-server communication

• When a manual or scheduled agent wake-up call occurs

• When a system is scanned with an older policy

Default client policies

When the software is installed, two default network access policies are added to the Policy Catalog:

• Network Access Client Policy Default — Cannot be edited but can be duplicated to create your own policies

• My Default — Can be edited, duplicated, and renamed

The default configuration is to use the McAfee NAC client as the enforcer, report all benchmark and rule information, disable automatic remediation, show the system tray icon on managed systems, and disable the periodic identification message.

Create and modify McAfee NAC client policies

When installed, McAfee NAC includes default McAfee NAC client policies named Network Access Client Policy Default and My Default. You can create a new policy or modify the default policies.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Policy | Policy Catalog.

2 For the Product field, select Network Access Control Client 4.0.0, and in the Category field, select General.

3 Click New Policy, or click Duplicate in the Actions column of an existing policy.

4 Type a name for the new policy, then click OK.

a Select an enforcement method and the level of detail you want for scan results.

b Select whether to enable automatic remediation and the type of credentials to use.

For automatic remediation to work, you must also specify a remediation command in a benchmark rule and enable automatic remediation for the benchmark.


c Specify whether to display the McAfee system tray icon on managed systems.

d Specify whether you want to send a periodic identification message. If enabled, the message is sent every 60 seconds.

5 Click Save.


5 Using exemptions

Exemptions allow you to exclude specific systems and devices, such as printers, from your overall network security policy. They prevent specified systems and devices from being assessed (scanned) or enforced.

Contents

Types of exemptions
Enforcement exemptions
Scan exemptions
How system classification affects exemptions
How exemption rules work
Using an imported exemption list
How manual exemptions work

Types of exemptions

Specifies the types of exemptions and how you can designate an exemption by various methods.

There are two types of exemptions:

• Enforcement exemptions

• Scan (assessment) exemptions

You can designate an exemption by:

• Creating an exemption rule

• Creating a text file of system MAC addresses and importing it (this method can be used only for creating scan exemptions)

• Marking one or more systems, using Set NAC exempt, from a summary report or system detail page

Exempt systems are always placed in a special Exempt network access zone, which imposes no access restrictions.

The McAfee NAC manager stores information about all exempt systems and their status. You can view this information using several predefined McAfee NAC dashboard monitors, or by creating your own custom monitors. From summary reports and system detail pages, you can initiate actions and affect the status of systems manually.

For information about which monitors display information about exempt systems, and the manual actions that administrators can use, see Dashboards, monitors, and queries.


Enforcement exemptions

An enforcement exemption designates that a system is never enforced, no matter what its assessed health level or how many benchmark rules it fails. Systems that have enforcement exemptions are assessed (scanned) and their system health determined according to the applicable system health policies.

The scan results for exempt systems are reported to the McAfee NAC manager, and if a system is unhealthy, no enforcement is applied and the system is not subject to any access restrictions designated by your network access policies.

Enforcement exemptions are typically used on systems or devices that can host the McAfee NAC client or guest client, but they can be used for any device on your network.

You can view all exempt systems using the NAC: Exemption Status monitor. Exempt systems also appear in other NAC monitors, and you can initiate actions on systems manually from various report pages. See Dashboards, monitors, and queries.

Although you can use the Modify health level action to change the health status of an enforcement-exempt system, we do not recommend this action because it overrides the system's enforced health level, but does not affect the system's network access status or its applied network access zone.

If automatic remediation commands are specified for failed benchmark rules and the feature is enabled (both in the benchmark and the McAfee NAC client policy), the McAfee NAC client, acting as the remediator, tries to run any designated commands to fix the system.

If you are using an enforcer other than the McAfee NAC client, see Using McAfee NAC with Microsoft NAP or Using McAfee NAC with McAfee Network Security Platform.

Scan exemptions

A scan exemption designates that a system is never assessed and never enforced (the system is exempt from enforcement).

As a result, the only information the McAfee NAC manager knows about these systems is what a detector provides. See Detectors and how they operate.

You can view all exempt systems using the McAfee NAC Exemption Status monitor. Lists of exempt systems also appear in other NAC monitors, and you can initiate actions on systems manually from various report pages. See Dashboards, monitors, and queries.

A scan exemption can be assigned to any system or device, regardless of whether it can host the McAfee NAC client or guest client. Typically, you use scan exemptions for printers, scanners, and other network devices that:

• Cannot host an assessor

• Do not store data

• Pose little or no security risk

The McAfee NAC manager always considers a scan-exempt system or device as healthy. As a result, manual attempts by an administrator to change the health level of such systems are ignored. Also, access restrictions cannot be imposed on scan-exempt systems. For instance, the network access zone mapped to the Healthy health level in your network access policies is never used on these systems.


How system classification affects exemptions

Depending on the method used to designate exemptions, you can make any of the system classifications (managed, unmanaged, unmanageable, and unenforceable) scan- or enforcement-exempt. The usefulness of applying an exemption to various systems often depends on your knowledge of a specific system, device, or system user.

System classification: Managed

Enforcement exemption: Can be used to prevent network access restrictions from being applied to critical systems, such as servers.

Scan exemption: Only recommended for critical systems that might be affected by the extra processor load of running a scan.

System classification: Unmanaged

Enforcement exemption: Only recommended for trusted guests or visitors whose systems you do not want to impact by your network security policy.

Scan exemption: Not recommended. Unmanaged systems typically present a security risk to your network. Unmanaged systems can be assessed using the guest client.

System classification: Unmanageable

Enforcement exemption: Not recommended. There is no method for assessing the health of an unmanageable system (it cannot host an assessor). Assigning an enforcement exemption to these systems is possible, but not useful.

Scan exemption: Recommended. Unmanageable systems cannot be assessed. As a result, the only information the McAfee NAC manager knows about these systems is what a detector provides. Printers, FAX machines, and similar devices fall into this category.

System classification: Unenforceable

Enforcement exemption: Not recommended. Typically, unenforceable systems are ones that cannot be enforced by the McAfee NAC client or guest client, or for which the McAfee NAC manager has not received an enforcement status. As a result, the only information the McAfee NAC manager knows about these systems is what a detector provides.

Scan exemption: Only recommended for systems or devices that:

• Can be guaranteed to pose no security risk

• Cannot host the McAfee NAC client (the McAfee NAC client cannot be the enforcer)

• You do not want enforced by one of the other supported enforcers

Typically, the classification of a system as unenforceable is rare. You can best deal with such a system using methods other than exemptions. The most common use of exemptions is for devices like printers that are unmanageable, and for critical managed systems that you cannot afford to have affected by network access restrictions.

If you have unmanageable systems on your network, you might want to make these exempt from assessment; otherwise, the assessed health level of these systems is reported as Unknown.

How exemption rules work

An exemption rule allows you to specify properties that identify systems on your network, and designate whether those systems are exempt from scans or from enforcement. The properties allow identification of single systems or groups of systems with similar attributes, such as printers or servers.

Depending on the properties used to specify an exemption rule, it is possible to make any of the four system classifications exempt (managed, unmanaged, unmanageable, and unenforceable). You can create as many exemption rules as needed for your environment.

Systems that are marked as exemptions by a rule cannot have their exemption status removed manually using the Remove NAC exempt action. To remove such a system's exemption status, you must delete or modify the rule so that the system is no longer identified by the rule's properties.


If a system is exempt from scans or enforcement by application of a rule, you can change the exemption type using Set NAC exempt. This changes the System Status from "exempt by rule" to "exempt by administrator." To return the system to its "exempt by rule" status, use Remove NAC exempt.

Once an exemption rule is created, it is applied to systems only after they are detected. If you create a rule and it reports zero systems, it might mean that the systems have not yet been detected.

When are systems detected

Systems are detected when:

• The McAfee NAC client reports a managed system to the McAfee NAC manager.

• A Rogue System Sensor identifies a system.

• A McAfee® Network Security Sensor identifies a system.

Scan exemption rules are intended for any system on your network you do not need or want assessed for compliance with your health policies. Typically, these would be printers, fax machines, and other similar devices, but might also include unmanageable systems with unsupported operating systems. A scan exemption implies that the system is also exempt from enforcement.

Enforcement exemption rules are intended only for managed systems. However, it is possible to create a rule that includes systems that are unmanaged or unmanageable. If this occurs, these systems might be difficult to identify. It is also important to consider the implications of enforcement exemptions if you are using McAfee Network Access Control with McAfee Network Security Platform or Microsoft Network Access Protection. See the appropriate deployment option chapter.

When to create enforcement exemption rules

McAfee recommends that you create enforcement exemption rules only after you:

• Allow systems to be detected and known to the McAfee NAC manager

• Test your system health policies in Audit Only mode

Exemption rules can be imported and exported as XML files. When importing exemption rules, you have the option of overwriting any existing exemption rules in the process. If you overwrite, all the existing rules are deleted and replaced with the rules you import.

Exemption rule structure

An exemption rule consists of:

• Identifying information (a name and description of the rule)

• An exemption type (scan or enforcement)

• System selection criteria, written as a set of logic rules

The naming convention for an exemption rule is:

• A combination of alpha-numeric characters, whitespace, underscores, and hyphens

• A minimum of one character and a maximum of 64 characters

• Must begin with a letter or number

Export exemption rules

You can export (save to disk) all your McAfee NAC exemption rules in an XML file. The default file name is NAC_Exemption_Rules.xml.


Task

For option definitions, click ? in the interface.

1 Go to Menu | Risk & Compliance | Network Access Control, and select Exemption Rules from the left column.

2 Click Export Rules.

3 At the Download File page, right-click the link and select Save Target As.

4 Navigate to the location where you want to save the file, rename the file if desired, then click Save.

5 Click Close.

Import exemption rules

You can load McAfee NAC exemption rules that were previously saved to disk.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Risk & Compliance | Network Access Control, and select Exemption Rules from the left column.

2 Click Import Rules.

3 In the Import Exemption Rules dialog box, click Browse, navigate to and select the XML file containing exemption rules, then click Open.

4 To overwrite the exemption rules stored by the Network Access Control manager, select Overwrite the exemption rules that already exist.

If you are adding more rules to the existing set, do not select the Overwrite option.

5 Click OK to load the file.

Using an imported exemption list

An exemption list allows you to specify systems by MAC address in a text file, then import the file to create scan exemptions for those systems or devices. With an exemption list, you can make any of the system classifications exempt from scans (managed, unmanaged, unmanageable, and unenforceable).

All systems you import have their System Status set to Scan exemption by administrator. For information about administrator interaction with these systems, see Manual control of exemptions.

This feature provides a quick way to create scan exemptions for devices like printers and FAX machines that cannot host the McAfee Agent or McAfee NAC client. Such a device would be unmanageable, and if you are only using McAfee NAC, would also be unenforceable. If you use this method and a device is unmanageable, manually removing or changing the exemption on one of these systems might not produce the desired result.

The imported list must be an ANSI encoded text file containing a comma-separated list of MAC addresses. The MAC addresses must be:

• Listed on one line (no carriage returns or line feeds allowed)

• Separated by a comma or a comma then a space


• Entered using any of these formats:

• No separator (001122334455)

• Hyphen separator (00-11-22-33-44-55)

• Colon separator (00:11:22:33:44:55)

If your text file contains more than one line, only the MAC addresses listed before the first carriage return and/or line feed are imported.

Create an exempt systems list

You can create a text file that contains a list of systems that you want to exempt from scanning.

Task

For option definitions, click ? in the interface.

1 Open a text editor and create a new file.

2 Type the MAC address of a system, using one of these formats:

• No separator (001122334455)

• Hyphen separator (00-11-22-33-44-55)

• Colon separator (00:11:22:33:44:55)

3 Type additional MAC addresses, separating each with a comma. For example:

001122334455, 002244668899, 113355774488

4 Save the file, making sure the extension is .txt and the encoding is ANSI.

5 Import the exempt systems list (see Importing an exempt systems list for instructions).
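Because everything after the first line break is silently dropped and a malformed address creates no exemption, it pays to pre-check the file before importing it. The following Python script is an added example, not part of the product guide: it reads the file the way the format rules above describe (ANSI, assumed here to mean the Windows-1252 code page; one line; comma or comma-and-space separators; the three MAC layouts), warns about a Unicode byte-order mark, normalizes accepted addresses, and reports rejected, duplicate and dropped entries. The function names and the sample file bytes are the example's own.

```python
import re
from dataclasses import dataclass, field

# The three MAC address layouts the import accepts: no separator, hyphens, colons.
MAC_LAYOUTS = (
    re.compile(r"^[0-9A-Fa-f]{12}$"),
    re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$"),
    re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$"),
)

# Constructed sample file: three valid entries, one typo, and a second line the import would ignore.
SAMPLE_FILE = b"001122334455, 00-22-44-66-88-99,11:33:55:77:44:88, 0011223344GG\r\nAA-BB-CC-DD-EE-FF\n"


@dataclass
class ExemptListCheck:
    accepted: list = field(default_factory=list)  # normalized addresses the import would exempt
    rejected: list = field(default_factory=list)  # (entry, reason) for entries in no supported layout
    ignored: list = field(default_factory=list)   # entries after the first CR/LF; the import drops them
    warnings: list = field(default_factory=list)


def normalize_mac(entry):
    """Return the address as AA:BB:CC:DD:EE:FF, or None if it is in none of the three layouts."""
    if not any(layout.match(entry) for layout in MAC_LAYOUTS):
        return None
    digits = entry.replace("-", "").replace(":", "").upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_exempt_list(raw):
    """Pre-flight the raw bytes of an exempt systems list the way the import reads them."""
    result = ExemptListCheck()
    # An ANSI file has no byte-order mark; a BOM means the editor saved the file as Unicode.
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        result.warnings.append("UTF-16 byte-order mark found: save the file as ANSI")
        text = raw.decode("utf-16", errors="replace")
    else:
        if raw.startswith(b"\xef\xbb\xbf"):
            result.warnings.append("UTF-8 byte-order mark found: save the file as ANSI")
            raw = raw[3:]
        text = raw.decode("cp1252", errors="replace")

    # Only the text before the first carriage return or line feed is imported.
    cut = re.search(r"[\r\n]", text)
    first_line, rest = (text, "") if cut is None else (text[:cut.start()], text[cut.end():])
    result.ignored = [e for e in re.split(r"[,\s]+", rest) if e]
    if result.ignored:
        count = len(result.ignored)
        result.warnings.append("%d %s after the first line break would not be imported"
                               % (count, "entry" if count == 1 else "entries"))

    # Entries are separated by a comma, optionally followed by a space.
    seen = set()
    for entry in first_line.split(","):
        entry = entry.strip()
        if not entry:
            result.warnings.append("empty entry (stray comma) skipped")
            continue
        mac = normalize_mac(entry)
        if mac is None:
            result.rejected.append((entry, "not a MAC address in a supported layout"))
        elif mac in seen:
            result.warnings.append("duplicate address %s" % mac)
        else:
            seen.add(mac)
            result.accepted.append(mac)
    return result


if __name__ == "__main__":
    report = check_exempt_list(SAMPLE_FILE)
    print("would import:", report.accepted)
    print("rejected:", report.rejected)
    print("ignored:", report.ignored)
    for warning in report.warnings:
        print("warning:", warning)
```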

Create exemption rules

Create and edit an exemption rule, to exclude critical servers from scan or enforcement.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Risk & Compliance | Network Access Control, then select Exemption Rules from the left column.

2 Click New, or to edit an existing rule, click Edit in the Actions column.

3 On the Description page of the Exemption Rules Builder, type a name and description.

4 For Type, specify whether the rule is a scan exemption (the system is never scanned) or an enforcement exemption (the system is scanned and the results reported, but no enforcement occurs if it is not compliant), then click Next.

5 On the Select Systems page, select properties from the left column as criteria for selecting systems to apply the rule, then click Next. You must use at least one, but you can specify as many criteria as needed.

6 Review the rule definition on the Summary page, then click Save.

Import an exempt systems list

You can import a text file containing a comma-separated list of MAC addresses to systems on your network. A scan exemption is created for each system. This import list is only for scan exemptions.


Task

For option definitions, click ? in the interface.

1 Go to Menu | Risk & Compliance | Network Access Control, then select Exemption Rules from the left column.

2 Click Import Exempt Systems.

3 In the Import Exempt Systems dialog box, click Browse, navigate to and select the text file containing the list of system MAC addresses, then click Open.

4 Click OK to load the file.

How manual exemptions work

McAfee NAC has two commands that you can use to change the exemption status of systems manually.

Command: Set NAC exempt

Description: Sets the exemption status of selected systems. You can specify a scan exemption or enforcement exemption. This action changes the value of these fields: Exemption Status, Network Access Status, Network Access Zone, and System Status.

Command: Remove NAC exempt

Description: Removes the exemption designation from the selected systems. This command is ignored for systems that are exempt by rule.

These commands are available when viewing information about one or more systems on summary and system detail pages. Typically, you access these pages through McAfee NAC dashboard monitors, or by running queries. The command options are listed in a dialog box. Verify that the requested action was successful by checking the ePolicy Orchestrator message window. Also check the data values on the summary or system detail pages, specifically the System Status and Exemption Status fields.

If you change a system's status from exempt to non-exempt, McAfee recommends that you run a scan of the system as soon as possible. You can do this by using Request scan, which is also available on most summary and system detail pages.
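The precedence between rule-based and administrator-set exemptions described in How exemption rules work and by the two commands above, modelled as an added Python example (not product code): rules take effect only after detection, Remove NAC exempt is ignored for a system that is exempt only by rule, Set NAC exempt overrides the rule until Remove NAC exempt returns the system to its exempt-by-rule status, and a scan-exempt system stays Healthy regardless of Modify health level. The ExemptionRule predicate, the DetectedSystem fields and the "Not exempt" status string are simplifications assumed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

EXEMPT_ZONE = "Exempt"  # exempt systems are always placed in this special network access zone


@dataclass
class ExemptionRule:
    name: str
    exemption_type: str                           # "scan" or "enforcement"
    matches: Callable[["DetectedSystem"], bool]   # stand-in for the rule's system selection criteria


@dataclass
class DetectedSystem:
    host_id: str
    classification: str                           # managed, unmanaged, unmanageable or unenforceable
    detected: bool = False                        # rules take effect only once a detector reports the system
    by_rule: Optional[str] = None                 # exemption type assigned by a rule
    by_admin: Optional[str] = None                # exemption type assigned with Set NAC exempt
    health_level: str = "Unknown"
    network_access_zone: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def exemption_type(self):
        """The administrator's setting takes precedence over the rule's."""
        return self.by_admin or self.by_rule

    def system_status(self):
        if self.by_admin:
            return "%s exemption by administrator" % self.by_admin.capitalize()
        if self.by_rule:
            return "%s exemption by rule" % self.by_rule.capitalize()
        return "Not exempt"   # constructed label; the product shows its own status text


def _apply_exempt_state(system):
    """Any exempt system sits in the Exempt zone; a scan-exempt system is always Healthy."""
    if system.exemption_type():
        system.network_access_zone = EXEMPT_ZONE
    if system.exemption_type() == "scan":
        system.health_level = "Healthy"


def apply_rules(system, rules):
    """Re-evaluate exemption rules for a system; a rule applies only after detection."""
    if not system.detected:
        system.log.append("rules not evaluated: system not yet detected")
        return
    hit = next((rule for rule in rules if rule.matches(system)), None)
    system.by_rule = hit.exemption_type if hit else None
    _apply_exempt_state(system)


def set_nac_exempt(system, exemption_type):
    """Set NAC exempt: changes a rule-based status into an administrator-based one."""
    system.by_admin = exemption_type
    _apply_exempt_state(system)
    system.log.append("Set NAC exempt -> %s" % system.system_status())


def remove_nac_exempt(system):
    """Remove NAC exempt: ignored when the only exemption comes from a rule. Returns True if applied."""
    if system.by_admin is None:
        reason = "exempt by rule; delete or modify the rule instead" if system.by_rule else "system is not exempt"
        system.log.append("Remove NAC exempt ignored: " + reason)
        return False
    system.by_admin = None
    if system.by_rule:                            # the system returns to its exempt-by-rule status
        _apply_exempt_state(system)
        system.log.append("Remove NAC exempt -> %s" % system.system_status())
    else:
        system.network_access_zone = None
        system.health_level = "Unknown"           # unknown until the recommended Request scan runs
        system.log.append("Remove NAC exempt -> not exempt; request a scan as soon as possible")
    return True


def modify_health_level(system, level):
    """Modify health level: ignored for scan-exempt systems; never moves an exempt system out of its zone."""
    if system.exemption_type() == "scan":
        system.log.append("Modify health level ignored: scan-exempt systems are always Healthy")
        return False
    system.health_level = level
    return True
```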


6 Remediation of unhealthy systems

Remediation is the process of updating a system to make it compliant with your system health policies. A system is assigned a health level depending on whether it passes all applicable system health policies. If a system fails any policy rules, it is assigned the health level associated with the failed rule.

The network access policy assigned to the system determines which network access zone the system is restricted to, based on which health level was assigned, until it is brought back into compliance.

Once a user has taken the appropriate steps to remediate a noncompliant system, a rescan can be requested. This can be done through the McAfee system tray. If the rescan assesses the system as compliant, the system is moved back to the network access zone that is appropriate for healthy systems.

Contents

Types of remediation

Automatic remediation

Manual remediation

Types of remediation

McAfee NAC provides automatic remediation, and a guest portal that you can use for manual remediation.

Automatic remediation is part of your policy configurations, and allows you to specify commands, batch files, or scripts that run automatically after a system is scanned and one or more benchmark rules have failed.

Manual remediation means that you provide information to users about how to fix their systems, either by setting up your own remediation web page or by modifying the guest portal. The guest portal provides a location where users of unmanaged systems can download the McAfee NAC guest client. McAfee does not support it as a remediation portal. See Manual remediation.


Automatic remediation

For managed systems, you can set automatic remediation options as part of the definition of your benchmark rules. When a managed system fails a rule, McAfee NAC attempts to remediate the system automatically.

To use automatic remediation, you must:

• Enable automatic remediation and specify the credentials to use in your McAfee NAC client policies.

• Enable automatic remediation for each benchmark that contains remediation commands, scripts, or batch files you want to run.

• Specify your command, script, or batch file information for each benchmark rule in the NAC Remediation Command and NAC Remediation Command Parameters fields. Note that a rule can run only a single command, script, or batch file.

Because remediation commands are specified at the benchmark rule level, you can tailor the remediation action to each rule. Also, enabling the automatic remediation option at the benchmark level does not mean you must specify remediation commands for any particular benchmark rule. You can have commands for some rules and not others.

A remediation command is specified on the Properties page of the Benchmark Editor's Rule Builder. Only one remediation command is allowed. If you need to run more than one executable as a remediation response, you can specify a script or a batch file. Type a remediation command as if you were typing it at a Windows command prompt. A separate field is used to specify command parameters, also typed as if on a command line.

For example, to run a batch file, you specify the Windows Command executable (cmd.exe) in the NAC Remediation Command field, and the full path to the batch file in the NAC Remediation Command Parameters field. The path used for the location of the batch file might be dependent on the credentials specified for the Automatic remediation option in the McAfee NAC client policy.

Field name on the Properties page of the Rule Builder | What to type

NAC Remediation Command | %windir%\system32\cmd.exe or %comspec%

NAC Remediation Command Parameters | <full_pathname>\<name>.bat

If you use these automatic remediation options, you can include information in the noncompliance message of the system health policy. This way, you can inform users about the actions that have been taken, and whether they should attempt a rescan immediately or take further manual remediation steps.

Automatic McAfee Agent update task

One option for automatic remediation is to run a McAfee Agent update task. You do this by specifying $MAUPDATENOW in the NAC Remediation Command field for a benchmark rule. This task updates all products for the McAfee Agent, not just McAfee NAC.

Running the agent update task is useful when your benchmark rules have checks that require regular content updates for McAfee point-products, such as the detection definition (DAT) files for VirusScan Enterprise.


Common remediation commands

Here are examples of some common remediation commands, which are entered on a per rule basis in your benchmarks. You must enable automatic remediation for the benchmark, and you must enable the Auto-remediation option in your McAfee NAC client policies.

To do this: Run a McAfee Agent UpdateNow command for DAT updates and other product content updates
Use this command: $MAUPDATENOW
Use these parameters: <leave blank>

To do this: Execute a file from a remote share
Use this command: %ComSpec%
Use these parameters: /C "<server>\<share>\<file>"
For example: /C "\\172.16.1.50\sharedfolder\bginfo.exe"

To do this: Copy a file from a remote share
Use this command: %ComSpec%
Use these parameters: /C copy "<server>\<share>\<file>" "<Local folder>"
For example: /C copy "\\172.16.1.50\sharedfolder\bginfo.exe" "C:\utils\"

To do this: Execute group policy type commands, such as enabling the Vista firewall
Use this command: %ComSpec%
Use these parameters: /C GPUpdate.exe /force

To do this: Set a value, such as disabling the Administrator account
Use this command: %ComSpec%
Use these parameters: /C net user Administrator /active:no

To do this: Add a registry value, such as Restrict Anonymous to named pipes and shares
Use this command: %ComSpec%
Use these parameters: /C Reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v restrictnullsessaccess /t REG_DWORD /d 1 /f

To do this: Launch a browser to a specific page, such as Windows update
Use this command: %ComSpec%
Use these parameters: /C "C:\Program Files\Internet Explorer\iexplore.exe" http://update.microsoft.com
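The following Python review function is an added example (not part of the product guide or the product) for checking what a benchmark rule's NAC Remediation Command and NAC Remediation Command Parameters values actually run on the client before the rule is enabled: it classifies the pair as an agent update, a command-processor launch or a direct executable, extracts the program or built-in that executes, and flags $MAUPDATENOW with parameters, an unrooted command name, and anything run or copied from a remote share, since that content executes under the credentials in the McAfee NAC client policy. The function names, the finding texts and the sample rule list (four rows from the table above plus two constructed mistakes) are the example's own; treating a bare cmd.exe like %ComSpec% and stripping an optional /C or /K prefix are assumptions.

```python
import re
from dataclasses import dataclass, field

AGENT_UPDATE_TOKEN = "$MAUPDATENOW"
# Values the guide gives for the NAC Remediation Command field that launch the Windows command
# processor; the bare "cmd.exe" form is an assumption of this example.
COMMAND_PROCESSORS = {"%windir%\\system32\\cmd.exe", "%comspec%", "cmd.exe"}
UNC_SHARE = re.compile(r"\\\\[^\\\s\"]+\\[^\\\s\"]+")        # \\server\share
ROOTED = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%\\|\\\\)")     # C:\..., %windir%\..., \\server\...
FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]*)"|(\S+))')        # quoted or bare first argument

# Constructed benchmark rules: the first four are the table's own values, the last two are mistakes.
SAMPLE_RULES = [
    ("DAT up to date", "$MAUPDATENOW", ""),
    ("Run tool from share", "%ComSpec%", '/C "\\\\172.16.1.50\\sharedfolder\\bginfo.exe"'),
    ("Firewall policy", "%ComSpec%", "/C GPUpdate.exe /force"),
    ("Disable Administrator", "%ComSpec%", "/C net user Administrator /active:no"),
    ("Agent update, wrong params", "$MAUPDATENOW", "/force"),
    ("Unrooted fixer", "fixdat.exe", "/quiet"),
]


@dataclass
class RemediationReview:
    mechanism: str                 # "agent-update", "command-processor" or "direct"
    runs: str                      # the program or built-in that actually executes on the client
    findings: list = field(default_factory=list)


def review_remediation(command, parameters):
    """Review one rule's NAC Remediation Command and NAC Remediation Command Parameters values."""
    cmd, params = command.strip(), parameters.strip()
    findings = []
    if cmd.upper() == AGENT_UPDATE_TOKEN:
        if params:
            findings.append("$MAUPDATENOW takes no parameters; leave the parameters field blank")
        return RemediationReview("agent-update", "McAfee Agent update task", findings)
    if cmd.lower() in COMMAND_PROCESSORS:
        # cmd.exe /C <command line>: the real payload is the first token after /C.
        body = re.sub(r"^/[CK]\s*", "", params, flags=re.IGNORECASE)
        token = FIRST_TOKEN.match(body)
        runs = ""
        if token:
            runs = token.group(1) if token.group(1) is not None else token.group(2)
        mechanism = "command-processor"
        if not runs:
            findings.append("command processor launched with nothing to run")
    else:
        runs, mechanism = cmd, "direct"
        if not ROOTED.match(cmd):
            findings.append("command is not a rooted path; lookup depends on the remediation account's PATH")
    # Anything fetched from a share runs or is copied under the remediation credentials.
    for share in dict.fromkeys(UNC_SHARE.findall(cmd + " " + params)):
        findings.append("uses remote share %s under the remediation credentials; "
                        "keep that share read-only for the remediation account" % share)
    return RemediationReview(mechanism, runs, findings)


if __name__ == "__main__":
    for name, command, parameters in SAMPLE_RULES:
        review = review_remediation(command, parameters)
        print("%-28s %-18s runs %s" % (name, review.mechanism, review.runs))
        for finding in review.findings:
            print("    - " + finding)
```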

Manual remediation

For manual remediation, you can establish a remediation portal and provide one or more pages containing information for users who need to remedy problems with their systems.

Remediation portal

Typically, your managed systems can be remediated using automatic remediation. However, your circumstances might require manual remediation for managed systems. Any unmanaged systems on your network must be remediated manually.

An important aspect of manual remediation is making sure you inform users of the remediation portal's location. Both managed system health policies and the unmanaged system policy have a Noncompliance message option that is displayed through the system tray icon on client systems. This message is the preferred and most reliable method of providing users with your remediation portal's location.


A remediation portal should always provide users with this information:

• A description of the corporate network security policy

• Remediation instructions that specify how the user's system is noncompliant, and the steps necessary to correct the problem

• A list of what must be installed for the system to be compliant (for example, resources, patches, and applications)

• Instructions for rescanning the noncompliant system once the user has corrected the problems

• A link to the guest client installer (for unmanaged systems)

Recommendations

McAfee recommends providing information or training to users about the remediation process prior to switching your system health policies to full enforcement mode.

After users perform the necessary remediation steps, we recommend that they start a scan to determine whether their system is now healthy. Users can start a scan using the McAfee system tray.

McAfee NAC includes a guest portal that you can install. However, the guest portal, as designed, is intended only for downloading the guest client to unmanaged systems. You can include manual remediation instructions, but you might find it is easier to use your existing internal web server.

Using guest portal for manual remediation

If you decide to use the McAfee guest portal for manual remediation, you must:

• Install the guest portal

• Customize the portal file, and optionally add additional pages as needed for remediation instructions and links to remediation resources

For information about installing and uninstalling the guest portal, see Installation.

Elements needed for manual remediation

To allow users to fix their systems through use of a remediation portal, you need to set up and make available certain elements.

Remediation element: Remediation portal

Description: A web server that hosts one or more pages, which provide users with the resources they need to fix an unhealthy system.

Remediation element: Remediation web pages

Description: One or more web pages that provide users with information about your corporate security policies, the steps they must take to correct the situation, and links to resources they must install to correct problems.

Remediation element: Noncompliance message in system health policies (optional, but recommended)

Description: A message that displays on a user's system after a scan determines that a rule has failed. A specific message can be written for every system health policy.

Remediation element: Access to the McAfee NAC guest client (for unmanaged systems)

Description: One of the pages on your remediation portal should provide a link for downloading the guest client. This is only important for unmanaged systems. Managed systems use their installed McAfee NAC client for scanning.


Remediation resources users must access

Your network access zones must provide access to the remediation resources needed by noncompliant systems.

In the resource list of each "Allow Access" type zone, be sure to include:

• Your default IP gateway

• The web server hosting your remediation portal pages

• All file servers and other systems that have links from your portal

To avoid issues with the availability of remediation resources, McAfee recommends locating the remediation portal on the ePolicy Orchestrator server. Access to the ePolicy Orchestrator server is always available from any network access zone.


7 Dashboards, monitors, and queries

To monitor network access and security, you use the ePolicy Orchestrator dashboard, monitor, and query features. Dashboards consist of monitors, and monitors are based on queries. Dashboards have many options for the display layout. Most default dashboards contain six monitors. For details about these features, see the documentation for your version of ePolicy Orchestrator.

Contents

McAfee NAC dashboards and monitors

Queries for network access monitoring

Create McAfee NAC monitors

Create McAfee NAC monitors with ePolicy Orchestrator

Run McAfee NAC queries

McAfee NAC dashboards and monitors

Administrators use dashboards to monitor network access control information. Dashboards contain informational monitors that show the state or status of systems, and other data stored by the McAfee NAC manager.

McAfee NAC 4.0 provides:

• A default NAC Summary dashboard

• Predefined queries you can use as monitors for system health, enforcement, benchmark assessment, exemptions, and more

You can modify the NAC Summary dashboard to suit your needs, or create additional custom dashboards. Similarly, custom queries can be created to form monitors for displaying other information stored by the Network Access Control manager (see Useful queries for McAfee NAC monitors).

Monitors are updated based on the refresh interval setting, or manually using the Refresh button.

The predefined NAC Summary dashboard contains six monitors, explained in the following table.


Table 7-1 Monitors in the NAC Summary dashboard

Monitor name: NAC: System Health Status

Description: Presents a pie chart that shows the current health status of every detected system on your network. Systems are identified by their Host ID value. The System Health Status represents the overall assessed health level of the system from benchmarks that are set to either Enforce or Audit Only mode. It reports the system health level of each system on your network, and the number of systems in each health level.

Monitor name: NAC: Network Access Status

Description: Presents a pie chart that shows the current network access status of every detected system on your network. Systems are identified by their Host ID value. The Network Access Status represents the current state of access restrictions applied to all systems on your network. The values are either a network access zone name, or one of the following: None, Exempt, Disconnected, Full Access, NAP Full Access, NAP Limited Access, NAP-Not capable.

Monitor name: NAC: Exemption Status

Description: Presents a pie chart that shows the current exemption status of every detected system on your network. It reports the type of exemption (scan or enforcement) and how many systems are marked with each exemption type.

Monitor name: NAC: Client Enforcement Method

Description: Presents a pie chart that shows the enforcement method used for every detected system on your network. It reports the enforcement types being used (host-based, network-based, or NAP-based), and the number of systems using each enforcement type.

Monitor name: NAC: Top 5 Failed Benchmarks

Description: Presents a summary table that shows benchmark IDs. It reports the five benchmarks in Enforce mode that have failed most often, and the number of systems that have failed each benchmark.

Monitor name: NAC: Client Version Summary

Description: Presents a summary table that shows the version number of all the NAC clients that have been deployed to systems, and the number of systems with each version of the client.

For details about the queries used by these monitors, see Queries for network access monitoring.

Queries for network access monitoring

Queries allow you to construct a report from information stored by the McAfee NAC manager, such as system health status and network access status.

McAfee NAC combines its database tables with the ePolicy Orchestrator database tables; therefore, the data you can query consists of the combined ePolicy Orchestrator, Rogue System Detection, and McAfee NAC data.

Typically, the data specific to McAfee NAC and Rogue System Detection is of most interest to administrators.

Queries are accessed by clicking Menu | Reporting | Queries & Reports. All predefined McAfee NAC queries begin with NAC: followed by a descriptive name.

Queries can be run on their own, or used as dashboard monitors. You can use the default queries supplied with the product, and create your own.

Default McAfee NAC queries

McAfee NAC supplies several default queries you can use as monitors.


Query name: Client Enforcement Method
Result type: NAC Detected System Status
Chart label: Enforcement Method
Chart values: Host ID
Description: Displays a pie chart that shows the different enforcement methods (host-based, network-based, or NAP-based) currently being used for all detected managed systems, and the number of systems using each method.
Filter: Detected System field "Ignored" is false.

Query name: Exemption Status
Result type: NAC Detected System Status
Chart label: Exemption Status
Chart values: Host ID
Description: Displays a pie chart that shows the systems that currently have exemptions, and which exemption type. Only shows systems that have been detected.
Filter: Detected System field "Ignored" is false.

Query name: NAC client version summary
Result type: NAC Detected System Status
Chart label: Client version
Chart values: Host ID
Description: Displays a table that shows the version number of the NAC client installed on all detected managed systems. Reports the version numbers of the NAC clients that have been deployed to systems, and the number of systems with each version number.
Filter: Detected System field "Ignored" is false.

Query name: Network Access Status
Result type: NAC Detected System Status
Chart label: Network Access Status
Chart values: Host ID
Description: Displays a pie chart that shows the access status of all detected managed systems. The values are either a network access zone name, or one of the following: None, Exempt, Disconnected, Full Access, NAP Full Access, NAP Limited Access, NAP-Not capable.
Filter: Detected System field "Ignored" is false.

Query name: System Health Status
Result type: NAC Detected System Status
Chart label: System Health Status
Chart values: Host ID
Description: Displays a pie chart that shows the system health of all detected managed systems and the number of systems in each health level.
Filter: Detected System field "Ignored" is false.

Query name: Top 5 Failed Benchmarks
Result type: NAC Current Benchmark Results
Chart label: Benchmark ID
Chart values: Host ID
Description: Displays a table that shows the IDs of the five benchmarks that had a rule failure most often. This includes benchmarks that are set to either Enforce or Audit mode. The query applies to all known systems. Reports the five benchmarks in Enforce mode that have failed most often, and the number of systems that have failed each benchmark.
Filter: Current Benchmark Results field "Benchmark Error Code" equals 0; AND Current Benchmark Results field "Health Level" not equal to Healthy; AND Detected System field "Ignored" is false.

Query name: Top 5 Failed Benchmarks in Audit Mode
Result type: NAC Current Benchmark Results
Chart label: Benchmark ID
Chart values: Host ID
Description: Displays a table that shows the IDs of the five benchmarks that had a rule failure most often. This query reports only the benchmarks that are set to Audit mode, and the number of systems that have failed each benchmark.
Filter: Current Benchmark Results field "Benchmark Error Code" equals 0; AND Current Benchmark Results field "Health Level" not equal to Healthy; AND Current Benchmark Results field "Enforcement Mode" equals false; AND Detected System field "Ignored" is false.
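The two Top 5 Failed Benchmarks filters above, worked through in plain Python so the counting they perform is visible. This is an added example, not McAfee code; the record layout, field names and sample data are constructed for the example and only mirror the filter text of the query table.

```python
"""Added example (not McAfee's code): the "Top 5 Failed Benchmarks" and
"Top 5 Failed Benchmarks in Audit Mode" filters applied to constructed
records shaped like the NAC Current Benchmark Results and NAC Detected
System Status result types. Field names are assumptions based on the
guide's filter text."""
from collections import defaultdict


def rec(host_id, benchmark_id, error_code, health_level, enforcement_mode):
    """One "most recent result" record for a (host, benchmark) pair."""
    return {
        "host_id": host_id,
        "benchmark_id": benchmark_id,
        "benchmark_error_code": error_code,   # 0 = assessment completed
        "health_level": health_level,         # Healthy or a failure level
        "enforcement_mode": enforcement_mode, # True = Enforce, False = Audit
    }


# Constructed sample of NAC Current Benchmark Results (one row per host/benchmark).
BENCHMARK_RESULTS = [
    rec("h1", "bm-av", 0, "Critical", True),
    rec("h2", "bm-av", 0, "Critical", True),
    rec("h3", "bm-av", 0, "Healthy", True),
    rec("h1", "bm-patch", 0, "Critical", False),
    rec("h2", "bm-patch", 0, "Critical", False),
    rec("h3", "bm-patch", 0, "Critical", False),
    rec("h4", "bm-patch", 5, "Critical", False),  # scan error: must be excluded
    rec("h5", "bm-patch", 0, "Critical", False),  # host is Ignored: excluded
    rec("h1", "bm-fw", 0, "Critical", True),
    rec("h4", "bm-disk", 0, "Healthy", False),
    rec("h2", "bm-disk", 0, "Critical", False),
]

# Constructed sample of NAC Detected System Status, keyed by Host ID.
DETECTED_SYSTEMS = {
    "h1": {"ignored": False},
    "h2": {"ignored": False},
    "h3": {"ignored": False},
    "h4": {"ignored": False},
    "h5": {"ignored": True},
}


def failed_benchmark_counts(results, systems, audit_only=False):
    """Apply the guide's filter and count distinct Host IDs per Benchmark ID.

    Filter from the query table:
      Benchmark Error Code equals 0
      AND Health Level not equal to Healthy
      AND Detected System "Ignored" is false
      AND (audit-mode query only) Enforcement Mode equals false
    """
    hosts_per_benchmark = defaultdict(set)
    for r in results:
        system = systems.get(r["host_id"])
        if system is None or system["ignored"]:
            continue  # Detected System "Ignored" is not false
        if r["benchmark_error_code"] != 0:
            continue  # the benchmark did not assess cleanly; not a rule failure
        if r["health_level"] == "Healthy":
            continue  # no rule failed
        if audit_only and r["enforcement_mode"]:
            continue  # Enforce-mode benchmark; the audit query excludes it
        hosts_per_benchmark[r["benchmark_id"]].add(r["host_id"])
    return {b: len(hosts) for b, hosts in hosts_per_benchmark.items()}


def top_failed_benchmarks(results, systems, audit_only=False, n=5):
    """Return up to n (Benchmark ID, host count) pairs, most failures first.

    Ties are broken by Benchmark ID so the output is deterministic."""
    counts = failed_benchmark_counts(results, systems, audit_only)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    print("All modes:", top_failed_benchmarks(BENCHMARK_RESULTS, DETECTED_SYSTEMS))
    print("Audit only:", top_failed_benchmarks(BENCHMARK_RESULTS, DETECTED_SYSTEMS, audit_only=True))
```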

Building your own queries

McAfee NAC exposes nine database tables you can use for constructing your own custom queries. Each table represents what is called a Result Type in the ePolicy Orchestrator Query Builder.

Most of the data you can access through queries falls into two categories: current and historical.

Result type: NAC Detected System Status
Description: A collection of data that describes a single system that has been detected, and its current status. The detected status includes identifying information about the system and status details about its health, enforcement, network access, exemptions, applied health policies; that is, its status as a known system to McAfee NAC.

Result type: NAC Current Enforcement (the most recent enforcement status event applied to a system)
Description: A collection of data that describes the current (most recent) enforcement status of a system. Enforcement status indicates whether a system is being enforced, which enforcement method (enforcer) is being used, and whether enforcement was triggered manually (by an administrator). Other information related to enforcement status is the system's health level and the network access zone to which the system is restricted.

Result type: NAC Historical Enforcement (all enforcement status events for a system)
Description: A collection of data that describes any change in the enforcement status of a system. This includes events such as changes to a system's health level, network access zone, and enforcement method or status (is it being enforced).

Result type: NAC Current Scan Results
Description: A collection of data that describes the most recent scan (assessment) results for a system. Assessment results include information such as the scan status, the assessed health level, which system health policies were assessed and which ones failed, and which benchmarks failed. It also includes information about the scan, such as when it occurred and when the next scan will occur.

Result type: NAC Historical Scan Results
Description: A collection of data that describes all assessment results for a system, from an established start point up to and including the most recent scan. The original start point for this result type is the date and time of product installation. Purging scan results or deleting scan result entries sets a new start point for the scan history.

Result type: NAC Current Benchmark Results
Description: A collection of data that describes the most recent assessment results for each benchmark used to assess any system. Benchmark results include information such as the benchmark ID and profile, which rules failed, the benchmark's enforcement mode, and the health level resulting from assessing the benchmark. It also includes information about the system that was assessed.

Result type: NAC Historical Benchmark Results
Description: A collection of data that describes all benchmark assessment results for all systems, from an established start point up to and including the most recent scan. The original start point for this result type is the date and time of product installation. Purging scan results or deleting scan result entries sets a new start point for the benchmark history.

Result type: NAC Current Rule Results
Description: A collection of data that describes the most recent assessment results for each benchmark rule used to assess any system. Rule results include information such as the rule title, the result of assessing the rule, the health level assigned when the rule fails, and the message explaining why the rule failed. Rule results are collected only when the McAfee NAC client policy is configured to gather rule information.

Result type: NAC Historical Rule Results
Description: A collection of data that describes all benchmark rule assessment results for all systems, from an established start point up to and including the most recent scan. The original start point for this result type is the date and time of product installation. Purging scan results or deleting scan result entries sets a new start point for the rule history. Rule results are collected only when the McAfee NAC client policy is configured to gather rule information.

Create McAfee NAC monitors

You can create a monitor that provides network access information.

Task

For option definitions, click ? in the interface.

1 Go to the Dashboards page or click Menu | Reporting | Dashboards.

2 Click Dashboard Actions, then select New.

3 In the New Dashboard window:

a Type a descriptive name in the Dashboard Name field.

b In Dashboard Visibility, select Private or Public, then (optionally) select Shared, with as many of the following permission sets, then click OK.

• Executive Reviewer

• Global Reviewer

• Group Admin

• Group Reviewer


4 Click Add Monitor.

a In the View drop-down list on the Monitor Gallery panel, select Queries.

b Drag the Queries monitor from the Monitor Gallery panel to the dashboard below.

c In the New Monitor window, select a NAC query from the drop-down list against Monitor Content.

All McAfee NAC queries begin with NAC:.

d In Refresh Interval, define the refresh time period for this dashboard, or select Do not refresh, then click OK.

The newly created monitor appears.

5 To add additional monitors, repeat step 4, click Save, then click Close.

Create McAfee NAC monitors with ePolicy Orchestrator

You can use ePolicy Orchestrator to create a McAfee NAC monitor.

Task

For option definitions, click ? in the interface.

1 Go to the Dashboards page or click Menu | Reporting | Dashboards.

2 Select Options | New Dashboard.

3 In the Name field, type a descriptive name.

4 From the drop-down list, select a dashboard size.

5 Choose a dashboard panel, then click New Monitor.

6 For Category, select Queries.

7 For Monitor, scroll to Shared Groups - Network Access Control, select a NAC query from the list, then click OK.

8 To add additional monitors, repeat steps 5-7, then click Save.

9 Click Yes when prompted to Make Active.

You can add only active dashboards to the Dashboards page.

10 On the Manage Dashboards page, click Close.

Run McAfee NAC queries

McAfee NAC includes several predefined queries. You also can construct your own queries using the Query Builder.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Reporting | Queries.

2 From the Groups list, expand Shared Groups, then select Network Access Control.

3 Select a query from the list, then click Run in the Actions column.

The query results page displays the details.

4 When you are finished viewing the query results, click Close.

8 Network access administration and monitoring

Using McAfee Network Access Control can be viewed as two distinct sets of tasks: setup and day-to-day configuration tasks.

First there is setup and configuration, where you deploy McAfee NAC clients, define how to assess systems, create and assign policies, and optionally, configure McAfee NAC to work with other supported products. There are also the infrequent configuration tasks, and the day-to-day tasks of monitoring your network security, system maintenance, and responding to access control events or unusual occurrences that a McAfee NAC administrator performs.

Contents

McAfee NAC manager configuration
Deployment and configuration tasks
Create queries for McAfee NAC monitors
Health compliance auditing
System health assessment of managed systems
System health assessment of unmanaged systems
Health level overrides
Events and responses
Manual control of exemptions
Unmanageable devices and what to do with them
Post admission control for malicious systems
Assessment and enforcement histories

McAfee NAC manager configuration

The McAfee NAC manager's configuration settings have default values that work well in most circumstances where McAfee NAC is used by itself for network access security.

Of the available configuration settings, three apply only when you integrate McAfee NAC with another product, such as McAfee Network Security Platform or Microsoft Network Access Protection.

These are:

• Network Security Manager location

• Client identification request setup

• Trusted communication setup

These configuration settings are discussed in the chapters Integrating McAfee NAC with McAfee Network Security Platform and Integrating McAfee NAC with Microsoft Network Access Protection.

The other two configuration settings apply to general McAfee NAC manager operations. The health grace period setting allows you to specify how long a system's assessed health level stays valid if the next scheduled scan does not occur. This option defaults to the maximum value of three days (72 hours).

The default rule health level specifies the health level to assign a system if it fails a benchmark rule that does not have a value for its NAC Health Level property. The default setting is Critical.

Deployment and configuration tasks

You can deploy the client, configure McAfee NAC manager settings, and edit permission sets. These tasks are usually performed infrequently, or only as necessary.

Deploy the McAfee NAC client with ePolicy Orchestrator 4.6

Deploy the McAfee NAC client to managed systems, which is required for a system to be classified as managed by McAfee NAC.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Systems | System Tree, then click Assigned Client Tasks on the menu bar.

2 Select My Organization in the System Tree.

3 Click one:

• ePolicy Orchestrator 4.6 — Actions | New Client Task Assignment

• ePolicy Orchestrator 4.5 — Actions | New Task

4 On the Client Task Assignment Builder page:

a Select McAfee Agent in the Product pane. For target platforms, select the operating system options you want (Windows, Mac, Linux) for deploying the client.

b Select Product Deployment in the Task Type pane.

c Click the link Create New Task to open the Client Task Catalog:New Task window.

5 Enter a descriptive name in the Task Name field, and a description if required.

6 Select the target operating system where you want to deploy McAfee® Network Access Control Client 4.0.

7 Define the required parameters for Products and components.

8 (Windows only) In Options, select Run at every policy enforcement if you want this task to run at every policy enforcement.

9 Select Allow end users to postpone this deployment if required, define the required parameters, then click Save. The Client Task Assignment Builder page appears with the newly created task.

10 Select the new task you created, then click Next.

11 On the Schedule page:

a For Schedule status, select Enabled. You can later disable the task if you are not yet ready.

b For Schedule type, select when you want the task to run. The remaining configuration options depend on your selection.

c Set the choices in Options.

d If available for your selected Schedule type, set a start date and an end date for the task. If you set the Run at every policy enforcement option on the Configuration page, we recommend that you use the No end date option.

e If available, specify whether to use the local system time or Coordinated Universal Time (UTC) for running the task.

f If available, select a Schedule option from the drop-down list for how to run the task, and the desired time. You can run the task once at a specific time, repeatedly between two times, or repeatedly starting at a specific time.

g If available, set Daily to how often (number of days) you want the task to run.

12 Click Next to view the task summary, then click Save.

Edit McAfee NAC server settings

Occasionally you might need to change the values of McAfee NAC server configuration options.

Several options are used only when you are integrating McAfee NAC with another product, such as McAfee Network Security Platform.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Configuration | Server Settings, and in the Setting Categories column, select Network Access Control.

2 Click Edit.

3 On the Edit page, enter values for the options you want to change.

4 Click Save.

Edit McAfee NAC permission sets

Set product permissions for any defined permission set. Any administrator account you want used for McAfee NAC must have View and change settings permission for these products.

You need to set appropriate options for each permission set for these products:

• Network Access Control

• Network Access Control Client

• Benchmark Editor

• Rogue System Detection

You can also grant reviewers permission to view these settings.

Depending on your security administration structure for ePolicy Orchestrator and McAfee NAC, and the number of different permission sets you use, consider also setting permissions for the different types of McAfee NAC users (administrators and reviewers) for these ePolicy Orchestrator features:

• Audit log

• Automatic Responses

• Dashboards

• Event notifications

• McAfee Agent

• Queries

• Server tasks

• Systems

• System Tree access

Task

For option definitions, click ? in the interface.

1 Go to Menu | User Management | Permission Sets, then in the Permission Sets column, select the permission set you want to edit (for example, Group Admin).

2 In the right column, scroll to the product or feature (for example, Network Access Control), then click Edit.

3 On the Edit page, select the type of permissions to grant for the selected product or feature.

4 Click Save.

Create queries for McAfee NAC monitors

McAfee NAC includes predefined queries you can use for dashboard monitors. However, the predefined queries might not cover all the information you want to monitor as an administrator. This topic discusses creating additional McAfee NAC queries you might find useful.

Use these tasks to create your own custom queries.

Create an Enforced Health Level query

All systems have a System Health Status, an Assessed Health Level, and an Enforced Health Level. The predefined System Health Status monitor is useful when the majority of systems are assessed with enforced benchmarks, and you have few exemptions or systems enforced manually.

However, the System Health Status monitor becomes increasingly unclear when more systems are subject to exemptions, manual enforcement requests, and audited benchmarks.

You can create a monitor that shows the Enforced Health Level of systems, to show which systems are enforced differently than their system health status indicates.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Reporting | Queries & Reports and click New, or click Actions | New.

If you are using ePolicy Orchestrator 4.5, go to Menu | Reporting | Queries and click New Query, or click Actions | New Query.

2 On the Result Type page, highlight Network Access Control in the Feature Group list, select NAC: Detected System Status in the Result Types list, then click Next.

3 On the Chart page, complete the following, then click Next:

a From the Display Results As list, select Grouped Bar Chart.

b From the Group labels are drop-down menu, select Enforced Health Level.

c From the Bar labels are drop-down menu, select System Health Status.

d For Bar values, select Number of from the first drop-down menu, then select Host Id from the second drop-down menu.

4 On the Columns page, accept the default database fields to display on a summary or details page, or modify the data, then click Next.

5 On the Filter page, you can specify criteria for filtering the query results, but this is not recommended for this query.

6 Click Run, then click Save.

7 On the Save Query page, type a descriptive name and add notes about the query, as needed.

All predefined McAfee NAC queries begin with NAC:, so naming your queries this way groups all NAC queries in the query selection list.

Create a Manual Enforcement Request query

If you enforce a system manually using Modify health level, it can be difficult to identify that system from the standard predefined monitors. The only way to reset the system and have it enforced based on assessed health is to use Reset health level.

Create a monitor for quick access to systems that have been enforced manually.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Reporting | Queries & Reports, then click New.

2 On the Result Type page, highlight Network Access Control in the Feature Group list, select NAC: Detected System Status in the Result Types list, then click Next.

3 On the Chart page, complete the following, then click Next:

a From the Display Results As list, select Pie Chart.

b From the Pie slice labels are drop-down menu, select Manual Enforcement Request.

c For Bar values, select Number of from the first drop-down menu, then select Host Id from the second drop-down menu.

4 On the Columns page, accept the default database fields to display on a summary or details page, or modify the data, then click Next.

5 On the Filter page, you can filter the query results if you know there are specific systems you would never enforce manually.

6 Click Run, then click Save.

7 On the Save Query page, type a descriptive name, and add notes about the query, as needed.

All predefined McAfee NAC queries begin with NAC:, so naming your queries this way groups all NAC queries in the query selection list.

Create a Malicious System query

If a system is marked as "malicious," it can be enforced differently than it would otherwise. Use this task to create a monitor that gives you a quick way to identify malicious systems.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Reporting | Queries & Reports, then click New.

If you are using ePolicy Orchestrator 4.5, go to Menu | Reporting | Queries and click New Query, or click Actions | New Query.

2 On the Result Type page, highlight Network Access Control in the Feature Group list, select NAC: Detected System Status in the Result Types list, then click Next.

3 On the Chart page, complete the following, then click Next:

a From the Display Results As list, select Pie Chart.

b From the Pie slice labels are drop-down menu, select Is Malicious.

c For Pie slice values, select Number of different values of, then select Host Id from the drop-down menu.

d For Bar values, select Number of from the first drop-down menu, then select Host Id from the second drop-down menu.

4 On the Columns page, accept the default database fields to display on a summary or details page, or modify the data, then click Next.

5 On the Filter page, you can specify criteria for filtering the query results, but this is not recommended for this query.

6 Click Run, then click Save.

7 On the Save Query page, type a descriptive name and add notes about the query, as needed.

All predefined McAfee NAC queries begin with NAC:, so naming your queries this way groups all NAC queries in the query selection list.

Create a Network Access Control Client Started query

For network security, it is useful to monitor whether the NAC client is running. Such a query can tell you whether a deployed client has stopped working, and can provide quick access to systems that are unmanageable.

Create a query that shows whether the NAC client is running.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Reporting | Queries & Reports, then click New.

If you are using ePolicy Orchestrator 4.5, go to Menu | Reporting | Queries and click New Query, or click Actions | New Query.

2 On the Result Type page, highlight Network Access Control in the Feature Group list, select NAC: Detected System Status in the Result Types list, then click Next.

3 On the Chart page, complete the following, then click Next:

a From the Display Results As list, select Pie Chart.

b From the Pie slice labels are drop-down menu, select Client Started.


c For Pie slice values, select Number of different values of, then select Host Id from the drop-down menu.

d For Bar values, select Number of from the first drop-down menu, then select Host Id from the second drop-down menu.

4 On the Columns page, accept the default database fields to display on a summary or details page, or modify the data, then click Next.

5 On the Filter page, you can specify criteria for filtering the query results, but this is not recommended for this query.

6 Click Run, then click Save.

7 On the Save Query page, type a descriptive name and add notes about the query, as needed.

All predefined McAfee NAC queries begin with NAC:, so naming your queries this way groups all NAC queries in the query selection list.

Create a Benchmark Enforcement Mode query

Monitor whether systems are being assessed against audited benchmarks or enforced benchmarks (or if the enforcement mode is disabled). To do this, create a monitor based on querying the NAC Current Benchmark Results.

This type of query is useful because you can compare the enforcement mode against the health level of systems that are assessed against specific benchmarks.

Use this task to create a monitor that shows the enforcement mode setting of your benchmarks.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Reporting | Queries & Reports, then click New.

If you are using ePolicy Orchestrator 4.5, go to Menu | Reporting | Queries and click New Query, or click Actions | New Query.

2 On the Result Type page, highlight Network Access Control in the Feature Group list, select NAC: Detected System Status in the Result Types list, then click Next.

3 On the Chart page, complete the following, then click Next:

a From the Display Results As list, select Grouped Bar Chart.

b From the Group labels are drop-down menu, select Enforcement Mode.

c From the Bar labels are drop-down menu, select Health Level.

d For Bar values, select Number of from the first drop-down menu, then select Host Id from the second drop-down menu.

4 On the Columns page, accept the default database fields to display on a summary or details page, or modify the data, then click Next.

5 On the Filter page, you can specify criteria for filtering the query results, but this is not recommended for this query.

6 Click Run, then click Save.

7 On the Save Query page, type a descriptive name and add notes about the query, as needed.

All predefined McAfee NAC queries begin with NAC:, so naming your queries this way groups all NAC queries in the query selection list.

Health compliance auditing

Benchmarks have three enforcement modes: Enforce, Audit Only, and Disable.

We recommend that you test benchmarks in Audit Only mode before actively enforcing the benchmark in your production environment. If you follow this recommendation, you might also want a monitor that allows you to see how many systems are subject to the different enforcement modes, and what their health levels are.

McAfee NAC does not have a predefined query for this, so you must create your own. See Useful queries for McAfee NAC monitors.

System health assessment of managed systems

Regularly assessing a system's health is an important part of maintaining your network security. These assessments can be configured according to your needs.

System health assessments for managed systems can be:

• Scheduled and run automatically, using an ePolicy Orchestrator client task

• Initiated manually for one or more systems by an ePolicy Orchestrator or McAfee NAC administrator

• Initiated manually from the system tray icon by users of Windows systems that have the McAfee NAC client installed

The McAfee system tray is not supported on RedHat Enterprise Linux 4 systems. Users can enter the following commands at the system command line:

To... | Type at the command line...
Run a system health scan | MNacClient -rhs
View the system health status | MNacClient -shs
View the remediation status | MNacClient -shs
View the client's About dialog box | MNacClient -v

The level of detail reported about a system assessment is controlled by the McAfee NAC client policy.

Assessment results are reported for any benchmarks with the enforcement mode set to Enforce or Audit Only. If the enforcement mode is Disable, no results are reported.

Any time a system is assessed, the McAfee NAC client uses its current policies. When results are reported to the McAfee NAC manager, it verifies whether the policies used in the assessment are up to date. If they are not, updated policies are sent to the McAfee NAC client, and the assessment is automatically repeated.

Schedule managed system scans in ePolicy Orchestrator 4.5

Create a schedule for running scans on managed systems using ePolicy Orchestrator 4.5.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Systems | System Tree, then click New Task, or click Actions | New Task.

2 Type a name for the task, then add other information about the task in the Notes option.

3 For Type, select Network Access Control Client Scan Task.

4 Click Next twice to go to the Schedule page of the wizard.

5 Set the scheduling options to specify when and how often to run a scan.

a For Schedule status, set Enabled or Disabled. You can enable the task later if you are not yet ready.

b For Schedule type, select when you want the task to run. The remaining configuration options depend on your selection.

c Set Options choices. If you need help, click ?.

d If available for your selected Schedule type, set a start date and, if available, an end date for the task. The No end date option is often used for scan tasks.

e If available, set whether to use the local system time or Coordinated Universal Time (UTC) for running the task.

f If available, select a Schedule option from the drop-down list for how often to run the task, and the desired time value or values. You can run the task once at a specific time, repeatedly between two times, or repeatedly starting at a specific time.

g If available, set Daily to define how often (number of days) you want the task to run.

h Click Next.

6 Click Next to view the task summary, then click Save.

Schedule managed system scans in ePolicy Orchestrator 4.6

Create a schedule to run scans on managed systems.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Systems | System Tree, then click Assigned Client Tasks.

2 Click Menu | New Client Task Assignment.

3 Type a name for the task, and add other information about the task in the Notes option.

4 On the Client Task Assignment Builder page:

a In Product, select Network Access Control Client 4.0.

b In Task Type, select Network Access Control Client Scan Task.

c Click Next to go to the Schedule page of the wizard.


5 Set the scheduling options to specify when and how often to run a scan.

a For Schedule status, set Enabled or Disabled. You can enable the task later if you are not yet ready.

b For Schedule type, select when you want the task to run. The remaining configuration options depend on your selection.

c Set Options choices. If you need help, click ?.

d If available for your selected Schedule type, set a start date and, if available, an end date for the task. The No end date option is often used for scan tasks.

e If available, set whether to use the local system time or Coordinated Universal Time (UTC) for running the task.

f If available, select a Schedule option from the drop-down list for how often to run the task, and the desired time value or values. You can run the task once at a specific time, repeatedly between two times, or repeatedly starting at a specific time.

g If available, set Daily to define how often (number of days) you want the task to run.

h Click Next.

6 Click Next to view the task summary, then click Save.

Request an immediate scan

Use the ePolicy Orchestrator console to request an immediate scan (health assessment) for one or more systems.

Task

1 Go to Menu | Reporting | Dashboards, and select NAC Summary, or go to any dashboard containing a monitor that reports McAfee NAC managed systems.

2 Click in the monitor to display a summary page or system details page. For information about using McAfee NAC monitors, see Dashboards, monitors, and queries.

3 If you are viewing a system details page, click Actions | Request scan. If you are viewing a summary page, you must select the systems to assess from the list before Request scan is active.

System health assessment of unmanaged systems

McAfee NAC is designed to detect, assess, and enforce managed systems on your network. McAfee NAC, by itself, cannot enforce unmanaged systems, but can detect unmanaged systems through the Rogue System Detection service.

It can also assess the health of an unmanaged system using the McAfee NAC guest client, which can be installed from the Guest Portal.

The McAfee NAC guest client is not the same as the McAfee NAC client, and will not install on a system that has the McAfee NAC client. The guest client differs from the McAfee NAC client in these ways:

• The guest client does not require the McAfee Agent.

• The guest client is not configured by a McAfee NAC client policy.

• The guest client is intended to be a temporary executable that is automatically removed after a specified time, which is set from the Guest Portal.


• The guest client can assess a system only with the unmanaged system policy.

• The guest client cannot use automatic remediation. Unmanaged systems must be remediated manually.

A system with the guest client installed is not a managed system according to the McAfee NAC or ePolicy Orchestrator definitions.

The guest client's role is to evaluate system health and report the results to the McAfee NAC manager. The guest client evaluates only the unmanaged system policy, and scans the system according to the policy's scan interval. The McAfee NAC manager reports the system's health level to the McAfee® Network Security Sensor. All enforcement decisions are under McAfee® Network Security Manager control. McAfee NAC does not play a role in unmanaged system enforcement.

The guest client's configuration is set as shown in this table. Most of this configuration is fixed, except where noted.

Scan interval: Periodic interval at which a scan is invoked on guest clients.

Scan results: All benchmark and rule information.

Unhealthy host scan setting: Invokes a scan when the host is assessed as unhealthy.

System tray icon: Enabled.

Periodic identification: Enabled by default. This option is configurable in the unmanaged system policy.

Sensor Settings: Enabled by default. Receives sensor details from the McAfee NAC server.

For details about setting the health policy for unmanaged systems, see Unmanaged system policy.

Run a scan

How users run a scan manually on an unmanaged system depends on the operating system. For Windows users, scans can be run, and health status and remediation status checked, using the McAfee system tray.

The McAfee system tray is not supported on RedHat Enterprise Linux 4 systems. Users can enter the following commands at a system command line:

To...                               Type at the command line...
Run a system health scan            MNacClient -rhs
View the system health status       MNacClient -shs
View the remediation status         MNacClient -shs
View the client's About dialog box  MNacClient -v

Guest portal and guest client

The Guest Portal provides an access point where you can direct unmanaged systems, so users can download and install the McAfee NAC guest client. The portal is a preconfigured web page, but you can customize it with your company's logo and statement of network security policy.

The Guest Portal is installed as an extension when you install McAfee NAC. All files and executables are located on the ePolicy Orchestrator server. To verify this, check the ePolicy Orchestrator Extensions page.


To configure the Guest Portal, you should:

• Have a written network security policy statement to display on the portal page

• Set portal configuration options on the McAfee NAC Guest Portal server settings page

For details, see Guest portal configuration and the associated task.

Redirecting unmanaged systems that are detected by a Network Security Sensor to the Guest Portal is configured using the McAfee® Network Security Manager. For information, see the McAfee® Network Security Manager documentation.

How users install the guest client

The guest client can be installed only through the Guest Portal. The guest client installer is part of the Guest Portal extension. If you uninstall the Guest Portal extension, the guest client installer is also removed.

When users are redirected to the Guest Portal, they must select values for two options:

• Network access period, which sets how many days the guest client remains installed on their system before it is automatically uninstalled.

• Their computer's Operating system. The portal tries to detect the operating system automatically and defaults to that value, but users can choose the correct operating system (Windows, Linux, Mac OS, or Other). If a user selects Other, the operating system is not supported by the guest client.

With these options set, users can install the guest client and have their systems scanned.

Behavior for no guest client installed

The Guest Portal does not force a user to install the guest client. If users click Cancel on the Guest Portal, they receive a warning that their network access might be restricted or denied. Administrators should set the Health level for no guest client option on the McAfee NAC Guest Portal server settings page to an appropriate value for their company security policy. This option defaults to Critical.

Alternately, a user might be running an operating system on which the guest client cannot be installed (the Other value). If a user selects this value, they receive a warning that their network access might be restricted or denied. Administrators should set the Health level for 'Other' OS option on the McAfee NAC Guest Portal server settings page to an appropriate value for their company security policy. This option defaults to Unknown.

Guest portal configuration

Configuring the Guest Portal is done by setting option values on the McAfee NAC Guest Portal server settings page.

The options you can set are listed here.

Option: Guest portal logo
Definition: Sets the file path to the image file you want to use as the logo displayed on the Guest Portal. This is typically your company logo. Place the logo image file anywhere on the ePolicy Orchestrator server, and give the absolute path for this option. The JPG and GIF file formats are recommended, but you should be able to use any format supported by Web-standard HTML.

Option: Guest system policy statement
Definition: Sets the statement you want to display on the Guest Portal describing your company's network security policy for unmanaged, or guest, systems on your network. This is a text field that can contain approximately 10,000 characters.

Option: Default guest client authorization
Definition: Sets the default value, in days, for the Network access period option on the Guest Portal page. This setting determines how long the McAfee NAC guest client is active on a guest system before the client is automatically uninstalled. The allowed values are 0, 1, 2, 5, 15, 30, and 90. A value of zero means the McAfee NAC guest client scans the system once, then is immediately uninstalled.

Option: Health level for no guest client
Definition: Sets the default health level that is assigned to unmanaged systems on your network that do not have the McAfee NAC guest client installed. One way this would happen is if the user cancels out of the Guest Portal.

Option: Health level for 'Other' OS
Definition: Sets the default health level that is assigned to unmanaged systems on your network when the user of the system selects the value Other for the Operating system option on the Guest Portal page.

Configure the guest portal

Set option values that configure the McAfee NAC guest portal. Typically, these settings change infrequently.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Configuration | Server Settings, then in the Setting Categories column, select NAC Guest Portal.

2 Click Edit.

3 On the Edit page, enter values for these options:

• Guest portal logo

• Guest system policy statement

• Default guest client authorization

• Health level for no guest client

• Health level for 'Other' OS

4 Click Save.

Health level overrides

Using the Modify health level action, you can force a managed system to be enforced at a specific health level. You can use this action at any time on any managed system, except those that are exempt by rule or exempt by administrator.

Enforcing systems this way places a managed system in a permanent enforcement state that is no longer affected by the assessor. That is, if the system is subsequently assessed, the new assessment result does not influence the system's enforcement status.

Systems that have been enforced manually must be reset using the Reset health level action. This removes the Manual Enforcement Request flag, and sets the Enforced Health Level back to the current value of System Health Status (the most recently assessed health level). The system's enforcement status changes accordingly.

Enforcing systems manually can be useful when you are evaluating benchmarks (that is, their mode is Audit Only). For example, when auditing a new benchmark, you discover that several systems have been assessed as Critical. Though you might still be testing the benchmark, if it tests for a serious security violation, you might want to enforce any systems that are not compliant.
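The following model illustrates the override behavior described above: once Modify health level pins a system, later assessments update the system's health status but not its enforced level, until Reset health level clears the flag. This is an added example written for this guide, not McAfee NAC code. The SystemRecord class, the Fair level, and the exact ordering of the intermediate health levels are assumptions; the guide itself only names Healthy, Poor, Serious, and Critical.

```python
"""Toy model of manual health level overrides in McAfee NAC (added example,
not McAfee code). Shows why an overridden system stays enforced at the pinned
level even after it is remediated, until Reset health level is run."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Least to most severe. Fair and the ordering of the middle levels are assumed;
# the guide names Healthy, Poor, Serious and Critical.
SEVERITY = {"Healthy": 0, "Fair": 1, "Poor": 2, "Serious": 3, "Critical": 4}


class ExemptSystemError(Exception):
    """Modify health level has no effect on exempt systems."""


def _check(level: str) -> None:
    if level not in SEVERITY:
        raise ValueError(f"unknown health level {level!r}")


@dataclass
class SystemRecord:
    name: str
    system_health_status: str = "Healthy"    # most recent assessor result
    enforced_health_level: str = "Healthy"   # level the enforcer is told to apply
    manual_enforcement_request: bool = False
    exemption: Optional[str] = None          # None, "by rule" or "by administrator"

    def assess(self, level: str) -> str:
        """Record a new assessment. While a manual override is active the
        enforced level is left untouched, so the system stays pinned."""
        _check(level)
        self.system_health_status = level
        if not self.manual_enforcement_request:
            self.enforced_health_level = level
        return self.enforced_health_level

    def modify_health_level(self, level: str) -> str:
        """Modify health level action: pin enforcement at `level` and set the
        Manual Enforcement Request flag. Rejected for exempt systems."""
        if self.exemption is not None:
            raise ExemptSystemError(f"{self.name} is exempt {self.exemption}")
        _check(level)
        self.enforced_health_level = level
        self.manual_enforcement_request = True
        return self.enforced_health_level

    def reset_health_level(self) -> str:
        """Reset health level action: clear the flag and return to the most
        recently assessed level."""
        self.manual_enforcement_request = False
        self.enforced_health_level = self.system_health_status
        return self.enforced_health_level


def find_overridden(records: Iterable[SystemRecord]) -> List[str]:
    """The query the guide recommends building: systems whose Manual Enforcement
    Request flag is set, since the stock monitors do not surface them."""
    return sorted(r.name for r in records if r.manual_enforcement_request)


if __name__ == "__main__":
    ws = SystemRecord("ws-17")               # constructed sample system
    ws.assess("Poor")
    ws.modify_health_level("Critical")       # pinned at Critical by an administrator
    ws.assess("Healthy")                     # remediated, but still enforced as Critical
    print(ws.enforced_health_level, ws.system_health_status, find_overridden([ws]))
    ws.reset_health_level()
    print(ws.enforced_health_level)
```

The practical point is the gap between system_health_status and enforced_health_level while the flag is set: a remediated system stays quarantined until an administrator resets it, which is why the guide recommends a query on the Manual Enforcement Request field.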


Modify a system's health level

You can manually override a system's assessed health level. The effect is to force the system to be enforced at the health level you specify. This action has no effect on systems with exemptions.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Reporting | Dashboards, or any other active dashboard with McAfee NAC monitors.

2 From a McAfee NAC monitor, click an entry to open a summary page or the Network Access Control Detected System Status Details page.

If a summary page opens, select one or more listed systems.

3 Click Actions | Modify health level.

4 In the Modify health level pane, select a health level from the drop-down list for Set enforced health level.

5 Click OK.

A message in the Actions Taken pane informs you whether the action was successful. The ePO message window lists the result of the action.

6 On the Network Access Control Detected System Status Details page for the system, verify that the Enforced Health Level field has changed, and that the Network Access Status and Network Access Zone fields indicate that the system is enforced correctly, according to the system's network access policy.

Reset a system's health level

Use Reset health level to remove a manual enforcement override that was set by an administrator with Modify health level. This action sets the enforced health level of a system to the most recently assessed health level.

Before you begin

Systems that have manual enforcement overrides can be difficult to locate using only the supplied McAfee NAC queries as monitors. To track manual enforcement overrides more easily, create a query that reports the Enforced Health Level or Manual Enforcement Request fields. See Creating an Enforced Health Level query or Creating a Manual Enforcement Request query.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Reporting | Dashboards, then select NAC Summary or any other active dashboard with McAfee NAC monitors.

2 From a McAfee NAC monitor, click an entry to open a summary page or the NAC Detected System Status Details page.

3 Locate and select a system or systems that have an enforcement override you want to remove.

4 Click Actions | Reset health level to default.

5 Check the Action Taken pane in the ePO message window to verify that the action was successful.


Events and responses

Event reporting is a core feature of ePolicy Orchestrator. McAfee NAC does not use the ePolicy Orchestrator common event format because it is a product for network-based assessment and control, rather than a managed product that is deployed to individual systems.

This means that McAfee NAC events are not reported and used the same way as standard ePolicy Orchestrator events. McAfee NAC events are reported by the McAfee NAC client directly to the server; they do not go through the McAfee Agent.

Rogue System Detection events fall into the same category as McAfee NAC events. It can be useful to set up automatic responses for events of both types.

McAfee NAC events are used for response generation through the automatic response feature (Menu | Automation | Automatic Responses), which is a core feature of ePolicy Orchestrator 4.5 and 4.6. The allowed response types, such as sending an email or running a command, depend on the event type. This is also true of Rogue System Detection.

McAfee NAC generates these events:

• System no longer healthy — Occurs when a system’s health level changes from Healthy to any other value

• Malicious system detected — Occurs when a message is received from a Network Security Sensor that it has detected behavior that is defined as malicious (see Malicious systems)

• System is not enforceable — Occurs when a system is detected that cannot be enforced (see System classifications)

• Failed to apply network access policy to system — Occurs when a system does not have any applicable system health policies that can be assessed by the McAfee NAC client (determined by the policy activation settings of your system health policies)

These events are reported in the audit log (Menu | User Management | Audit Log).

Create automatic event responses

Create or edit an automatic event response for predefined McAfee NAC events.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Automation | Automatic Responses, then click New Response or Actions | New Response to create an event response, or click Edit in the Action column for an existing event response.

2 On the Description page:

a Type a name and description for the response.

b Select the language.

c For Event group, select Network Access Control Events from the drop-down list.

d For Event type, select the type of event for which you want to generate an automatic response.

e For Status, select whether you want the response Enabled or Disabled.

3 On the Filters page, set one or more properties to use as event filters.

4 On the Aggregation page, specify an aggregation level for the event type. You can specify no event aggregation, or aggregation based on a time interval or an event count.


5 On the Actions page, specify the actions to initiate as response to the event.

6 Review the selected parameters on the Summary page, then click Save.

Manual control of exemptions

You can control the exemption status of systems manually, using Set NAC exempt and Remove NAC exempt. You can set an exemption on any system that has been detected. The Set NAC exempt action works under any circumstances. You can remove an exemption only on systems where the System Status is "exempt by administrator."

If the System Status is "exempt by rule," the Remove NAC exempt action is ignored (see How exemption rules work).

Imported scan exemptions

Typically, the Import exempt systems action is used to create scan exemptions for devices that are unmanageable, such as printers and FAX machines. These systems report as rogues on the Systems | Detected Systems page. Since these systems are not truly rogues (that is, you know they are legitimate devices and are inherently unmanageable and unenforceable), McAfee recommends that you mark these systems as exceptions, so that they are not reported as rogues.

If you remove the scan exemption using Remove NAC exempt, the system or device is still reported in the McAfee NAC monitors with a health level of Unknown, and a network access status of None. If you are using only McAfee NAC, removing the exemption does not create any problems because these devices cannot be enforced using Host enforcement; that is, with the McAfee NAC client as the enforcer.

However, if you are using McAfee NAC with another enforcer (Microsoft Network Access Protection or McAfee Network Security Platform), you might end up quarantining the device. In the case of a printer or FAX machine, this might not be critical, but it is certainly not desirable.

When removing an exemption, you are notified in the ePolicy Orchestrator message window if the McAfee NAC manager determines that the system might be unenforceable.

At any time, you can reapply an exemption to these systems manually, using Set NAC exempt.

If you are retiring or replacing a device such as a printer or FAX machine, you might want to clean up the database by removing the device. See Removing retired or invalid systems.

Set a system's exemption status

You can set a system's exemption status to exempt by administrator, or remove an exemption whose status is exempt by administrator.

Exemptions specified by an administrator with Set NAC exempt have different properties than exemptions that result from an exemption rule. See Using exemptions.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Reporting | Dashboards, then select NAC Summary or any other active dashboard with McAfee NAC monitors.

2 From any McAfee NAC monitor, click a chart section to list the systems where you want to set or remove a scan or enforcement exemption.


3 If you are on a summary page listing more than one system, select each system you want to affect; otherwise, you are on a details page for a single system.

4 To set an exemption, click Actions | Set NAC exempt, select the exemption type, then click OK.

5 To remove an exemption, click Actions | Remove NAC exempt. Be sure that the system's current exemption status is Exempt by administrator.

If removing an exemption would result in a system or device becoming unenforceable, a message appears in the Action Taken pane in the ePolicy Orchestrator message window.

Unmanageable devices and what to do with them

Most networks have legitimate devices connected to them that are inherently unmanageable, such as printers and FAX machines that cannot host McAfee NAC. This section describes how to handle them.

Since these systems cannot host the McAfee Agent, the McAfee NAC client, or the McAfee NAC guest client, they:

• Are detected as rogues (by the Rogue System Detection service)

• Cannot be assessed

• Are not subject to enforcement by the McAfee NAC client or guest client

However, if you are also using Microsoft Network Access Protection as an enforcer, or McAfee Network Security Platform (potentially as both a detector and enforcer), not treating these devices correctly can result in undesirable consequences, such as a printer being quarantined.

Unmanageable systems initially are reported as rogues by the Rogue System Detection service on the Menu | Systems | Detected Systems page. Since these systems are not truly rogues (you know they are legitimate devices and are inherently unmanageable and unenforceable), McAfee recommends that you mark these systems as exceptions. This way, all your unmanageable systems are identified and grouped as exceptions. For details, see the information about Rogue System Detection in the ePolicy Orchestrator Product Guide.

However, marking an unmanageable system as an exception from the Rogue System Detection interface does not influence how the McAfee NAC manager views it. In McAfee NAC, an unmanageable system is always assigned a health level of Unknown, and a network access status of None.

Because an unmanageable system cannot host the McAfee NAC client, the most useful action is to mark these systems as exempt from scans.

McAfee NAC exemptions are not the same as Rogue System Detection exceptions. See Using exemptions.

How to handle unenforceable systems

To McAfee NAC, an unenforceable system is one that cannot be enforced by the McAfee NAC client, or whose enforcement status has not been or cannot be reported to the McAfee NAC manager.

Managed systems might become temporarily unenforceable if the McAfee NAC client is shut down or stops working. In this case, you can use a query that tests for the McAfee NAC client being started (see Creating a NAC Client Started query).

Unmanaged systems are, by definition, unenforceable if you are using only McAfee NAC: you must use McAfee Network Security Platform to enforce unmanaged systems. Unmanageable systems are also unenforceable to McAfee NAC because they cannot host the McAfee NAC client.


Identifying a system as unenforceable does not imply that it cannot be enforced at all. The McAfee NAC manager can determine only that a system cannot be enforced by the McAfee NAC client. Managed systems that are unenforceable by McAfee NAC might be enforceable by one of the other supported enforcers, depending on your enforcement configuration. See Enforcers and how they operate.

Remove retired or invalid systems

Remove a system from the database that is no longer on your network. This allows you to clean up the database so that these systems are no longer reported on your monitors.

This task is most commonly used for guest systems that you have allowed to access your network, and for printers and other devices that you replace or retire.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Systems | Detected Systems.

2 In the Overall System Status window, click Rogue or Exceptions. The category you select depends on how you marked a system when it was detected. See Unmanageable devices and what to do with them and How to handle unenforceable systems.

3 Identify, then select the systems to remove from the list. To identify the correct systems, you might need to know a MAC address, canonical name, or the text of a comment you entered for a system or group of systems.

4 Click Delete or click Actions | Delete.

Post admission control for malicious systems

The post admission control (PAC) feature allows you to set the health level of managed systems for which the McAfee NAC manager has received a Malicious system detected event or an administrator request. Post admission control is not applicable to unmanaged systems because they cannot be assigned a post admission policy.

One source of events is a McAfee® Network Security Sensor. For details about using post admission control with McAfee Network Security Platform, see Malicious system events.

There are two parts to using the PAC feature, both of which must be configured for post admission enforcement to work:

• An enabled post admission policy that is deployed to managed systems

• An enabled event response to a Malicious system detected event that has the response action set to Enforce malicious system (see Malicious system event responses)

What are malicious systems

Malicious behavior is whatever you define it to be using the tools available in the McAfee Network Security Manager, or any other software that reports a Malicious system detected event to the Network Access Control manager.

It could be anything from a malware threat to a system trying to access another system it should not be allowed to access. The McAfee NAC software does not play a role in defining what is or is not malicious behavior.


Identifying and enforcing systems as malicious automatically depends on two settings:

• A post admission policy

• A response that catches the Malicious system detected event

McAfee Network Access Control also allows you to mark systems as malicious manually using the Set malicious status action. You can use this action as a precaution if a system demonstrates unusual behavior. Under these circumstances, you are bypassing any rules you established for identifying malicious behavior. You then need to determine whether the system is a real security threat, or whether its unusual behavior has some other cause.

Malicious systems are enforced using a different methodology than systems that are unhealthy according to your system health policies. See How post admission control works and Post admission control enforcement.

How post admission control works

The McAfee NAC manager listens for messages from a Network Security Sensor with which it has established trusted communications, or from other supported products. When the McAfee NAC manager receives the message, it ascertains the current status of each system the message identifies, then sets each system's Is Malicious flag to true.

The McAfee NAC manager changes the Is Malicious flag to true even if a system is exempt. For exempt systems, the post admission policy and malicious system event response are ignored.

Whether other actions like enforcement occur depends on the actions specified in the response to a Malicious system detected event and how your post admission policies are configured.

This table describes the result of different configurations of your post admission policies, and your response settings for the Malicious system detected event.

Post admission policy settings: Admission control option set to Disable.

  Response settings: No response configured, response is disabled, or response is enabled with the Event type set to Malicious system detected and the Action set to Enforce malicious system.
  Result: No change in health level and no enforcement occurs as a result of a system being identified as displaying malicious behavior. All systems identified by the incoming "malicious system" message have their Is Malicious flag set to true.

  Response settings: Response enabled. Event type is set to Malicious system detected. Action is any value other than Enforce malicious system.
  Result: No change in health level and no enforcement occurs as a result of a system being identified as displaying malicious behavior. All systems identified by the incoming "malicious system" message have their Is Malicious flag set to true. Depending on the action specified in the response, an email notification can be sent or an external command can be run.

Post admission policy settings: Admission control option set to Enforce.

  Response settings: No response configured, or response is disabled.
  Result: No change in health level and no enforcement occurs as a result of a system being identified as displaying malicious behavior. All systems identified by the incoming "malicious system" message have their Is Malicious flag set to true.

  Response settings: Response enabled. Event type is set to Malicious system detected, and the Action is set to Enforce malicious system.
  Result: The health level changes to the value specified by the Malicious system health level option in the post admission policy only if that value is more severe than the system's current health status. If the value is less severe or the same, no change in health level occurs. All systems identified by the incoming "malicious system" message have their Is Malicious flag set to true. Enforcement occurs, but depends on which enforcer is configured in the McAfee NAC client policy assigned to a system (see Post admission control enforcement).

  Response settings: Response enabled. Event type is set to Malicious system detected. Action is any value other than Enforce malicious system.
  Result: No change in health level and no enforcement occurs as a result of a system being identified as displaying malicious behavior. All systems identified by the incoming "malicious system" message have their Is Malicious flag set to true. Depending on the action specified in the response, an email notification can be sent or an external command can be run.

McAfee NAC does not include a predefined query or monitor that specifically shows systems whose Is Malicious flag is set to true. To identify malicious systems, you must look at the Network Access Control Detected System Status Details page. The boolean data field Is Malicious allows you to determine if the system is unhealthy due to potentially malicious behavior. This page also contains Actions that allow you to set or remove the malicious status of a system manually.

To determine whether a system is marked as malicious, you can:

• Check the Network Access Control Network Access Status monitor for systems that are restricted to the network access zone you mapped to the health level specified in the post admission policy.

• Check the Network Access Control System Health Status monitor for systems with the health level specified in the post admission policy.

• Create a query to use as a monitor that tests the Is Malicious flag. See Create a Malicious System query.

Once a system is marked as malicious, the only way to remove this status is for the administrator to use the Remove malicious status action from a Network Access Control Detected System Status page (either summary or details). If the system has been enforced as malicious (its health level was changed), removing the malicious status also resets the system's health to its last known value. For details, see Reset the malicious status flag.

An administrator can manually mark a system as malicious using the Set malicious status action on a Network Access Control Detected System Status summary or details page. Whether enforcement occurs as a result of this action is subject to the same configuration rules involving the malicious system event response and post admission policy. The same behavior occurs regardless of whether a system is marked as malicious due to a "malicious system" message (for instance, from a Network Security Sensor), or an administrator action.

Post admission control enforcement

Post admission control enforcement of managed systems depends on which enforcer is configured in a system's network access policy. Like any enforcement request, malicious systems are allowed or denied network access based on a health level.

Normally, the health level is derived from a system's applicable health policies. However, if a system is marked as malicious, the post admission policy allows for the potential of a health level override.


If post admission control is configured so that enforcement occurs, the health level sent to the enforcer comes from one of these sources:

• The current value of the enforced health level resulting from the latest scan

• The value of the Malicious system health level option in the post admission policy

Whichever health level value is the most severe is the one that is sent to the enforcer, and set as the enforced health level. For example, if a system with a health level of Poor is identified as malicious, and the post admission policy sets the health level at Critical, the configured enforcer is sent a value of Critical. If a system with a health level of Critical is identified as malicious, and the post admission policy sets the health level at Serious, the configured enforcer is still sent a value of Critical, even though that value did not come from the post admission policy.
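The precedence rule above, together with the reset that the Remove malicious status action performs (described earlier in this section), can be pinned down in a few lines. The Python below is an added example written for this page, not McAfee's code: it models a post admission policy, a managed system, and the two administrator actions, and works through the two cases in the text. The five-level severity order is an assumption; the page names only Healthy, Poor, Serious, Critical and Unknown, so the position of Fair is assumed and Unknown is left out of the ordering.

```python
"""Added example: the post admission health-level override described above.

Models how the McAfee NAC manager picks the health level sent to the enforcer
when a managed system is marked malicious, and how 'Remove malicious status'
restores the earlier enforced level. Illustrative code written for this page,
not McAfee's implementation; assumptions are marked in comments.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Health levels ordered from least to most severe. Healthy, Poor, Serious and
# Critical are named in the text; the position of Fair is an assumption.
SEVERITY = {"Healthy": 0, "Fair": 1, "Poor": 2, "Serious": 3, "Critical": 4}


@dataclass
class PostAdmissionPolicy:
    admission_control_enforce: bool   # Admission control option set to Enforce
    malicious_health_level: str       # Malicious system health level option

    def __post_init__(self) -> None:
        # Healthy and Unknown are not offered in the policy UI because the
        # override only matters when it is more severe than the current level.
        if (self.malicious_health_level not in SEVERITY
                or self.malicious_health_level == "Healthy"):
            raise ValueError(
                f"not a valid malicious health level: {self.malicious_health_level}")


@dataclass
class ManagedSystem:
    name: str
    enforced_health_level: str           # result of the latest scan
    is_malicious: bool = False
    # Enforced level before the malicious override changed it (None if it did
    # not change), so that removing the status can restore it.
    pre_malicious_level: Optional[str] = None
    sent_to_enforcer: List[str] = field(default_factory=list)


def level_to_enforce(current: str, policy_level: str) -> str:
    """Whichever of the two levels is more severe is what the enforcer gets."""
    return max(current, policy_level, key=SEVERITY.__getitem__)


def mark_malicious(system: ManagedSystem, policy: PostAdmissionPolicy,
                   response_enforces: bool) -> Optional[str]:
    """Handle a 'Malicious system detected' message or an administrator's
    'Set malicious status' action; both follow the same rules.

    response_enforces is True when an enabled automatic response for the
    event carries the 'Enforce malicious system' action. Returns the level
    sent to the enforcer, or None when no enforcement request is made.
    """
    system.is_malicious = True   # always set, even without enforcement
    if not (response_enforces and policy.admission_control_enforce):
        return None
    new_level = level_to_enforce(system.enforced_health_level,
                                 policy.malicious_health_level)
    if new_level != system.enforced_health_level:
        system.pre_malicious_level = system.enforced_health_level
        system.enforced_health_level = new_level
    system.sent_to_enforcer.append(new_level)
    return new_level


def remove_malicious_status(system: ManagedSystem) -> str:
    """Administrator's 'Remove malicious status' action. Restores the previous
    enforced level only if the override actually changed it."""
    system.is_malicious = False
    if system.pre_malicious_level is not None:
        system.enforced_health_level = system.pre_malicious_level
        system.pre_malicious_level = None
    return system.enforced_health_level


if __name__ == "__main__":
    # Constructed sample: the two cases worked in the text.
    policy = PostAdmissionPolicy(True, "Critical")
    poor = ManagedSystem("ws-01", "Poor")
    print(mark_malicious(poor, policy, True))      # Critical (policy level wins)
    print(remove_malicious_status(poor))           # Poor (restored)

    policy2 = PostAdmissionPolicy(True, "Serious")
    crit = ManagedSystem("ws-02", "Critical")
    print(mark_malicious(crit, policy2, True))     # Critical (scan level wins)
```

The third path worth checking when you test a deployment is the one with no enabled response: the Is Malicious flag is set, nothing reaches the enforcer, and a later Remove malicious status leaves the enforced level untouched because nothing was saved to restore.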

Whether enforcement occurs, and the end result of any enforcement action, depends on which enforcer is configured for a managed system.

Enforcer: Post admission control enforcement

McAfee® Network Access Control client: Enforcement is based on the mapping of network access zones to health levels in the network access policy that is assigned to a managed system.

Microsoft Network Access Protection: The McAfee NAC client, acting as the Network Access Protection System Health Agent (SHA), passes the health level to the McAfee System Health Validator (SHV), which then forwards it to the Microsoft Network Policy Server. Enforcement is based on your Network Access Protection policies. See Integrating McAfee NAC with Microsoft Network Access Protection.

McAfee® Network Security Sensor: The McAfee NAC manager passes the health level to the Network Security Sensor. This health level can be used by the Sensor if health-based policies are configured in McAfee® Network Security Manager.

Depending on your Network Security Sensor configurations, it is possible for them to override enforcement by other enforcers. See Integrating McAfee NAC with McAfee Network Security Platform.

When you are using post admission control, McAfee recommends that you define a suitable network access zone for restricting malicious systems. Both McAfee NAC and McAfee® Network Security Manager use the concept of network access zones. If you are using Microsoft Network Access Protection for enforcement, you might want to configure your health and network policy rules such that the health level used for malicious systems is a special case and is associated specifically with your organization's definition of a malicious system.

Post admission policies

A post admission policy is required for assigning a health level to managed systems that have been identified or marked as malicious.

The policy contains two options: one that enforces the policy, and one that sets the system's health level if malicious behavior is detected.

How these options affect a system depends on several factors. For details, see How post admission control works. Like other McAfee Network Access Control policies, a post admission policy must be assigned to your managed systems for it to have an effect. You cannot assign a post admission policy to unmanaged systems.


Configure a post admission policy

You can specify whether to enforce managed systems that are identified as displaying malicious behavior and reported to the McAfee NAC manager, and which health level to assign to those systems.

Enforcement only occurs if you have also created and enabled an event response. For details, see Malicious system event responses.

After you configure a post admission policy, you must assign it to your managed systems using the standard ePolicy Orchestrator policy assignment features.

Task

For option definitions, click ? in the interface.

1 Go to Menu | Policy | Policy Catalog, then from the Product drop-down list, select Network Access Control 4.0.0.

2 From the Category drop-down list, select Post Admission Policy.

3 To create a new policy, click Actions | New Policy or click Duplicate in the Actions column of an existing policy.

4 Type a name for the new policy. If you use New Policy, you also select an existing policy as a basis for the new one. Click OK.

5 Set the Admission control option to Enforce (required for the policy to have an effect on system enforcement).

6 Set Malicious system health level to the health level value you want assigned if the system displays malicious behavior.

For a post admission policy to have an effect, the health level you select must be more severe than a system's enforced health level. For this reason, the Healthy and Unknown health levels are not listed.

7 Click Save.

Malicious system event responses

A malicious system event response informs the McAfee NAC manager that you want to take a particular action or set of actions when a Network Security Sensor or other supported product sends a Malicious system detected message.

To create a response to the Malicious system detected event, you use the Responses feature in the ePolicy Orchestrator interface (Menu | Automation | Automatic Responses). If you don't create and enable this event response, the only action that occurs due to a Malicious system detected message is that the McAfee NAC manager sets each identified system's Is Malicious flag to true.

To enforce the "malicious" health level set in your post admission policies, at least one of the actions you specify for the Malicious system detected event must be Enforce malicious system, and the response must be enabled (see Configuring a malicious system event response). Other actions, such as sending an email notification, also can be specified as part of an event response.

Responses can also contain filters, which allow you to identify systems according to various properties. Using filters is one way to limit or restrict which systems are subject to the actions you specify. For example, you might want to enforce one set of systems when detected as malicious, but only receive email notification for a different set.


Configure a malicious system event response

You must configure and enable an event response to enforce the health level specified in the post admission policy.

For enforcement to occur, the Admission control option of the post admission policy must be set to Enforce. For details, see How post admission control works.

Task

For option definitions, click ? in the interface.

1 Click Menu | Automation | Automatic Responses, then click Actions | New Response, or for an existing event response, click Edit in the Action column.

2 On the Description page:

a Type a name and description that indicates the type of response or type of event.

b Select a language.

c For Event, set Event group to Network Access Control Events, and Event type to Malicious system detected.

d Set Status to Enabled.

3 On the Filter page, from the list of Available Properties, select properties you want to use to filter event reporting, then click Next.

Using filters is not recommended for the Malicious system detected event.

4 On the Aggregation page, set Aggregation to Trigger the response for every event, then click Next.

Aggregating on multiple events over a time period is not recommended.

5 On the Actions page, select Enforce malicious system from the drop-down list, then click Next.

6 On the Summary page, review the settings, then click Save.

Set a system's malicious status

Use this task when you need to manually designate a system as malicious.

Task

For option definitions, click ? in the interface.

1 Click Menu | Reporting | Dashboards (or click Dashboards on the toolbar), then select NAC Summary from the drop-down list, or any other active dashboard with McAfee NAC monitors.

2 From any monitor that includes the system you want to mark as malicious, click a chart section.

3 If there are multiple systems in the chart section, select the checkbox of the system(s) from the summary page. If there is only one system for the chart section, the NAC Detected System Status Details page opens.

4 Click Set malicious status.

5 Click Actions | Set malicious status.


Remove a system's malicious status

Remove a system's malicious status once you have determined that there is no longer a threat. This is the only method to reset a system's Is Malicious status flag.

Before you begin

Make sure you have an active dashboard that contains the NAC: System Health Status monitor so that you can access the NAC Detected System Status Details page.

If the system has been enforced by a post admission policy, removing the malicious status also resets the system's enforced health level to the last value it had before being changed. If no enforcement resulted from the malicious system event, removing the malicious status does not change the system's current enforced health level.

Task

For option definitions, click ? in the interface.

1 Click Menu | Reporting | Dashboards or click Dashboards on the menu bar, then select NAC Summary from the drop-down list, or any other active dashboard with McAfee NAC monitors.

2 From any monitor that includes one or more malicious systems, click the appropriate chart section.

3 If there are multiple systems in the chart section, select the system(s) from the summary page. If there is only one system for the chart section, the NAC Detected System Status Details page opens.

4 Check that the Is Malicious field is set to true.

5 Click Remove malicious status.

6 Click Actions | Remove malicious status.

7 Check the Action Taken pane in the ePolicy Orchestrator message window to verify that the action was successful.

Assessment and enforcement histories

McAfee NAC stores information every time a system is assessed, and every time an enforcement action occurs. You can view an assessment or enforcement history through specific McAfee NAC monitors. These histories allow you to track a sequence of actions, and can be useful for testing policies.

When you view an individual assessment (scan) result, you can then access the benchmark results for that scan. This allows you to find out which rules passed and which failed.

You can also delete the historical assessment and enforcement results if or when you no longer need them. Assessment results can be deleted for individual systems from the Scan History for Host page. You can also delete all scan results for all systems using an ePolicy Orchestrator server task (see Purging scan results automatically). Enforcement results can be deleted for individual systems from the Enforcement History for Host page.

Purge scan results automatically

Create or edit a server task to purge all McAfee NAC scan results from the database. You can schedule this task to run at an interval you define.

This task relies on the ePolicy Orchestrator Server Tasks feature, and assumes you understand the process of working with server tasks.


Task

For option definitions, click ? in the interface.

1 Click Menu | Automation | Server Tasks, then click Actions | New Task, or click New Task, or click Edit in the Action column for an existing task.

2 On the Actions page of the Server Task Builder, select McAfee NAC: Purge Scan Results from the drop-down list.

3 For Purge records older than, set the number of days, weeks, months, or years.

4 On the Schedule page, set how often you want to run the task.

5 When you are done setting values, go to the Summary page and click Save.

Delete scan or enforcement results manually

Remove scan or enforcement results for an individual system.

This task relies on accessing the Scan History for Host page and the Enforcement History for Host page through McAfee NAC monitors or queries.

Task

For option definitions, click ? in the interface.

1 Click Menu | Reporting | Dashboards (or click Dashboards on the menu bar), then select NAC Summary from the drop-down list, or any other active dashboard with McAfee NAC monitors.

2 From any McAfee NAC monitor, click a chart section to list the systems where you want to remove all or part of the scan or enforcement history.

3 If you are on a summary page that lists more than one system, select the checkbox next to a system; otherwise, you are at a details page for a single system.

• To list the system's scan history, click Actions | Show scan history. This displays the Scan History for Host page.

• To list the system's enforcement history, click Actions | Show enforcement history. This displays the Enforcement History for Host page.

4 Select one or more entries.

5 Click Actions | Delete scan history or Actions | Delete enforcement history, depending on the page you are viewing.


9 Integrating McAfee NAC with McAfee Network Security Platform

McAfee NAC 4.0 supports McAfee Network Security Platform, specifically the McAfee® Network Security Sensor, as a detector and an enforcer. The two products can work together to provide network access control for both managed and unmanaged systems.

In this release of McAfee NAC, both managed and guest clients can communicate health-level information directly to the McAfee Network Security Platform sensors. To achieve this, enable the client sensor channel in the NACServer.properties file.

Contents

Configuration requirements
Operations when combined with McAfee Network Security Platform
McAfee® Network Security Sensor as a detector
McAfee® Network Security Sensor as an enforcer
Health-based access control
Identity-based access control
McAfee NAC manager configuration
Assessment of unmanaged systems

Configuration requirements

To operate correctly with McAfee Network Security Platform, you need to configure several communication channels, and let the McAfee NAC manager know the location of your McAfee® Network Security Manager server.

How components communicate

McAfee Network Security Platform can handle both unmanaged and managed systems in the network for health-based and identity-based access control, when configured. McAfee NAC handles only managed system enforcement.

To use McAfee Network Security Platform for detection and enforcement, these components must communicate with each other:

• The ePolicy Orchestrator server that hosts McAfee NAC

• Your Network Security Sensors

• The McAfee NAC client

• Guest client


When McAfee Network Security Platform is configured to use health-based access control, the primary information communicated from McAfee NAC to a Network Security Sensor is a system health level. Once communicated, enforcement decisions for unmanaged systems are controlled by your Network Security Manager policies. Also, your Network Security Sensors must establish trusted communications with the McAfee NAC manager.

Assumptions

The information presented here assumes that you are familiar with McAfee Network Security Platform, its requirements, its operation, and its user interface.

In McAfee NAC, the configuration for using both products involves:

• Setting the port for communication between Network Security Sensors and McAfee NAC clients

• Specifying the location of the McAfee® Network Security Manager server

• Setting a shared secret for trusted communication between the McAfee NAC manager and Network Security Sensors

• (Optional) Specifying that the McAfee NAC client send out a periodic identification message for the Network Security Sensors

• (Optional) Configuring a McAfee NAC client policy if you are going to use McAfee Network Security Platform as an identity-based enforcer (see Identity-based access control)

Installation requirements

During installation, you are asked to specify a Network Security Sensor to McAfee NAC client communication port. This corresponds to the Client identification request setup option in the McAfee NAC server settings. The default port listed in the installer is the same port which ePolicy Orchestrator uses for the Server-to-sensor communication port. The port was chosen because ePolicy Orchestrator already opens it. If you want to use a different port, enter that port number in the installer.

However, you cannot change the port number after McAfee NAC is installed unless you uninstall the McAfee NAC application and re-install it. You must also make sure that this new port is open, and not blocked by any firewalls in between your sensors and the ePolicy Orchestrator server. Communication between sensors and McAfee NAC clients is over an unsecured channel.

How sensors communicate with McAfee NAC

Sensors communicate with the McAfee NAC manager using a secure communication channel. This secure, trusted communication uses port 8443, and can be configured to use a shared secret. When McAfee NAC is installed, the Trusted communications setup shared secret is blank (no value). This setting is valid, but you can also type a text string of your choice. You then use this string when you configure your Network Security Sensors. If communication is not working, check that your shared secret values are identical.

The periodic identification message setting in the McAfee NAC client policy is needed only if a managed system has a firewall that blocks the configured Network Security Sensor to McAfee NAC client communication port. This is the port listed for Client identification request setup in the McAfee NAC server settings. Enabling this option causes the McAfee NAC client to initiate identification messages to the Network Security Sensors. For unmanaged systems, this option is configured in the Unmanaged System Policy, and applies only to the McAfee NAC guest client.

Types of configuration

If you are using McAfee Network Security Platform as a health-based enforcer, no special configuration is needed for the McAfee NAC client policy.


If you are using McAfee Network Security Platform as an identity-based enforcer for both managed and unmanaged systems, you also need to configure a McAfee NAC client policy with the Enforcement Method set to None.

All other configuration to make McAfee NAC work with McAfee Network Security Platform is done through the Network Security Manager and Network Security Sensor interfaces. For details, see the McAfee Network Security Platform documentation.

Operations when combined with McAfee Network Security Platform

When setting up an environment where McAfee NAC and McAfee Network Security Platform are used together, the McAfee® Network Security Sensor can perform both system detection and enforcement.

A Network Security Sensor is an appliance that monitors network traffic and manages pre-admission and post-admission access. The Sensor can:

• Uniquely identify systems as part of an IP stream

• Send detection messages for systems it detects to the McAfee NAC manager

• Respond to enforcement requests (status messages) from the McAfee NAC manager

• Enforce ACLs on the IP streams of these systems

Detection

When setting up Network Security Sensors for detection, the primary consideration is to make sure that you cover all parts of the network you want to protect, and that each Network Security Sensor is communicating with the McAfee NAC client or guest client, and with the McAfee NAC manager. Use the information provided in the McAfee Network Security Platform documentation.

Enforcement

When using Network Security Sensors for enforcement, the primary consideration is that client systems in your production and quarantine networks must be able to communicate with the ePolicy Orchestrator server. Other considerations might be involved depending on the McAfee Network Security Platform access control type you use. For instance, if you use identity-based access control, you must configure and deploy a McAfee NAC client policy that has the Enforcement method option set to None. See Network Security Sensor as an enforcer, and McAfee Network Security Platform access control types.

Automatic remediation

Integrating McAfee NAC with McAfee Network Security Platform has no effect on automatic remediation because all automatic remediation commands are always run by the McAfee NAC client. Therefore, which enforcer you configure is irrelevant. You only need to be sure that unhealthy systems can access remediation resources, such as required applications and operating system patches, from your quarantine networks.

Operations unaffected by the McAfee® Network Security Manager access control mode

Whether you are using health-based or identity-based access control in McAfee Network Security Platform, the way that McAfee NAC detects systems and assesses system health is unaffected.

However, the access control mode does determine whether, and how, the detection and assessment information is used.


Scan results for managed and unmanaged systems (presuming the guest client has been installed) are reported to the McAfee NAC manager, allowing you to access or generate reports. The McAfee NAC client scans systems at whatever interval you have specified using the features available through ePolicy Orchestrator and McAfee NAC. The guest client scans systems according to the scan interval setting in the unmanaged system policy.

Automatic remediation of managed systems is unaffected by McAfee Network Security Platform, regardless of the access control mode. You only need to be sure that an unhealthy managed system can access remediation resources, such as required applications and operating system patches, from your quarantine networks. For information about McAfee® Network Security Manager operations when a system is unhealthy, refer to its documentation set.

Client systems that use firewall software

If firewall software is running on a client system, regardless of whether it is managed or unmanaged, and the firewall is blocking the communication port used by a Network Security Sensor for client identification requests, this can affect the detection and enforcement behavior, especially for managed systems.

To ensure that your Network Security Sensors always can get client identification information, make sure the Periodic identification option is enabled in both your McAfee NAC client policies, and in your unmanaged system policy. This option causes the client to send an identification message onto the network every 60 seconds, but the timing can be configured. By default, this option is enabled in the unmanaged system policy and disabled in the McAfee NAC client policy.

McAfee® Network Security Sensor as a detector

A detector identifies systems that are connected to your network, and reports these systems to the McAfee NAC manager. To qualify as a detector, the component must report at least one form of identifying information about a system or device to the McAfee NAC manager.

McAfee NAC can use McAfee® Network Security Sensor detection information, and combine it with information it receives from other supported detectors (see Detectors and how they work). Any Rogue System Sensor on your network still functions normally and reports detections.

A Network Security Sensor can be configured for different detection types. The following table lists the detection information that a Network Security Sensor reports to the McAfee NAC manager based on its configuration. The specific deployment and configuration determines whether a Network Security Sensor reports some or all of the identifying information listed.

Table 9-1 Network Security Sensor detector configuration

In-line detection: at least one of the following:

• IP address

• MAC address

• Host name

• McAfee Agent GUID

DHCP detection: at least one of the following:

• IP address

• MAC address

VPN detection: at least one of the following:

• IP address

• Host name

• McAfee Agent GUID

Multiple detectors do not interfere with each other. The most recent detection information received that includes an IP address is considered valid for the detected host, independent of the detector. This is because the IP address of a system is the one piece of information that might change under normal circumstances. All other information from multiple detectors is combined for the same detected host.


For example, if one detector reports a MAC address, and a different detector reports a MAC addressand host name, the McAfee NAC manager combines this information with existing detection resultsthat match; otherwise, the system is new, and previously unknown to the McAfee NAC manager.
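As an added example (not McAfee's code) of the combination rule above, the Python below ingests detection reports in arrival order and shows the IP address following the most recent report that carried one, while MAC address, host name and agent GUID accumulate from every detector that saw the host. The detector names, the sequence-number notion of "most recent", and the rule that a report carrying only an IP matches the host currently holding that IP are assumptions made for this example; the page states only that the latest IP wins and that other identifiers are combined.

```python
"""Added example: merging detection reports from several detectors.

Models the combination rule described above: the most recent report that
carries an IP address supplies the host's IP, and every other identifier from
every detector is merged onto the matching host record. Illustrative code
written for this page, not McAfee's implementation; matching and tie-break
rules beyond what the text states are assumptions (see comments).
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Identifiers a detector may report (Table 9-1). IP is excluded from matching
# because it is the one identifier expected to change under normal conditions.
STABLE_KEYS = ("mac", "hostname", "agent_guid")


@dataclass
class DetectionReport:
    detector: str            # e.g. "NSS-inline", "NSS-dhcp", "NSS-vpn", "RSD" (assumed names)
    seq: int                 # arrival order; higher means more recent (assumption)
    ip: Optional[str] = None
    mac: Optional[str] = None
    hostname: Optional[str] = None
    agent_guid: Optional[str] = None


@dataclass
class DetectedHost:
    ip: Optional[str] = None
    ip_seq: int = -1         # seq of the report that supplied the current IP
    mac: Optional[str] = None
    hostname: Optional[str] = None
    agent_guid: Optional[str] = None
    detectors: List[str] = field(default_factory=list)


def find_match(hosts: List[DetectedHost], report: DetectionReport) -> Optional[DetectedHost]:
    """A report matches an existing host on any shared stable identifier.
    Assumption: a report carrying only an IP matches the host that currently
    holds that IP (the text does not spell out this case)."""
    for host in hosts:
        if any(getattr(report, k) is not None and getattr(report, k) == getattr(host, k)
               for k in STABLE_KEYS):
            return host
    if all(getattr(report, k) is None for k in STABLE_KEYS) and report.ip is not None:
        for host in hosts:
            if host.ip == report.ip:
                return host
    return None


def ingest(hosts: List[DetectedHost], report: DetectionReport) -> DetectedHost:
    """Merge one report into the host list, creating a host when nothing matches."""
    if all(getattr(report, k) is None for k in STABLE_KEYS + ("ip",)):
        raise ValueError("a detector must report at least one identifier")
    host = find_match(hosts, report)
    if host is None:
        host = DetectedHost()
        hosts.append(host)
    # Stable identifiers are combined: fill in whatever this detector adds.
    for k in STABLE_KEYS:
        value = getattr(report, k)
        if value is not None and getattr(host, k) is None:
            setattr(host, k, value)
    # IP: only the most recent report that includes one is considered valid,
    # so a late-arriving older report must not overwrite a newer address.
    if report.ip is not None and report.seq >= host.ip_seq:
        host.ip, host.ip_seq = report.ip, report.seq
    if report.detector not in host.detectors:
        host.detectors.append(report.detector)
    return host


def build_sample() -> List[DetectedHost]:
    """Constructed sample traffic: four detectors see the same workstation, one
    VPN report arrives late with a stale IP, then an unrelated host appears."""
    hosts: List[DetectedHost] = []
    for r in (
        DetectionReport("RSD", 0, mac="00:11:22:33:44:55"),
        DetectionReport("NSS-inline", 2, ip="10.1.1.20", mac="00:11:22:33:44:55", hostname="ws-07"),
        DetectionReport("NSS-vpn", 1, ip="172.16.5.9", hostname="ws-07", agent_guid="GUID-1"),
        DetectionReport("NSS-dhcp", 3, ip="10.1.1.77", mac="00:11:22:33:44:55"),
        DetectionReport("NSS-dhcp", 4, ip="10.1.1.90", mac="aa:bb:cc:dd:ee:ff"),
    ):
        ingest(hosts, r)
    return hosts


if __name__ == "__main__":
    for h in build_sample():
        print(h)
```

Running the sample yields one record for ws-07 holding the DHCP-supplied 10.1.1.77 (the VPN report's 172.16.5.9 is older and is ignored) together with the MAC, host name and agent GUID contributed by four detectors, plus a separate record for the second MAC address.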

McAfee® Network Security Sensor as an enforcer

An enforcer is responsible for restricting the network access of systems on your network. A Network Security Sensor can use health-based or identity-based access control enforcement depending on your Network Security Manager configuration.

No matter which Network Security Manager access control configuration you use, network access restrictions are based on your definitions of network access zones. Both McAfee NAC and McAfee Network Security Platform use network access zones, so McAfee recommends you name these such that the product they are associated with is easily identifiable.

When configured for health-based access control, a Network Security Sensor enforces network access restrictions for unmanaged systems based on the health level it is sent from McAfee NAC or receives from the client, provided the client sensor channel is enabled. For an unmanaged system, this can be the enforced health level, an administrator-specified health level, or the post-admission policy health level.

Other information regarding a system's status, such as whether it has an exemption, has a manual enforcement request, or has been marked as malicious, is communicated to the Network Security Sensor by the McAfee NAC manager or McAfee NAC client.

When configured for identity-based access control (IBAC), a Network Security Sensor enforces network access restrictions for managed and unmanaged systems based on system properties or user identity credentials. The McAfee NAC architecture is not involved when using McAfee Network Security Platform in IBAC mode. When you configure the McAfee NAC client to support IBAC, it no longer functions as an enforcer. The enforcement of unhealthy systems becomes solely the responsibility of the Network Security Sensor.

The determination of whether a system is healthy, whether it is enforced, and how it is enforced, is controlled by your Network Security Manager policy configuration.

To enable scalability, edit the NACServer.properties file of the McAfee NAC server, with the parameters:

• enable.client.sensor.channel=true

• periodic.message.version=3

Make sure that you also enable scalability in the Network Security Sensor.

For details about the input used by and output supplied by a Network Security Sensor, see Enforcers and how they work. For information about Network Security Manager policies and the operation of components, see the McAfee Network Security Platform documentation.

Health-based access control

If you are using health-based access control in McAfee Network Security Platform, then McAfee NAC enforces managed systems using the McAfee NAC client, and McAfee® Network Security Manager enforces unmanaged systems using Network Security Sensors. Managed systems can also be enforced by Network Security Sensors, if configured to do so.

Most of the behavioral differences that occur when you use McAfee Network Security Platform in combination with McAfee NAC involve enforcement, and to a lesser degree, detection.


When a system’s health status changes, the McAfee NAC manager or McAfee NAC client sends amessage containing the new health level to the Network Security Sensor. If the system is managed,the Network Security Sensor does not take any enforcement action. If the system is unmanaged, theNetwork Security Sensor is responsible for restricting network access of the system using the networkaccess restrictions configured by the network access zones in Network Security Manager.

For easier identification of network access zones in monitors and reports, McAfee recommends that youuse a prefix for all network access zone names created in Network Security Manager. This way, you canavoid conflicts and confusion trying to determine whether a system is affected by a McAfee NACnetwork access zone or a Network Security Manager network access zone.

Configuration changes

When using Network Security Manager for health-based access control, make these configurationchanges in McAfee NAC:

• Specify the location of your Network Security Manager (recommended) in the McAfee NAC serversettings.

• Set all benchmarks in the unmanaged system policy to Enforce mode.

• (Optional) Set a Trusted communications shared secret in the McAfee NAC server settings.

System detection

When you use McAfee Network Security Platform with McAfee NAC, the Network Security Sensor addsanother detection service. Nothing changes regarding detections performed by the Rogue SystemDetection service and the McAfee NAC client. In other words, a Network Security Sensor can be addedwhen using health-based access control without requiring changes to the detection aspects of anexisting McAfee NAC deployment.

System assessment

The McAfee NAC client assesses managed systems using your managed system health policies andyour established scan schedule. The McAfee NAC manager or McAfee NAC client reports any healthstatus changes on managed systems to the Network Security Sensor, provided the client sensorchannel is enabled.

For unmanaged systems, users must download the McAfee NAC guest client. Once installed, the guestclient uses the unmanaged system policy to assess the system. Scans are repeated according to thepolicy’s scan interval setting. Scan results and system health, reported to the McAfee NAC manager,which then sends the health status to Network Security Sensor or when client sensor channel isenabled, McAfee NAC guest client sends the health status to Network Security Sensor directly.

System enforcement

When using health-based access control in McAfee Network Security Platform, enforcement is still based on a system's health. As described, the McAfee NAC client and guest client assess systems according to your McAfee NAC policies, and report those results. McAfee Network Security Platform enforcement of unmanaged systems is based on the enforced health level.

Using health-based access control, a Network Security Sensor can enforce managed and unmanaged systems, and the McAfee NAC client always enforces managed systems.


Exemptions

When using health-based access control, the McAfee NAC manager reports information about exemptions to the Network Security Sensor. Any systems marked as exempt, using any McAfee NAC method, might or might not be respected by the Network Security Sensor, depending on how it is configured. Your exemption rules and any systems manually marked as exemptions can be overridden by other aspects of a Network Security Manager network policy.

Identity-based access control

If you are using identity-based access control (IBAC) in McAfee Network Security Platform, all systems, managed and unmanaged, can be enforced by Network Security Manager using Network Security Sensors.

If every managed system has a McAfee NAC client policy with the Enforcement method set to None, then McAfee NAC has no control over enforcement in this configuration, and system health is not used as the basis for enforcement. However, you can combine the solution, and have some managed systems enforced by the McAfee NAC client, and some enforced by Network Security Sensors.

Configuration changes

To use identity-based access control, you need to make these configuration changes in McAfee NAC:

• Set the Enforcement method option in your McAfee NAC client policies to None.

• Specify the location of Network Security Manager server (recommended) in the McAfee NAC server settings.

• Optionally set a Trusted communications shared secret in the McAfee NAC server settings.

When a system's health status changes, the McAfee NAC client sends a message containing the new health level to the Network Security Sensor. However, when using identity-based access control, the Network Security Sensor ignores this information. The McAfee NAC network access policy that designates network access zones is not used. Instead, the network access restrictions configured by the network access zones in Network Security Manager are used.

For easier identification of network access zones in monitors and reports, McAfee recommends that you use a prefix for all network access zone names created using Network Security Manager. This way, you can avoid conflicts and confusion trying to determine whether a system is affected by a McAfee NAC network access zone or a Network Security Manager network access zone.

System detection

When you use McAfee Network Security Platform with McAfee NAC, the Network Security Sensor adds another detection service. Nothing changes regarding detections performed by the Rogue System Detection service and the McAfee NAC client. In other words, a Network Security Sensor can be added when using identity-based access control without requiring changes to the detection aspects of an existing McAfee NAC deployment.

System assessment

The NAC client assesses managed systems using your managed system health policies and your established scan schedule. The McAfee NAC manager reports any health status changes on managed systems to the Network Security Sensor.


For unmanaged systems, users must download the McAfee NAC guest client. Once installed, the guest client uses the unmanaged system policy to assess the system. Scans are repeated according to the policy's scan interval setting. Scan results and system health are reported to the McAfee NAC manager, which then sends the health status to the Network Security Sensor.

System enforcement

When using identity-based access control in McAfee Network Security Platform, enforcement is no longer based on a system's health. Enforcement is based solely on system properties or user identity credentials, and all managed and unmanaged systems can be enforced by a Network Security Sensor.

To do this, your McAfee NAC client policies must have the Enforcement method option set to None. In this configuration, the McAfee NAC client no longer performs enforcement. All enforcement actions are controlled by the Network Security Sensor, and configured using the Network Security Manager console.

Exemptions

When using identity-based access control, the McAfee NAC manager reports information about exemptions to the Network Security Sensor. Any systems marked as exempt, using any McAfee NAC method, might or might not be respected by Network Security Manager, depending on how it is configured. Your exemption rules and any systems manually marked as exemptions can be overridden by other aspects of a Network Security Manager network policy.

McAfee NAC manager configuration

You must properly configure the McAfee NAC manager so it operates with McAfee Network Security Platform. All components must be able to communicate with each other.

If you want to use the Guest Portal so that unmanaged systems can install the McAfee NAC guest client, see Guest portal and guest client.

To configure the McAfee NAC manager to operate with McAfee Network Security Platform, set these options in the McAfee NAC server settings:

• Network Security Manager location

• Client identification request setup

• Trusted communications setup

For details about this task, see Editing McAfee NAC server settings.

Network Security Manager location

This configuration option is used to create links within the McAfee NAC interface to the Network Security Manager console. It informs the Network Access Control manager where the Network Security Manager server is located. McAfee NAC assumes that the default Network Security Manager console port is port 80. If the console uses a different port, you must set it using the optional port specification format (<server_name>[<port>]).

Client identification request setup

This configuration option sets an encryption key that is used for communication between a McAfee NAC client and a Network Security Sensor. The Network Security Sensor must communicate directly with the McAfee NAC client to uniquely identify the system and determine whether it is managed. The McAfee NAC manager distributes this key to a Network Security Sensor when it establishes communications. The McAfee NAC manager distributes this key to the McAfee NAC client after it sends its startup message.


Trusted communications setup

This configuration option sets a shared secret (effectively a password) that establishes trusted communications between the McAfee NAC manager and a Network Security Sensor at sensor startup. The value of this option must be used when configuring a Network Security Sensor. If the values do not match, the Network Security Sensor cannot communicate with the McAfee NAC manager. The default value is blank. This can be used, or you can specify your own password.

Configure a McAfee NAC client policy

Configure the McAfee NAC client to work with McAfee Network Security Platform.

Task

For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then select Network Access Control Client 4.0.0 from the Product drop-down menu. There is only one category value: General.

2 Select an existing policy from the list and click Duplicate to edit, or click Actions | New Policy.

If you are using ePolicy Orchestrator 4.5, then select an existing policy from the list and click Edit Settings or Duplicate to edit, or click Actions | New Policy.

3 If creating a new policy, select an existing policy as a template, and type a name for the new policy. The name should indicate that the policy is for use in a network enforcement environment.

4 Set the Enforcement method option to:

• NAC client — For health-based access control

• Microsoft Network Access Protection — For integration with Microsoft NAP.

• None — For identity-based access control

5 Set the automatic remediation option to use and specify credentials (managed systems only).

6 Specify whether you want the McAfee NAC client to display the McAfee system tray icon.

7 Specify whether you want the McAfee NAC client to send periodic identification messages out on the network for a Network Security Sensor to pick up.

8 Deploy this McAfee NAC client policy. McAfee Network Security Platform only enforces unmanaged systems regardless of whether it is using health-based access control or identity-based access control.

9 Specify how you want to configure the sensor settings.

Assessment of unmanaged systems

When using McAfee Network Security Platform in health-based access control mode, managed systems are assessed by the McAfee NAC client using your managed system health policies, and unmanaged systems are assessed by the McAfee NAC guest client using the unmanaged system policy.

Unmanaged systems are detected by your Network Security Sensors. The McAfee NAC guest client is not the same as the McAfee NAC client, and will not install on a system that has the McAfee NAC client. The guest client differs from the McAfee NAC client in these ways:

• Guest client does not require the McAfee Agent.

• Guest client is not configured by a McAfee NAC client policy.


• Guest client is intended to be a temporary executable that is automatically removed after a specified time, which is set from the Guest Portal.

• Guest client can assess a system only with the unmanaged system policy.

• Guest client cannot use automatic remediation. Unmanaged systems must be remediated manually.

A system with the guest client installed is not a managed system according to the McAfee NAC or ePolicy Orchestrator definitions.

The guest client's role is to evaluate system health and report the results to the McAfee NAC manager. The guest client evaluates only the unmanaged system policy, and scans the system according to the policy's scan interval. The McAfee NAC manager reports the system's health level to the Network Security Sensor. All enforcement decisions are under Network Security Manager control. McAfee NAC does not play a role in unmanaged system enforcement.

The guest client's configuration is set as shown in this table. Most of this configuration is fixed, except where noted.

Scan interval = Periodic interval during which scan is invoked on guest clients.

Scan results = All benchmark and rule information.

Unhealthy host scan setting = Invokes a scan when the host is assessed as unhealthy.

System tray icon = Enabled.

Periodic identification = Enabled by default. This option is configurable in the unmanaged system policy.

Sensor Settings = Enabled by default. Receives sensor details from McAfee NAC server.

For details about setting the health policy for unmanaged systems and providing remediation instructions, see Unmanaged system policy.

Guest portal and guest client

The Guest Portal provides an access point to which you can direct unmanaged systems so users can install the McAfee NAC guest client. The portal is essentially a pre-configured web page, but you can customize it with your company's logo and statement of network security policy.

The Guest Portal is installed as an extension when you install McAfee NAC. All files and executables are located on the ePolicy Orchestrator server. To verify this, check the ePolicy Orchestrator Extensions page.

To configure the Guest Portal, you should:

• Have a written network security policy statement to display on the portal page

• Set portal configuration options on the McAfee NAC Guest Portal server settings page

For details, see Guest portal configuration and the associated task.

Redirecting unmanaged systems detected by a Network Security Sensor to the Guest Portal is configured using the Network Security Manager. For information, see the McAfee® Network Security Manager documentation.

How users install the guest client

The guest client can be installed only through the Guest Portal. The guest client installer is part of the Guest Portal extension. If you uninstall the Guest Portal extension, the guest client installer is also removed.


When users are redirected to the Guest Portal, they must select values for two options:

• The Network access period, which sets how many days the guest client remains installed on their system before being automatically uninstalled.

• Their computer's Operating system. The system tries to automatically detect the operating system and defaults to that value, but users can choose the correct operating system (Windows, Linux, MacOS, or other). If a user selects Other, it means they are running an operating system that is not supported by the guest client.

With these options set, users can install the guest client and have their systems scanned.

Behavior for no guest client installed

The Guest Portal does not force a user to install the guest client. If a user clicks Cancel on the guest portal, they receive a warning that their network access might be restricted or denied. Administrators should set the Health level for no guest client option on the McAfee NAC Guest Portal server settings page to an appropriate value for their company security policy. This option defaults to Critical.

Alternately, a user might be running an operating system on which the guest client cannot be installed (the Other value). If a user selects this value, they receive a warning that their network access might be restricted or denied. Administrators should set the option Health level for 'Other' OS on the McAfee NAC Guest Portal server settings page to an appropriate value for their company security policy. This option defaults to Unknown.

Guest portal configuration

Configuring the Guest Portal is done by setting option values on the McAfee NAC Guest Portal server settings page.

The options you can set are:

Option Definition

Guest portal logo: Sets the file path to the image file you want to use as the logo displayed on the Guest Portal. This is typically your company logo. Place the logo image file anywhere on the ePolicy Orchestrator server, and give the absolute path for this option. The JPG and GIF file formats are recommended, but you should be able to use any format supported by web-standard HTML.

Guest system policy statement: Sets the statement you want to display on the Guest Portal describing your company's network security policy for unmanaged, or guest, systems on your network. This is a text field that can contain approximately 10,000 characters.

Default guest client authorization: Sets the default value, in days, for the Network access period option on the Guest Portal page. This setting determines how long the McAfee NAC guest client is active on a guest system before the client is automatically uninstalled. The allowed values are 0, 1, 2, 5, 15, 30, and 90. A value of zero means the McAfee NAC guest client scans the system once, then is immediately uninstalled.

Health level for no guest client: Sets the default health level that is assigned to unmanaged systems on your network that do not have the McAfee NAC guest client installed. One way this would happen is if the user cancels out of the Guest Portal.

Health level for 'Other' OS: Sets the default health level that is assigned to unmanaged systems on your network when the user of the system selects the value Other for the Operating system option on the Guest Portal page.
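The following Python model is an added illustration and is not McAfee code. It ties together the behaviour described in this chapter: how an unmanaged system's reported health level follows from the Guest Portal settings (the 'Other' OS level, the no-guest-client level, or the guest client's own scan result), the allowed values for the default guest client authorization, and the difference between a Network Security Sensor in health-based mode (zone chosen by the enforced health level) and in identity-based mode (the health message is ignored). The ordering of health levels, the zone names, the identity check and the default of 1 day are assumptions made for the example.

```python
"""Added illustrative model, not McAfee code: how an unmanaged system's health
level is derived from the Guest Portal settings, and how a Network Security
Sensor in health-based versus identity-based mode treats that level.
Zone names, the health-level ordering and the identity check are assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class HealthLevel(IntEnum):
    """McAfee NAC health levels, ordered best to worst (ordering assumed here)."""
    HEALTHY = 0
    FAIR = 1
    POOR = 2
    SERIOUS = 3
    CRITICAL = 4
    UNKNOWN = 5


# Allowed values for "Default guest client authorization" (days), from the guide.
ALLOWED_ACCESS_PERIODS = (0, 1, 2, 5, 15, 30, 90)


@dataclass
class GuestPortalSettings:
    """The three Guest Portal settings that decide a guest system's health level."""
    default_authorization_days: int = 1          # assumed default for this example
    health_for_no_guest_client: HealthLevel = HealthLevel.CRITICAL   # documented default
    health_for_other_os: HealthLevel = HealthLevel.UNKNOWN           # documented default

    def __post_init__(self) -> None:
        if self.default_authorization_days not in ALLOWED_ACCESS_PERIODS:
            raise ValueError(
                f"Default guest client authorization must be one of {ALLOWED_ACCESS_PERIODS}")


@dataclass
class UnmanagedSystem:
    """State of a system detected by a Network Security Sensor (constructed sample)."""
    ip: str
    os_selection: str = "Windows"                   # Windows, Linux, MacOS or Other
    guest_client_installed: bool = False
    assessed_health: Optional[HealthLevel] = None   # last guest client scan result


def guest_client_is_removed_after_first_scan(authorization_days: int) -> bool:
    """A Network access period of 0 means: scan once, then uninstall immediately."""
    return authorization_days == 0


def effective_health(system: UnmanagedSystem, settings: GuestPortalSettings) -> HealthLevel:
    """Health level the McAfee NAC manager reports to the sensor for an unmanaged system.

    The order of checks follows the Guest Portal behaviour: an unsupported OS
    ("Other") gets the 'Other' OS level, a system with no guest client gets the
    no-guest-client level, otherwise the guest client's scan result is used.
    """
    if system.os_selection == "Other":
        return settings.health_for_other_os
    if not system.guest_client_installed:
        return settings.health_for_no_guest_client
    if system.assessed_health is None:
        return HealthLevel.UNKNOWN   # assumption: no scan has completed yet
    return system.assessed_health


# Hypothetical Network Security Manager zone names keyed by health level.
ZONE_BY_HEALTH = {
    HealthLevel.HEALTHY: "nsm-full-access",
    HealthLevel.FAIR: "nsm-full-access",
    HealthLevel.POOR: "nsm-remediation",
    HealthLevel.SERIOUS: "nsm-remediation",
    HealthLevel.CRITICAL: "nsm-quarantine",
    HealthLevel.UNKNOWN: "nsm-quarantine",
}


def sensor_zone(mode: str, health: HealthLevel, identity_ok: bool) -> str:
    """Zone a sensor assigns. In identity mode the health message is ignored and
    only the (assumed) identity result matters; in health mode the enforced
    health level selects the zone."""
    if mode == "identity":
        return "nsm-full-access" if identity_ok else "nsm-identity-restricted"
    if mode == "health":
        return ZONE_BY_HEALTH[health]
    raise ValueError(f"unknown sensor mode: {mode}")
```

A practitioner can drive this with a few constructed `UnmanagedSystem` records to check that a cancelled portal visit lands in Critical and an unsupported OS in Unknown before changing the two portal defaults.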

Configure the guest portal

Set option values that configure the McAfee NAC guest portal. Typically, these settings change infrequently.


Task

For option definitions, click ? in the interface.

1 Go to Menu | Configuration | Server Settings, then in the Setting Categories column, select NAC Guest Portal.

2 Click Edit.

3 On the Edit page, enter values for these options:

• Guest portal logo

• Guest system policy statement

• Default guest client authorization

• Health level for no guest client

• Health level for 'Other' OS

4 Click Save.


10 Integrating McAfee NAC with Microsoft Network Access Protection

McAfee NAC 4.0 supports Microsoft Network Access Protection (NAP) as an enforcer. Microsoft NAP enforces network access restrictions for managed systems from a central NPS server.

The McAfee NAC client, acting as a System Health Agent (SHA), passes a Statement of Health to the NPS server, which is validated by the McAfee System Health Validator and the McAfee NAC manager.

Contents

How McAfee NAC communicates with Microsoft NAP
Setup requirements
ePolicy Orchestrator considerations
Microsoft NAP as an enforcer
Support for non-native operating systems
McAfee System Health Validator operations
Failure categories of System Health Validator
Error conditions of System Health Validator

How McAfee NAC communicates with Microsoft NAP

How the Statement of Health is used to affect enforcement depends on your Microsoft NAP policy configuration. To use Microsoft NAP as an enforcer, these components must communicate with each other:

• ePolicy Orchestrator server that hosts McAfee NAC

• Microsoft 2008 Server that hosts the Network Policy Server (NPS)

• McAfee NAC client

For the McAfee NAC client to communicate with both the NPS and ePolicy Orchestrator servers, both servers must be deployed in the NAP boundary network.

The McAfee NAC components that support using Microsoft NAP as an enforcer are a custom McAfee System Health Validator (SHV) that is installed on the NPS server, and the McAfee NAC client. The McAfee NAC client must be set to NAP enforcement mode in the McAfee NAC client policy. McAfee NAC 4.0 also supports NAP enforcement on managed systems with some Microsoft operating systems that are not natively supported by Microsoft NAP with a DHCP Agent.

You cannot use Microsoft NAP enforcement for client systems running a supported Mac OS or Linux operating system.


In addition, you must configure the Network Access Control Server Settings using Trusted communications setup. The shared secret configured here must be specified in the McAfee System Health Validator UI after installation, so that the McAfee System Health Validator can communicate with the McAfee NAC manager. Once it is installed on the NPS server, the McAfee System Health Validator is configured using the NPS console.

The information presented here assumes that you are familiar with the Microsoft NAP product, its requirements, its operation, and its user interface components.

Setup requirements

Each component that supports the use of Microsoft Network Access Protection (NAP) as an enforcer has specific setup and configuration requirements.

Table 10-1 Setup requirements for using Microsoft NAP as an enforcer

Component Requirements

ePolicy Orchestrator server: The server machine must be deployed into the Network Access Protection boundary network. McAfee Network Access Control (McAfee NAC) 4.0 must be installed.

Microsoft Network Policy Server: The server machine must use the Windows 2008 Server 32-bit operating system. The Network Policy Server role must be configured and deployed into the Network Access Protection boundary network. The McAfee System Health Validator (SHV) must be installed.

McAfee NAC client: The McAfee NAC client policy on any managed system you want Microsoft Network Access Protection to enforce must have the Enforcement method set to Microsoft Network Access Protection (NAP).

McAfee System Health Validator: The McAfee System Health Validator must be installed on the Microsoft Network Policy Server, and configured through the Network Policy Server console. In the McAfee System Health Validator Properties interface, the Communication port number on the Setup tab, 8444 by default, must match the setting for Server-to-sensor communication port on your ePolicy Orchestrator server. On the Request New Certificate dialog box, the Server UI Port number, 8443 by default, must match the setting for Console-to-application server communication port on your ePolicy Orchestrator server.

McAfee DHCP Agent (optional): The DHCP Agent must be installed on a DHCP server running the Windows 2008 Server 32-bit operating system. You must have Microsoft NAP policies that are configured for DHCP-based enforcement.

ePolicy Orchestrator considerations

A typical ePolicy Orchestrator deployment in a Microsoft Network Access Protection environment has the ePolicy Orchestrator server in the boundary network. This means it should be able to communicate with client systems in either the trusted or non-trusted networks.

To be trusted, the ePolicy Orchestrator server must have a valid health certificate.

Typically, a health certificate is obtained manually, using the Certificates MMC snap-in for the local computer account. If Active Directory has been configured properly for Network Access Protection, you select the Personal certificate store, then create a certificate request for a System Health Authentication certificate.

A more subtle issue with ePolicy Orchestrator in a Network Access Protection environment is that it might become impossible for ePolicy Orchestrator to issue agent wake-up calls to client systems. In some configurations, for example when using IPsec enforcement, the ePolicy Orchestrator server cannot establish communication with a non-trusted client. The client can initialize communication with the ePolicy Orchestrator server, but not the other way around. When using DHCP and 802.1x enforcement methods, it should be possible to get around this via network configuration.

Microsoft NAP as an enforcer

Microsoft Network Access Protection can enforce network access restrictions for McAfee NAC managed systems from a central Network Policy Server. When you configure the McAfee NAC client for Network Access Protection mode, it no longer functions as an enforcer. The enforcer role is transferred to Microsoft Network Access Protection.

The McAfee NAC client continues to function as a detector and assessor, but its assessor role is expanded so that it also functions as a Microsoft Network Access Protection System Health Agent (SHA). In its role as a System Health Agent, the McAfee NAC client sends a Statement of Health to the McAfee System Health Validator (SHV) on the Network Policy Server every time the system is assessed. The Statement of Health contains a health level, and other information needed to identify the system and determine its status.

The determination of whether a system is healthy, whether it is enforced, and how it is enforced, is controlled by your Microsoft Network Policy Server policy configuration. Typically, most enforcement in Microsoft Network Access Protection is controlled by your health and network policies, which receive information from System Health Validators. The McAfee System Health Validator is only one of potentially many System Health Validators that can be used by Microsoft Network Access Protection to determine a system's health, and whether an enforcement action is required. Any enforcement decision based on information from McAfee NAC depends on the configuration of the McAfee System Health Validator, and how it is evaluated in your Network Access Protection policies.

Other information regarding a managed system's status — such as whether it has an exemption, has a manual enforcement request, or has been marked as malicious — is communicated to the McAfee System Health Validator by the McAfee NAC manager. This communication occurs after the McAfee System Health Validator has received the Statement of Health. See McAfee System Health Validator operations.

For information about Microsoft Network Access Protection policies and the operation of its components, see the Microsoft Network Access Protection documentation.

Exemptions and NAP enforcement

A system's exemption status, whether from an exemption rule or set by an administrator, is communicated to the Network Policy Server by the McAfee System Health Validator. Your Network Access Protection policies are not required to act on this information, and can choose to respect or ignore the McAfee NAC exemption status as is appropriate for your environment. Systems that are considered exempt in McAfee NAC can be quarantined if your Network Access Protection network policy configuration determines that the system is unhealthy.

Automatic remediation with NAP enforcement

When using McAfee NAC in a Microsoft Network Access Protection environment, McAfee recommends that you configure your system health policies and McAfee NAC client policies according to your remediation requirements. All McAfee NAC automatic remediation features must be enabled, and your Network Access Protection policies must enable automatic remediation. When configured this way, Microsoft Network Access Protection attempts to run all automatic remediation actions specified in your McAfee NAC managed system health policies.


In addition, for the McAfee NAC automatic remediation feature to work properly, your Network Access Protection policies for noncompliant systems cannot use the Deny Access option. Instead, use the Allow Limited Access option. You must also configure a Network Access Protection Remediation Server Group that allows access to:

• ePolicy Orchestrator server

• Network systems that host or allow access to remediation resources, such as required applications and operating system patches

• (Optional) Your DNS server, DHCP server, and domain controllers

McAfee NAC client operations in Network Access Protection mode

When the McAfee NAC client is configured in Network Access Protection enforcement mode, its operation changes.

• It no longer functions as an enforcer. As a result, your McAfee NAC network access policies are invalid when the McAfee NAC client is in Network Access Protection mode.

• Its assessor role is expanded so that it also functions as a Microsoft System Health Agent (SHA).

There are no changes to the McAfee NAC client's normal operations as an assessor. All applicable system health policies are assessed and reported to the McAfee NAC manager.

A managed system in a Microsoft Network Access Protection environment might have several System Health Agents installed.

The McAfee NAC client as a System Health Agent

As a System Health Agent, the McAfee NAC client is responsible for sending a Statement of Health to the McAfee System Health Validator (SHV) installed on the Network Policy Server. The Statement of Health contains a health level and other information the McAfee System Health Validator needs to obtain validation of the managed system from the McAfee NAC manager. The health level contained in the Statement of Health is always the system's assessed health level.

The McAfee NAC manager attempts to validate the system, and returns that information to the McAfee System Health Validator, along with other information it knows about the system, such as whether it has an exemption, has an enforced health level override, or is marked as malicious and has an associated post admission policy health level. The McAfee System Health Validator then reports all the information it has to the Network Policy Server, which is acted on according to your configured Network Access Protection health and network policies.

When a system's enforcement status changes, the Network Access Protection Agent on the managed system sends an Isolation State Change event to the McAfee NAC client (and any other System Health Agents installed on the system). The McAfee NAC client reports these events to the McAfee NAC manager, which updates the system's status. These events can be useful for generating reports about enforced systems, because an enforcement change can be caused by an SHA other than the McAfee NAC client.
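The Statement of Health path described above (NAC client as SHA, McAfee SHV, NAC manager validation, Network Policy Server decision), together with the exemption and automatic remediation rules from the preceding sections, as an added illustrative model in Python. This is not McAfee or Microsoft code. The roles, the manager-supplied status items (exemption, enforced health level override, malicious flag with a post admission health level), the Default rule health level setting and the requirement to use Allow Limited Access rather than Deny Access for remediation come from this chapter; the message field names, the best-to-worst ordering of health levels, the "worst failed rule wins" aggregation and the noncompliance threshold are assumptions made for the example.

```python
"""Added illustrative model (not McAfee or Microsoft code) of the Statement of
Health path: NAC client (SHA) -> McAfee SHV -> NAC manager validation -> NPS
decision. Field names, the health-level ordering, the noncompliance threshold
and the access/action strings are assumptions made for this example."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, List, Optional


class HealthLevel(IntEnum):
    """McAfee NAC health levels, ordered best to worst (ordering assumed here)."""
    HEALTHY = 0
    FAIR = 1
    POOR = 2
    SERIOUS = 3
    CRITICAL = 4
    UNKNOWN = 5


@dataclass
class RuleResult:
    """Outcome of one benchmark rule; fail_level is the level the rule assigns
    on failure, or None if the rule does not set one explicitly."""
    rule: str
    passed: bool
    fail_level: Optional[HealthLevel] = None


def assessed_health(results: List[RuleResult], default_rule_level: HealthLevel) -> HealthLevel:
    """Assessed health carried in the Statement of Health. A failed rule with no
    explicit level contributes the Default rule health level server setting;
    the worst failure wins (aggregation assumed for this example)."""
    worst = HealthLevel.HEALTHY
    for r in results:
        if not r.passed:
            worst = max(worst, r.fail_level if r.fail_level is not None else default_rule_level)
    return worst


@dataclass
class StatementOfHealth:
    """What the SHA (McAfee NAC client) sends to the McAfee SHV on the NPS."""
    system_id: str
    health: HealthLevel


@dataclass
class ManagerRecord:
    """What the McAfee NAC manager returns to the SHV when validating a system."""
    validated: bool = True
    exempt: bool = False
    enforced_override: Optional[HealthLevel] = None   # enforced health level override
    malicious: bool = False
    post_admission_level: Optional[HealthLevel] = None


@dataclass
class ShvReport:
    """Everything the SHV forwards to the Network Policy Server."""
    system_id: str
    health: HealthLevel
    validated: bool
    exempt: bool
    malicious: bool


def shv_validate(soh: StatementOfHealth,
                 manager_lookup: Callable[[str], ManagerRecord]) -> ShvReport:
    """SHV side: receive the SoH, ask the NAC manager about the system, merge."""
    rec = manager_lookup(soh.system_id)
    health = soh.health
    if rec.enforced_override is not None:
        health = rec.enforced_override        # administrator override replaces the assessed level
    if rec.malicious and rec.post_admission_level is not None:
        health = max(health, rec.post_admission_level)   # post-admission level can only worsen it
    return ShvReport(soh.system_id, health, rec.validated, rec.exempt, rec.malicious)


@dataclass
class NapPolicy:
    """Assumed shape of the NPS health/network policy that consumes the SHV report."""
    noncompliant_from: HealthLevel = HealthLevel.POOR   # this level or worse is noncompliant
    respect_nac_exemptions: bool = True                 # NAP may respect or ignore NAC exemptions
    noncompliant_action: str = "allow_limited"          # or "deny"
    auto_remediation: bool = True


def nps_decide(report: ShvReport, policy: NapPolicy) -> dict:
    """NPS side: compliant systems get full access; noncompliant ones get the
    configured action. Deny Access cuts the client off from ePO, so McAfee NAC
    automatic remediation cannot run under it; Allow Limited Access can."""
    compliant = report.validated and report.health < policy.noncompliant_from
    if not compliant and policy.respect_nac_exemptions and report.exempt:
        compliant = True
    if compliant:
        return {"access": "full", "remediation": False}
    if policy.noncompliant_action == "deny":
        return {"access": "denied", "remediation": False}
    return {"access": "limited", "remediation": policy.auto_remediation}
```

The useful check for a practitioner is the `"deny"` branch: a policy that denies access to noncompliant systems can never trigger McAfee NAC remediation, which is exactly why the guide requires Allow Limited Access plus a Remediation Server Group that reaches the ePolicy Orchestrator server.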

Configure a McAfee NAC client policy for Network Access Protection mode

You can configure the McAfee NAC client to operate in Microsoft Network Access Protection enforcement mode.


Task

For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then select Network Access Control Client 4.0.0 from the Product drop-down menu. There is only one category value: General.

2 Select an existing policy and click Duplicate, or click Actions | New Policy. You can also click New Policy.

For ePolicy Orchestrator 4.5, select an existing policy, then click Edit Settings or Duplicate to edit an existing policy.

3 If creating a new policy, select an existing policy as a template, and type a name for the new policy. The name should indicate that the policy is for use in a Microsoft Network Access Protection environment.

4 For Enforcement method, select Microsoft Network Access Protection (NAP); for Scan results, select the required option.

If your Network Access Protection policies allow remediation to be requested from McAfee NAC, see Configuring automatic remediation for NAP mode.

5 Specify whether you want the McAfee system tray icon enabled, then save the policy.

6 Enable Periodic identification as needed, select the Sensor Settings, then click Save.

7 Go to Menu | Configuration | Server Settings, then select Network Access Control from the category list. Check the value for Default rule health level. This health level is sent in the Statement of Health if a benchmark rule does not explicitly set a health level to assign when a rule fails. To change the value, click Edit, then select the health level you want reported from the Default rule health level drop-down menu.

8 Deploy this McAfee NAC client policy to all managed systems you want enforced by Microsoft Network Access Protection.

Configure automatic remediation for Network Access Protection mode

Configure your McAfee NAC client policies and managed system health policies so that Microsoft Network Access Protection can request that McAfee NAC attempt to remediate unhealthy systems.

Before you begin

This task assumes that you have already configured a McAfee NAC client policy to use the Microsoft Network Access Protection enforcement method. If not, combine this task with Configure a McAfee NAC client policy for Network Access Protection mode.


Task

For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then select Network Access Control Client 4.0.0 from the Product drop-down menu.

2 For an existing McAfee NAC client policy configured for Network Access Protection enforcement, click Duplicate.

If you are using ePolicy Orchestrator 4.5, click Edit for an existing NAC client policy configured for NAP enforcement. For Automatic remediation, select Use local system credentials or Use the following credentials. Type administrator credentials for Username and Password if you are specifying credentials. Click Save.

3 In the Duplicate Existing Policy window, enter a name for the duplicate policy, and click OK to duplicate and edit the last saved version of this policy.

4 Click the created duplicate policy to edit the health level to network access zone mapping parameters and click Save. Click New Network Access Zone to create a new zone.

5 Click Menu | Risk & Compliance | Network Access Control, then select Managed System Health Policies from the left column.

6 For every system health policy:

a Click Edit.

b In the policy builder, click the Select Benchmarks page.

c Select every benchmark that specifies a remediation command, then click Actions | Auto-remediation.

d In the dialog box, select Enable auto-remediation, then click OK.

7 Click Save.

Support for non-native operating systems

McAfee NAC includes a DHCP Agent that allows you to use Microsoft Network Access Protection enforcement on managed systems running some operating systems that are not natively supported by Network Access Protection. Microsoft refers to these as Down Level Clients (DLCs).

Therefore, you can enforce any system that can host the McAfee NAC client but cannot host the Microsoft Network Access Protection System Health Agent. The DHCP Agent allows you to use Microsoft Network Access Protection enforcement on:

• Windows XP SP2 systems

• All 32-bit versions of Windows 2000 where the McAfee NAC client can be installed

• All 32-bit versions of Windows 2003 where the McAfee NAC client can be installed

The Windows 2008 operating system is not supported by the DHCP Agent as a client system.

In the Microsoft Network Access Protection interface, all Down Level Client systems look like Windows XP SP3 systems. If your Network Access Protection policies evaluate the Windows System Health Validator, DLC systems always pass. All compliance assessment you need performed on DLC systems must be specified in your McAfee NAC system health policies. Enforcement of these systems by Microsoft Network Access Protection is based solely on the Statement of Health received from the McAfee System Health Validator.


Install the DHCP Agent

Using Microsoft Network Access Protection, the DHCP Agent allows you to enforce systems that run some operating systems not natively supported by Network Access Protection.

Before you begin

The DHCP Agent can be installed only on a Windows 2008 DHCP server.

The McAfee DHCP Agent is compatible only with 32-bit operating systems. Your DHCP server must be running a 32-bit version of Windows 2008.

You can also run this installer to modify, repair, or remove the DHCP Agent.

Task

For option definitions, click ? in the interface.

1 From the McAfee product download site, download the DHCPAgent.zip file to your Windows 2008 DHCP server. The DHCP Agent installation files are also located on the ePolicy Orchestrator server at Program Files/McAfee/Network Access Control/Server/DHCP Agent. Copy this folder to your DHCP server.

2 Unzip the DHCPAgent.zip file, then run the Setup program. If you copied the DHCP Agent folder from your ePolicy Orchestrator server, run the Setup program.

3 On the Destination Folder screen, accept the default path (recommended), or click Change to specify another location, then click Next.

4 Click Install.

McAfee System Health Validator operations

The McAfee System Health Validator (SHV) requires secure communications with the McAfee NAC manager to authenticate client systems in a Microsoft Network Access Protection environment. Certificate provisioning is the process of establishing the certificates needed for these activities.

Certificate provisioning is essential for the proper operation of the McAfee System Health Validator. Without it, the System Health Validator cannot retrieve accurate system information from the McAfee NAC manager, and the full power of McAfee NAC cannot be utilized.

If it cannot communicate with the McAfee NAC manager, the System Health Validator must trust the information about a system provided by the McAfee NAC client (in its role as a System Health Agent). Information about the system's policy age and exemption status, for example, could be out-of-date or an approximation.

The McAfee System Health Validator configuration allows you to set compliance values for error conditions, such as communication problems. Though it is possible to configure the System Health Validator to ignore communication problems, this should not be considered a normal operating condition, and should be used only as a solution for temporary communication outages. However, the ability to ignore communication problems, even though the trust level is reduced, can be useful to customers who do not want to risk many client systems becoming noncompliant because a communication channel was temporarily lost.

The System Health Validator configuration interface opens before the installation finishes, allowing you to perform some initial certificate provisioning as part of the installation process.


Certificate status and the certificate store

The two most common Certificate Status values in the System Health Validator configuration interface are:

• PROVISIONED — Indicates that the local system certificate store contains what it considers valid certificates

• NOT PROVISIONED — Indicates that no certificates could be found

The System Health Validator configuration interface does not attempt to validate the certificates in the store before displaying the status. The displayed status indicates only whether there are certificates in the store specific to the McAfee System Health Validator. The interface can also show errors that occur during the provisioning process.

In unusual circumstances, it is possible to have certificates in the store that cannot be used for communication. One example is when the System Health Validator is provisioned against one ePolicy Orchestrator server, then later reconfigured to use a second ePolicy Orchestrator server, without re-provisioning. This situation can leave certificates in the store that do not work when communication with the second ePolicy Orchestrator server is attempted. In this case, you must re-provision the certificates against the second ePolicy Orchestrator server.

If the McAfee System Health Validator is uninstalled from the Network Policy Server, any certificates it has provisioned are removed from the system certificate store.

How certificate provisioning is performed

Certificate provisioning configuration is performed by running the McAfee System Health Validator configuration interface from the Network Policy Server console. By default, McAfee NAC and the McAfee System Health Validator are installed with a blank value for the Trusted communications setup shared secret. The blank value is valid, and allows initial certificate provisioning to occur.

When you request a new certificate from the McAfee System Health Validator configuration, you must provide the Trusted communications setup shared secret that is set in the McAfee NAC server settings. Regardless of the actual value, the requirement is that the Trusted communications setup shared secret and the Shared secret for certificate provisioning must match. If you experience problems, verify these two settings.

Install the McAfee System Health Validator

Install the McAfee System Health Validator (SHV) on your Microsoft Network Policy Server.

During installation, the McAfee System Health Validator configuration interface is opened. If you want to set configuration options at this time, see Configure the McAfee System Health Validator for details.

The McAfee System Health Validator is compatible only with 32-bit operating systems. Your Microsoft Network Policy Server must be running a 32-bit operating system.

Task

For option definitions, click ? in the interface.

1 Download the McAfeeSHV.zip file from the McAfee product download site to your Network Policy Server.

2 Unzip the file, then run the Setup program.

3 On the Destination Folder screen, accept the default path (recommended), or click Change to specify another location, then click Next.


4 Click Install.

5 Click Finish to open the System Health Validator configuration interface. If you want to configure the System Health Validator later, click Cancel.

Configure the McAfee System Health Validator

Configure the McAfee System Health Validator properties once it is installed on the Microsoft Network Policy Server.

Before you begin

If you want to use a shared secret for trusted communications between your ePolicy Orchestrator server and the McAfee System Health Validator, do the following before configuring the McAfee System Health Validator:

1 Go to Menu | Configuration | Server Settings, then select Network Access Control from the category list.

2 Click Edit.

3 For Trusted communications setup, enable Password required, then type and confirm a password for Shared secret.

4 Click Save.

Make a note of the string you entered for the Shared secret. You will need it for Step 7 below.

Task

For option definitions, click ? in the interface.

1 Open the Network Policy Server console, and under Network Access Protection, go to System Health Validators.

2 Select the McAfee System Health Validator to open the Properties interface.

3 On the Settings tab under Error code resolution, set the compliance value to use for SHV unable to contact required services and SHA not responding to NAP Client.

4 Click Configure. On the Configuration tab:

a Set a minimum health level value. If the Statement of Health from the McAfee NAC client contains at least this value, the McAfee System Health Validator reports the system's status as healthy.

b Enable or disable the quarantine of systems based on the interval between policy updates. If enabled, you can set the number of days allowed between updates.

c Enable or disable whether the System Health Validator is allowed to trust the information about a system it receives in the Statement of Health without validation from the McAfee NAC manager.

5 Click the Setup tab.

6 Under ePolicy Orchestrator server details, type the name or IP address of the ePolicy Orchestrator server you want the McAfee System Health Validator to communicate with. Do not change the Communication port.

The communication port number, 8444 by default, must match the setting for Server-to-sensor communication port on your ePolicy Orchestrator server.


7 Under System Health Validator authentication certificate, click Request new certificate.

a Type the name or IP address of the ePolicy Orchestrator server you want the McAfee System Health Validator to communicate with.

b Do not change the Communication port. This port number must match the setting for Console-to-application server communication port on your ePolicy Orchestrator server.

c For Shared secret for certificate provisioning and Shared secret confirmation, type the value of the shared secret you set for Trusted communications setup in the McAfee NAC server settings. If the shared secret for Trusted communications setup is blank, then leave these options blank in the System Health Validator.

Failure categories of System Health Validator

In certain situations, the McAfee System Health Validator (SHV) might not be able to fully validate a Statement of Health from a McAfee NAC client.

The two situations are:

• When communication with the ePolicy Orchestrator server is lost

• When the McAfee NAC client, functioning as a System Health Agent, stops communicating with the local Network Access Protection Agent

In these situations, the McAfee System Health Validator might fall back on compliance settings configured for it in the Network Policy Server console. These settings are sometimes referred to as Failure Category settings.

To establish these failure category settings, you open the McAfee System Health Validator Properties interface in the Network Policy Server console. The “Error code resolution” section defines the failure categories. Of the five possible failures, the McAfee System Health Validator supports only these:

• System Health Validator unable to contact required services

• System Health Agent not responding to Network Access Protection Client

Changes to the other settings are ignored by the McAfee System Health Validator.

When the McAfee System Health Validator loses contact with the ePolicy Orchestrator server, it immediately tries to re-establish the connection. By default it tries every ten seconds. If a Statement of Health arrives from a McAfee NAC client during this time, the McAfee System Health Validator cannot get current configuration data from the McAfee NAC manager for the system. If the System Health Validator has been configured to ignore ePolicy Orchestrator communication problems, after it validates the certificate it is forced to trust the information sent by the McAfee NAC client and make the best compliance decision it can.

If the McAfee System Health Validator is not configured to ignore ePolicy Orchestrator communication problems, it defers the compliance decision to the value of the setting System Health Validator unable to contact required services.

It is also possible for the Network Access Protection Agent to send a Statement of Health based on cached data for a McAfee NAC client that is no longer responding to it. The McAfee System Health Validator never accepts this type of Statement of Health and always defers to the failure category setting SHA not responding to Network Access Protection Client.

Changes to the failure category settings do not take effect until the IAS service is restarted. This can be done from the command line by typing net stop ias, followed by net start ias.


Error conditions of System Health Validator

The McAfee System Health Validator (SHV) uses a set of error codes for conveying information about problematic conditions to a McAfee NAC client in its role as a System Health Agent. The McAfee System Health Validator determines the error condition and reports it to the McAfee NAC client, where it can be displayed on the client system.

Other errors are possible, such as out-of-memory, but they are not defined here because they are generic errors.

The main sources of errors are:

• Certificate provisioning problems, such as an attempt to re-provision but the port and/or shared secret is wrong, or an attempt to change ePolicy Orchestrator servers without re-provisioning

• Loss of communication with the ePolicy Orchestrator server

• Loss of communication with the System Health Agent (the McAfee NAC client)

Most of the error codes are condition codes that indicate the reason a system was considered noncompliant by the McAfee System Health Validator. The condition codes and their meaning are listed in this table.

Condition code: Definition

No ePolicy Orchestrator server communications: The System Health Validator cannot contact the ePolicy Orchestrator server.

No NAC client communications: The Network Access Protection Agent on a system is serving as a proxy for the McAfee NAC client because communication between them has failed or been interrupted.

Invalid Statement of Health: The proprietary data structure that contains health information passed between the System Health Agent and System Health Validator is not what the System Health Validator expected.

Bad certificate: The proprietary data structure passed from the System Health Agent contained a bad certificate. The common causes are that the data structure didn't exist or was the wrong size.

Bad signature: The proprietary data structure that was passed from the System Health Agent contained a bad signature. The common causes are that the data structure didn't exist or was the wrong size.

Invalid certificate: The proprietary data structure that was passed from the System Health Agent contained a certificate that was not recognized by the System Health Validator. The most likely reason is that the certificate was signed by the wrong ePolicy Orchestrator server.

Authentication failed: The client could not be authenticated. The most likely reason is that the signature was created using an unrecognized key (a key different from what was found in the certificate).

Unknown client: The client was authenticated but the McAfee NAC manager has no information about the system.

Insufficient health: The health level provided by the McAfee NAC client was less than the required level configured in the System Health Validator.

Policy too old: The policy provided by the McAfee NAC client was out-of-date.

Unknown status: The System Health Validator hasn't responded with a compliance status. The status is used by the System Health Agent to display a message on startup.
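The Configuration tab settings (minimum health level, policy-age quarantine, trusting the Statement of Health without manager validation), the two supported failure categories and the condition codes above together describe one decision procedure. The Python model below is an added example, not McAfee code: the field names, the numeric health levels, the "Healthy" pass label and the true/false encoding of the Error code resolution values are assumptions, while the order of checks (cached SoH first, then certificate and signature, then the ePolicy Orchestrator reachability fallback, then health level and policy age) follows the guide.

```python
"""Decision model for the McAfee System Health Validator (SHV) as the guide
describes it: failure-category fallbacks, the Configuration tab settings and the
condition codes. Added example, not McAfee code. Field names, the numeric health
levels, the 'Healthy' pass label and the boolean encoding of the Error code
resolution values are assumptions; the decision order and the condition-code
names are taken from the guide."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ShvConfig:
    min_health_level: int               # Configuration tab (a): SoH must carry at least this level
    quarantine_on_policy_age: bool      # Configuration tab (b)
    max_policy_age_days: int            # days allowed between policy updates
    trust_soh_without_validation: bool  # Configuration tab (c): keep deciding during ePO outages
    # Settings tab, Error code resolution. Assumed encoding: True = treat as compliant.
    unable_to_contact_services_compliant: bool
    sha_not_responding_compliant: bool
    provisioned_epo_server: str         # ePO server the SHV certificates were provisioned against


@dataclass
class StatementOfHealth:
    """Constructed stand-in for the proprietary SoH; the real layout is not documented."""
    health_level: int
    policy_age_days: int
    certificate_issuer: Optional[str]   # ePO server that signed the client certificate; None if absent
    signature_valid: bool
    from_cached_data: bool              # NAP Agent is proxying for a NAC client that stopped responding


@dataclass
class ManagerView:
    """What the SHV learns from the McAfee NAC manager when the trusted channel is up."""
    reachable: bool
    policy_age_by_system: Dict[str, int] = field(default_factory=dict)  # authoritative policy age


@dataclass
class Decision:
    compliant: bool
    condition: str   # condition code from the table, or 'Healthy'


def evaluate_soh(soh: StatementOfHealth, cfg: ShvConfig,
                 manager: ManagerView, system: str) -> Decision:
    # A SoH assembled from cached data is never accepted; it always defers to the
    # 'SHA not responding to NAP Client' failure category.
    if soh.from_cached_data:
        return Decision(cfg.sha_not_responding_compliant, "No NAC client communications")

    # The certificate is validated whether or not ePO can be reached.
    if soh.certificate_issuer is None:
        return Decision(False, "Bad certificate")
    if soh.certificate_issuer != cfg.provisioned_epo_server:
        # Typical after pointing the SHV at a second ePO server without re-provisioning.
        return Decision(False, "Invalid certificate")
    if not soh.signature_valid:
        return Decision(False, "Authentication failed")

    if manager.reachable:
        if system not in manager.policy_age_by_system:
            return Decision(False, "Unknown client")
        policy_age = manager.policy_age_by_system[system]   # authoritative figure
    elif cfg.trust_soh_without_validation:
        policy_age = soh.policy_age_days                    # client's own, possibly stale, figure
    else:
        return Decision(cfg.unable_to_contact_services_compliant,
                        "No ePolicy Orchestrator server communications")

    if soh.health_level < cfg.min_health_level:
        return Decision(False, "Insufficient health")
    if cfg.quarantine_on_policy_age and policy_age > cfg.max_policy_age_days:
        return Decision(False, "Policy too old")
    return Decision(True, "Healthy")


if __name__ == "__main__":
    # Constructed scenarios: a strict config (failures count as noncompliant) and one
    # that ignores ePO outages, each run against a reachable and an unreachable manager.
    strict = ShvConfig(3, True, 7, False, False, False, "epo1.example.test")
    lenient = ShvConfig(3, True, 7, True, True, False, "epo1.example.test")
    up = ManagerView(True, {"host-a": 2})
    down = ManagerView(False)
    soh = StatementOfHealth(4, 10, "epo1.example.test", True, False)
    for label, cfg, mgr in (("strict/ePO up", strict, up), ("strict/ePO down", strict, down),
                            ("lenient/ePO down", lenient, down)):
        print(f"{label}: {evaluate_soh(soh, cfg, mgr, 'host-a')}")
```

The same SoH is Healthy while the manager is reachable (its authoritative policy age wins), falls to the failure-category value when the manager is down under the strict config, and is quarantined as Policy too old when the lenient config trusts the client's stale figure.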


Index

A
about this guide 7
access control
  health-based, in McAfee NSP 121
  identity-based, in McAfee NSP 123
access restrictions 11
actions
  Modify health level 104
  remove malicious status 114
  Remove NAC exempt 106
  Request scan 100
  Reset health level 104
  Set malicious status 113
  Set NAC exempt 106
administration, of McAfee NAC 91
administrator actions
  Remove NAC exempt 75
  Set NAC exempt 75
architecture
  components, McAfee NAC 32
  McAfee NAC manager 33
assessing system health 10
assessment
  by administrator request 100
  history, McAfee NAC 114
  making systems exempt 70
  of an unmanaged system 125
  of system health 40, 41, 98
  overriding assessed health level 104
  policies for compliance 53
  system health, scheduling McAfee NAC scans 99
assessors
  McAfee NAC guest client 43
  NAC client 41
auditing, system health compliance 98
automatic remediation
  command reference 79
  using with Microsoft NAP 133
  with McAfee NSP enforcement 121
  with Microsoft NAP enforcement 131

B
benchmarks
  automatic remediation 49
  creating for use with McAfee NAC 55, 57
  editing the unmanaged system policy 60
  enabling automatic remediation 78
  enforcement mode 50
  enforcement modes 49
  enforcement modes, Audit Only 98
  for non-Windows operating systems 49
  queries, NAC Benchmark Enforcement Mode 97
  rules 53
  system health levels 48
  using for network access compliance 49

C
certificates
  provisioning, for McAfee System Health Validator 135
  used by McAfee System Health Validator 135
client tasks, using ePolicy Orchestrator features 17
compliance
  assessment, for system health 53
  auditing system health 98
  network access zones 62
components, McAfee NAC
  functional architecture 32
  how they work 35
configuration
  guest portal 102, 103, 127
  guest portal, configuring 127
  McAfee NAC and Microsoft NAP communication 129
  McAfee NAC manager 91, 124
  McAfee NAC server settings 93
  using McAfee NAC with McAfee NSP 117
  using McAfee NAC with Microsoft NAP 130
contact information, for automatic responses 17
controlling exemptions manually 75, 106
conventions and icons used in this guide 7
creating
  exemption rules 74
  exemptions based on an imported list 74
  McAfee NAC client deployment task 92
  McAfee NAC client policies 66


creating (continued)
  network access policies 62
  network access zones 64
creating, in McAfee NAC
  benchmarks 55
  benchmarks from checks 57
  managed system health policies 58

D
dashboards
  about 83
  using ePolicy Orchestrator features 17
  viewing exempt systems 69
deleting
  McAfee NAC enforcement results 115
  McAfee NAC scan results 115
deployment
  supported configurations 13
  task, creating for McAfee NAC client 92
detected systems
  detections 10, 17
detecting systems
  detections 10, 17
detectors
  how they work 36
  McAfee NAC guest client 39
  NAC client 38
  Network Security Sensor 120
  Rogue System Detection service 37
devices, unmanageable 107
DHCP Agent
  for Microsoft NAP enforcement 134
  installing, repairing, and removing 135
documentation
  audience for this guide 7
  product-specific, finding 8
  typographical conventions and icons 7

E
enforced health level
  administrator overrides 103
  removing a manual override 104
  setting manually 104
enforcement
  deleting results for a single system 115
  enforcing systems manually 103
  history, McAfee NAC 114
  making systems exempt 70
  manual, creating queries 95
  modes, for benchmarks 49, 50
  NAC, with Microsoft NAP 131
  of access restrictions 11
  using McAfee NSP 121
enforcers
  how they work 43
  McAfee NAC client 45
  McAfee NSP 121
  Microsoft Network Access Protection 131
ePolicy Orchestrator
  considerations when using Microsoft NAP 130
  creating McAfee NAC monitors 88
  deploying the McAfee NAC client 92
  features used by McAfee NAC 17
  scheduling McAfee NAC scans 99
error conditions, See McAfee System Health Validator
event log, in ePolicy Orchestrator 17
events
  cannot apply policy 105
  McAfee NAC events 105, 113
exempt systems list, creating 74
exemption rules 71
exemptions
  by imported list 73
  controlling manually 75, 106
  creating by imported list 74
  creating with rules 74
  effect on McAfee NSP enforcement 121
  effect on Microsoft NAP enforcement 131
  exporting rules 72
  for identity-based access control 123
  from assessment 70
  from enforcement 70
  importing a list of systems 74
  importing rules 73
  setting and removing 106
  system classification 71
  types of 69
  when using health-based access control 121
exporting
  exemption rules 72
  network access zones 64
  systems health policies 59

F
failure categories, See McAfee System Health Validator
FAQ, non-Windows McAfee NAC client 28
fixing unhealthy systems 11

G
guest client
  about 101
  as assessor 43
  as detector 39
  configuration 126
  health-based access control 125
  unmanaged system policy 59


guest portal
  about 101
  configuration 102, 126, 127
  installing 21

H
hardware requirements, installing McAfee NAC 22
health assessment
  of a managed system 98
  of an unmanaged system 100, 125
health compliance, auditing 98
health levels
  enforced, administrator overrides 103
  in benchmarks and policies 48
health of McAfee NAC-managed systems 98
health-based access control
  effect on exemptions 121
  in McAfee NSP 121
historical NAC information 114

I
IBAC, See identity-based access control
identity-based access control
  effect on exemptions 123
  in McAfee NSP 123
imported scan exemptions 106
importing
  an exempt systems list 73
  exemption rules 73
  network access zones 64
  systems health policies 59
installation
  guidelines 21
  McAfee DHCP Agent 135
installation requirements
  integrating with McAfee NSP 117
  integrating with Microsoft NAP 130
  McAfee NAC 22
installing
  McAfee DHCP Agent 135
  McAfee Network Access Control 24
  NAC guest portal 21
  post-installation tasks 27
  the McAfee NAC client manually 25
  the McAfee NAC client manually on Linux 26
  the McAfee NAC client manually on Mac 26
  the McAfee NAC client manually on Windows 25
integration
  ePO considerations for Microsoft NAP 130
  with McAfee Network Security Platform 117
  with Microsoft NAP 129

L
logs, notification 17

M
malicious behavior, definition 108
malicious status
  removing 114
  setting 113
malicious systems
  about 108
  configuring an event response 113
  creating queries 95
  events 105
  events, configuring a response 113
  post admission control 108
  resetting the status 114
  setting the status 113
managed system health policies, See system health policies
managed systems
  creating system health policies 58
  description 12
  health level override 103
  health policies 51
  scheduling McAfee NAC scans 99
manual control of exemptions 75, 106
manual enforcement of managed systems 103
manual remediation 79
manual remediation, required elements 80
McAfee Agent
  update using automatic remediation 78
  use by McAfee NAC 18
McAfee DHCP Agent
  for Microsoft NAP enforcement 134
  installing, repairing, and removing 135
McAfee NAC
  administration 91
  architecture 32
  assessment history 114
  assessors 40
  combining with Microsoft NAP 129
  communication with Microsoft NAP 129
  configuration requirements, for use with McAfee NSP 117
  creating benchmarks 55
  creating benchmarks from checks 57
  detectors 36, 120
  distributed components 35
  editing permission sets 93
  enforcement history 114
  enforcers 43
  events and responses 105
  functional architecture 31
  functional description 9
  hardware and software requirements 22
  installation 21
  installing the guest portal 21
  integrating with McAfee Network Security Platform 117
  monitors and queries 94
  operations, with McAfee NSP 119


McAfee NAC (continued)
  policies 47
  queries, network access monitoring 84
  remediation commands 79
  remediators 45
  running queries 88
  use of ePolicy Orchestrator features 17
  use of McAfee Agent 18
  use of Rogue System Detection 18
McAfee NAC administrator actions
  purging scan results 114
  remove malicious status 114
  Remove NAC exempt 71, 106
  removing enforcement results 115
  removing scan results 115
  Request scan 100
  scheduling scans 99
  Set malicious status 113
  Set NAC exempt 71, 106
McAfee NAC client
  as a detector 38
  as an enforcer 45
  deploying 92
  installing manually 25
  installing manually on Linux 26
  installing manually on Mac 26
  installing manually on Windows 25
  operations in Microsoft NAP mode 132
  system health assessment 40
  uninstalling manually on Linux 26
  used as assessor 41
McAfee NAC client policies
  configuring for Microsoft NAP enforcement 132
  configuring for use with McAfee NSP 125
  creating and modifying 66
  description 65
  enabling automatic remediation 78
McAfee NAC client, non-Windows
  differences 27
  FAQ and useful commands 28
McAfee NAC deployment
  supported configurations 13
  with ePolicy Orchestrator 13
  with McAfee NSP 15
  with McAfee NSP and Microsoft NAP 16
  with Microsoft NAP 14
McAfee NAC detectors
  McAfee NAC guest client 39
  NAC client 38
  Rogue System Detection service 37
McAfee NAC enforcement
  using McAfee NSP 121
  with McAfee Network Security Platform 117
  with Microsoft NAP 129
McAfee NAC enforcers
  McAfee NAC client 45
  McAfee Network Security Platform 117
  Microsoft NAP 129
McAfee NAC events
  cannot apply policy 105
  creating responses 105
  malicious system 105
  Malicious System Detected 113
  system not enforceable 105
  system not healthy 105
McAfee NAC guest client
  as a detector 39
  as assessor 43
McAfee NAC manager
  architecture, how it works 33
  configuration 91
  configuring, for use with McAfee NSP 124
McAfee NAC server
  editing configuration settings 93
  guest portal configuration 103, 127
McAfee Network Access Control
  installing 24
McAfee Network Security Platform
  as a NAC enforcer 121
  configuration requirements in McAfee NAC 117
  configuring, McAfee NAC client 125
  configuring, McAfee NAC manager 124
  effect of firewall on client systems 120
  integrating with McAfee NAC 117
McAfee ServicePortal, accessing 8
McAfee System Health Validator
  certificate provisioning 135
  configuring 137
  error conditions 139
  failure categories 138
  installing 136
  operations 135
McAfee system tray
  icon, non-Windows systems 27
  notifications for system health 41
Microsoft Network Access Protection
  as a NAC enforcer 131
  combining with McAfee NAC 129
  configuring the McAfee NAC client 132
  ePolicy Orchestrator considerations 130
  installing, repairing, and removing the McAfee DHCP Agent 135
  NAC automatic remediation 131
  NAC exemptions 131
  setup requirements 130
  trusted communications setup 137
  using NAC automatic remediation 133
  using the McAfee DHCP Agent 134
Modify health level action 104


monitoring
  network access 91
  network security 83
  system health compliance 98
monitors
  about 83
  creating 87
  creating, with ePolicy Orchestrator 88
  Exemption Status 70
  for McAfee NAC 83
  using ePolicy Orchestrator features 17
  viewing exempt systems 69

N
NAC Benchmark Enforcement Mode query 97
NAC client
  as an assessor 41
  queries, NAC Client Started 96
  system health assessment 41
NAC enforcement
  query, NAC Enforced Health Level 94
  using Microsoft NAP 131
NAC guest portal, installing 21
NAC Malicious Systems query 95
NAC Manual Enforcement Request query 95
NAC Remediation Command option 78
NAC Remediation Command Parameters option 78
NAP, See Microsoft Network Access Protection
network access
  compliance, and benchmarks 49
  controlling 9
  enforcement 11
  information, creating monitors 87
  monitoring 91
  monitoring, queries for 84
  policy, enforcing 45
network access policies
  about 61, 62
  creating 62
network access zones
  about 62
  creating 64
  importing and exporting 64
Network Security Sensor
  and McAfee NAC automatic remediation 121
  and McAfee NAC exemptions 121
  as a detector 120
  as a McAfee NAC enforcer 121
network security, monitoring 83
non-Windows client
  FAQ and useful commands 28
  requirements 22
non-Windows systems
  benchmark recommendations 49
  differences from Windows systems 27
  FAQ and useful commands 28
noncompliance message 52
notifications
  logs 17
  system health 41
NSP, See McAfee Network Security Platform

O
overriding the assessed health level 104
overriding the enforced health level 103

P
PAC, See post admission control
periodic identification message 120
permission sets
  editing McAfee NAC permissions 93
  using ePolicy Orchestrator features 17
policies
  activation 54
  assigning, for system health 53
  configuring for Microsoft NAP enforcement 132
  creating, for network access 62
  for system assessment 53
  McAfee NAC client 65
  network access 61
  network access, enforcing 45
  overview 47
  system health 51
  system health, structure 52
  updates, non-Windows McAfee NAC client 27
policy assignment, using ePolicy Orchestrator features 17
policy catalog, in ePolicy Orchestrator 17
post admission control
  creating an event response 113
  enforcement 110
  for malicious systems 108
  how it works 109
post admission policy
  about 108, 111
  configuring 112
post-installation tasks 27
purging scan results 114

Q
queries
  for use as McAfee NAC monitors 94
  reports, network access monitoring 84
  running 88
  using ePolicy Orchestrator features 17
queries, for McAfee NAC
  NAC Benchmark Enforcement Mode 97
  NAC Client Started 96

queries, for McAfee NAC (continued)
    NAC Enforced Health Level 94
    NAC Malicious System 95
    NAC Manual Enforcement Request 95

R

remediation
    and network access zones 81
    automatic 78
    automatic, and benchmarks 49
    common commands 79
    elements for manual remediation 80
    manual 79
    portal 79
    remediators, how they work 45
    required network resources 81
    types of 77

Remove NAC exempt 71, 75, 106

removing
    exemptions, McAfee NAC 106
    malicious status from system 114
    McAfee DHCP Agent 135
    retired or invalid systems 108

repairing McAfee DHCP Agent
    McAfee DHCP Agent 135

reporting 41

reports, See queries

requirements
    installing McAfee NAC 22
    integrating with McAfee NSP 117
    integrating with Microsoft NAP 130

Reset health level action 104

responses
    configuring for malicious system event 113
    creating for McAfee NAC events 105
    malicious system detected events 112
    to events 105
    using ePolicy Orchestrator features 17

Rogue System Detection
    as a McAfee NAC detector 37
    use in McAfee NAC 18

rules
    for exemptions 71
    in benchmarks 53, 55, 57
    notifications 17

S

scan exemptions
    from an import list 106
    systems not assessed 70

scan results
    deleting for a single system 115
    purging 114

scans
    for McAfee NAC system health 100
    request immediate scan 100
    scheduling 99

server tasks, using ePolicy Orchestrator features 17

ServicePortal, finding product documentation 8

Set NAC exempt 71, 75, 106

setting a system's malicious status 113

setting an exemption, McAfee NAC 106

setup requirements
    installing McAfee NAC 22
    Microsoft Network Access Protection 130

SHV, See McAfee System Health Validator

software requirements, installing McAfee NAC 22

system classifications
    effect on exemptions 71
    managed 12
    unenforceable 13
    unmanageable 12
    unmanaged 12

system detection 10

system health
    assessment 10, 98
    assessment by McAfee NAC client 40
    assessment by NAC client 41
    auditing for compliance 98
    levels, in benchmarks and policies 48
    setting 41

system health policies
    about 51
    assigning to systems 53
    compliance assessment 53
    creating and modifying 58
    exporting 59
    identifiers 52
    importing 59
    noncompliance message 80
    noncompliance messages 52
    policy activation 54
    structure 52

System Health Validator for McAfee NAC 135

system tray, See McAfee system tray

systems
    marking as exempt 69
    removing from the database 108
    unmanageable, handling 107

T

tag catalog, in ePolicy Orchestrator 17

Technical Support, finding product information 8

U

unenforceable systems
    and devices 107

unenforceable systems (continued)
    description 13
    events 105

unhealthy systems
    events 105
    remediating 11, 77

uninstalling
    the McAfee NAC client manually on Linux 26

unmanageable systems and devices
    description 12
    handling 107

unmanaged system policy
    editing 60
    for guest client 59

unmanaged systems
    checking health of 100
    description 12
    using the guest client 125

users, in ePolicy Orchestrator 17

using this guide 8

W

Windows systems
    benchmark recommendations 49
    requirements 22

Z

zones, for network access 62