6.3 NAC Policy Tasks

The following sections contain more information:

6.3.1 Enabling or Disabling a NAC Policy

Select which NAC policies are enabled or disabled.

To enable/disable a NAC policy:

Home window>>NAC policies

Click on the enable or disable link. An X indicates disabled.

6.3.2 Selecting the Default NAC Policy

To select the default NAC policy:

Home window>>NAC policies

Click on the up or down arrow to move the NAC policy. The default NAC policy is the one toward the bottom of the list with the highest selection number as shown in the following figure:

Figure 6-5 Default NAC Policy

6.3.3 Creating a New NAC Policy

Create custom policies that are based on existing policies, or create new policies from scratch.

To create a new NAC policy:

Home window>>NAC policies

  1. Click Add a NAC policy. The Add NAC policy window opens as shown in the following figure:

    Figure 6-6 Add a NAC Policy, Basic Settings Area

  2. Enter a policy name.

  3. Enter a description in the Description text box.

  4. Select a NAC policy group.

  5. Select either the enabled radio button or the disabled radio button.

  6. Select the Operating systems that will not be tested but are allowed network access.

    • Windows ME, Windows 98, Windows 95, Windows NT

    • UNIX

    • All other unsupported OSs

    NOTE: In DHCP mode, if an endpoint with an unsupported OS already has a DHCP-assigned IP address, Novell ZENworks Network Access Control cannot affect this endpoint in any way until the lease on the existing IP address for that endpoint expires. If an endpoint with an unsupported OS has a static IP address, Novell ZENworks Network Access Control cannot affect this endpoint in any way. In both of these cases, the System Monitor window may show the quarantined icon next to these endpoints; however, if you hover your mouse over the red circle, the actual status shows that the endpoint should be quarantined, but the quarantine action was unsuccessful.

    IMPORTANT: Allowing untested endpoints on your network contains risks. See Section 7.7, Untestable Endpoints and DHCP Mode for more information.

    NOTE: A security best practice is to not allow unsupported operating systems (untested endpoints) on your network. It is more secure to allow untested endpoints access to your network on a case-by-case basis by adding them to the System configuration>>Exceptions>>Whitelist window.

  7. In the Retest frequency area, enter how frequently Novell ZENworks Network Access Control should retest a connected machine.

    HINT: A lower number ensures higher security, but puts more load on the Novell ZENworks Network Access Control server.

  8. In the Inactive endpoints area, enter how long an end-user can be inactive before they are quarantined. To allow end-users to remain connected indefinitely, select never quarantine inactive endpoints.

  9. Click the Domains and endpoints menu option to open the Domains and endpoints window, shown in the following figure:

    Figure 6-7 Add a NAC Policy, Domains and Endpoints

  10. Click on a cluster name.

  11. Enter the names of Windows domains to be tested by this cluster for this NAC policy, separated by a carriage return.

  12. Enter a single endpoint or list of endpoints separated by a carriage return using the endpoint IP address, MAC address, NetBIOS name, or host name. Enter a range of IPs using a dash (-) between them, or by using CIDR notation (see Table 16-2).

    NOTE: You can leave the Domains and Endpoints areas blank if you do not want to assign domains and endpoints to this policy.

    HINT: Move the mouse cursor over the question mark (?) by the word Endpoints, then click on the CIDR notation link to see the CIDR conversion table pop-up window.

  13. Click the Tests menu option to open the Tests window:

    Figure 6-8 Add NAC Policy, Tests Area

    NOTE: The icons to the right of the tests indicate the test failure actions. See Section 6.4.3, Test Icons.

  14. Select a test to include in the NAC policy by clicking on the check box next to the test name.

  15. Select a test by clicking on the test name to view the properties. For more information about test properties, see Section 6.4.2, Selecting Test Properties.

  16. Select the test properties for this test. For more information about the specific tests, see Section B.0, Tests Help.

  17. Select an action to take when an endpoint fails this test (see Section 6.3.14, Selecting Action Taken).

  18. Click ok.

    HINT: Selecting the Send an email notification option sends an email to the address you identified in Novell ZENworks Network Access Control Home window>>System Configuration>>Notifications area. This option is defined per cluster.

6.3.4 Editing a NAC Policy

To edit an existing NAC policy:

Home window>>NAC policies

  1. Click on a NAC policy name.

  2. Change any of the options desired. See Section 6.3.3, Creating a New NAC Policy for details on the options available.

  3. Click ok.

6.3.5 Copying a NAC Policy

To copy an existing NAC policy:

Home window>>NAC policies

  1. Click the copy link to the right of the NAC policy you want to copy.

  2. Enter a new NAC policy name.

  3. Change any of the options desired. See Section 6.3.3, Creating a New NAC Policy for details on the options available.

  4. Click ok.

6.3.6 Deleting a NAC Policy

To delete an existing NAC policy:

Home window>>NAC policies

  1. Click the delete link to the right of the NAC policy you want to delete. A confirmation window appears.

  2. Click yes.

6.3.7 Moving a NAC Policy Between NAC Policy Groups

To move a NAC policy between NAC policy groups:

Home window>>NAC policies

  1. To open the NAC policies window, click a NAC policy name.

  2. Select a new NAC policy group from the NAC policy group drop-down list.

  3. Click ok.

6.3.8 Assigning Endpoints and Domains to a Policy

Select which endpoints are associated with each policy.

To assign endpoints and domains to a policy:

Home window>>NAC policies>>Select a NAC Policy>>Domains and endpoints menu option

  1. Enter a single endpoint or list of endpoints separated by a carriage return using the endpoint IP address, MAC address, or NetBIOS name. Enter a range of IPs using a dash (-) between them, or by using CIDR notation (see Section 16.6, Entering Networks Using CIDR Format).

  2. In the Windows domains area, enter a domain name or list of domain names separated by a carriage return.

  3. Click ok.

NOTE: Adding an endpoint or domain to multiple policies results in the endpoint being assigned to the first enabled NAC policy in the list.

6.3.9 NAC Policy Hierarchy

If an endpoint is listed in more than one NAC policy, the policies are applied in alphabetical order by NAC policy name; the default NAC policy is not part of this ordering.
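The two pieces of behaviour just described (the endpoint entry formats accepted in the Domains and endpoints window in sections 6.3.3 and 6.3.8, and the precedence rule of sections 6.3.8 and 6.3.9) are easy to get wrong when you audit which policy an endpoint will actually land in. The following Python is an added example written for this page, not code from Novell ZENworks Network Access Control: it parses each line of the Endpoints box (single IP, dashed IP range, CIDR block, MAC address, or NetBIOS/host name), skips disabled policies, walks the non-default policies alphabetically, and falls back to the default policy. The NacPolicy class, the endpoint dictionaries and the sample policy set are constructed for the example; the rule that a disabled policy is skipped and that domain membership counts as "listed" is this example's reading of the text.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed endpoint record for this example: keys "ip", "mac", "name"
# (NetBIOS or host name) and "domain"; any key may be absent.
Endpoint = Dict[str, Optional[str]]
Matcher = Callable[[Endpoint], bool]

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def _norm_mac(mac: str) -> str:
    return mac.replace("-", ":").lower()


def _try_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _ip_test(pred) -> Matcher:
    """Build a matcher that applies pred() to the endpoint's IP, if it has one."""
    def match(ep: Endpoint) -> bool:
        ip = _try_ip(ep["ip"]) if ep.get("ip") else None
        return ip is not None and pred(ip)
    return match


def parse_endpoint_entry(entry: str) -> Optional[Matcher]:
    """Turn one line of the Endpoints text box into a match function.

    Forms the document allows: single IP, IP range "first-last", CIDR block,
    MAC address, NetBIOS/host name. Blank lines return None.
    """
    entry = entry.strip()
    if not entry:
        return None
    if _MAC_RE.match(entry):                       # MAC, colon or hyphen separated
        want = _norm_mac(entry)
        return lambda ep: bool(ep.get("mac")) and _norm_mac(ep["mac"]) == want
    if "/" in entry:                               # CIDR block (host bits tolerated)
        net = ipaddress.ip_network(entry, strict=False)
        return _ip_test(lambda ip: ip in net)
    if "-" in entry:                               # dashed IP range?
        lo_s, hi_s = (p.strip() for p in entry.split("-", 1))
        lo, hi = _try_ip(lo_s), _try_ip(hi_s)
        if lo is not None and hi is not None:
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid IP range: {entry!r}")
            return _ip_test(lambda ip: ip.version == lo.version and lo <= ip <= hi)
        # not a range: host names such as "lab-pc01" also contain a dash
    single = _try_ip(entry)
    if single is not None:                         # single IP address
        return _ip_test(lambda ip: ip == single)
    want_name = entry.lower()                      # NetBIOS or host name
    return lambda ep: (ep.get("name") or "").lower() == want_name


@dataclass
class NacPolicy:
    name: str
    enabled: bool = True
    is_default: bool = False
    endpoints_text: str = ""     # Endpoints box, one entry per line
    domains_text: str = ""       # Windows domains box, one per line
    matchers: List[Matcher] = field(init=False, default_factory=list)
    domains: Set[str] = field(init=False, default_factory=set)

    def __post_init__(self):
        parsed = (parse_endpoint_entry(line) for line in self.endpoints_text.splitlines())
        self.matchers = [m for m in parsed if m is not None]
        self.domains = {d.strip().lower() for d in self.domains_text.splitlines() if d.strip()}

    def covers(self, ep: Endpoint) -> bool:
        if (ep.get("domain") or "").lower() in self.domains:
            return True
        return any(m(ep) for m in self.matchers)


def resolve_policy(policies: List[NacPolicy], ep: Endpoint) -> Optional[NacPolicy]:
    """First enabled non-default policy, in alphabetical order of name, that
    lists the endpoint; otherwise the (enabled) default policy."""
    ordered = sorted((p for p in policies if not p.is_default), key=lambda p: p.name.lower())
    for policy in ordered:
        if policy.enabled and policy.covers(ep):
            return policy
    return next((p for p in policies if p.is_default and p.enabled), None)


# Constructed sample policy set (not taken from any real deployment).
SAMPLE_POLICIES = [
    NacPolicy("Servers", endpoints_text="10.0.1.0/24\n00-11-22-33-44-55"),
    NacPolicy("Lab", enabled=False, endpoints_text="10.0.1.10"),
    NacPolicy("Guests", endpoints_text="10.0.1.1-10.0.1.20\nlab-pc01", domains_text="GUESTNET"),
    NacPolicy("Default policy", is_default=True),
]


def policy_name_for(ep: Endpoint) -> Optional[str]:
    policy = resolve_policy(SAMPLE_POLICIES, ep)
    return policy.name if policy else None


if __name__ == "__main__":
    for ep in [{"ip": "10.0.1.10"}, {"ip": "10.0.1.200"}, {"mac": "00:11:22:33:44:55"},
               {"name": "LAB-PC01"}, {"ip": "192.168.9.9"}]:
        print(ep, "->", policy_name_for(ep))
```

Note how 10.0.1.10 lands in Guests even though Lab lists it explicitly and Servers covers its subnet: Lab is disabled and Guests sorts before Servers. A policy that looks correct in isolation can be shadowed by an alphabetically earlier one, so check the resolved policy for a sample of endpoints after every rename or enable/disable.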

6.3.10 Setting Retest Time

Retest endpoints connected to your network frequently to guard against potential changes in the remote endpoint configurations.

To set the time to wait before retesting a connected endpoint:

Home window>>NAC policies>>Select a NAC Policy>>Basic settings menu option

  1. In the Retest frequency area, enter how frequently in minutes, hours, or days Novell ZENworks Network Access Control should retest a connected endpoint.

    HINT: A lower number ensures higher security, but puts more load on the Novell ZENworks Network Access Control server.

  2. Click ok.

6.3.11 Setting Connection Time

When an endpoint is inactive for a period of time, you can elect to automatically move the endpoint to a quarantined state. Quarantining inactive endpoints guards against unauthorized access to the network. When the endpoint becomes active again, the usual process occurs for moving the endpoint out of quarantine. For example, if the endpoint was in good standing prior to the inactivity quarantine, the end-user may just need to log in again; however, other changes (such as a policy change or new required hotfix) may require the end-user to perform some action before being allowed on the network again.

To set the time an end-user can be inactive:

Home window>>NAC policies>>Select a NAC Policy>>Basic settings menu option

  1. In the Inactive endpoints area, enter how long an end-user can be inactive before they are quarantined.

    HINT: A lower number ensures higher security.

  2. Click ok.

6.3.12 Defining Non-supported OS Access Settings

To define what actions to take for endpoints with non-supported operating systems:

Home window>>NAC policies>>Select a NAC Policy>>Basic settings area

  1. In the Operating systems area, select the check box beside any operating system that you will allow network access without testing.

  2. Click ok.

6.3.13 Setting Test Properties

Test properties are specific to the particular test. Select the properties you want applied. Tests are explained in detail in Section B.0, Tests Help.

To set the test properties for a specific test:

Home window>>NAC policies>>Select a NAC Policy>>Tests menu option

  1. Click on the name of the test to display the test’s options.

    NOTE: Click a test name to display the options; select the test check box to enable the test for the policy you are modifying.

  2. Select the test failure actions to apply for this test:

    • Send email notification

    • Quarantine access

  3. Select any test properties if applicable.

  4. Click ok.

6.3.14 Selecting Action Taken

Actions can be passive (send an email), active (quarantine) or a combination of both.

To select the action to take:

Home window>>NAC policies>>Select a NAC Policy>>Tests menu option

  1. Click on the name of the test to display the test’s options.

    NOTE: Click a test name to display the options; select the test check box to enable the test for the policy you are modifying.

  2. Select one of the following when an endpoint fails this test:

    • Send an email notification — Sends an email to the email address specified (see Section 3.17.5, Notifications).

      NOTE: An email is sent for each retest.

    • Quarantine access — Specify when the endpoint should be denied access.

      • immediately

      • grant temporary access

        If you select a temporary access period here, the end-users are allowed temporary access for the specified time, after which they are denied access until they pass the test. The temporary access period allowed is shown on the end-user results window (see Section 5.0, End-user Access).

      HINT: The minimum amount of time you can grant temporary access is 10 minutes.

  3. To use a patch manager:

    1. Select the Initiate patch manager to fix the problem and retest the endpoint when it finishes check box.

    2. Select a patch manager from the Patch manager drop down list.

    3. Enter a number for the times to retest before failing in the Maximum number of retest attempts text box. For example, 10.

    4. Enter a number of seconds between retests in the Retest interval text box. For example, 30.

  4. Click ok if you are done in the Tests window, or continue making changes to other tests.
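The settings in this procedure interact: a passive action (email) leaves the endpoint on the network, a quarantine can be immediate or deferred by a temporary access period of at least 10 minutes, and a patch manager inserts a bounded retest loop before the failure action is finally applied. The following Python is an added example written for this page, not code from Novell ZENworks Network Access Control: it models one test's failure action as data, validates it the way the Tests window constrains it (including the 10-minute minimum), and walks an endpoint through the patch-manager retests to a final access state. TestFailureAction, Outcome and scripted_test are names made up for the example; the assumption that one email goes out for the initial failure and one more for each failed retest is this example's reading of the NOTE above.

```python
from dataclasses import dataclass
from typing import Callable, Optional

MIN_TEMPORARY_ACCESS_MINUTES = 10   # HINT in section 6.3.14


@dataclass
class TestFailureAction:
    """What a NAC policy does when an endpoint fails one test (Tests window)."""
    send_email: bool = False
    quarantine: bool = False
    temporary_access_minutes: int = 0   # 0 = deny immediately; >0 = grant temporary access first
    use_patch_manager: bool = False
    max_retest_attempts: int = 0        # "Maximum number of retest attempts"
    retest_interval_seconds: int = 0    # "Retest interval"

    def validate(self) -> None:
        if not (self.send_email or self.quarantine):
            raise ValueError("select at least one failure action")
        if self.quarantine and 0 < self.temporary_access_minutes < MIN_TEMPORARY_ACCESS_MINUTES:
            raise ValueError(f"temporary access must be at least {MIN_TEMPORARY_ACCESS_MINUTES} minutes")
        if self.use_patch_manager and (self.max_retest_attempts < 1 or self.retest_interval_seconds < 1):
            raise ValueError("patch manager needs a retest count and interval of at least 1")


@dataclass
class Outcome:
    access: str                     # "allowed", "temporary" or "quarantined"
    remediated: bool                # a patch-manager retest eventually passed
    retests_run: int
    seconds_elapsed: int            # time spent waiting in the retest loop
    emails_sent: int
    temporary_access_until_minutes: Optional[int] = None


def apply_failure_action(action: TestFailureAction, run_test: Callable[[], bool],
                         now_minutes: int = 0) -> Outcome:
    """Run one test for one endpoint and return the resulting access state.

    run_test() performs the test and returns True on pass. Assumed here: one
    email for the initial failure plus one per failed retest (see the NOTE).
    """
    action.validate()
    emails = retests = elapsed = 0
    if run_test():
        return Outcome("allowed", False, 0, 0, 0)
    if action.send_email:
        emails += 1
    if action.use_patch_manager:
        for _ in range(action.max_retest_attempts):
            elapsed += action.retest_interval_seconds   # wait the interval, then retest
            retests += 1
            if run_test():
                return Outcome("allowed", True, retests, elapsed, emails)
            if action.send_email:
                emails += 1
    if not action.quarantine:                           # passive action: email only
        return Outcome("allowed", False, retests, elapsed, emails)
    if action.temporary_access_minutes > 0:             # deferred quarantine
        return Outcome("temporary", False, retests, elapsed, emails,
                       temporary_access_until_minutes=now_minutes + action.temporary_access_minutes)
    return Outcome("quarantined", False, retests, elapsed, emails)


def scripted_test(*results: bool) -> Callable[[], bool]:
    """Constructed stand-in for a real test: returns the given results in order."""
    it = iter(results)
    return lambda: next(it)


if __name__ == "__main__":
    patched = TestFailureAction(quarantine=True, use_patch_manager=True,
                                max_retest_attempts=3, retest_interval_seconds=30)
    print(apply_failure_action(patched, scripted_test(False, False, True)))
    grace = TestFailureAction(send_email=True, quarantine=True, temporary_access_minutes=30)
    print(apply_failure_action(grace, scripted_test(False), now_minutes=100))
```

The email-only configuration is worth noticing in the output: the endpoint stays on the network with full access, so an alert with no quarantine relies entirely on someone reading the mailbox named in the Notifications area.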