Endpoints are quarantined in the following hierarchical order:
1. Access mode (normal operation or allow all)
2. Temporarily quarantine for/Temporarily grant access for radio buttons
3. Endpoint testing exceptions (always grant access, always quarantine)
4. Post-connect (external quarantine request)
5. NAC policies
NOTE: In DHCP mode, if an endpoint with an unsupported OS already has a DHCP-assigned IP address, Novell ZENworks Network Access Control cannot affect this endpoint in any way until the lease on the existing IP address for that endpoint expires. If an endpoint with an unsupported OS has a static IP address, Novell ZENworks Network Access Control cannot affect this endpoint in any way. In both of these cases, the System Monitor window may show the quarantined icon next to these endpoints; however, if you hover your mouse over the post-connect service icon, the actual status shows that the endpoint should be quarantined, but the quarantine action was unsuccessful.
The following describes the process in more detail:
Access mode (1) overrides the items below it in the previous list (2, 3, 4, and 5). Use the Access mode radio buttons (System monitor>>select a cluster>>Quarantining) to act globally on all endpoints in an Enforcement cluster.
The Temporarily quarantine for/Temporarily grant access for radio buttons (Endpoint activity>>select an endpoint check box>>Change access) override the items below them in the list (3, 4, and 5).
Use Temporarily quarantine for to temporarily quarantine endpoints that:
  - Have been designated Whitelist (System configuration>>Exceptions)
  - Are defined in NAC policies and have passed tests
Use Temporarily grant access for to allow temporary access to endpoints that:
  - Have been designated Blacklist (System configuration>>Exceptions)
  - Are defined in NAC policies and have failed tests
HINT: Use the Clear temporary access control status radio button to remove the temporary access or temporary quarantine state enabled by the Temporarily quarantine for/Temporarily grant access for radio buttons.
Endpoint testing exceptions override the items following them in the list (4 and 5). Use Endpoint testing exceptions (System configuration>>Exceptions) to always allow or always quarantine endpoints that are defined in NAC policies. For example, a NAC policy might define a range of IP addresses for testing, but you want to exclude specific IP addresses within that range from the tests; you can specify them here as Whitelist or Blacklist.
Post-connect overrides the item following it in the list (5).
HINT: The Change access button on the System Configuration>>Endpoint activity window is enabled only when the action is possible; for example, when an endpoint or endpoints are selected.
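
The precedence described above, modeled as a first-match evaluator that also reports which layer decided the outcome. This is an added example, not Novell's code; the field names, string values, sample endpoints, and the functions `resolve` and `audit` are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ALLOW, QUARANTINE = "allow", "quarantine"

@dataclass
class Endpoint:
    """Constructed model of one endpoint; every field name is hypothetical."""
    policy_decision: str                   # 5. outcome of NAC policy testing
    post_connect_quarantine: bool = False  # 4. external quarantine request
    exception: Optional[str] = None        # 3. "whitelist" or "blacklist"
    temporary: Optional[str] = None        # 2. ALLOW/QUARANTINE; None = cleared

def resolve(ep: Endpoint, access_mode: str = "normal") -> Tuple[str, str]:
    """Return (decision, deciding layer); the first layer with an opinion wins."""
    if access_mode == "allow all":                       # 1. cluster-wide
        return ALLOW, "access mode"
    if ep.temporary is not None:                         # 2. per-endpoint, timed
        return ep.temporary, "temporary override"
    if ep.exception == "whitelist":                      # 3. always grant access
        return ALLOW, "endpoint testing exception"
    if ep.exception == "blacklist":                      # 3. always quarantine
        return QUARANTINE, "endpoint testing exception"
    if ep.post_connect_quarantine:                       # 4. overrides policy only
        return QUARANTINE, "post-connect"
    return ep.policy_decision, "NAC policy"              # 5. lowest precedence

def audit(endpoints: dict, access_mode: str = "normal") -> dict:
    """Map each endpoint name to (decision, deciding layer) for review."""
    return {name: resolve(ep, access_mode) for name, ep in endpoints.items()}

# Constructed sample inventory (names and states are illustrative).
SAMPLE = {
    "printer-01": Endpoint(QUARANTINE, exception="whitelist"),
    "kiosk-07": Endpoint(ALLOW, exception="whitelist", temporary=QUARANTINE),
    "laptop-22": Endpoint(ALLOW, post_connect_quarantine=True),
    "lab-pc-03": Endpoint(QUARANTINE, exception="blacklist", temporary=ALLOW),
}

if __name__ == "__main__":
    for name, (decision, layer) in audit(SAMPLE).items():
        print(f"{name:11} {decision:10} decided by {layer}")
```

Calling `audit(SAMPLE, access_mode="allow all")` returns allow for every endpoint in the model, including the blacklisted one, which shows how completely the top layer masks the four below it.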