Network Access Control

  • 1.  No Antivirus software with SNAC DHCP

    Posted Jul 17, 2013 08:53 PM

    Dear All,

    I want to check with you if it is possible to implement the SNAC DHCP Enforcer only, without having a LAN or Gateway Enforcer, to implement a policy that checks whether any AV is installed on the machine before assigning it an IP address.




  • 2.  RE: No Antivirus software with SNAC DHCP

    Posted Jul 18, 2013 04:16 AM

    Sort of.

    With the DHCP Enforcer in place, a client that fails HI will be given a normal IP address in the normal range, but the subnet mask will be amended to 255.255.255.255, effectively placing that client on a subnet all on its own.

    This means the client cannot connect to anything else on the network, other than the network resources required for it to be remediated.  This could be a network share with the AV software on it, it could just be somewhere your IT admins store their tools.  Either way, it would have to be administratively identified in SNAC and on the DHCP enforcer as a network resource quarantined clients may access.

    http://www.symantec.com/docs/HOWTO81554
    http://www.symantec.com/docs/HOWTO81686
    http://www.symantec.com/docs/HOWTO81737



  • 3.  RE: No Antivirus software with SNAC DHCP

    Posted Jul 18, 2013 06:00 AM

    Many thanks for the information.

    So what if we don't have the SNAC component on the client machine? Does the DHCP Enforcer still assign 255.255.255.255 as the subnet mask?

    I mean, can we use the Symantec DHCP Enforcer with clientless NAC?



  • 4.  RE: No Antivirus software with SNAC DHCP
    Best Answer

    Posted Jul 18, 2013 06:24 AM

    This is configurable, but yes.  The DHCP enforcer can quarantine endpoints that don't have SNAC installed:

    http://www.symantec.com/docs/HOWTO81798

    This of course means that clients without SNAC will never get network access because they cannot pass the HI check.  If you have a requirement to allow guest machines access to the network, then you'd have to introduce the Gateway Enforcer, which can provide a temporary SNAC client:

    http://www.symantec.com/docs/HOWTO81738

    This temp SNAC client can then perform the HI checks, allowing the DHCP enforcer to assign the guest machine a production address and mask, if the client passes.
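Added example, not from this thread and not Symantec's own code: a small Python model of the DHCP Enforcer decision described in posts 2 and 4 (production mask when HI passes; a 255.255.255.255 mask plus an administratively defined remediation list when HI fails or, configurably, when no SNAC client is present). The pool, the remediation host and the function names are constructed assumptions.

```python
# Constructed model of the DHCP Enforcer quarantine behaviour; not product code.
import ipaddress
from dataclasses import dataclass, field

PRODUCTION_POOL = ipaddress.ip_network("10.1.0.0/24")      # constructed pool
QUARANTINE_MASK = ipaddress.ip_address("255.255.255.255")   # /32, as in post 2
# Resources an admin has identified for quarantined clients (constructed),
# e.g. a share holding the AV installer.
REMEDIATION_HOSTS = {ipaddress.ip_address("10.1.0.50")}


@dataclass
class Lease:
    address: ipaddress.IPv4Address
    netmask: ipaddress.IPv4Address
    quarantined: bool
    reachable: set = field(default_factory=set)  # only used when quarantined


def assign_lease(address, snac_installed, hi_passed, quarantine_clientless=True):
    """Return the lease the enforcer would hand out for a pool address.

    snac_installed: whether the endpoint runs the SNAC client.
    hi_passed: Host Integrity result (meaningless without a client).
    quarantine_clientless: the configurable option mentioned in post 4.
    """
    addr = ipaddress.ip_address(address)
    if addr not in PRODUCTION_POOL:
        raise ValueError("address outside the production pool")
    if snac_installed:
        compliant = hi_passed
    else:
        compliant = not quarantine_clientless  # clientless: policy decides
    if compliant:
        return Lease(addr, PRODUCTION_POOL.netmask, False)
    # Same pool address, but a /32 mask leaves nothing else on-link; only
    # the administratively listed remediation resources are reachable.
    return Lease(addr, QUARANTINE_MASK, True, set(REMEDIATION_HOSTS))


def can_reach(lease, destination):
    """True if the leased client can talk to destination on its own subnet."""
    dst = ipaddress.ip_address(destination)
    if lease.quarantined:
        return dst in lease.reachable
    net = ipaddress.ip_network(f"{lease.address}/{lease.netmask}", strict=False)
    return dst in net
```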