Network Access Control

Expand all | Collapse all

No Antivirus software with SNAC DHCP

Jump to Best Answer
  • 1.  No Antivirus software with SNAC DHCP

    Posted 07-17-2013 08:53 PM

    Dear All,

    I want to check with you if it is possiable to implement SNAC DHCP enforcer only without having LAN or Gateway enforcer to implement a policy to check if any of AV is installed on the machine before assign an IP address. 

     



  • 2.  RE: No Antivirus software with SNAC DHCP

    Posted 07-18-2013 04:16 AM

    Sort of.

    With the DHCP enforcer in place, a client that fail HI will be given a normal IP address in the normal range, but the subnet mask will be amended to 255.255.255.255, effectively placing that client on a subnet all on its own.

    This means the client cannot connect to anything else on the network, other than the network resources required for it to be remediated.  This could be a network share with the AV software on it, it could just be somewhere your IT admins store their tools.  Either way, it would have to be administratively identified in SNAC and on the DHCP enforcer as a network resource quarantined clients may access.

    http://www.symantec.com/docs/HOWTO81554
    http://www.symantec.com/docs/HOWTO81686
    http://www.symantec.com/docs/HOWTO81737



  • 3.  RE: No Antivirus software with SNAC DHCP

    Posted 07-18-2013 06:00 AM

    Many thanks for the information, 

    So what if we don't have SNAC component on the client machine, does DHCP Enforcer still assign 255.255.255.255 as a subnet.

    I mean can we apply Symantec DHCP enforcer with have clientless NAC 



  • 4.  RE: No Antivirus software with SNAC DHCP
    Best Answer

    Posted 07-18-2013 06:24 AM

    This is configurable, but yes.  The DHCP enforcer can quarantine endpoints that don't have SNAC installed:

    http://www.symantec.com/docs/HOWTO81798
    http://www.symantec.com/docs/HOWTO81798

    This of course means that clients without SNAC will never get network access because they cannot pass the HI check.  If you have a requirement to allow guest machines access to the network, then you'd have to introduce the Gateway Enforcer, which can provide a temporary SNAC client:

    http://www.symantec.com/docs/HOWTO81738

    This temp SNAC client can then perform the HI checks, allowing the DHCP enforcer to assign the guest machine a production address and mask, if the client passes.