How to Configure Assessment
This Help topic provides step-by-step instructions for configuring assessment using the phased approach described in the NAC Assessment Phased Deployment Guide. The phased approach lets you introduce assessment into your NAC deployment in three distinct phases: Informational, Warning, and Quarantine. Using the phased approach you can minimize disruptions to your enterprise, introduce end users to remediation procedures gradually, and increase your understanding of the strengths and weaknesses in the network.
Instructions are provided for configuring phased assessment using agent-less or agent-based assessment, or a combination of both. You will need to use the instructions appropriate for your NAC deployment.
Before beginning the configuration procedures, you should read through the following information presented in the NAC Manager online Help.
- Assessment Concepts - A conceptual overview of assessment that introduces the terminology used in NAC assessment.
- NAC Assessment Phased Deployment Guide - This guide describes in detail the phased approach to introducing assessment into your NAC deployment using Informational, Warning, and Quarantine assessment. The guide also provides information on NAC Manager tools that can be used to monitor and evaluate assessment results, and diagnose and troubleshoot problems.
- How to Set Up Assessment - Provides information on the steps that must be performed in NAC Manager prior to deploying assessment on your network, including managing your assessment servers and adding external assessment servers. It also includes basic information on how to use the default assessment configurations provided by NAC Manager and enable assessment for your NAC Configuration.
- How to Deploy Agent-Based Assessment - If you are deploying agent-based assessment, this Help topic provides the configuration steps specific to deploying agent-based assessment in a Windows and Mac network environment. It includes instructions for configuring agent deployment and provides information about the agent icon and notification messages that appear on the end-user's system. It also includes instructions on performing a managed deployment or installation of the agent.
- How to Set Up Assessment Remediation - Because Warning and Quarantine assessment provides end-system remediation, you must enable remediation for your NAC Configuration. This Help topic provides the specific steps that must be performed when setting up assisted remediation in your network.
This topic includes information and instructions on:
- Agent-less Assessment Configuration
- Agent-Based Assessment Configuration
- Combined Assessment Configuration
Agent-less Assessment Configuration
This section presents instructions for creating assessment configurations for each of the three deployment phases, using an agent-less test set. A new assessment configuration is created for each phase, rather than modifying the existing assessment configuration. This allows you to easily revert back to an earlier phase at any time by changing the assessment configuration that your NAC profile is using.
Agent-less Informational Assessment
Use the following steps to create and configure an agent-less Informational assessment configuration. With Informational assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, but no action is taken against end-systems with vulnerabilities. This allows you to use assessment as a data-gathering mechanism without end-systems being quarantined. For more information, see the NAC Assessment Phased Deployment Guide.
When you create an agent-less Informational assessment configuration, all test results are configured with an Informational scoring mode. This means that test results are not counted towards a quarantine decision, and are used to provide information about overall network health.
1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Informational Agent-less."
2. In the Edit Assessment Configuration window, use the Configuration Menu button in the Scoring Override Configuration field to add a new scoring override configuration called "Informational Agent-less."
3. Do not add any scoring overrides to the configuration at this time. Click OK.
4. Back in the Edit Assessment Configuration window, verify that the Informational Agent-less scoring override configuration is selected.
5. From the test sets Configuration Menu button, add a new agent-less test set named "Informational Agent-less." Configure the Informational Agent-less test set as follows:
   - Select the kinds of tests to perform.
   - Set the Scoring Mode to Informational.
   - Verify that the Informational scoring override configuration has no scoring overrides by reading through the Behavior description below the Scoring Mode field.
   Click OK to close the window.
6. Back in the Edit Assessment Configuration window, verify that the Informational Agent-less test set is selected. Click OK.
7. Configure the Default NAC Profile to enable assessment and select the Informational Agent-less assessment configuration.
8. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Informational assessment. You can see assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.
Agent-less Warning Assessment
Use the following steps to create and configure an agent-less Warning assessment configuration. With Warning assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, and end-systems with vulnerabilities are notified. End users are provided with the means to remediate their vulnerabilities and achieve compliance; however, end-systems that are not compliant can still access the network. For more information, see the NAC Assessment Phased Deployment Guide.
To create an agent-less Warning assessment configuration, the scoring mode in the agent-less test is set to Informational and scoring overrides are added to your scoring override configuration for each test case that should be a warning. Like the Informational assessment configuration, all end-systems will be considered to have no risk, and no end-systems will be quarantined.
Initially, configure Warning scoring overrides for your most frequent and severe vulnerabilities. Add additional scoring overrides for more vulnerabilities over time. You can easily add Warning scoring overrides from the Health Result Details tab, as you view the health results of an end-system.
1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Warning Agent-less."
2. In the Edit Assessment Configuration window, use the Configuration Menu button in the Scoring Override Configuration field to add a new scoring override configuration called "Warning Agent-less."
3. Do not add any scoring overrides to the configuration at this time. Click OK.
4. Back in the Edit Assessment Configuration window, verify that the Warning Agent-less scoring override configuration is selected.
5. Click the Advanced button to open the Advanced Assessment Configuration window where you can enable assessment warning periods. Set the number of Grace Period and Probation Period days to the desired values. Click OK to close the window.
6. From the test sets Configuration Menu button, add a new agent-less test set named "Warning Agent-less." Configure the Warning Agent-less test set as follows:
   - Select the kinds of tests to perform.
   - Set the Scoring Mode to Informational.
   Click OK to close the window.
7. Back in the Edit Assessment Configuration window, select the Warning Agent-less test set to include in the configuration. Click OK.
8. Use the following steps to add Warning scoring overrides from the Health Result Details tab (in the End-Systems tab), as you view the health results of an end-system.
   a. Identify a health detail that represents a vulnerability you would like to add a Warning for.
   b. With the target health detail selected in the Health Result Details tab, select Configure > Add Scoring Override > to Add a Warning.
   c. Select the Warning Agent-less scoring override configuration. Click OK.
   d. Review the scoring override that will be created. No changes should be necessary. Click OK.
   e. Click OK to complete the scoring override. The Warning Agent-less scoring override configuration will be displayed with the new override. Click OK to save the scoring override configuration.
   f. Repeat steps a through e to create additional warning scoring overrides for other vulnerabilities, as needed.
9. Configure the Default NAC Profile to enable assessment and select the Warning Agent-less assessment configuration.
10. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Warning assessment. You can monitor the assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.
At some point, you may wish to invert your assessment configuration and scoring overrides. Rather than having a base scoring mode of Informational with scoring overrides for Warnings, you can have a base scoring mode of Warning with scoring overrides for Informational. In other words, instead of specifically calling out which tests are warnings, you call out which tests aren't. To do this, you will need to create a new scoring override configuration, and populate it with health result details marked as Informational by selecting the Configure > Add Scoring Override > To Make Informational menu option.
Agent-less Quarantine Assessment
Use the following steps to create and configure an agent-less Quarantine assessment configuration. With Quarantine assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, and end-systems with vulnerabilities are quarantined. End users are provided with the means to remediate their vulnerabilities and achieve compliance. Only end-systems which are compliant can access the network. For more information, see the NAC Assessment Phased Deployment Guide.
When you create a Quarantine assessment configuration, all health results will be configured with the Apply Score mode. End-systems will be assessed for risk on a scale of High Risk to No Risk, with High Risk end-systems being quarantined. If desired, you can also create scoring overrides for certain health results, configuring some as informational and others as warnings. This way, if there are specific vulnerabilities that you consider to be of no concern or that you wish to consider as warnings, you can still deploy a Quarantine assessment configuration and use scoring overrides to tailor how certain exceptions are handled.
1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Quarantine Agent-less."
2. In the Edit Assessment Configuration window, use the Configuration Menu button in the Scoring Override Configuration field to add a new scoring override configuration called "Quarantine Agent-less."
3. Do not add any scoring overrides to the configuration at this time. Click OK.
4. Back in the Edit Assessment Configuration window, verify that the Quarantine Agent-less scoring override configuration is selected.
5. From the test sets Configuration Menu button, add a new agent-less test set named "Quarantine Agent-less." Configure the Quarantine Agent-less test set as follows:
   - Select the kinds of tests to perform.
   - Verify that the Scoring Mode is set to Apply Score.
   Click OK to close the window.
6. Back in the Edit Assessment Configuration window, select the Quarantine Agent-less test set to include in the configuration. Click OK.
7. Use the following steps to add scoring overrides from the Health Result Details tab (in the End-Systems tab), as you view the health results of an end-system.
   a. Add scoring overrides for the vulnerabilities that should be informational. These are vulnerabilities that you still want to collect information about, but which should be excluded from risk level assessment. From the Health Result Details table, select Configure > Add Scoring Override > to Make Informational.
      - Select the Quarantine Agent-less scoring override configuration. Click OK.
      - Review the scoring override that will be created. No changes should be necessary. Click OK.
   b. Add scoring overrides for the vulnerabilities that should be warnings. These are vulnerabilities that you still want to collect information on and warn users about, but which should be excluded from risk level assessment. From the Health Result Details table, select Configure > Add Scoring Override > to Add a Warning.
   c. Add scoring overrides for the vulnerabilities that should be re-scored. These are vulnerabilities that should be included in risk level assessment, but with an altered risk level. From the Health Result Details table, select Configure > Add Scoring Override > to Change Score.
8. Configure the Default NAC Profile to enable assessment and select the Quarantine Agent-less assessment configuration.
9. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Quarantine assessment. You can monitor the assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.
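The way a base scoring mode and its scoring overrides combine across the three agent-less phases can be checked with a small model before a configuration is enforced. The Python below is an added example, not NAC Manager code: the test IDs, the two middle risk labels, the `evaluate` function and the `unenforced_high` field are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Mode(Enum):
    INFORMATIONAL = "Informational"
    WARNING = "Warning"
    APPLY_SCORE = "Apply Score"


# Assumption: the page names only the endpoints "No Risk" and "High Risk";
# the two middle labels are placeholders for the levels in between.
RISK_LEVELS = ["No Risk", "Low Risk", "Medium Risk", "High Risk"]


@dataclass(frozen=True)
class Result:
    test_id: int   # constructed test IDs, not real ones
    risk: str      # risk the result carries when its score is applied


@dataclass(frozen=True)
class Override:
    mode: Mode                  # Make Informational / Add a Warning / Change Score
    risk: Optional[str] = None  # set only for a Change Score override


def evaluate(results: List[Result], base_mode: Mode,
             overrides: Dict[int, Override]) -> dict:
    """Resolve each result against its override (or the base mode) and
    derive the end-system outcome for that assessment configuration."""
    warned, counted, unenforced_high = [], [], []
    for r in results:
        ov = overrides.get(r.test_id)
        mode = ov.mode if ov else base_mode
        risk = ov.risk if ov and ov.risk else r.risk
        if mode is Mode.WARNING:
            warned.append(r.test_id)
        elif mode is Mode.APPLY_SCORE:
            counted.append(risk)
        # Audit list: High Risk findings that no longer drive quarantine.
        if r.risk == "High Risk" and (mode is not Mode.APPLY_SCORE
                                      or risk != "High Risk"):
            unenforced_high.append(r.test_id)
    overall = max(counted, key=RISK_LEVELS.index, default="No Risk")
    return {"risk": overall,
            "quarantine": overall == "High Risk",
            "warned": sorted(warned),
            "unenforced_high": sorted(unenforced_high)}


# Constructed health results for one end-system.
RESULTS = [Result(10001, "High Risk"),
           Result(10002, "High Risk"),
           Result(10003, "Medium Risk")]

# One (base scoring mode, scoring overrides) pair per configuration.
PHASES = {
    "Informational": (Mode.INFORMATIONAL, {}),
    "Warning": (Mode.INFORMATIONAL, {10001: Override(Mode.WARNING),
                                     10002: Override(Mode.WARNING)}),
    # Inverted form: base Warning, overrides name what is NOT a warning.
    "Warning (inverted)": (Mode.WARNING, {10003: Override(Mode.INFORMATIONAL)}),
    "Quarantine": (Mode.APPLY_SCORE, {}),
    "Quarantine (tuned)": (Mode.APPLY_SCORE, {
        10001: Override(Mode.APPLY_SCORE, "Low Risk"),  # Change Score
        10002: Override(Mode.WARNING),                  # Add a Warning
        10003: Override(Mode.INFORMATIONAL),            # Make Informational
    }),
}

if __name__ == "__main__":
    for name, (mode, overrides) in PHASES.items():
        print(f"{name:20s} {evaluate(RESULTS, mode, overrides)}")
    # A test that neither Warning configuration lists behaves differently:
    extra = RESULTS + [Result(10004, "High Risk")]
    for name in ("Warning", "Warning (inverted)"):
        print(f"{name:20s} + new test -> {evaluate(extra, *PHASES[name])['warned']}")
```

The two Warning configurations agree on the listed tests but differ for a test neither lists: the inverted form warns on it by default. The `unenforced_high` list is what to review before moving to the next phase.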
Agent-Based Assessment Configuration
This section presents instructions for creating assessment configurations for each of the three deployment phases, using an agent-based test set. A new assessment configuration is created for each phase, rather than modifying the existing assessment configuration. This allows you to easily revert back to an earlier phase at any time by changing the assessment configuration that your NAC profile is using.
Agent-Based Informational Assessment
Use the following steps to create and configure an agent-based Informational assessment configuration. With Informational assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, but no action is taken against end-systems with vulnerabilities. This allows you to use assessment as a data-gathering mechanism without end-systems being quarantined. For more information, see the NAC Assessment Phased Deployment Guide.
1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Informational Agent-Based."
2. In the Edit Assessment Configuration window, use the Configuration Menu button in the Scoring Override Configuration field to add a new scoring override configuration called "Informational Agent-Based."
3. Do not add any scoring overrides to the configuration at this time. Click OK.
4. Back in the Edit Assessment Configuration window, verify that the Informational Agent-Based scoring override configuration is selected.
5. From the test sets Configuration Menu button, add a new agent-based test set named "Informational Agent-Based." Configure the test set as follows:
   - Set up the agent and choose the tests that will be executed.
   - Configure the test set to run entirely in an informational mode by setting the Test Status of every test case to Informational. This is done in the test case Editor, accessed by double-clicking on the test case or when creating a new test.
   Click OK to close the window.
6. Back in the Edit Assessment Configuration window, verify that the Informational Agent-Based test set is selected. Click OK.
7. By default, the No Agent Detected test result score will be applied to risk assessment, and the end-system will be quarantined. If you choose to make this test result informational, you will need to set up a scoring override for Test ID 90000. This will be the only scoring override that will be configured.
   a. Open the Edit Scoring Override Configuration window for the Informational Agent-Based scoring override configuration, using the Configuration Menu button in the Scoring Override Configuration field. Click Add to add the following scoring override to the configuration.
   b. Click OK. The scoring override will be added to the Informational Agent-Based scoring override configuration. Click OK to close the window.
8. Configure the Default NAC Profile to enable assessment and select the Informational Agent-Based assessment configuration.
9. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Informational assessment. You can see assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.
Agent-Based Warning Assessment
Use the following steps to create and configure an agent-based Warning assessment configuration. With Warning assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, and end-systems with vulnerabilities are notified. End users are provided with the means to remediate their vulnerabilities and achieve compliance; however, end-systems that are not compliant can still access the network. For more information, see the NAC Assessment Phased Deployment Guide.
1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Warning Agent-Based."
2. In the Edit Assessment Configuration window, use the Configuration Menu button in the Scoring Override Configuration field to add a new scoring override configuration called "Warning Agent-Based."
3. Do not add any scoring overrides to the configuration at this time. Click OK.
4. Back in the Edit Assessment Configuration window, verify that the Warning Agent-Based scoring override configuration is selected.
5. Click the Advanced button to open the Advanced Assessment Configuration window where you can enable Assessment Warning Periods. Set the number of Grace Period and Probation Period days to the desired values. Click OK.
6. Back in the Edit Assessment Configuration window, from the test sets Configuration Menu button, add a new agent-based test set named "Warning Agent-Based." Configure the test set as follows:
   - Set up the agent and choose the tests that will be executed.
   - To use the agent notification feature (where the agent is used to notify end users of assessment violations), you must have the Display Agent Notification Messages option selected as well as the Advanced Agent Configuration option to Allow Remediation Through Agent selected.
   - Configure each test case that you want to run in warning mode by setting the Test Status of that test case to Warning. This is done in the test case Editor, accessed by double-clicking on the test case or when creating a new test. All other tests should be configured to be Informational.
   Click OK to close the window.
7. Back in the Edit Assessment Configuration window, select the Warning Agent-Based test set to include in the configuration. Click OK.
8. By default, the No Agent Detected test result score will be applied to risk assessment, and the end-system will be quarantined. If you choose to make this test result a warning, you will need to set up a scoring override for Test ID 90000. This will be the only scoring override that will be configured.
   a. Open the Edit Scoring Override Configuration window for the Warning Agent-Based scoring override configuration, using the Configuration Menu button in the Scoring Override Configuration field. Click Add to add the following scoring override to the configuration.
   b. Click OK. The scoring override will be added to the Warning Agent-Based scoring override configuration. Click OK to close the window.
9. Configure the Default NAC Profile to enable assessment and select the Warning Agent-Based assessment configuration.
10. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Warning assessment. You can monitor the assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.
Agent-Based Quarantine Assessment
Use the following steps to create and configure an agent-based Quarantine assessment configuration. With Quarantine assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, and end-systems with vulnerabilities are quarantined. End users are provided with the means to remediate their vulnerabilities and achieve compliance. Only end-systems which are compliant can access the network. For more information, see the NAC Assessment Phased Deployment Guide.
1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Quarantine Agent-Based."
2. In the Edit Assessment Configuration window, use the Configuration Menu button in the Scoring Override Configuration field to add a new scoring override configuration called "Quarantine Agent-Based."
3. Do not add any scoring overrides to the configuration at this time. Click OK.
4. Back in the Edit Assessment Configuration window, verify that the Quarantine Agent-Based scoring override configuration is selected.
5. From the test sets Configuration Menu button, add a new agent-based test set named "Quarantine Agent-Based." Configure the test set as follows:
   - Set up the agent and choose the tests that will be executed.
   - To use the agent notification feature (where the agent is used to notify end users of assessment violations), you must have the Display Agent Notification Messages option selected as well as the Advanced Agent Configuration option to Allow Remediation Through Agent selected.
   - Configure each test case that you want included in the quarantine decision by setting the Test Status of that test case to Mandatory. This is done in the test case Editor, accessed by double-clicking on the test case or when creating a new test. Other tests can be configured as Informational or Warning.
   Click OK to close the window.
6. Back in the Edit Assessment Configuration window, select the Quarantine Agent-Based test set to include in the configuration. Click OK.
7. Configure the Default NAC Profile to enable assessment and select the Quarantine Agent-Based assessment configuration.
8. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Quarantine assessment. You can monitor the assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.
Combined Assessment Configuration
This section presents instructions for creating assessment configurations for each of the three deployment phases, using both an agent-less and an agent-based test set. A new assessment configuration is created for each phase, rather than modifying the existing assessment configuration. This allows you to easily revert back to an earlier phase at any time by changing the assessment configuration that your NAC profile is using.
Combined Informational Assessment
Use the following steps to create and configure a combined Informational assessment configuration. With Informational assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, but no action is taken against end-systems with vulnerabilities. This allows you to use assessment as a data-gathering mechanism without end-systems being quarantined. For more information, see the NAC Assessment Phased Deployment Guide.
1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Informational Combined."
2. Use steps 2 through 4 in the Agent-less Informational Assessment section to create a scoring override configuration to use in your Combined assessment configuration. Name the scoring override configuration "Informational Combined."
3. Use step 5 in the Agent-less Informational Assessment section to create an Informational agent-less test set to use in your Combined assessment configuration.
4. Use step 5 in the Agent-Based Informational Assessment section to create an Informational agent-based test set to use in your Combined assessment configuration.
5. Use step 7 in the Agent-Based Informational Assessment section to create a scoring override for the No Agent Detected health result if you would like the result to be informational. Note that you will need to add the scoring override to the Informational Combined scoring override configuration, instead of the Informational Agent-Based scoring override configuration as described in the step.
6. Back in the Edit Assessment Configuration window, select the Informational Agent-less and Agent-Based test sets to include in the configuration. Click OK.
7. Configure the Default NAC Profile to enable assessment and select the Informational Combined assessment configuration.
8. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Informational assessment. You can see assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.
Combined Warning Assessment
Use the following steps to create and configure a combined Warning assessment configuration. With Warning assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, and end-systems with vulnerabilities are notified. End users are provided with the means to remediate their vulnerabilities and achieve compliance; however, end-systems that are not compliant can still access the network. For more information, see the NAC Assessment Phased Deployment Guide.
1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Warning Combined."
2. Use steps 2 through 5 in the Agent-less Warning Assessment section above to create a scoring override configuration to use in your Combined assessment configuration. Name the scoring override configuration "Warning Combined."
3. Use step 6 in the Agent-less Warning Assessment section above to create a Warning Agent-less test set to use in your Combined Assessment Configuration.
4. Use step 6 in the Agent-Based Warning Assessment section above to create a Warning Agent-Based test set to use in your Combined Assessment Configuration.
5. Use step 8 in the Agent-Based Warning Assessment section to create a scoring override for the No Agent Detected health result if you would like the result to be a warning. Note that you will need to add the scoring override to the Warning Combined scoring override configuration, instead of the Warning Agent-Based scoring override configuration as described in the step.
6. Back in the Edit Assessment Configuration window, select the Warning Agent-less and Agent-Based test sets to include in the configuration. Click OK.
7. Use step 8 in the Agent-less Warning Assessment section to add Warning scoring overrides to your assessment configuration. Be sure to add the overrides to the Warning Combined scoring override configuration.
8. Configure the Default NAC Profile to enable assessment and select the Warning Combined assessment configuration.
9. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Warning assessment. You can see assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.
Combined Quarantine Assessment
Use the following steps to create and configure a combined Quarantine assessment configuration. With Quarantine assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, and end-systems with vulnerabilities are quarantined. End users are provided with the means to remediate their vulnerabilities and achieve compliance. Only end-systems which are compliant can access the network. For more information, see the NAC Assessment Phased Deployment Guide.
1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Quarantine Combined."
2. Use steps 2 through 4 in the Agent-less Quarantine Assessment section to create a scoring override configuration to use in your Combined assessment configuration. Name the scoring override configuration "Quarantine Combined."
3. Use step 5 in the Agent-less Quarantine Assessment section to create a Quarantine agent-less test set to use in your Combined assessment configuration.
4. Use step 5 in the Agent-Based Quarantine Assessment section to create a Quarantine agent-based test set to use in your Combined assessment configuration.
5. Back in the Edit Assessment Configuration window, select the Quarantine Agent-less and Agent-Based test sets to include in the configuration. Click OK.
6. Use step 7 in the Agent-less Quarantine Assessment section to add scoring overrides to your assessment configuration. Be sure to add the overrides to the Quarantine Combined scoring override configuration.
7. Configure the Default NAC Profile to enable assessment and select the Quarantine Combined assessment configuration.
8. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Quarantine assessment. You can see assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.