How to Configure Assessment


This Help topic provides step-by-step instructions for configuring assessment using the phased approach described in the NAC Assessment Phased Deployment Guide. The phased approach lets you introduce assessment into your NAC deployment in three distinct phases: Informational, Warning, and Quarantine. Using the phased approach you can minimize disruptions to your enterprise, introduce end users to remediation procedures gradually, and increase your understanding of the strengths and weaknesses in the network.

Instructions are provided for configuring phased assessment using agent-less or agent-based assessment, or a combination of both. You will need to use the instructions appropriate for your NAC deployment.

Before beginning the configuration procedures, you should read through the following information presented in the NAC Manager online Help.

  • Assessment Concepts - A conceptual overview of assessment that introduces the terminology used in NAC assessment.
  • NAC Assessment Phased Deployment Guide - This guide describes in detail the phased approach to introducing assessment into your NAC deployment using Informational, Warning, and Quarantine assessment. The guide also provides information on NAC Manager tools that can be used to monitor and evaluate assessment results, and diagnose and troubleshoot problems.
  • How to Set Up Assessment - Provides information on the steps that must be performed in NAC Manager prior to deploying assessment on your network, including managing your assessment servers and adding external assessment servers. It also includes basic information on how to use the default assessment configurations provided by NAC Manager and enable assessment for your NAC Configuration.
  • How to Deploy Agent-Based Assessment - If you are deploying agent-based assessment, this Help topic provides the configuration steps specific to deploying agent-based assessment in a Windows and Mac network environment. It includes instructions for configuring agent deployment and provides information about the agent icon and notification messages that appear on the end-user's system. It also includes instructions on performing a managed deployment or installation of the agent.
  • How to Set Up Assessment Remediation - Because Warning and Quarantine assessment provides end-system remediation, you must enable remediation for your NAC Configuration. This Help topic provides the specific steps that must be performed when setting up assisted remediation in your network.

This topic includes information and instructions on:

  • Agent-less Assessment Configuration
  • Agent-Based Assessment Configuration
  • Combined Assessment Configuration

Agent-less Assessment Configuration

This section presents instructions for creating assessment configurations for each of the three deployment phases, using an agent-less test set. A new assessment configuration is created for each phase, rather than modifying the existing assessment configuration. This allows you to easily revert back to an earlier phase at any time by changing the assessment configuration that your NAC profile is using.

Agent-less Informational Assessment

Use the following steps to create and configure an agent-less Informational assessment configuration. With Informational assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, but no action is taken against end-systems with vulnerabilities. This allows you to use assessment as a data-gathering mechanism without end-systems being quarantined. For more information, see the NAC Assessment Phased Deployment Guide.

When you create an agent-less Informational assessment configuration, all test results are configured with an Informational scoring mode. This means that test results are not counted towards a quarantine decision, and are used to provide information about overall network health.

  1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Informational Agent-less."

    Manage Assessment Settings

  2. In the Edit Assessment Configuration window, use the Configuration Menu button in the Scoring Override Configuration field to add a new scoring override configuration called "Informational Agent-less."

    Informational Assessment Configuration

  3. Do not add any scoring overrides to the configuration at this time. Click OK.

    Informational Scoring Override Configuration

  4. Back in the Edit Assessment Configuration window, verify that the Informational Agent-less scoring override configuration is selected.

    Informational Assessment Configuration

  5. From the test sets Configuration Menu button, add a new agent-less test set named "Informational Agent-less." Configure the Informational Agent-less test set as follows:
    1. Select the kinds of tests to perform.
    2. Set the Scoring Mode to Informational.
    3. Verify that the Informational scoring override configuration has no scoring overrides by reading through the Behavior description below the Scoring Mode field.


    Informational Agent-less Test Set

    Click OK to close the window.
  6. Back in the Edit Assessment Configuration window, verify that the Informational Agent-less test set is selected. Click OK.

    Informational Assessment Configuration

  7. Configure the Default NAC Profile to enable assessment and select the Informational Agent-less assessment configuration.

    Default NAC Profile

  8. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Informational assessment. You can see assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.

Agent-less Warning Assessment

Use the following steps to create and configure an agent-less Warning assessment configuration. With Warning assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, and end-systems with vulnerabilities are notified. End users are provided with the means to remediate their vulnerabilities and achieve compliance; however, end-systems which are not compliant can still access the network. For more information, see the NAC Assessment Phased Deployment Guide.

To create an agent-less Warning assessment configuration, the scoring mode in the agent-less test set is set to Informational, and scoring overrides are added to your scoring override configuration for each test case that should be a warning. As with the Informational assessment configuration, all end-systems will be considered to have no risk, and no end-systems will be quarantined.

Initially, configure Warning scoring overrides for your most frequent and severe vulnerabilities. Add additional scoring overrides for more vulnerabilities over time. You can easily add Warning scoring overrides from the Health Result Details tab, as you view the health results of an end-system.

  1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Warning Agent-less."

    Manage Assessment Settings

  2. In the Edit Assessment Configuration window, use the Configuration Menu button in the Scoring Override Configuration field to add a new scoring override configuration called "Warning Agent-less."

    Warning Assessment Configuration

  3. Do not add any scoring overrides to the configuration at this time. Click OK.

    Warning Scoring Override Configuration

  4. Back in the Edit Assessment Configuration window, verify that the Warning Agent-less scoring override configuration is selected.

    Warning Assessment Configuration

  5. Click the Advanced button to open the Advanced Assessment Configuration window where you can enable assessment warning periods. Set the number of Grace Period and Probation Period days to the desired values. Click OK to close the window.

    Advanced Assessment Configuration

  6. From the test sets Configuration Menu button, add a new agent-less test set named "Warning Agent-less." Configure the Warning agent-less test set as follows:
    1. Select the kinds of tests to perform.
    2. Set the Scoring Mode to Informational.


    Warning Agent-less Test Set

    Click OK to close the window.
  7. Back in the Edit Assessment Configuration window, select the Warning Agent-less test set to include in the configuration. Click OK.

    Warning Assessment Configuration

  8. Use the following steps to add Warning scoring overrides from the Health Result Details tab (in the End-Systems tab), as you view the health results of an end-system.
    1. Identify a health detail that represents a vulnerability you would like to add a Warning for.
    2. With the target health detail selected in the Health Result Details tab, select Configure > Add Scoring Override > to Add a Warning.

      Add a Warning

    3. Select the Warning Agent-less scoring override configuration. Click OK.

      Select Configuration

    4. Review the scoring override that will be created. No changes should be necessary. Click OK.

      Scoring Override

    5. Click OK to complete the scoring override. The Warning Agent-less scoring override configuration will be displayed with the new override. Click OK to save the scoring override configuration.

      Scoring Override Configuration

    6. Repeat steps 1 through 5 to create additional warning scoring overrides for other vulnerabilities, as needed.
  9. Configure the Default NAC Profile to enable assessment and select the Warning Agent-less assessment configuration.

    Default NAC Profile

  10. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Warning assessment. You can monitor the assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.

At some point, you may wish to invert your assessment configuration and scoring overrides. Rather than having a base scoring mode of Informational with scoring overrides for Warnings, you can have a base scoring mode of Warning with scoring overrides for Informational. In other words, instead of specifically calling out which tests are warnings, you call out which tests aren't. To do this, you will need to create a new scoring override configuration, and populate it with health result details marked as Informational by selecting the Configure > Add Scoring Override > To Make Informational menu option.

Agent-less Quarantine Assessment

Use the following steps to create and configure an agent-less Quarantine assessment configuration. With Quarantine assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, and end-systems with vulnerabilities are quarantined. End users are provided with the means to remediate their vulnerabilities and achieve compliance. Only end-systems which are compliant can access the network. For more information, see the NAC Assessment Phased Deployment Guide.

When you create a Quarantine assessment configuration, all health results will be configured with the Apply Score mode. End-systems will be assessed for risk on a scale of High Risk to No Risk, with High Risk end-systems being quarantined. If desired, you can also create scoring overrides for certain health results, configuring some as informational and others as warnings. This way, if there are specific vulnerabilities that you consider to be of no concern or that you wish to consider as warnings, you can still deploy a Quarantine assessment configuration and use scoring overrides to tailor how certain exceptions are handled.

  1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Quarantine Agent-less."

    Manage Assessment Settings

  2. In the Edit Assessment Configuration window, use the Configuration Menu button in the Scoring Override Configuration field to add a new scoring override configuration called "Quarantine Agent-less."

    Quarantine Assessment Configuration

  3. Do not add any scoring overrides to the configuration at this time. Click OK.

    Quarantine Scoring Override Configuration

  4. Back in the Edit Assessment Configuration window, verify that the Quarantine Agent-less scoring override configuration is selected.

    Quarantine Assessment Configuration

  5. From the test sets Configuration Menu button, add a new agent-less test set named "Quarantine Agent-less." Configure the Quarantine agent-less test set as follows:
    1. Select the kinds of tests to perform.
    2. Verify that the Scoring Mode is set to Apply Score.

    Quarantine Agent-less Test Set

    Click OK to close the window.
  6. Back in the Edit Assessment Configuration window, select the Quarantine Agent-less test set to include in the configuration. Click OK.

    Quarantine Assessment Configuration

  7. Use the following steps to add scoring overrides from the Health Result Details tab (in the End-Systems tab), as you view the health results of an end-system.
    1. Add scoring overrides for the vulnerabilities that should be informational. These are vulnerabilities that you still want to collect information about, but which should be excluded from risk level assessment. From the Health Result Details table, select Configure > Add Scoring Override > to Make Informational.

      Make Informational

    2. Select the Quarantine Agent-less scoring override configuration. Click OK.

      Select Configuration

    3. Review the scoring override that will be created. No changes should be necessary. Click OK.

      Informational Scoring Override

    4. Add scoring overrides for the vulnerabilities that should be warnings. These are vulnerabilities that you still want to collect information on and warn users about, but which should be excluded from risk level assessment. From the Health Result Details table, select Configure > Add Scoring Override > to Add a Warning.
    5. Add scoring overrides for the vulnerabilities that should be re-scored. These are vulnerabilities that should be included in risk level assessment, but with an altered risk level. From the Health Result Details table, select Configure > Add Scoring Override > to Change Score.
  8. Configure the Default NAC Profile to enable assessment and select the Quarantine Agent-less assessment configuration.

    Default NAC Profile

  9. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Quarantine assessment. You can monitor the assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.
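The scoring model used throughout the three agent-less phases (a base scoring mode per test set, plus scoring overrides that Make Informational, Add a Warning or Change Score), including the inverted Warning configuration described after the Warning procedure and the Test ID 90000 override the agent-based sections use for the No Agent Detected result, as an added example that is not NAC Manager code. The health results, their scores, the High Risk threshold, the intermediate risk level and the exact semantics of a Warning base mode are assumptions for illustration.

```python
"""Simplified model of how scoring modes and scoring overrides combine into a
per-end-system decision (added example, not NAC Manager's own logic).
Scores, risk thresholds and the Warning base mode are ASSUMED; Test ID 90000
is the No Agent Detected result named on the page."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class ScoringMode(Enum):
    INFORMATIONAL = "Informational"  # reported only, never counted toward quarantine
    WARNING = "Warning"              # reported and user warned, not counted (assumed)
    APPLY_SCORE = "Apply Score"      # counted toward the risk level


class Override(Enum):
    MAKE_INFORMATIONAL = "Make Informational"
    ADD_WARNING = "Add a Warning"
    CHANGE_SCORE = "Change Score"    # stays in scoring, but with a new score


@dataclass(frozen=True)
class HealthResult:
    test_id: int
    name: str
    score: float


@dataclass
class AssessmentConfig:
    name: str
    scoring_mode: ScoringMode
    # scoring override configuration: test_id -> (override kind, new score or None)
    overrides: dict = field(default_factory=dict)
    high_risk_threshold: float = 7.0  # ASSUMED cut-off for "High Risk"


NO_AGENT_DETECTED = 90000  # Test ID of the No Agent Detected result


def classify(result: HealthResult, cfg: AssessmentConfig) -> tuple[str, float]:
    """Return (disposition, counted score) for one health result.
    A scoring override always wins over the test set's base scoring mode;
    only 'scored' results carry a score into the risk calculation."""
    override = cfg.overrides.get(result.test_id)
    if override is not None:
        kind, new_score = override
        if kind is Override.MAKE_INFORMATIONAL:
            return "informational", 0.0
        if kind is Override.ADD_WARNING:
            return "warning", 0.0
        return "scored", float(new_score)          # CHANGE_SCORE
    if cfg.scoring_mode is ScoringMode.INFORMATIONAL:
        return "informational", 0.0
    if cfg.scoring_mode is ScoringMode.WARNING:
        return "warning", 0.0
    return "scored", result.score                  # APPLY_SCORE


def assess(results: list[HealthResult], cfg: AssessmentConfig) -> dict:
    """Roll per-result dispositions up into a risk level and a NAC action."""
    warnings, total = [], 0.0
    for r in results:
        disposition, counted = classify(r, cfg)
        if disposition == "warning":
            warnings.append(r.name)
        total += counted
    if total >= cfg.high_risk_threshold:
        risk = "High Risk"
    elif total > 0:
        risk = "Low Risk"   # assumed intermediate level on the High Risk..No Risk scale
    else:
        risk = "No Risk"
    if risk == "High Risk":
        action = "quarantine"
    elif warnings:
        action = "warn"     # user notified, network access still allowed
    else:
        action = "none"
    return {"config": cfg.name, "risk": risk, "score": total,
            "warnings": sorted(warnings), "action": action}


# Constructed sample health results for one end-system (scores are assumed).
SAMPLE_RESULTS = [
    HealthResult(10001, "Missing OS patch", 8.0),
    HealthResult(10002, "Antivirus out of date", 5.0),
    HealthResult(10003, "Open file share", 2.0),
    HealthResult(NO_AGENT_DETECTED, "No Agent Detected", 10.0),
]

# Phase 1: everything informational, nothing counted.
INFORMATIONAL_AGENTLESS = AssessmentConfig("Informational Agent-less", ScoringMode.INFORMATIONAL)
# Phase 2: base mode Informational plus Add a Warning overrides for the worst findings.
WARNING_AGENTLESS = AssessmentConfig("Warning Agent-less", ScoringMode.INFORMATIONAL, {
    10001: (Override.ADD_WARNING, None), 10002: (Override.ADD_WARNING, None)})
# The inverted form: base mode Warning, overrides name what is NOT a warning.
WARNING_INVERTED = AssessmentConfig("Warning Agent-less (inverted)", ScoringMode.WARNING, {
    10003: (Override.MAKE_INFORMATIONAL, None),
    NO_AGENT_DETECTED: (Override.MAKE_INFORMATIONAL, None)})
# Phase 3: Apply Score with per-result exceptions (informational, warning, re-scored).
QUARANTINE_AGENTLESS = AssessmentConfig("Quarantine Agent-less", ScoringMode.APPLY_SCORE, {
    10003: (Override.MAKE_INFORMATIONAL, None), 10002: (Override.ADD_WARNING, None),
    10001: (Override.CHANGE_SCORE, 6.0)})
# Phase 3 plus the Test ID 90000 override, so a missing agent no longer quarantines.
QUARANTINE_AGENT_OPTIONAL = AssessmentConfig("Quarantine Agent-less (90000 informational)",
    ScoringMode.APPLY_SCORE,
    {**QUARANTINE_AGENTLESS.overrides, NO_AGENT_DETECTED: (Override.MAKE_INFORMATIONAL, None)})

if __name__ == "__main__":
    for cfg in (INFORMATIONAL_AGENTLESS, WARNING_AGENTLESS, WARNING_INVERTED,
                QUARANTINE_AGENTLESS, QUARANTINE_AGENT_OPTIONAL):
        print(assess(SAMPLE_RESULTS, cfg))
```

Running the same sample results through each configuration shows why the phases are separate configurations rather than edits to one: only the base mode and overrides change, and the inverted Warning configuration yields exactly the same warnings as the explicit one.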

Agent-Based Assessment Configuration

This section presents instructions for creating assessment configurations for each of the three deployment phases, using an agent-based test set. A new assessment configuration is created for each phase, rather than modifying the existing assessment configuration. This allows you to easily revert back to an earlier phase at any time by changing the assessment configuration that your NAC profile is using.

Agent-Based Informational Assessment

Use the following steps to create and configure an agent-based Informational assessment configuration. With Informational assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, but no action is taken against end-systems with vulnerabilities. This allows you to use assessment as a data-gathering mechanism without end-systems being quarantined. For more information, see the NAC Assessment Phased Deployment Guide.

  1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Informational Agent-Based."

    Manage Assessment Settings

  2. In the Edit Assessment Configuration window, use the Configuration Menu button in the Scoring Override Configuration field to add a new scoring override configuration called "Informational Agent-Based."

    Informational Assessment Configuration

  3. Do not add any scoring overrides to the configuration at this time. Click OK.

    Informational Agent-Based Scoring Override Configuration

  4. Back in the Edit Assessment Configuration window, verify that the Informational Agent-Based scoring override configuration is selected.

    Informational Assessment Configuration

  5. From the test sets Configuration Menu button, add a new Agent-Based Test Set named "Informational Agent-Based." Configure the test set as follows:
    1. Set up the agent and choose the tests that will be executed.
    2. Configure the test set to run entirely in an informational mode by setting the Test Status of every test case to Informational. This is done in the test case Editor, accessed by double-clicking on the test case or when creating a new test.

    Informational Agent-Based Test Set

    Click OK to close the window.
  6. Back in the Edit Assessment Configuration window, verify that the Informational Agent-Based test set is selected. Click OK.

    Informational Assessment Configuration

  7. By default, the No Agent Detected test result score will be applied to risk assessment, and the end-system will be quarantined. If you choose to make this test result informational, you will need to set up a scoring override for Test ID 90000. This will be the only scoring override that will be configured.
    1. Open the Edit Scoring Override Configuration window for the Informational Agent-Based scoring override configuration, using the Configuration Menu button in the Scoring Override Configuration field. Click Add to add the following scoring override to the configuration.

      Add Scoring Override

    2. Click OK. The scoring override will be added to the Informational Agent-Based scoring override configuration. Click OK to close the window.

      Edit Scoring Override Configuration

  8. Configure the Default NAC Profile to enable assessment and select the Informational Agent-Based assessment configuration.

    Default NAC Profile

  9. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Informational assessment. You can see assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.

Agent-Based Warning Assessment

Use the following steps to create and configure an agent-based Warning assessment configuration. With Warning assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, and end-systems with vulnerabilities are notified. End users are provided with the means to remediate their vulnerabilities and achieve compliance; however, end-systems which are not compliant can still access the network. For more information, see the NAC Assessment Phased Deployment Guide.

  1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Warning Agent-Based."

    Manage Assessment Settings

  2. In the Edit Assessment Configuration window, use the Configuration Menu button in the Scoring Override Configuration field to add a new scoring override configuration called "Warning Agent-Based."

    Warning Assessment Configuration

  3. Do not add any scoring overrides to the configuration at this time. Click OK.

    Warning Scoring Override Configuration

  4. Back in the Edit Assessment Configuration window, verify that the Warning Agent-Based scoring override configuration is selected.

    Warning Assessment Configuration

  5. Click the Advanced button to open the Advanced Assessment Configuration window where you can enable Assessment Warning Periods. Set the number of Grace Period and Probation Period days to the desired values. Click OK.

    Advanced Assessment Configuration

  6. Back in the Edit Assessment Configuration window, from the test sets Configuration Menu button, add a new agent-based test set named "Warning Agent-Based." Configure the test set as follows:
    1. Set up the agent and choose the tests that will be executed.
    2. To use the agent notification feature (where the agent is used to notify end users of assessment violations), you must have the Display Agent Notification Messages option selected as well as the Advanced Agent Configuration option to Allow Remediation Through Agent selected.
    3. Configure each test case that you want to run in warning mode by setting the Test Status of that test case to Warning. This is done in the test case Editor, accessed by double-clicking on the test case or when creating a new test. All other tests should be configured to be Informational.

    Warning Agent-Based Test Set

    Click OK to close the window.
  7. Back in the Edit Assessment Configuration window, select the Warning Agent-Based test set to include in the configuration. Click OK.

    Warning Assessment Configuration

  8. By default, the No Agent Detected test result score will be applied to risk assessment, and the end-system will be quarantined. If you choose to make this test result a warning, you will need to set up a scoring override for Test ID 90000. This will be the only scoring override that will be configured.
    1. Open the Edit Scoring Override Configuration window for the Warning Agent-Based scoring override configuration, using the Configuration Menu button in the Scoring Override Configuration field. Click Add to add the following scoring override to the configuration.

      Add Scoring Override

    2. Click OK. The scoring override will be added to the Warning Agent-Based scoring override configuration. Click OK to close the window.

      Edit Scoring Override Configuration

  9. Configure the Default NAC Profile to enable assessment and select the Warning Agent-Based assessment configuration.

    Default NAC Profile

  10. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Warning assessment. You can monitor the assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.

Agent-Based Quarantine Assessment

Use the following steps to create and configure an agent-based Quarantine assessment configuration. With Quarantine assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, and end-systems with vulnerabilities are quarantined. End users are provided with the means to remediate their vulnerabilities and achieve compliance. Only end-systems which are compliant can access the network. For more information, see the NAC Assessment Phased Deployment Guide.

  1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Quarantine Agent-Based."

    Manage Assessment Settings

  2. In the Edit Assessment Configuration window, use the Configuration Menu button in the Scoring Override Configuration field to add a new scoring override configuration called "Quarantine Agent-Based."

    Quarantine Assessment Configuration

  3. Do not add any scoring overrides to the configuration at this time. Click OK.

    Quarantine Scoring Override Configuration

  4. Back in the Edit Assessment Configuration window, verify that the Quarantine Agent-Based scoring override configuration is selected.

    Quarantine Assessment Configuration

  5. From the test sets Configuration Menu button, add a new agent-based test set named "Quarantine Agent-Based." Configure the test set as follows:
    1. Set up the agent and choose the tests that will be executed.
    2. To use the agent notification feature (where the agent is used to notify end users of assessment violations), you must have the Display Agent Notification Messages option selected as well as the Advanced Agent Configuration option to Allow Remediation Through Agent selected.
    3. Configure each test case that you want included in the quarantine decision by setting the Test Status of that test case to Mandatory. This is done in the test case Editor, accessed by double-clicking on the test case or when creating a new test. Other tests can be configured as Informational or Warning.

    Quarantine Agent-Based Test Set

    Click OK to close the window.
  6. Back in the Edit Assessment Configuration window, select the Quarantine Agent-Based test set to include in the configuration. Click OK.

    Quarantine Assessment Configuration

  7. Configure the Default NAC Profile to enable assessment and select the Quarantine Agent-Based assessment configuration.

    Default NAC Profile

  8. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Quarantine assessment. You can monitor the assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.

Combined Assessment Configuration

This section presents instructions for creating assessment configurations for each of the three deployment phases, using both an agent-less and an agent-based test set. A new assessment configuration is created for each phase, rather than modifying the existing assessment configuration. This allows you to easily revert back to an earlier phase at any time by changing the assessment configuration that your NAC profile is using.

Combined Informational Assessment

Use the following steps to create and configure a combined Informational assessment configuration. With Informational assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, but no action is taken against end-systems with vulnerabilities. This allows you to use assessment as a data-gathering mechanism without end-systems being quarantined. For more information, see the NAC Assessment Phased Deployment Guide.

  1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Informational Combined."

    Manage Assessment Settings

  2. Use steps 2 through 4 in the Agent-less Informational Assessment section to create a scoring override configuration to use in your Combined assessment configuration. Name the scoring override configuration "Informational Combined."
  3. Use step 5 in the Agent-less Informational Assessment section to create an Informational agent-less test set to use in your Combined assessment configuration.
  4. Use step 5 in the Agent-Based Informational Assessment section to create an Informational agent-based test set to use in your Combined assessment configuration.
  5. Use step 7 in the Agent-Based Informational Assessment section to create a scoring override for the No Agent Detected health result if you would like the result to be informational. Note that you will need to add the scoring override to the Informational Combined scoring override configuration, instead of the Informational Agent-Based scoring override configuration as described in the step.
  6. Back in the Edit Assessment Configuration window, select the Informational Agent-less and Agent-Based test sets to include in the configuration. Click OK.

    Combined Assessment Configuration

  7. Configure the Default NAC Profile to enable assessment and select the Informational Combined assessment configuration.

    Default NAC Profile

  8. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Informational assessment. You can see assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.

Combined Warning Assessment

Use the following steps to create and configure a combined Warning assessment configuration. With Warning assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, and end-systems with vulnerabilities are notified. End users are provided with the means to remediate their vulnerabilities and achieve compliance; however, end-systems which are not compliant can still access the network. For more information, see the NAC Assessment Phased Deployment Guide.

  1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Warning Combined."

    Manage Assessment Settings

  2. Use steps 2 through 5 in the Agent-less Warning Assessment section above to create a scoring override configuration to use in your Combined assessment configuration. Name the scoring override configuration "Warning Combined."
  3. Use step 6 in the Agent-less Warning Assessment section above to create a Warning Agent-less test set to use in your Combined Assessment Configuration.
  4. Use step 6 in the Agent-Based Warning Assessment section above to create a Warning Agent-Based test set to use in your Combined Assessment Configuration.
  5. Use step 8 in the Agent-Based Warning Assessment section to create a scoring override for the No Agent Detected health result if you would like the result to be a warning. Note that you will need to add the scoring override to the Warning Combined scoring override configuration, instead of the Warning Agent-Based scoring override configuration as described in the step.
  6. Back in the Edit Assessment Configuration window, select the Warning Agent-less and Agent-Based test sets to include in the configuration. Click OK.

    Combined Assessment Configuration

  7. Use step 8 in the Agent-less Warning Assessment section to add Warning scoring overrides to your assessment configuration. Be sure to add the overrides to the Warning Combined scoring override configuration.
  8. Configure the Default NAC Profile to enable assessment and select the Warning Combined assessment configuration.

    Default NAC Profile

  9. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Warning assessment. You can see assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.

Combined Quarantine Assessment

Use the following steps to create and configure a combined Quarantine assessment configuration. With Quarantine assessment, end-systems connecting to the network are assessed for security compliance. The assessment results are reported, and end-systems with vulnerabilities are quarantined. End users are provided with the means to remediate their vulnerabilities and achieve compliance. Only end-systems which are compliant can access the network. For more information, see the NAC Assessment Phased Deployment Guide.

  1. From the Manage Assessment Settings window, click Add to create a new assessment configuration and name it "Quarantine Combined."

    Manage Assessment Settings

  2. Use steps 2 through 4 in the Agent-less Quarantine Assessment section to create a scoring override configuration to use in your Combined assessment configuration. Name the scoring override configuration "Quarantine Combined."
  3. Use step 5 in the Agent-less Quarantine Assessment section to create a Quarantine agent-less test set to use in your Combined assessment configuration.
  4. Use step 5 in the Agent-Based Quarantine Assessment section to create a Quarantine agent-based test set to use in your Combined assessment configuration.
  5. Back in the Edit Assessment Configuration window, select the Quarantine Agent-less and Agent-Based test sets to include in the configuration. Click OK.

    Combined Assessment Configuration

  6. Use step 7 in the Agent-less Quarantine Assessment section to add scoring overrides to your assessment configuration. Be sure to add the overrides to the Quarantine Combined scoring override configuration.
  7. Configure the Default NAC Profile to enable assessment and select the Quarantine Combined assessment configuration.

    Default NAC Profile

  8. Enforce the new configuration to your appliances. All appliances using the Default NAC Profile will now perform Quarantine assessment. You can see assessment results in the End-Systems tab. For more information, see the Viewing Health Results section of the NAC Assessment Phased Deployment Guide.