Network Access Control


Compliance Notifications from SEPM

  • 1.  Compliance Notifications from SEPM

    Posted Oct 21, 2009 08:33 AM

     

    I have a HI rule stating that client must have endpoint protection running with no worse than 7 days old defs. I also set up a compliance notification to email if there are any Compliance events. Will I get a notification if a new machine comes on the network that isn’t running the NAC agent? I will be using either a DHCP or LAN Enforcer to force the Quarantine. If so, what will the notification say? What information about the client would it show? Or will it just quarantine the machine, without any alert?

    The notification I set up is under client security: All Compliance events. Is there another notification besides that? My goal is to get alerts every time someone fails a Compliance check, with or without the agent installed.


  • 2.  RE: Compliance Notifications from SEPM

    Posted Oct 21, 2009 12:45 PM
    Take a look at this KB - Configuring notifications for Host Integrity checks
    http://seer.entsupport.symantec.com/docs/333040.htm

    Let me know if this failed to answer your questions.

    Thomas


  • 3.  RE: Compliance Notifications from SEPM

    Posted Oct 21, 2009 03:16 PM

    This KB has to do with what the client will see if they fail a notification. It does not answer my question. The alerts I'm referring to are the alerts the SEPM will send to me, as the admin of SEPM.

    My goal is to get alerts every time someone fails a Compliance check, with or without the agent installed.



  • 4.  RE: Compliance Notifications from SEPM

    Posted Oct 21, 2009 04:48 PM

    This may or may not be where you went to add your notification, but I figured I'd add my 2 cents.

    Notifications are set on the SEPM via "Monitors" --> "Notifications" tab. Here, you can choose to add notifications.

    Once you click on "Client Security Alert", you will have a number of options to choose from.  You can choose to filter whether to monitor by Group, Domain, Server, or even individual computer.

    If you check the options "Compliance events" and "Write the notification to the database"  you should be notified if a Client passing through the Enforcer is Allowed or denied.  Another key option to select is report type (Summary Report or Client List).

    Excerpt from the Help Article:
    COMPLIANCE EVENTS: For Client security alert, specifies that a compliance-related event, such as a Host Integrity failure, should trigger this notification.

    REPORT TYPE: Specifies the content of the email notification.
    This option is only available for the Client security alert, New risk detected, Risk outbreak, and Virus definitions out-of-date notification conditions.
    Note: 
     This option does not apply when the action is to run a batch file or executable file.
     
    You can select one of the following to be attached to the email notification as a .mht file:

    Summary report
    A report that summarizes the activity that triggered the notification

    Client list
    The event list that triggered the notification




  • 5.  RE: Compliance Notifications from SEPM

    Posted Oct 21, 2009 05:05 PM
    The above is what I configured. 


    Now to the big question.

    Will I get a notification if a new machine comes on the network that isn’t running the NAC agent? I will be using either a DHCP or LAN Enforcer to force the Quarantine. If so, what will the notification say? What information about the client would it show? Or will it just quarantine the machine, without any alert?


  • 6.  RE: Compliance Notifications from SEPM

    Posted Oct 22, 2009 12:11 PM

    It should show in the report "Symantec Agent is not running or running an incompatible version."  This is a generic message that may be seen for other reasons (requiring further investigation), but mostly covers clients that have not had the Agent installed yet. 

    You can go a step further and have a message displayed on the client when it has been blocked by the Enforcer.  You do this through the Enforcer Properties, in the Authentication Tab.  You can edit the message to say whatever you would like the user to see.



  • 7.  RE: Compliance Notifications from SEPM

    Posted Oct 22, 2009 12:35 PM

    Policy manager(10.22.17.178) failed to verify client's UID.
    Symantec Agent is not running or running an incompatible version.



  • 8.  RE: Compliance Notifications from SEPM

    Posted Oct 22, 2009 12:54 PM
    Will the report show the hostname or IP address of the client without the agent? If they don't have the agent, how will it get the message displayed on the client?

    Would I get an email with this information if I have the Client Security Alert/Compliance events?


  • 9.  RE: Compliance Notifications from SEPM

    Posted Oct 22, 2009 06:01 PM
    I am having trouble finding what the report will show, but in the meantime I have found where to locate the IP Address of the rejected clients.

    From the SEPM:
    Click the "Monitors" Icon
    Log Type: Compliance
    Log Content: Enforcer Client

    Click "View Log"
    Sort by "Action". You will see "Authenticated", "Passed", "Rejected".
    Under the "Remote Host" column, you will see all of the IP addresses of clients that have been rejected.


    I will continue my search....


  • 10.  RE: Compliance Notifications from SEPM

    Posted Oct 24, 2009 03:19 PM
    Will it show the Rejected IP even if the client doesn't have the agent installed?


  • 11.  RE: Compliance Notifications from SEPM

    Posted Oct 25, 2009 08:50 AM
    SNAC clients have to be installed on the computers; for new computers coming on to the network you can go for Dissolvable Clients.
    https://www-secure.symantec.com/connect/forums/snac-agentless-configuration 


  • 12.  RE: Compliance Notifications from SEPM

    Posted Oct 26, 2009 12:25 PM
    I installed a DHCP Enforcer and did a test.

    In the logs I see this from a client without the agent.

    Site Name: Sepm Server
    Event time: 10/26/2009 11:49:40
    Enforcer Name: DHCO Enforcer
    Enforcer type: Integrated Enforcer
    Remote Host vistahomeSP2VM[from 192.168.1.23]
    Action: Rejected
    Period: 1256572180
    Description: Symantec Agent is not running or running an incompatible version.
    Remote MAC: 00-1C-19-15-1C-1E
    Remote info: MSFT 5.0

    I have tried every possible notification on client security alert to have it send me an email if this occurs. I can't get an email to trigger off.
    I am able to get a notification after I install the client and it fails a HI check.

    As for the Dissolvable Clients, where is the setting to have the client download this agent? Does the setting exist with just a DHCP Enforcer?
    The document and post you mentioned don't give that information. Where is the exe for this agent?

    Can you give me screenshots with how to set it up.
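
Added example, not part of the thread and not Symantec code: while the SEPM email notification does not fire for agentless clients, Enforcer Client log entries like the one quoted in the post above can be scanned for them directly. The code assumes the log has been exported as text in that field layout, one blank line between entries; `parse_records` and `agentless_rejections` are hypothetical names.

```python
import re
# Constructed sample in the field layout of the log entry quoted above: the first
# record mirrors it (note "Remote Host" has no colon), the other two are made up.
SAMPLE = """\
Event time: 10/26/2009 11:49:40
Remote Host vistahomeSP2VM[from 192.168.1.23]
Action: Rejected
Description: Symantec Agent is not running or running an incompatible version.
Remote MAC: 00-1C-19-15-1C-1E

Event time: 10/26/2009 11:51:02
Action: Rejected
Description: Symantec Agent is not running or running an incompatible version.
Remote MAC: 00-1C-19-15-1C-1E

Event time: 10/26/2009 11:52:30
Remote Host: examplepc[from 192.168.1.40]
Action: Authenticated
"""

LINE_RE = re.compile(r"^\s*(Site Name|Event time|Enforcer Name|Enforcer type|Remote Host"
                     r"|Action|Period|Description|Remote MAC|Remote info)\s*:?\s*(.*?)\s*$")
HOST_RE = re.compile(r"^(.*?)\[from ([0-9.]+)\]$")
NO_AGENT = "Symantec Agent is not running"  # generic text; can have other causes

def parse_records(text):
    """Split blank-line-separated entries into dicts keyed by field name."""
    records, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        m = LINE_RE.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
        elif cur and not line.strip():
            records.append(cur)
            cur = {}
    return records

def agentless_rejections(records):
    """One alert per MAC for Rejected entries carrying the no-agent description."""
    alerts = {}
    for r in records:
        if r.get("Action") == "Rejected" and r.get("Description", "").startswith(NO_AGENT):
            m = HOST_RE.match(r.get("Remote Host", ""))
            host, ip = m.groups() if m else (r.get("Remote Host"), None)
            a = alerts.setdefault(r.get("Remote MAC"), {"host": host, "ip": ip, "count": 0})
            a["count"] += 1
    return alerts

if __name__ == "__main__":
    print(agentless_rejections(parse_records(SAMPLE)))
```

Keying on the MAC collapses repeated rejections of the same machine into one alert with a count, which keeps a mail hook fed from this output from flooding.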


  • 13.  RE: Compliance Notifications from SEPM

    Posted Oct 26, 2009 02:04 PM
     
    Regarding the issue of the “Agent-less” Client not displaying a pop-up message after it has been rejected, I found some more information:
     
    This feature relies on Windows Messenger service to deliver the message, which Microsoft has removed from Windows since Vista and 2008.  Other methods of utilizing this feature are currently under research by our development team, and should be included in a later release.
     
    If you would like to go the route of providing a Temporary client on non-compliant machines, I have found the following information:
     
    Pg. 267 of the Enforcer Implementation Guide mentions more about the "On-Demand" feature on the Enforcer:
    ftp://ftp.symantec.com/public/english_us_canada/products/symantec_network_access_control/11.0/manuals/mr4/Enforcer_Implementation_Guide.pdf



    This KB will help if you have problems configuring the HTTP Redirect on the SEPM:
    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/4ff1e3f54ef14f0a8825753e00646bc5?OpenDocument
     

    I am still working on finding an answer for you regarding notifications delivered by the SEPM.


  • 14.  RE: Compliance Notifications from SEPM

    Posted Oct 26, 2009 02:37 PM

    Based on the document and where the setting should be it looks like the DHCP add on Enforcer does not have this option to install the "On-Demand".  



  • 15.  RE: Compliance Notifications from SEPM

    Posted Oct 26, 2009 03:24 PM
    Yeah, you're right. I guess that would be available if you decided to purchase the Appliance in the future.

    Regarding your statement on Notifications:
    "I have tried every possible notification on client security alert to have it send me an email if this occurs. I can't get an email to trigger off.
    I am able to get a notification after I install the client and it fails a HI check."

    It sounds like you may need to open a case with our support team regarding this.  Once you have done this, you can PM me the case number, and I can provide technical assistance, if needed.