Network Access Control

  • 1.  SNAC Self Enforcement

    Posted Jun 19, 2013 02:46 AM

    I am already using SEPM 12.1.2 in my Enterprise env.

    Can I use SNAC Self Enforcement feature to isolate outbreak systems, and to put them to a quarantine VLAN?

    Will this feature work without the real symantec NAC appliance installed?

    Please explain?

    Thanks



  • 2.  RE: SNAC Self Enforcement

    Posted Jun 24, 2013 09:06 AM

    In short, no.

    The self-enforcement feature of SNAC uses SEP to apply a set of policies to use when HI fails. These are just the usual AV, IPS, FW, etc. type policies, so it will not be able to swap VLANs for you. That said, you can get SNAC to run a script, so you may be able to cobble something together that way (though I don't know how).

    For Dynamic VLAN allocation and using 802.1x in general, you'll want to look into the LAN Enforcer.



  • 3.  RE: SNAC Self Enforcement

    Broadcom Employee
    Posted Nov 10, 2013 09:41 AM

    Actually, there is a way you can achieve it.

    Create a Firewall Policy and name it Quarantine Firewall rule. Allow only the minimum required services / ports.

    You need to create a HI policy and assign it to groups. Do not check the option in the HI policy "Pass even if the rule fails".

    The group to which this HI policy is applied has a tab "Quarantine Policies when Host Integrity fails". Click on Add policy -> Select Quarantine Firewall Policy -> Select Use an existing Firewall policy and select the "Quarantine Firewall policy" created earlier.

    So when the HI policy fails, the Quarantine Firewall policy on the client will be activated and only necessary services / ports will be allowed. 

    Note: SEP client should be enabled and working properly. NTP to be enabled.

    Hope this helps !!!


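    One check worth running once the self-enforcement policy above is in place: from a client that has been made to fail HI (and is therefore under the Quarantine Firewall policy), probe the handful of services the policy is supposed to allow and a few it is supposed to block, and fail loudly on either a broken remediation path or a leak. The script below is an added example, not Symantec code or something from this thread; the SEPM port 8014 is the SEP 12.1 default client communication port, and the remediation, file server and intranet hostnames are constructed placeholders.

```python
"""Audit a SNAC self-enforcement quarantine from the quarantined client.

Added example (not part of the original thread). Run it on a client that is
currently failing Host Integrity so the Quarantine Firewall policy is active.
"""
import socket
import sys
from typing import Callable, Dict, List, Set, Tuple

Endpoint = Tuple[str, int]

# Constructed sample: what the Quarantine Firewall policy must still allow.
# 8014 is the SEP 12.1 default SEPM client port; the remediation host is hypothetical.
EXPECTED_ALLOWED: Set[Endpoint] = {
    ("sepm.example.internal", 8014),
    ("remediate.example.internal", 80),
}

# Constructed sample: normal production services that must be blocked while quarantined.
EXPECTED_BLOCKED: Set[Endpoint] = {
    ("fileserver.example.internal", 445),
    ("intranet.example.internal", 80),
}


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: True only if a TCP handshake completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered/timed out, or unresolvable all count as "not reachable".
        return False


def audit_quarantine(
    expected_allowed: Set[Endpoint],
    expected_blocked: Set[Endpoint],
    connect: Callable[[str, int], bool] = tcp_connect,
) -> Dict[str, List[Endpoint]]:
    """Probe both lists and classify each endpoint.

    'remediation_broken': an allowed service is unreachable (client cannot
                          report to SEPM or fetch fixes, so it never leaves quarantine)
    'quarantine_leak':    a blocked service is reachable (isolation is not effective)
    'ok':                 behaved as the policy intends
    """
    findings: Dict[str, List[Endpoint]] = {
        "ok": [],
        "remediation_broken": [],
        "quarantine_leak": [],
    }
    for host, port in sorted(expected_allowed):
        bucket = "ok" if connect(host, port) else "remediation_broken"
        findings[bucket].append((host, port))
    for host, port in sorted(expected_blocked):
        bucket = "quarantine_leak" if connect(host, port) else "ok"
        findings[bucket].append((host, port))
    return findings


def is_effective(findings: Dict[str, List[Endpoint]]) -> bool:
    """True when every expectation held: nothing leaked, nothing needed is cut off."""
    return not findings["remediation_broken"] and not findings["quarantine_leak"]


if __name__ == "__main__":
    result = audit_quarantine(EXPECTED_ALLOWED, EXPECTED_BLOCKED)
    for category, endpoints in result.items():
        for host, port in endpoints:
            print(f"{category:20s} {host}:{port}")
    sys.exit(0 if is_effective(result) else 1)
```

The probe is injected (`connect=`) so the classification logic can be exercised without a network; in production the default `tcp_connect` is used. A non-zero exit on either failure mode is deliberate: an unreachable SEPM is just as much a finding as a reachable file share, since a client that cannot report its HI status never gets re-evaluated and stays stuck in quarantine.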

  • 4.  RE: SNAC Self Enforcement

    Posted Nov 19, 2013 03:41 AM

    Actually, there isn't ;)

    What you're describing is the self-enforcement feature, and it very clearly does not put the endpoint into a different VLAN. Dynamic VLAN allocation requires switches that support 802.1x, as well as a means of authenticating the client. Further adding the SNAC LAN Enforcer to the authentication process provides the ability to base the switch actions on the SNAC HI results as well.

    All self-enforcement does is apply a different Firewall policy when the endpoint fails the HI check (exactly as I explained earlier).



  • 5.  RE: SNAC Self Enforcement

    Broadcom Employee
    Posted Nov 25, 2013 05:45 AM

    It depends on how you understand "Quarantine". As per the query:

    Can I use SNAC Self Enforcement feature to isolate outbreak systems, and to put them to a quarantine VLAN?

    Will this feature work without the real symantec NAC appliance installed?

    Quarantine means isolation ... if network access is disabled / blocked to the outbreak endpoint, then the endpoint is in a quarantine (isolated) zone.

    When the HI compliance policy fails and the Quarantine Firewall blocks the port, the endpoint is unable to access the network, meaning the endpoint is isolated (Quarantine).

    Hope this helps :)



  • 6.  RE: SNAC Self Enforcement

    Posted Dec 03, 2013 04:59 AM

    I think I see where the confusion is coming from now, and it seems we have differing interpretations of the question.

    As far as the ability to Quarantine an endpoint goes, Robocop is entirely correct that this can be accomplished by all the various SNAC options (including the SEP Firewall for self-enforcement, as well as the DHCP enforcer, Gateway Enforcer and LAN Enforcer).

    However, as far as changing the VLAN a client is connected to goes (which is how I interpreted the question), only the LAN Enforcer can do this, as it's the only one that actively communicates with the switches to perform the VLAN assignment. The use of the LAN Enforcer requires that your switches are capable of dynamic VLAN allocation, and that you set up the quarantine environment correctly so that remediation is possible.