Endpoint Protection


What's new in SNAC 12.1 

Apr 11, 2012 03:03 AM

Updated on 2nd Nov'12

 

Hello All,

First, go through the System requirements for SNAC 12.1.

New features in SNAC 12.1

SNAC 12.1 includes two new features for LAN Enforcers:

    • MAC Authentication Bypass (MAB): used for LAN Enforcers running as a RADIUS proxy.

    • Ignore Symantec NAC Client Check: used for LAN Enforcers running in either mode.

The option to bypass RADIUS authentication applies only if the LAN Enforcer is running with a RADIUS server configured. The Ignore Symantec NAC Client Check option applies in either RADIUS or transparent mode. Both settings whitelist a client by its MAC address to prevent enforcement of certain criteria. A MAC address is trivially copied by another host, so keep these lists short, limit them to devices that genuinely cannot participate, and use the MAB VLAN field to confine exempted devices to a VLAN that carries only what they need.

MAC authentication bypass

MAC Authentication Bypass (MAB) tells an 802.1X switch to let a client be RADIUS-authenticated by its MAC address instead of the usual user name and password. The feature is intended for devices that do not or cannot run an 802.1X supplicant but do have an IP and MAC address, for example a network printer or Voice over IP (VoIP) phone that is not 802.1X compatible. The optional VLAN field assigns a client with a listed MAC address to a specific VLAN, overriding the switch's VLAN assignment.

Ignore Symantec NAC client check

The Ignore Symantec NAC Client Check option is for devices that are expected to have an 802.1X supplicant running but cannot run the SNAC agent, typically 802.1X-compatible VoIP phones. When the client's MAC address matches an address in the list for this feature, the LAN Enforcer bypasses host integrity (HI) checks and always treats HI as passing. If the LAN Enforcer is running in RADIUS mode, the client is still processed for RADIUS authentication.
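The way the two exemptions interact with the Enforcer mode, HI and the VLAN override is easy to get wrong when building the whitelists, so here is a small model of the decision logic as an added example. It is not Symantec code and not how the Enforcer is implemented; it only encodes what this article states. Class and field names, the sample MAC lists, and the treatment of HI for a MAB device (a device with no supplicant runs no SNAC agent, so the model skips the HI check, which the article does not spell out) are assumptions made for illustration.

```python
"""Model of the two MAC-based exemptions that SNAC 12.1 adds to the LAN Enforcer.

Added example: not Symantec code and not the Enforcer's real implementation.
It encodes what the article states: a MAB entry authenticates a
supplicant-less client by its MAC and can override the switch VLAN, and
applies only in RADIUS mode; an "Ignore Symantec NAC Client Check" entry
makes Host Integrity (HI) count as passed in either mode, while RADIUS
authentication still happens in RADIUS mode. Names and sample lists are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

_NOT_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(mac: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff for colon, hyphen, Cisco dotted or bare input.

    A whitelist entry that cannot be normalised raises instead of silently
    never matching, which is how a typo in a MAB list usually shows up."""
    digits = _NOT_HEX.sub("", mac.strip().lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Decision:
    auth: str            # "mac" (MAB), "supplicant" (802.1X) or "none" (transparent mode)
    hi: str              # "enforced", "forced_pass" or "skipped"
    vlan: Optional[int]  # VLAN pushed by the Enforcer; None leaves the switch's choice


class LanEnforcerPolicy:
    def __init__(self, mode: str, mab: dict, ignore_nac_check: list):
        if mode not in ("radius", "transparent"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        # MAB entries map MAC -> optional VLAN override (the article's "optional VLAN field").
        self.mab = {normalize_mac(m): vlan for m, vlan in mab.items()}
        self.ignore_nac_check = {normalize_mac(m) for m in ignore_nac_check}

    def evaluate(self, client_mac: str) -> Decision:
        mac = normalize_mac(client_mac)
        # MAB only means something when the Enforcer is the RADIUS proxy.
        if self.mode == "radius" and mac in self.mab:
            # Assumption: a device with no supplicant runs no SNAC agent, so there
            # is no HI result to enforce. The article does not spell this out.
            return Decision(auth="mac", hi="skipped", vlan=self.mab[mac])
        auth = "supplicant" if self.mode == "radius" else "none"
        if mac in self.ignore_nac_check:
            # HI is treated as passing; RADIUS authentication still happens in RADIUS mode.
            return Decision(auth=auth, hi="forced_pass", vlan=None)
        return Decision(auth=auth, hi="enforced", vlan=None)

    def unconfined_mab_entries(self) -> list:
        """MAB entries with no VLAN override. A host spoofing such a MAC lands on
        whatever VLAN the switch assigns, so these deserve a second look."""
        return sorted(m for m, vlan in self.mab.items() if vlan is None)


# Constructed sample whitelist (not from any real deployment).
POLICY = LanEnforcerPolicy(
    mode="radius",
    mab={"0011.2233.4455": 40,          # printer, confined to VLAN 40
         "00-AA-BB-CC-DD-EE": None},    # scanner, no VLAN override
    ignore_nac_check=["00:1b:4f:12:34:56"],  # 802.1X-capable VoIP phone without the agent
)

if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "00:1B:4F:12:34:56", "08:00:27:00:00:01"):
        print(mac, POLICY.evaluate(mac))
    print("unconfined MAB entries:", POLICY.unconfined_mab_entries())
```

Running `unconfined_mab_entries()` over a real list before loading it into the Enforcer is the practical check here: any exempted MAC without a VLAN override is a MAC that an attacker can clone to land on a production VLAN with no HI check at all.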

Management changes

The Enforcer client log view includes:

• Enforcer compliance log event descriptions

• Client compliance log event descriptions

The enforcer client logs are enhanced to provide more descriptive content. This helps an administrator match enforcer events with client events.

 

SNAC 11.x: Logs displayed the status that a client's HI failed, but provided no further details.

SNAC 12.1: Logs that show a client HI failure include the reasons why HI failed on that client.

SNAC 11.x: Compliance events were exported in a paragraph format.

SNAC 12.1: Events are exported in a more organized format that lets an administrator manipulate the data easily. Enforcer log exports also contain additional data, depending on which logs are exported, presented in the same enhanced format.

The Host Compliance log exports include additional details in the enhanced format, such as the Computer ID, OS language, service pack, agent version, profile serial number, free disk space, and more. In SNAC 11.x, an administrator had to go to multiple reports and logs to collect the same information. To view the full details available, use the Monitors page of the SEPM console to access the Host Compliance logs.

Configure the network time protocol from SEPM console

 

SNAC 11.x: The network time protocol (NTP) feature is configurable only from the enforcer command-line interface (CLI).

SNAC 12.1: NTP can also be configured in the enforcer group properties, under the Advanced tab. The CLI method is still supported. If both the enforcer group NTP and the CLI NTP methods are used, whichever was configured most recently defines the NTP settings. NTP is disabled by default, and only one NTP server at a time is supported.

 

Enforcer registration using the preshared key hash

SNAC 11.x: The SEPM does not allow an enforcer to register without the encryption key that the administrator defined during the SEPM installation.

SNAC 12.1: The SEPM can also accept registration using the preshared key hash from the SEPM.

The preshared key hash is found in any Sylink.xml under the SEPM installation sub-folder "data\outbox\agent". Open the Sylink.xml in Notepad or a browser and look for the XML attribute "Kcs". The 32-character alphanumeric string inside the quotes after Kcs is the preshared key hash. Do not include the quotes when typing the hash into the enforcer CLI. Treat this value as a credential: whoever holds it can register an enforcer with the SEPM, so restrict access to that folder and do not paste the hash into tickets or e-mail.
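The manual steps above (open Sylink.xml, find the Kcs attribute, copy the 32-character value without its quotes) are easy to get wrong by hand, so here is an added example that does the same extraction and refuses anything that does not look like a 32-character alphanumeric hash. This is not Symantec tooling. Apart from the Kcs attribute name, the element layout of the embedded sample file is constructed for illustration, and the hash value in it is made up; real Sylink.xml files are larger and laid out differently, which is why the code searches every element for the attribute rather than assuming a path.

```python
"""Extract the preshared key hash (the "Kcs" XML attribute) from a Sylink.xml.

Added example, not Symantec tooling. It follows the article's manual steps
and validates the result so a stray quote, a truncated copy or a file with
two different Kcs values is caught before the hash reaches the enforcer CLI.
SAMPLE_SYLINK below is constructed: its element names and the hash value are
made up, and only the Kcs attribute name comes from the article.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# The article describes the hash as a 32-character alphanumeric string.
KCS_RE = re.compile(r"^[0-9A-Za-z]{32}$")

# Constructed sample; the real file's structure differs.
SAMPLE_SYLINK = b"""<?xml version="1.0" encoding="UTF-8"?>
<ServerSettings>
  <Server Address="sepm.example.local" Port="8014"/>
  <Registration Kcs="0123456789abcdef0123456789ABCDEF"/>
</ServerSettings>
"""


def find_kcs(xml_data) -> str:
    """Return the Kcs attribute value, wherever it sits in the document.

    Accepts bytes (so the XML declaration's encoding is honoured) or str."""
    root = ET.fromstring(xml_data)
    values = {el.get("Kcs") for el in root.iter() if el.get("Kcs") is not None}
    if not values:
        raise ValueError("no Kcs attribute found in this file")
    if len(values) > 1:
        raise ValueError(f"conflicting Kcs values: {sorted(values)}")
    return values.pop()


def validate_kcs(value: str) -> str:
    """Strip quotes/whitespace that came along with a copy-paste, then check the shape."""
    cleaned = value.strip().strip("\"'")
    if not KCS_RE.match(cleaned):
        raise ValueError(f"Kcs does not look like a 32-character hash: {value!r}")
    return cleaned


def preshared_key_hash(path) -> str:
    """Read a Sylink.xml from disk and return the validated hash, ready for the CLI."""
    return validate_kcs(find_kcs(Path(path).read_bytes()))


if __name__ == "__main__":
    # Usage: python kcs.py <path-to-Sylink.xml>; with no argument, the sample is used.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_SYLINK
    print(validate_kcs(find_kcs(data)))
```

The output is the exact string to type at the enforcer CLI; the script prints nothing else so that it cannot be mistaken for the quoted attribute. Treat the printed value like a password and clear it from the terminal history afterwards.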

Cross site client UID validation

SNAC 11.x: The SEPM fails to validate a client's UID with a LAN Enforcer when the SNAC client belongs to a different site than the LAN Enforcer and UID replication across the sites is not complete.

SNAC 12.1: The LAN Enforcer supports cross-site UID validation. As long as the client's SEPM is known to the enforcer and has a health status of ONLINE, the enforcer sends the UID validation to the client's SEPM directly.

 

 

Windows 2008 network policy server (NPS)

In SNAC 11.x, Windows Vista and Windows 7 clients fail authentication against a Windows 2008 Network Policy Server (NPS) when the SNAC client is not running: the Windows 802.1X supplicant does not recognize the SNAC 11.x enforcer credentials challenge, so all Windows Vista and Windows 7 clients fail RADIUS authentication. SNAC 12.1 resolves this with an option to allow NPS-based authentication, which puts the authentication challenge in the format an NPS environment expects.

DHCP scope based enforcement

 

SNAC 11.x: There is no option to exempt some DHCP scopes from enforcement; it is an all-or-nothing configuration.

SNAC 12.1: All DHCP scopes are enforced by default, but the administrator can disable enforcement for specific DHCP scopes by clearing the check box next to the applicable scope.

 

 

Gateway Enforcer: ODC support for 802.1Q trunking

In SNAC 11.x, the Gateway Enforcer could perform trunking for multiple VLANs; however, if the on-demand client (ODC) was enabled on the enforcer, the ODC was hosted only on the management VLAN. SNAC 12.1 resolves this, and the ODC can be used on other VLANs.

Gateway Enforcer: Guest enforcement mode

 

SNAC 11.x: A Gateway Enforcer in guest enforcement mode is connected to the network, but its external NIC must be connected to a dummy port. The Gateway Enforcer also needs a separate DNS spoofing server that redirects HTTP requests from clients to the enforcer.

SNAC 12.1: Gateway Enforcers running guest enforcement act as their own DNS spoofing server. The network hands out the enforcer's IP address as the DNS server, and the enforcer handles the DNS spoofing. The external NIC drops all traffic on the external network rather than requiring a dummy link.

 

Logging interval and HI content updates

SNAC 11.x: Log messages are posted at a one-second interval.

SNAC 12.1: Log messages are posted at a one-millisecond interval, and new HI templates are added for a variety of Symantec and third-party applications.

SNAC 11.x: The HI content engines could not be updated except through an upgrade.

SNAC 12.1: SNAC client content is available to the SEPM through LiveUpdate. After the SEPM retrieves the HI updates, it distributes them to the clients as content updates. A single HI content update serves all localized Windows product versions (English, French, and more).

 
Symantec™ Network Access Control
 
 
'What is Symantec Network Access Control?'
Web URL: http://service1.symantec.com/support/ent-security....

 
Comments

Aug 29, 2014 07:51 AM

Symantec Network Access Control (SNAC) End of Life FAQ for Customers and Partners

http://www.symantec.com/docs/HOWTO95154

 

Dec 20, 2013 09:28 AM

Hi,

I would request you to contact the SNAC team.

Dec 05, 2013 07:10 AM

We are planning to deploy the NAC in transparent mode. In our environment, we are deploying only the Symantec LAN Enforcer 6100. If we exclude the Avaya VoIP phones and network printers by using the "Ignore Symantec NAC Client Check: Used for LAN Enforcers running in either mode" option mentioned above, how can we deal with the issue of MAC spoofing?

 

Please advise

May 23, 2013 07:32 AM

Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access Control

http://www.symantec.com/docs/TECH163829 
