Quarantined Networks; Endpoint Quarantine Precedence - HP 800 User Manual

Quarantined Networks

Endpoint Quarantine Precedence

NOTE:
7-2

Endpoint Quarantine Precedence

Endpoints are quarantined in the following hierarchical order:
Access mode (normal operation or allow all)
1.
2. Temporarily quarantine for/Temporarily grant access for radio buttons
Endpoint testing exceptions (always grant access, always quarantine)
3.
Post-connect (external quarantine request)
4.
NAC policies
5.
In DHCP mode, if an endpoint with an unsupported OS already has a DHCP-
assigned IP address, NAC 800 cannot affect this endpoint in any way until the
lease on the existing IP address for that endpoint expires. If an endpoint with
an unsupported OS has a static IP address, NAC 800 cannot affect this
endpoint in any way. In both of these cases, the System Monitor window may
show the quarantined icon next to these endpoints; however, if you hover
your mouse over the post-connect service icon, the actual status shows that
the endpoint should be quarantined, but the quarantine action was unsuccess-
ful.
The following describes the process in more detail:
Access mode (1) overrides the items below it in the previous list (2, 3,
■
4, and 5). Use the Access mode radio buttons (System monitor>>select
a cluster>>Quarantining) to act globally on all endpoints in an Enforce-
ment cluster.
The Temporarily quarantine for/Temporarily grant access for radio
■
buttons (Endpoint activity>>select an endpoint check box>>Change
access) override the items below them in the list (3, 4, and 5).
• Use Temporarily quarantine for to temporarily quarantine endpoints
that:
– Have been designated Whitelist (System configuration>>Excep-
tions)
– Are defined in NAC policies and have passed tests
Use Temporarily grant access for to allow temporary access to end-
•
points that:
Have been designated Blacklist (System configuration>>Excep-
–
tions).
– Are defined in NAC policies and have failed tests