Symantec Security Expressions Server Audit on Connect Tracing

SecurityExpressions Server User Guide

A read-only line that reminds you to configure ACS so that NAD redirects users who try to

connect to the network from quarantined systems to the URL listed.

Redirection Web Page Behavior

Select the information and resources the redirection Web page should provide to users on

quarantined systems if URL redirection is configured in ACS. The options are:

• Display a message that the user must contact an administrator for access

and leave in quarantine. To customize this message, modify NAC/NotHealthy.aspx.

• Display the results of the failed audit and a message stating that an

administrator has been notified, then grant access to the network and

remove from quarantine.

Managed Systems - NAC removes the system from quarantine by sending a token of

Healthy to ACS. To customize the message for managed systems, modify

NAC/PermitAccess.aspx.

Unmanaged Systems - The Web page displays instructions on how to perform a self

audit. When users click Next, NAC removes the system from quarantine by sending a

token of Healthy to ACS. To customize the message for unmanaged systems, modify

NAC/UnmanagedSelfAudit.aspx.

• Provide help with remediation. Display the following URL containing

instructions for self-remediation. Allow the user to perform self-service

audits to verify. Type a URL where users can get remediation instructions. After

they remediate, the redirection Web page describes how to perform a self audit. To

customize this message, modify NAC/SelfRemediate.aspx.

Audit on Connect Tracing

Audit on Connect Tracing

Audit on Connect audit events are complex, involving lots of variables. If you suspect Audit on

Connect is not operating as expected, you would have a hard time troubleshooting the problem

on your own. The AOC Tracing page keeps track of any Audit on Connect activity occurring

during a set time period, recording the details of the activity caused by the audit event and listing

the Audit on Connect settings configured for the audit event. This empowers you to troubleshoot

possible problems in Audit on Connect activity or configuration.

AOC tracing shows:

• when a computer listed in a scope connects to the network

• which device type, policies, scope, notifications, exceptions, and connection-monitor type

were involved in the audit event

• if a slow link was detected

• trace-route information, if enabled

• Cisco Network Admissions Control (NAC) activity, if any

• if a cached policy file is used

Tip: AOC tracing is designed to be turned on and off, running for set lengths of time. It does not

record constantly or permanently log tracing data. If you suspect problems, determine when the

suspect activity will occur. Then turn it on and set it to run for the length of time you expect the

activity to take.