MetaAccess NAC 8.0.1 Cumulative Release Notes

398 Kansas Street San Francisco, CA 94103 T 415.590.7300 www.opswat.com

About This Document This is a summary of all changes to MetaAccess NAC (formerly SafeConnect NAC) since the 7.0.1 release.

Along with many smaller changes, the main areas of improvements highlighted are:

• MetaAccess NAC Rebranding and Integration

• Reporting Improvements

• Administration Console Improvements

• Policy Improvements

• Network Integration additions and enhancements

• RBE Improvements

• Transitioning to a Virtual Environment

MetaAccess NAC 8.0.1 Cumulative Release Notes

398 Kansas Street San Francisco, CA 94103 T 415.590.7300 www.opswat.com

MetaAccess Rebranding and Integration As we hope all SafeConnect customers are aware, Impulse was acquired by OPSWAT in December of

2019. Since that time, we have been working to integrate Impulse’s people, products, and processes

into OPSWAT. As of the 8.0.1 release, that integration is complete.

• SafeConnect NAC is now MetaAccess NAC and the user interface has been rebranded to OPSWATs colors, fonts, and logos.

• Integration with MetaAccess has been completed to support the use of MetaAccess’ Advanced Endpoint Compliance features on top of the Policy Key compliance checks, with a MetaAccess license. You can read more about these features here: https://onlinehelp.opswat.com/metaaccess/1._Getting_Started.html

MetaAccess NAC 8.0.1 Cumulative Release Notes

398 Kansas Street San Francisco, CA 94103 T 415.590.7300 www.opswat.com

Reporting Improvements

• The weekly usage report has been significantly reworked to optimize for better performance. If the key administrators in your organization are not receiving this weekly report, please contact OPSWAT Customer Success to learn how to configure it.

• Customers are now able to specify a custom sender email address for reports.

Administration Console General Improvements • Session time-outs will now be based on last activity, not login time.

• Updated MetaAccess NAC to reflect proper browser compatibility changes, for example, the administrative client is not supported on Internet Explorer, and it will clearly state that if you try using it there.

• Custom RADIUS certificates whose private key require a passphrase can now be uploaded via the UI.

• Purchased license count information is now available in the UI. This includes: o The License Key, which is newly introduced in this release as part of merging with

OPSWAT’s internal license management system. o The Tier which is either Essentials or Enterprise. This is dependent on the tier your

organization purchased. o Your organizations Concurrent Devices Allowed. This is the number you are currently

licensed to use. o Near the bottom are actual usage numbers for concurrent devices for three different time

periods to help you gauge potential over-license usage.

• Changing from LDAP to LDAPS on an existing authentication policy will allow testing when using the option for default certificates.

• Added a decline option to the email sent to administrators when Device Enrollment is requested. When the administrator does decline, the user is informed in the email they receive.

• Notification added to Subnet Mappings when a change to a subnet affects a pre-existing group.

MetaAccess NAC 8.0.1 Cumulative Release Notes

398 Kansas Street San Francisco, CA 94103 T 415.590.7300 www.opswat.com

Policy Improvements

▪ Added a new generic AV policy based on the Windows APIs.

Through this new policy a device will be considered compliant if, based on Windows Security, they have AV installed, enabled, and up to date. This is only supported for AV and malware vendors that integrate with Microsoft Windows to update the Security Center. This will allow many MetaAccess NAC customers to simplify the message to end users; as end users can be told that if Microsoft Security Center finds them compliant, so will MetaAccess NAC. An example of Windows Security Center reflecting a compliant device:

• Customers are now able to leverage any subdomain of myweblogon.com as their hostname (e.g. customername.myweblogon.com) for improved customer branding.

▪ Added better support for dual-boot devices to ensure they are consistently identified based on the currently active OS. For example, if a user normally boots a device to Windows, but

MetaAccess NAC 8.0.1 Cumulative Release Notes

398 Kansas Street San Francisco, CA 94103 T 415.590.7300 www.opswat.com

occasionally boots to Linux, the device will not be prompted to install the Policy Key when booted to Linux.

▪ As always, OPSWAT is working to keep the Policy Key up to date as the operating system vendors release new versions. Keeping with this, the MetaAccess NAC now support for iOS 14 and the Policy Key supports Policy Key macOS Big Sur (macOS 11).

▪ The authorized devices feature now allows enrollment by MAC address OUI. For customers who want to enroll many devices from the same manufacturer, this can greatly simplify the process of setting up and maintaining the list of enrolled devices.

▪ The built-in authentication pages for end users (example below) now support the full set of use cases for SAML as is supported for other authentication methods such as LDAP thereby easing SAML configuration.

Device Identification • Enhanced device identification to allow for better matching of device fingerprints. based on MAC

address patterns. The most common use case is to match on the MAC OUI but, where necessary, more granularity can be leveraged

Console Configuration Utility • The configuration utility will now require an additional prompt when testing and changing network

configurations beyond the initial setup.

• Updating the DNS server(s) inside the console configuration tool will no longer restart networking or any other services.

MetaAccess NAC 8.0.1 Cumulative Release Notes

398 Kansas Street San Francisco, CA 94103 T 415.590.7300 www.opswat.com

High Availability Improvements: • HA customers will now be able to view information about the node state. It is shown both in the

Enforcers section of Configuration, for example (where 10.102.20.10 is the VIP) and the enforcer with the Active IP is the current master.

• The HA Master/Backup status of the current enforcer is also shown in the lower-left corner of the Console Networking Configuration screen.

MetaAccess NAC 8.0.1 Cumulative Release Notes

398 Kansas Street San Francisco, CA 94103 T 415.590.7300 www.opswat.com

Threat Enforcement

New parser capability added for Palo Alto Threat Prevention Service.

MetaAccess NAC 8.0.1 Cumulative Release Notes

398 Kansas Street San Francisco, CA 94103 T 415.590.7300 www.opswat.com

Contextual Publishing The Contextual Intelligence Publisher output now includes the "class" attribute to support tighter integration with firewalls such as FortiGate. This provides enables better support for RADIUS SSO.

Network Integration Improvements

As the screen capture of the MetaAccess NAC NAS Type list below depicts, support for the following network vendors has been added or improved:

• Alcatel Wired: added • Ubiquiti Wireless: added

• Mist-Juniper Wireless: added

• Extreme-Identifi Wireless: added

• Extreme Wireless added

• Extreme Wired (XOS) added

• Dell OS6 Wired: added

• Dell Wired: now supports COA

• Cisco 9800 controller: COA disconnect message is now better supported

• Ubiquiti: COA handling to work better with open network.

MetaAccess NAC 8.0.1 Cumulative Release Notes

398 Kansas Street San Francisco, CA 94103 T 415.590.7300 www.opswat.com

Guest The full-featured guest module in MetaAccess NAC has been improved in the following ways:

• MetaAccess NAC now allows for guests to be created more than 30 days in the future

• Limit use of duplicate phone numbers for guest registration

AD Connector

If your organization uses the AD Connector, please contact OPSWAT’s Customer Success team if

you are not sure if you are the most recent version or have questions about how AD Connector

could help you better enforce policy for domain joined devices and users.

RBE – RADIUS-based Enforcement • New RBE roles no longer require VSAs to be populated for the corresponding role there by

permitting them to be omitted.

• The RADIUS Log Viewers have been improved to perform better.

• MetaAccess NAC now supports replicating RADIUS accounting to an upstream RADIUS server. For example, to relay the RADIUS to a SIEM.

MetaAccess NAC 8.0.1 Cumulative Release Notes

398 Kansas Street San Francisco, CA 94103 T 415.590.7300 www.opswat.com

Transitioning to Virtual Appliances

Due to the advantages of server virtualization (e.g. energy savings, improved availability, reduced rack space, and scalability at a lower cost), most MetaAccess NAC customers deploy a virtual appliance. OPSWAT has transitioned to a virtual deployment model. If you are currently running on a hardware platform today, and are ready to make the transition, our Customer Success team will work with you to schedule this migration. Note that MetaAccess NAC’s preferred virtualization platforms: VMWare, Microsoft Hyper-V, and Azure. MetaAccess NAC does support the free version of VMWare ESXi, and this is how many of our customers have MetaAccess NAC deployed today. Learn more here: https://onlinehelp.opswat.com/safeconnect-enforcer/. MetaAccess NAC’s Azure – Azure support was refreshed to ensure better support going forward. Note that an Azure MetaAccess NAC deployment does require a Layer-2 tunnel between Azure and the one or more premises that the NAC appliance(s) controls.

Incremental Release Notes See MetaAccess NAC incremental Release Notes for the longer list of smaller improvements and

issues addressed by minor version.