Blocked? Network Access Control (NAC) Info


jmcgon
09-12-2006, 05:13 PM
As I'm sure we've all seen or experienced, the NAC is in full effect now and blocking lots of people... I figure this thread would be the best way to convey some useful tips to not only our employees, but also the students.

When installing Sophos AntiVirus on Windows, please please please READ the quick start guide (https://sitelicense.arizona.edu/sophos/download/sophos_quickstart.html). Many people who are installing Sophos are missing the most vital part of entering the proper update source. Without the proper update source, Sophos will not be updated and you will still not be able to access the network.
If your operating system is: 2000/XP/2003 type in: http://sophosru.arizona.edu/esxp
If your operating system is NT type in: http://sophosru.arizona.edu/esnt
If your operating system is Win95/98 type in: http://sophosru.arizona.edu/es9x


At this time, OSCR does not recommend installing anti-virus of any kind for Macintosh OS X. (Thanks Tom!)

As noted by Tajan and Dan, students in the dorms do not need to add their MAC address through student link. However, they will need their MAC address added through student link in order to use their computer anywhere else on campus (i.e. OSCR Labs). Consultants, take note of this bullet if you are helping someone with their computer and it will not get an IP address.

Instructions on installing and setting up the NAC can be found here (https://www.sirt.arizona.edu/nac/Network%20Access%20Control%20Step%20by%20Step.pdf).
What is the current NAC ruleset for students in the dorms?
Authentication: Required Once every 48 Hours.
Policy Key: If on Windows and does not have policy key installed, Immediate Quarantine.
NAT Policy: 2 Warnings 24 hours apart, then Quarantine if present.
Anti-Virus Policy: Immediate Quarantine if not Installed, Running, and Up-To-Date.
Anti-Spyware: Warning/Informational every 2 Weeks if not installed and running.
Operating System Updates: 2 Warnings 3 days apart, a third warning 24 hours later, then Quarantine if not set to automatically download.
Firewall: Warning/Informational page every 2 Weeks if not running.


The NAC at this time is not enforced while on UAWiFi. SIRT's webpage has not been updated to reflect this change. (Thanks Tom!)

You can find SIRT's FAQ regarding the NAC here (https://www.sirt.arizona.edu/nac/faq.htm)

You can check if a computer has been blocked by SIRT for being infected here (https://www.sirt.arizona.edu/gotblocked/index.php). You will need to log in to check a MAC Address.
If you are looking for UAWiFi help, OSCR has a help page here (http://www.oscr.arizona.edu/computer_help/wireless).
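
The dorm ruleset in the post above, modelled as a small escalation evaluator (an added example, not part of the original post and not PolicyKey's or SIRT's code). The `Host` class, the check names, the gap before the final quarantine step and the reset when a check passes again are assumptions.

```python
from datetime import datetime, timedelta

H = timedelta(hours=1)
# Escalation ladders from the posted dorm ruleset: (action, minimum gap since
# the previous step). The gap before the final quarantine is not stated in
# the post; reusing the last stated gap here is an assumption.
LADDERS = {
    "nat": [("warn", 0 * H), ("warn", 24 * H), ("quarantine", 24 * H)],
    "os_updates": [("warn", 0 * H), ("warn", 72 * H), ("warn", 24 * H),
                   ("quarantine", 24 * H)],
}
IMMEDIATE = {"policy_key", "antivirus"}   # quarantine on first failure
PERIODIC = {"antispyware", "firewall"}    # informational page every 2 weeks
AUTH_TTL, INFO_GAP = 48 * H, 14 * 24 * H


class Host:
    """Per-host escalation state (hypothetical model, not PolicyKey itself)."""

    def __init__(self, windows=True):
        self.windows, self.last_auth = windows, None
        self.taken, self.last = {}, {}    # steps already taken / time of last one

    def evaluate(self, now, failed):
        """Return {check: action} for one posture report at time `now`."""
        actions = {}
        if self.last_auth is None or now - self.last_auth >= AUTH_TTL:
            actions["auth"] = "login"
            self.last_auth = now          # assume the user logs in when asked
        for check in sorted(failed):
            if check == "policy_key" and not self.windows:
                continue                  # policy key rule is Windows-only
            if check in IMMEDIATE:
                actions[check] = "quarantine"
            elif check in PERIODIC:
                if check not in self.last or now - self.last[check] >= INFO_GAP:
                    actions[check], self.last[check] = "inform", now
            elif check in LADDERS:
                i, ladder = self.taken.get(check, 0), LADDERS[check]
                if i >= len(ladder):      # ladder exhausted: stay quarantined
                    actions[check] = "quarantine"
                elif i == 0 or now - self.last[check] >= ladder[i][1]:
                    actions[check], self.last[check] = ladder[i][0], now
                    self.taken[check] = i + 1
        for check in set(self.taken) - set(failed):   # fixed checks reset (assumption)
            del self.taken[check]
        return actions
```

A report with only `antivirus` failing returns `quarantine` on the first evaluation, while `os_updates` needs four failing reports spread over at least five days to reach quarantine under the assumed final gap.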

trees
09-12-2006, 09:32 PM
Great overall info, James! Particularly the correct paths for getting Sophos autoupdate to work.
But I would add that OSCR does not recommend installing anti-virus of any kind for Macintosh OS X at this time. There are various reasons for this, but the best one is that there is nothing presently worth protecting against.
Also, I know that the information about NAC on wireless (UAWIFI) is still listed on the SIRT page, but I'm pretty sure that it was never implemented. So, there is no NAC (at the moment and in the foreseeable future) on the UA wireless networks. That could change of course. Apparently there were too many complications and the wireless NAC has been dropped for now. I guess they have never updated their page.

jmcgon
09-12-2006, 09:56 PM
Thanks for the info Tom! I've updated my original post to reflect your additions/changes.

dparm
09-12-2006, 11:34 PM
Tom, I was always under the impression that Apple users should install Sophos so they do not help spread Windows viruses?

trees
09-13-2006, 06:34 AM
It would be nice if Mac users could have an impact on improving the lot of Windows users, but in reality it won't have much effect. With overall percentage numbers of around 5 percent, and maybe as high as 10-15 percent in the student campus population, and given how viruses typically spread, expecting the Macs to act as virus filters for Windows machines is futile. Add to that, that in reality, installing AV on a Mac does nothing for the user or machine other than complicate their life and OS, and that the only bad consequence of the Mac virus business on campus we have seen was caused not by a piece of malware, but the AV itself. The net result is a thumbs down for Mac AV software.
It is possible that the NAC will be extended to Linux and/or Mac. If SIRT erroneously decides that AV on these boxes will be enforced, we will, unfortunately, have to support that. Or, if/when viruses finally appear for OS X, we would certainly support Mac AV.
It boils down to: Mac users don't need it, and it wouldn't help the Windows majority anyway.

Unregistered
09-13-2006, 02:36 PM
It has blocked my computer for not configuring automatic updates, but they are set to automatically download/install on my computer. It still won't allow me access. What should I do?

jmcgon
09-13-2006, 03:34 PM
It has blocked my computer for not configuring automatic updates, but they are set to automatically download/install on my computer. It still won't allow me access. What should I do?
You may have done this already, but the best way to fix something wrong in Windows (many things for that matter) is to reboot the computer. I'd try downloading any available Windows Updates as well before getting an appointment or walk-in with the OSCR techs.

Josh
09-17-2006, 09:20 PM
I emailed CCIT weeks ago about this and have not heard back about it. Rebooting my computer doesn't alleviate the problem. The problem is that PolicyKey is wrong, and I've seen this on two other computers in my hall.

Now I'm restricted to arizona.edu sites and hoping someone will wise up and take care of this soon as now I'm unable to utilize my own computer to do any work.

netid: javeryt

rjhill1
09-17-2006, 11:09 PM
You may have done this already, but the best way to fix something wrong in Windows (many things for that matter) is to reboot the computer. I'd try downloading any available Windows Updates as well before getting an appointment or walk-in with the OSCR techs.

Yeah, the problem I've seen w/ this is that while Auto-Updating is turned on, nobody's got their comp on @ 3am (the default time in Windows), so the updates never get installed.

dparm
09-17-2006, 11:40 PM
I suggest going to Windows Update manually and downloading every update -- that includes the optional ones.

PolicyKey is not perfect, but the folks at Impulse are working with us to fix issues. The launch of a project on this scale is bound to hit some hiccups. You just have to learn to roll with them for the time being until it gets smoothed out.

jmcgon
09-18-2006, 12:46 PM
Err, very few people should need the optional updates. The KB articles related to the optional updates have a description of what hardware/software they are for. You're just cluttering your computer if you don't need them... I certainly hope the policykey is set up much better than as you describe it Dan, but of course we all have doubts. ;)

mah4
09-18-2006, 01:33 PM
Yeah, the problem I've seen w/ this is that while Auto-Updating is turned on, nobody's got their comp on @ 3am (the default time in Windows), so the updates never get installed.

When would you recommend to auto update? Can't be when they turn their computer off and can't be while they're working on it. Maybe we can ask a friendly question of what time their classes are and set it while they're in class...


Also I have seen that when people first start up their computer and rush on to the internet, they don't give their anti-virus time to update. So policykey hits them and says that their anti-virus is out of date. And instead of waiting a couple minutes for their AV to update and refresh, they think there is something wrong with their computer/policykey.

prohaska
09-18-2006, 03:57 PM
Good point about not waiting for updates, Mike. I've also noticed that.

As for the time it updates (3 am), most people don't check that. I usually ask people if they have their computer on every night at 3 am, and explain why I ask - otherwise, you get some strange looks. If they don't, they usually tell me a good time (most clients say every day at noon).