Add/Edit Policy Mapping Window


Use this window to add a new policy mapping or edit an existing policy mapping. A policy mapping specifies a policy role (created in Policy Manager) and/or any additional RADIUS attributes included as part of a RADIUS response to a switch (as defined in the Gateway RADIUS Attributes to Send field configured in the Edit Switch window). For more information on configuring policy mappings, see How to Set Up Access Policies and Policy Mappings.

Access this window by clicking the Add or Edit toolbar buttons in the Edit Policy Mapping Configuration window.

The fields in this window vary depending on whether you are using a basic or advanced policy mapping configuration. For a definition of each field, see below.

Edit Policy Mapping - Advanced


Name
Enter a name for the policy mapping.
Policy Role
Use the drop-down menu to select a policy role, or enter a policy role in the field. The drop-down list displays any policy roles you have created and saved in your Policy Manager database and/or all the policy roles contained in the Extreme Access Control Controller policy configuration. Roles from all your policy domains are listed; if there are duplicate names, only one is listed. The list is not case sensitive, so "Enterprise User" and "enterprise user" are considered duplicate policy names. All policy roles used in your mappings must be part of your Access Control Controller policy configuration and/or defined in Policy Manager and enforced to the EOS policy-enabled switches in your network.
NOTE: Entering a new policy role does not create a new role in Policy Manager.
VLAN [ID] Name
Use the drop-down list to select the appropriate VLAN associated with the policy. This list displays any VLANs that have been defined in the following legacy Java applications: Console, Policy Manager, and NAC Manager. Click the configuration menu button to the right of the field to add a VLAN to the list. VLANs that are added remain in the list only as long as they are being used in a mapping, and they are not added to the Console database.
Map to Location
Allows you to specify a certain location for the mapping. You should first configure your locations using the Advanced Configuration view (Tools > Management and Configuration > Advanced Configurations > NAC Configurations > Rule Components > Location Group) or you can click the configuration menu button to the right of the field to add a location group to the list. For more information on using the Location option in Policy Mappings, see the Edit Policy Mapping Configuration Window Help topic.
Filter
If your network devices require a custom Filter-Id, enter it here. The Filter column typically maps to the Filter-Id RADIUS attribute. This value applies to ExtremeWireless Wireless Controllers and other switches that support the Filter-Id attribute.
Login-LAT-Group
If your network devices require a Login-LAT-Group, enter it here.
Login-LAT-Port
If you have ExtremeWireless Wireless Controllers on your network, the Login-LAT-Port is an attribute returned in the default RADIUS response. The controller uses the Login-LAT-Port value to determine whether the authentication is fully authorized. A value of "1" indicates the authentication is authorized, whereas a value of "0" indicates that authorization is not complete. The controller treats a value of "0" as meaning that additional authentication is required, and as a signal to engage its external captive portal and use HTTP redirection to force HTTP traffic from the end-system to the defined Extreme Access Control engine. This is used in conjunction with the Registration and Assessment features of NAC Manager.
Management
Enter a management attribute used to authenticate requests for administrative access to the selected switches, for example, "mgmt=su:", "mgmt=rw:", or "mgmt=ro:". The management attribute determines the level of access the administrator has to the switch: superuser, read/write, or read-only. Be sure to include the final colon (":") in the attribute, or the management access does not work.
Custom
If your network devices require additional RADIUS response attributes in order to provide authorization or define additional parameters for the authenticated session, you can define them in the five available Custom option fields.
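
An added example, not part of the product or its documentation: a small Python check over policy mapping records that catches a Management attribute missing its final colon, Login-LAT-Port values other than "0" or "1", and policy role names that differ only by case. The record layout (dictionary keys such as management and login_lat_port) and the sample data are assumptions made for illustration; the check accepts only the three Management forms shown above and flags superuser mappings for review.

```python
import re

# Only the three forms shown on this page are accepted; the final colon is required.
MGMT_RE = re.compile(r"^mgmt=(su|rw|ro):$")

def check_mapping(m):
    """Return a list of findings for one mapping record (hypothetical dict layout)."""
    findings = []
    mgmt = m.get("management", "")
    if mgmt:
        match = MGMT_RE.match(mgmt)
        if not match:
            findings.append(f"management {mgmt!r} is not mgmt=su:, mgmt=rw: or mgmt=ro: "
                            "(check the final colon)")
        elif match.group(1) == "su":
            findings.append("management grants superuser access; confirm it is intended")
    lat = m.get("login_lat_port", "")
    if lat not in ("", "0", "1"):
        findings.append(f"Login-LAT-Port {lat!r} is neither 0 nor 1")
    return findings

def audit(mappings):
    """Check every mapping and flag policy roles that differ only by case."""
    report = {}
    spellings = {}
    for m in mappings:
        found = check_mapping(m)
        if found:
            report[m["name"]] = found
        role = m.get("policy_role", "")
        if role:
            spellings.setdefault(role.lower(), set()).add(role)
    for variants in spellings.values():
        if len(variants) > 1:
            report.setdefault("(policy roles)", []).append(
                "differ only by case: " + ", ".join(sorted(variants)))
    return report

# Constructed sample records, not exported from a real system.
SAMPLE = [
    {"name": "Admin", "policy_role": "Enterprise User", "management": "mgmt=su:"},
    {"name": "Operator", "policy_role": "enterprise user", "management": "mgmt=rw"},
    {"name": "Guest", "policy_role": "Guest Access", "login_lat_port": "0"},
    {"name": "Broken", "policy_role": "Guest Access", "login_lat_port": "2"},
]

if __name__ == "__main__":
    for name, items in audit(SAMPLE).items():
        print(name, "->", "; ".join(items))
```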
