Edit Policy Mapping Configuration Window
In your NAC profiles, each access policy (Accept, Quarantine, Failsafe, and Assessment) is associated to a policy mapping that defines exactly how NAC Manager handles end-system traffic on the network. Each mapping specifies a policy role (created in Policy Manager) and/or any additional RADIUS attributes included as part of a RADIUS response to a switch.
The RADIUS attributes required by a switch are specified in the Gateway RADIUS Attributes to Send field configured in the Edit Switch window. The actual switch RADIUS attribute values (Login-LAT-Port, Custom 1, etc.) are defined within each policy mapping configured in this window. Each policy mapping is associated with the access policy selected in your NAC profiles.
When an end-system authenticates to the network, the NAC profile is applied and the appropriate RADIUS response attributes are extracted from the mapping based on the switch the authentication request originated from. The attributes are returned to the switch in the RADIUS Access-Accept response.
For more information on configuring policy mappings, see How to Set Up Access Policies and Policy Mappings. For a description of each NAC Manager access policy, and some guidelines for creating corresponding policy roles in Policy Manager, see the section on Access Policies in the Concepts file.
To access this window, click on the Manage button in the Policy Mappings section in the New/Edit NAC Profile window. (You can also access your policy mappings in the Advanced Configuration tool by selecting Tools > Management and Configuration > Advanced Configurations from the menu bar. In the left-panel tree, expand the NAC Profiles folder and click on the Policy Mappings folder.)
The columns displayed in this window vary depending on whether you are using a Basic or Advanced policy mapping configuration. For a definition of each column, see below.
Advanced Policy Mapping Configuration
NAC Manager provides a list of default policy mappings that you can use, or you can create your own policy mappings, if desired. Use the toolbar buttons at the top of the window to add, edit, or delete mappings.
Use the configuration menu button to access options for managing the import and export of mappings.
- Import from File - Opens a window where you can select a file for importing policy mappings. In the file, policy mappings must be listed one mapping per line using the following format. (Fields in brackets < > are optional; all other fields are required.)
Name, PolicyName, Location, VlanName, VlanId, <LoginLATGroup>, <LoginLATPort>, <Management>, <Filter>, <Custom1>, <Custom2>, <Custom3>, <Custom4>, <Custom5>
For example: Assessing, Assessing, Any, Default VLAN, 1, Assessing, 0 , , Assessing
For an explanation of the different fields, see the Add Policy Mapping window Help topic.
- Import from Policy Manager Domains - This operation creates new policy mappings in NAC Manager based on policy roles and corresponding VLANs imported from Policy Manager. The import also updates VLAN information for existing policy mappings already in the table. The import removes mappings from NAC Manager if the policy no longer exists in Policy Manager and is not being used by NAC Manager (via a NAC profile). If the policy is being used, the policy name is cleared. This results in an error notification on enforce of the NAC configuration to the Extreme Access Control engine.
This operation should not be used if policy mapping attributes are being managed outside of Policy Manager. An example would be a scenario in which RFC 3580-capable third-party devices participate in NAC Manager, where default policy mapping names (Enterprise User, Assessing, etc.) have been updated to define VLAN information that is not configured in the policy roles of the same name that exist in Policy Manager, which is used to configure EOS switches. If this scenario exists and the duplicate-named policy roles are imported, the imported VLAN information overwrites the existing VLAN information.
- Export to Policy Manager Domain - This operation exports the selected policy mappings to a policy domain. It verifies that the VLANs in the policy mappings exist in the policy domain. You can select an option to set the VLANs to forward as tagged, in which case existing VLANs are updated. The operation also verifies that policies referenced in NAC Manager exist in the policy domain. Missing policies are added as roles.
- Clean Up Policies Missing from Policy Manager - Opens a window that lists any policies not defined in Policy Manager, allowing you to remove mappings or clear policies from NAC Manager if the policy no longer exists in Policy Manager and is not being used by NAC Manager in a NAC profile. If the policy is being used in a NAC profile, only the policy name is cleared. Do not select mappings for policies that are being managed outside of Policy Manager, for example, for third-party devices.
Column Definitions
- Name
- The policy mapping name.
- Policy Role
- The policy role assigned to this mapping. All policy roles used in your mappings must be part of your Extreme Access Control Controller policy configuration and/or defined in Policy Manager and enforced to the policy-enabled switches in your network.
- Location
- Policy mapping locations allow authentication requests that match the same NAC rule and corresponding NAC profile to be authorized to different accept attributes (policy/VLAN/Custom Attribute) based on the location the request originated from. For example, in the Policy Mapping Configuration screenshot above, the Administration policy mapping has five entries, with each entry assigning a different VLAN (for RFC 3580-enabled switches) for authentication requests matching the specified location. Requests originating from the 1st floor South location are authorized to VLAN 100, and requests originating from the 2nd floor North location (matching the same NAC rule) are authorized to VLAN 220. Using locations in this manner lets you authorize end-systems to different access criteria using a single NAC rule, whereas the alternative is to create multiple location-based NAC rules each with a NAC Profile that corresponds with the desired access value.
When policy mapping locations are used in this manner, it is important to include a catch-all policy mapping (the fifth Administration mapping in the example above) that has a location of "any" and sets the access behavior for an authorization originating from any other location. The access behavior could be a policy/VLAN/Custom Attribute that grants some form of restricted access, or one that denies access altogether. If a catch-all mapping is not included, a warning message may appear on enforce indicating that no catch-all mapping is configured, and authorizations that match the policy but do not originate from a defined location may result in errors or unpredictable behavior.
- VLAN Name
- If you have RFC 3580-enabled switches in your network, this column displays the VLAN name assigned to this mapping.
- VLAN ID
- If you have RFC 3580-enabled switches in your network, this column displays the VLAN ID assigned to this mapping.
- Filter
- This value is only displayed in Basic mode if ExtremeWireless Controllers have been added to NAC Manager. The Filter column typically maps to the Filter-Id RADIUS attribute. This value applies to ExtremeWireless Controllers and other switches that support the Filter-Id attribute.
- Login-LAT-Port
- If you have ExtremeWireless Controllers on your network, the Login-LAT-Port is an attribute returned in the default RADIUS response. The Login-LAT-Port value is used by the controller to determine whether the authentication is fully authorized. A value of "1" indicates the authentication is authorized, whereas a value of "0" indicates that authorization is not complete. The value of "0" is used by the controller to determine that additional authentication is required and is a signal for the controller to engage its external captive portal and use HTTP redirection to force HTTP traffic from the end-system to the defined Extreme Access Control engine. This is used in conjunction with the Registration and Assessment features of NAC Manager.
- Management
- The authorization attribute returned for successful administrative access authentication requests that originate from network equipment configured to use RADIUS as the authentication mechanism for remote management of switches, routers, VPN concentrators, etc. Examples of management values for EOS devices are: "mgmt=su:", "mgmt=rw:", or "mgmt=ro:". The management attribute determines the level of access the administrator is granted when authorized to access the device: superuser, read/write, or read-only.
- Custom
- Some network devices require additional RADIUS response attributes in order to provide authorization or define additional parameters for the authenticated session. These additional attributes can be defined in the five available Custom option fields.
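As an added example (not NAC Manager's own code), the following Python parses import-file lines in the format given under Import from File, rejects a line with an empty required field, a non-numeric VlanId or a Login-LAT-Port other than 0 or 1, and then applies the Location guidance above: it reports mapping names that lack an "Any" catch-all entry and resolves a request's location to an entry with that fallback. The sample lines and the validity rules are this example's own assumptions.

```python
# Added example (not NAC Manager code): parse and sanity-check import lines.
from collections import namedtuple
from typing import Optional

FIELDS = ["Name", "PolicyName", "Location", "VlanName", "VlanId",
          "LoginLATGroup", "LoginLATPort", "Management", "Filter",
          "Custom1", "Custom2", "Custom3", "Custom4", "Custom5"]
REQUIRED = 5  # the first five fields are mandatory, the rest are optional
# attrs holds the optional RADIUS attributes that were present, by field name
Mapping = namedtuple("Mapping", "name policy location vlan_name vlan_id attrs")

def parse_line(line: str) -> Mapping:
    """Parse one 'Name, PolicyName, Location, VlanName, VlanId, <...>' line."""
    parts = [p.strip() for p in line.split(",")]
    if not REQUIRED <= len(parts) <= len(FIELDS):
        raise ValueError(f"expected {REQUIRED}..{len(FIELDS)} fields: {line!r}")
    if any(p == "" for p in parts[:REQUIRED]):
        raise ValueError(f"required field is empty: {line!r}")
    if not parts[4].isdigit():
        raise ValueError(f"VlanId must be numeric: {parts[4]!r}")
    attrs = {k: v for k, v in zip(FIELDS[REQUIRED:], parts[REQUIRED:]) if v}
    if attrs.get("LoginLATPort", "0") not in ("0", "1"):
        raise ValueError(f"Login-LAT-Port must be 0 or 1: {attrs['LoginLATPort']!r}")
    return Mapping(parts[0], parts[1], parts[2], parts[3], int(parts[4]), attrs)

def parse_file(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]

def missing_catch_all(mappings) -> list:
    """Mapping names with no location 'Any' entry (enforce would warn)."""
    locs = {}
    for m in mappings:
        locs.setdefault(m.name, set()).add(m.location.lower())
    return sorted(n for n, s in locs.items() if "any" not in s)

def select(mappings, name: str, location: str) -> Optional[Mapping]:
    """Entry matching the request's location, else the 'Any' catch-all."""
    same = [m for m in mappings if m.name == name]
    exact = [m for m in same if m.location.lower() == location.lower()]
    catch_all = [m for m in same if m.location.lower() == "any"]
    return (exact or catch_all or [None])[0]

# Constructed sample import file (not taken from the product documentation).
SAMPLE = """Administration, Administration, 1st floor South, VLAN100, 100
Administration, Administration, 2nd floor North, VLAN220, 220
Administration, Administration, Any, Default VLAN, 1
Assessing, Assessing, Any, Default VLAN, 1, Assessing, 0 , , Assessing
Guest, Guest, Lobby, GuestVLAN, 300"""
```

Running `missing_catch_all(parse_file(SAMPLE))` flags Guest, the one mapping with a location-specific entry but no "Any" fallback.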