How to Configure End-System Zones
End-system zones allow you to limit an Extreme Management Center user's access to end-system information and configuration based on end-system zone membership. Users are only authorized to view or control a subset of end-systems, delimited by zones.
End-system zones are configured and managed in NAC Manager, and are enforced for Management Center end-system information and configuration.
When an end-system authenticates to the network, NAC rules are used to assign a NAC profile and a zone to the end-system. This allows you to use a variety of rule components (such as End-System Groups, Location Groups, and User Groups) to determine the zone to which an end-system should be assigned.
A user's zone access is determined by the authorized zones that are assigned to the user group of which they are a member. User groups are created and configured in the Authorization/Device Access Tool (accessed from the Tool menu), and authorized zones are assigned to each user group in NAC Manager.
When end-systems are filtered by zone, only authorized end-systems appear on the Control tab end-system views. Management Center users must have the appropriate capabilities to view end-system information or perform end-system operations, and then zone authorization lets them view and configure only a subset of end-systems based on zone.
NAC Manager also lets you use rule groups as a way to limit a Management Center user’s access to rule group configuration operations in Management Center. Users are only authorized to view or make changes to a subset of rule groups. Whenever a user initiates a change to a rule group, such as adding or removing an end-system to or from a group, a check is performed to verify that the user is authorized to change that rule group.
NOTE: If you want to deny user access to Management Center end-system information (rather than just limiting it), you must use authorization group capabilities (configured in the Authorization/Device Access Tool), independent of the zone configuration. For more information on configuring access to end-system information based on capabilities, see Management Center Access Requirements, specifically Use Case 4 and Use Case 5.
Preliminary Steps
Before you configure your end-system zones in NAC Manager, you should plan the authorized end-system zones and authorized rule groups for each of your Management Center user groups.
Plan Your End-System Zones
Create a worksheet that lists your end-system zones, the rules they will be associated with, and the NAC profile that will be assigned.
For example, the following table outlines the zones for an enterprise based on various business departments and their location.
| Rule Name | Rule Summary | NAC Profile | Zone |
|---|---|---|---|
| Salem Sales | End-systems in Salem Sales | Sales Profile | Salem Zone |
| Salem Engineering | End-systems in Salem Engineering | Engineering Profile | Salem Zone |
| Salem Test Lab | End-systems in Salem Test Lab | Lab Profile | Salem Zone |
| New York Sales | End-systems in New York Sales | Sales Profile | New York Zone |
| New York Engineering | End-systems in New York Engineering | Engineering Profile | New York Zone |
| New York Test Lab | End-systems in New York Test Lab | Lab Profile | New York Zone |
| Registered Guests | End-systems in Registered Guests | Guest Access | Guest Zone |
| Default Catch-all | End-systems in catch-all | Quarantine Access | |
Determine User Group Zone Authorization
Create a worksheet that lists your user groups and their authorized zones and rule groups. Management Center users are assigned end-system zone and rule group authorization based on their user group membership. Before executing any end-system operation available in Management Center, the user's authorization to manage that end-system must be validated. Whenever a user initiates a change to a rule group, a check must be performed to determine if the user is authorized to change that rule group.
NOTES: Some operations modify several rule groups. For example, adding an end-system to one rule group may delete that end-system from another group. In this case, the user must be authorized to change both groups. If an end-system has no zone, only unrestricted users can view it.
Continuing the example above, the user group authorization worksheet might look like this:
| User Group | Authorized Zones | Authorized Rule Groups |
|---|---|---|
| Management Center Administrator | [unrestricted] | [unrestricted] |
| Salem Help Desk | Salem Zone, Guest Zone | Salem Sales, Salem Engineering, Salem Lab |
| New York Help Desk | New York Zone, Guest Zone | New York Sales, New York Engineering, New York Lab |
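The authorization model described above (zone-based visibility, a rule-group check that must cover every group an operation touches, and unzoned end-systems visible only to unrestricted users), as an added illustration in Python that is not part of NAC Manager or this document; the user groups, rule groups and MAC addresses are constructed from the worksheets above.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class UserGroup:
    """A Management Center user group; None stands for [unrestricted]."""
    name: str
    zones: Optional[Set[str]]
    rule_groups: Optional[Set[str]]

@dataclass
class EndSystem:
    mac: str
    zone: Optional[str]  # None: the matching NAC rule assigned no zone

def can_view(group: UserGroup, es: EndSystem) -> bool:
    """An end-system is visible only if its zone is authorized for the group;
    an end-system with no zone is visible only to unrestricted groups."""
    if group.zones is None:
        return True
    return es.zone is not None and es.zone in group.zones

def can_change_rule_groups(group: UserGroup, affected: Set[str]) -> bool:
    """An operation touching several rule groups (adding to one group can
    remove from another) needs authorization for every affected group."""
    if group.rule_groups is None:
        return True
    return affected <= group.rule_groups

# Constructed sample data mirroring the worksheets in this document.
ADMIN = UserGroup("Management Center Administrator", None, None)
SALEM = UserGroup("Salem Help Desk", {"Salem Zone", "Guest Zone"},
                  {"Salem Sales", "Salem Engineering", "Salem Lab"})
NEW_YORK = UserGroup("New York Help Desk", {"New York Zone", "Guest Zone"},
                     {"New York Sales", "New York Engineering", "New York Lab"})
END_SYSTEMS = [  # constructed MAC addresses
    EndSystem("00:00:5e:00:53:01", "Salem Zone"),
    EndSystem("00:00:5e:00:53:02", "New York Zone"),
    EndSystem("00:00:5e:00:53:03", "Guest Zone"),
    EndSystem("00:00:5e:00:53:04", None),  # matched the Default Catch-all rule
]

def visible_end_systems(group: UserGroup) -> List[str]:
    """MACs the group would see in a zone-filtered end-system view."""
    return [es.mac for es in END_SYSTEMS if can_view(group, es)]

if __name__ == "__main__":
    for g in (ADMIN, SALEM, NEW_YORK):
        print(g.name, visible_end_systems(g))
    print(can_change_rule_groups(SALEM, {"Salem Sales", "New York Sales"}))  # False
```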
Configuring Zones in NAC Manager
Use the following steps to configure your end-system zones in NAC Manager:
- Configure the end-system zones for your Management Center user groups:
  - In NAC Manager, select Tools > Management and Configuration > End-System Zones.
  - In the Manage End-System Zones window, select a Management Center user group in the list and then click the Edit button.
  - In the Edit User Group window, use the Select buttons to configure the end-system zones that users in the group will be authorized to manage and the rule groups that they will be allowed to modify. You can also enter a list of end-system zones, if desired, instead of using the Select buttons.
  - Close the Edit User Group window to return to the Manage End-System Zones window.
  - Repeat these steps to configure all your user groups. Any changes made to a user group's capabilities do not take effect for the user until the next time they log in.
- Associate your zones with the appropriate NAC rule:
  - In NAC Manager, use the toolbar button to open the NAC Configuration window, or use the Edit button in the Configuration tab.
  - Click the Rules icon in the left-panel tree.
  - In the right panel, click the button and select the Show Columns > Zone Column checkbox to add a Zone column to the rule list.
  - In the rule list, select one or more rules that you want to associate with a zone.
  - Click the button to open the Configure Rule Zone window.
  - Select a zone to associate with the rules. You may need to first add your zones using the New Zone button.
  - Click OK. The zone name appears in the Zone column in the rule list.
  - Repeat these steps until all of your zones are associated with the appropriate rules.