How to Set Up Access Policies and Policy Mappings
Access policies define the appropriate level of access to network resources allocated to a connecting end-system based on the end-system's authentication and/or assessment results. There are four access policies defined in a NAC profile: Accept policy, Quarantine policy, Failsafe policy, and Assessment policy. When an end-system connects to the network, it will be assigned one of these access policies, as determined by the NAC profile assigned to the matching NAC rule and the end-system state.
In your NAC profiles, each access policy is associated to a policy mapping that defines exactly how an end-system's traffic will be handled when the access policy is applied.
A policy mapping specifies the policy role (created in Policy Manager) and other RADIUS attributes that will be included as part of a RADIUS response to a switch. The RADIUS attributes required by the switch are defined in the Gateway RADIUS Attributes to Send field configured in the Edit Switch window. Policy mappings are configured in the Edit Policy Mapping Configuration window.
How you set up your access policies depends on whether your network utilizes NAC Controller appliances and/or NAC Gateway appliances. In addition, if your network utilizes NAC Gateway appliances, your setup depends on whether your network contains EOS switches that support Policy, third-party switches that support RFC 3580, or switches that support RADIUS attributes that are defined manually.
If your network utilizes NAC L2/L3 controller appliances, the access policies specified in NAC profiles are mapped to policy roles that are defined in a default policy configuration already configured on the controller. It is recommended that you review this default policy configuration using the Policy Manager application. To do this, you must create a policy domain in Policy Manager specifically for the NAC Controller, assign the NAC Controller to the domain, then import the policy configuration from the device into Policy Manager (File > Import > Policy Configuration from Device). Review the policy roles and make any rule changes required for your environment. When you have finished modifying the policy configuration, you must enforce it back to the NAC Controller.
For NAC Gateway Appliances:
If your network utilizes NAC Gateway appliances, the access policies specified in NAC profiles are mapped to policy roles that must be created and defined in NetSight Policy Manager and enforced to the policy-enabled switches in your network. If you have RFC 3580-enabled switches in your network, NAC Manager lets you associate your policy roles to a VLAN ID or VLAN Name using the Policy Mappings editor. This allows your NAC Gateway appliances to send the appropriate VLAN attribute instead of a policy role to those switches that are RFC 3580-enabled.
Policy mappings have a Location option that allows different VLAN IDs to be returned for a policy based on the location the authentication request originated from. This is useful in networks that may have a VoIP/voice VLAN that is defined on multiple switches, but that VLAN maps to a unique VLAN ID on each switch. (For more information, see the section on Location in the Edit Policy Mapping Configuration Window Help topic.)
NOTE: If you have RFC 3580-enabled switches in your network, be sure to verify that the DHCP Resolution Delay Time option is set correctly in your Appliance Settings (Tools > Manage Advanced Configurations > Global and Appliance Settings). This option specifies the number of seconds a NAC appliance will wait after an authentication completes before attempting to resolve the end-system's IP address. When modifying this delay, keep in mind that for RFC 3580 devices, the appliance will link down/up a port to force the end-system to get a new IP address when NAC determines that the VLAN has changed. If the delay time specified is less than the amount of time the end-system needs to renew its IP address, then the NAC appliance may resolve the end-system's IP address incorrectly (to the previously held IP), or additional delay may be introduced as the resolution process attempts to resolve the address based on the configured retry interval. This is a problem when either registration or assessment is enabled: the registration process may never complete or may take an unacceptable amount of time to complete, or the NAC appliance could attempt to scan the incorrect IP address. Be sure to take into account the amount of time required for an end-system to get a new IP address when setting the delay time value.
Setting Up Your Access Policies
Before you begin working with NAC Manager, use these steps to define the policy mapping criteria (policy roles, corresponding VLAN IDs, etc.) that will be available for selection for each access policy.
- For each NAC profile, create a worksheet that lists the four NAC Manager access policies. For each access policy, associate a policy role (created in NetSight Policy Manager), and the policy role's corresponding VLAN ID, if you are using RFC 3580-enabled switches in your network. For a description of each NAC Manager access policy, and some guidelines for creating corresponding policy roles in Policy Manager, see the section on Access Policies in the Concepts file.
NOTE: If your network uses NAC Gateway appliances with only RFC 3580-enabled switches, instead of listing policy roles, simply create a list of policy names that correspond to the VLANs you will be using in your network. One tip is to use policy names that identify the corresponding VLAN name for ease of selection when you are creating your NAC profiles.
Here's an example of a worksheet for a NAC profile that contains both policy-enabled and RFC 3580 switches:

| Access Policy | Policy Role | VLAN ID |
|---|---|---|
| Accept Policy | Enterprise User | [2] Enterprise User VLAN |
| Quarantine Policy | Quarantine | [4] Quarantine VLAN |
| Failsafe Policy | Failsafe | [5] Failsafe VLAN |
| Assessment Policy | Assessing - Strict | [6] Assessing - Strict VLAN |

- For NAC Controllers, use Policy Manager to verify that the policy configuration contains the required policy roles, and that the configuration has been enforced to the NAC Controller. See the instructions above.
- For NAC Gateways, verify that each policy role listed on your worksheet has been created in NetSight Policy Manager and enforced to the policy-enabled switches in your network. If you have RFC 3580-enabled switches in your network, verify that your VLANs have been created on the switches in your network.
- Define the policy mappings that map each NAC Manager access policy to the appropriate policy role as specified in your worksheet.
- From the New/Edit NAC Profile window, click the Manage button in the Policy Mappings section. The Edit Policy Mapping Configuration window opens.
- In the Edit Policy Mapping Configuration window, select between a Basic policy mapping and an Advanced policy mapping, depending on your network needs. Typically, the Basic policy mapping configuration is used unless your devices require customization or you will be using locations in your mappings.
  You will see that NAC Manager provides a list of default policy mappings that you can use. Be aware that if you use one of the default mappings, you still need to verify that the policy role specified in the mapping is part of your NAC Controller policy configuration and/or is created and enforced to the policy-enabled switches in your network via Policy Manager.
- To add a new policy mapping, click the Add new mapping toolbar button to open the Add Policy Mapping window. For the new policy mapping, enter a mapping name and specify a policy role (created in Policy Manager) and other required RADIUS attributes that will be included in the RADIUS response to a switch. Click OK to add the mapping. Note that the required RADIUS attributes for your switches are defined in the Gateway RADIUS Attributes to Send field configured in the Edit Switch window. You can also use the configuration menu button to access options for managing the import and export of mappings:
  - Import from File - Opens a window where you can select a file for importing policy mappings. In the file, policy mappings must be listed one mapping per line using the following format. (Fields in brackets < > are optional; all other fields are required.)
    Name, PolicyName, Location, VlanName, VlanId, <LoginLATGroup>, <LoginLATPort>, <Management>, <Filter>, <Custom1>, <Custom2>, <Custom3>, <Custom4>, <Custom5>
    For example: Assessing, Assessing, Any, Default VLAN, 1, Assessing, 0 , , Assessing
    For an explanation of the different fields, see the Add Policy Mapping window Help topic.
  - Import from Policy Manager Domains - This operation creates new Policy Mappings in NAC Manager based on policy roles and corresponding VLANs imported from Policy Manager. It also updates VLAN information for the mappings if the mappings already exist in NAC. The import will remove mappings from NAC Manager if the policy no longer exists in Policy Manager and is not being used by NAC Manager (via a NAC profile). If the policy is being used, the policy name will be cleared. This will result in an error notification on enforce of the NAC configuration to the NAC appliance.
    This operation should not be used if policy mapping attributes are being managed outside of Policy Manager. An example would be a scenario in which RFC 3580-capable third-party devices participate in NAC, where default policy mapping names (Enterprise User, Assessing, etc.) have been updated to define VLAN information that is not configured in the policy roles of the same name that exist in Policy Manager, which is used to configure EOS switches. If this scenario exists, and the duplicate-named policy roles are imported, the existing VLAN information will be overwritten by the import.
  - Export to Policy Manager Domain - This operation will export the selected policy mappings to a policy domain. It will verify that VLANs in the policy mappings exist in the policy domain. You can select an option to set the VLANs to forward as tagged, and existing VLANs will be updated. The operation will also verify that policies referenced in NAC exist in the policy domain. Missing policies will be added as roles.
  - Clean Up Policies Missing from Policy Manager - Opens a window that lists any policies that are not defined in Policy Manager, allowing you to remove mappings or clear policies from NAC Manager if the policy no longer exists in Policy Manager and is not being used by NAC Manager in a NAC profile. If the policy is being used in a NAC profile, only the policy name will be cleared. Do not select mappings for policies that are being managed outside of Policy Manager, for example, for third-party devices.
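The following is an added example, not NAC Manager's own code, that parses an import file in the format above and flags the same problem the Clean Up Policies Missing from Policy Manager option reports: mapping lines whose PolicyName has no matching Policy Manager role. The field names come from the format line on this page; the VLAN ID range check and the list of Policy Manager role names are assumptions of the example.

```python
# Added example, not NAC Manager's own code: parse and sanity-check a policy
# mapping import file in the one-mapping-per-line format described above.
# Field names follow the help text; the VLAN ID range check and the cross-check
# against Policy Manager role names are this example's own assumptions.
FIELDS = ["Name", "PolicyName", "Location", "VlanName", "VlanId",
          "LoginLATGroup", "LoginLATPort", "Management", "Filter",
          "Custom1", "Custom2", "Custom3", "Custom4", "Custom5"]
REQUIRED = FIELDS[:5]          # fields not in < > brackets in the format line

def parse_mapping_line(line):
    """Parse one import line into a dict; raise ValueError if it is malformed."""
    values = [v.strip() for v in line.split(",")]
    if not len(REQUIRED) <= len(values) <= len(FIELDS):
        raise ValueError(f"expected {len(REQUIRED)}-{len(FIELDS)} fields, got {len(values)}")
    mapping = dict(zip(FIELDS, values))
    for field in REQUIRED:
        if not mapping[field]:
            raise ValueError(f"required field {field} is empty in {line!r}")
    # Assumption: a VLAN ID must be an integer in the 802.1Q range 1-4094.
    if not mapping["VlanId"].isdigit() or not 1 <= int(mapping["VlanId"]) <= 4094:
        raise ValueError(f"VlanId {mapping['VlanId']!r} is not a VLAN ID in 1-4094")
    mapping["VlanId"] = int(mapping["VlanId"])
    for field in FIELDS[len(values):]:   # optional fields left off the line
        mapping[field] = ""
    return mapping

def parse_mapping_file(text):
    """Parse a whole import file; blank lines are ignored."""
    return [parse_mapping_line(l) for l in text.splitlines() if l.strip()]

def policies_missing_from_policy_manager(mappings, policy_manager_roles):
    """PolicyName values that no Policy Manager role defines (the same condition
    the Clean Up Policies Missing from Policy Manager option reports)."""
    roles = set(policy_manager_roles)
    return sorted({m["PolicyName"] for m in mappings if m["PolicyName"] not in roles})

# Constructed sample: the page's example line plus two rows from the worksheet.
SAMPLE_FILE = """\
Assessing, Assessing, Any, Default VLAN, 1, Assessing, 0 , , Assessing
Enterprise User, Enterprise User, Any, Enterprise User VLAN, 2
Quarantine, Quarantine, Any, Quarantine VLAN, 4
"""

if __name__ == "__main__":
    print(policies_missing_from_policy_manager(parse_mapping_file(SAMPLE_FILE),
                                                ["Enterprise User", "Quarantine"]))
```

Run against an export of your real Policy Manager role names before importing, so that a mapping that would be left with a cleared policy name (and an enforce error) is caught first.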
- Click OK to close the Edit Policy Mapping Configuration window.
- In your NAC profile, you will see your policy mappings available for selection when you define your Accept, Quarantine, Failsafe, or Assessment access policy.
For information on related windows: