How to Create a Quarantine Role
The Quarantine role is a highly restrictive role used to isolate users and restrict network access.
The Quarantine role is used in conjunction with the Extreme Networks Intrusion Prevention System (IPS) and the NetSight Automated Security Manager to create an automatic response to threats detected on the network. Once the Quarantine role has been enforced to the network, and both the Extreme Networks IPS and the Automated Security Manager are properly configured, this role can be automatically set as the default role on any port where a threat has been detected. Normally, roles are applied to ports via authentication. In this case, however, the Automated Security Manager determines a network threat, identifies the responsible port, and applies the Quarantine role to the port.
The Quarantine role can also be used when configuring Quarantine Authentication in Policy Manager, and by the NetSight NAC Manager assessment functionality. You can also set the Quarantine role as a port's default role through Policy Manager if, for example, you have modified the role to provide some limited access and you want to use it as a "guest" role.
The Policy Manager default domain includes the Quarantine role. However, if you add a new domain, you will need to create the Quarantine role. For information on how to create a role, see How to Create a Role.
After you have created the role, you can modify the role's default class of service and access control settings, and make changes to the role's services and rules using the right-panel tabs, just like any other role. If you make any changes to the Quarantine role, keep in mind that the role may be used by other applications and should remain highly restrictive in nature.
Instructions on:
- Modifying the Quarantine Role: Use the right-panel tabs to modify the Quarantine role's default values and add or remove services.
- Setting the Quarantine Role as the Default Role on a Port: Use the right-panel General tab or the Port Configuration wizard to set the Quarantine role as a default role on a port.
Modifying the Quarantine Role
Once you've created a Quarantine role, you can change its characteristics by selecting the role in the Policy Manager's left panel and using the associated tabs in the right panel.
NOTE: Because it is used by the Automated Security Manager, you cannot rename the Quarantine role.
Modifying Default Values
Use the General tab to change the Quarantine role's default class of service and default access control settings, and to add or edit a description.
- Select the Quarantine Role in the left-panel Roles tab.
- In the right-panel General tab, select the desired default class of service and default access control settings.
- If desired, add or edit the role's description.
- Be sure to perform an Enforce to write the new Quarantine role to the devices.
Adding/Removing Services
Use the General tab to add services to or remove services from the Quarantine role.
- Select the Quarantine Role in the left-panel Roles tab.
- In the right-panel General tab, click Add/Remove Services. This opens the Add/Remove Services window.
- Make sure the Quarantine role is displayed in the Role selection box.
- In the Groups and Services panel, select the services and/or service groups you wish to add to the role, and click Add. To remove services, select them in the Selected Services panel and click Remove.
NOTE: Policy Manager checks for rule conflicts when more than one service is added. See Conflict Checking for more information.
- Click OK.
- Be sure to perform an Enforce to write the new Quarantine role to the devices.
Setting the Quarantine Role as the Default Role on a Port
When the Automated Security Manager detects a threat on the network, it automatically assigns the Quarantine role as the default role on that port. However, there may be circumstances when you would like to use Policy Manager to assign the Quarantine role as the default role on one or more ports. For example, if you have modified the Quarantine role to provide limited access, you may want to use it as the default role for guest users on your network.
The Quarantine role is assigned as a default role just like any other role. Refer to Assigning Default Roles to Ports for instructions.
