Designing Access Controls

Finalize Security Policies

The sections below describe designing policies with IDM.

Note: You can also define policies by setting up RADIUS attributes manually on RADIUS servers or on directory services that support RADIUS extensions.

Access Group Policies with IDM

If you are using IDM to manage policies, you should create one access policy group for each different type of user you expect on your network (students, faculty, guests, and so forth). In addition, you might need to create an access policy group for devices such as IP telephones.

As you make a list of access policy groups, keep the following items in mind:

Each access policy group contains information on group members, authentication criteria, and policy settings for that group; any member assigned to a group is automatically linked to its authentication criteria and its policies.

Each user can be assigned to only one access policy group. If you have a user with a particular set of requirements that are not shared by other users, you can assign that user to his or her own access policy group.

Each access group has its own policies, which consist of a set of rules.

Inputs to access group policy rules are location, time, system, WLAN, and endpoint integrity posture.

Output from each rule is the access profile, which is described in the section below.

Access group policy rules are processed in order. The first rule for which an authentication request matches all the inputs is applied.

Access Profile. An access profile defines the access rights (VLAN, QoS, rate limit, and resources [ACLs]) to be applied by the PEP to the user’s session.

You should generally create at least one access profile for each access policy group. You might then create additional profiles that will apply to the group under different circumstances. For example, you might create an “Employees” profile and an “Employees_weekend” profile. If you are using endpoint integrity, you must create at least one “quarantine” profile for users with non-compliant endpoints. You might also create a “test” profile for users who have just connected to the network and have not yet had their endpoint integrity checked.
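The group, rule and profile model described above can be sketched in code. The Python below is an added example, not part of this manual and not IDM's own code: it models first-match processing of access group policy rules over the five inputs named above (location, time, system, WLAN and endpoint integrity posture), returns an access profile (VLAN, QoS, rate limit, ACLs), and adds a check for rules that an earlier, broader rule shadows so they can never fire. Every user, group, profile, VLAN and ACL value is constructed for illustration, and the fallback profile applied when no rule matches is an assumption the text does not specify.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class AccessProfile:
    """Access rights the PEP applies to the session: VLAN, QoS, rate limit, ACLs."""
    name: str
    vlan: int
    qos: str
    rate_limit_kbps: Optional[int] = None
    acls: tuple = ()


@dataclass(frozen=True)
class Request:
    """The inputs to a rule for one authentication request."""
    user: str
    location: str
    when: datetime
    system: str             # the switch or access point acting as PEP
    wlan: Optional[str]     # SSID, or None for a wired port
    posture: str            # "compliant", "noncompliant" or "unchecked"


@dataclass(frozen=True)
class Rule:
    """One rule in a group's policy; None for an input means 'any value'."""
    profile: AccessProfile
    locations: Optional[frozenset] = None
    weekdays: Optional[frozenset] = None    # 0 = Monday ... 6 = Sunday
    hours: Optional[frozenset] = None       # hours of day, 0-23
    systems: Optional[frozenset] = None
    wlans: Optional[frozenset] = None
    postures: Optional[frozenset] = None

    def matches(self, req):
        """A rule applies only when every constrained input matches the request."""
        pairs = (
            (self.locations, req.location),
            (self.weekdays, req.when.weekday()),
            (self.hours, req.when.hour),
            (self.systems, req.system),
            (self.wlans, req.wlan),
            (self.postures, req.posture),
        )
        return all(allowed is None or value in allowed for allowed, value in pairs)


@dataclass
class AccessPolicyGroup:
    name: str
    members: frozenset       # each user belongs to exactly one group
    rules: tuple
    fallback: AccessProfile  # assumption: applied when no rule matches

    def evaluate(self, req):
        """Rules are processed in order; the first one matching all inputs wins."""
        if req.user not in self.members:
            raise LookupError(f"{req.user} is not a member of {self.name}")
        for rule in self.rules:
            if rule.matches(req):
                return rule.profile
        return self.fallback


INPUTS = ("locations", "weekdays", "hours", "systems", "wlans", "postures")


def shadowed_rules(group):
    """Indexes of rules that can never fire because an earlier rule already
    matches every request they would match (for example a quarantine rule
    listed after a broad 'all compliant employees' rule)."""
    found = []
    for j, later in enumerate(group.rules):
        for earlier in group.rules[:j]:
            if all(getattr(earlier, n) is None
                   or (getattr(later, n) is not None
                       and getattr(later, n) <= getattr(earlier, n))
                   for n in INPUTS):
                found.append(j)
                break
    return found


# Constructed sample data for one user type (employees); all values are invented.
EMPLOYEES = AccessProfile("Employees", vlan=10, qos="high", acls=("permit-corp",))
EMPLOYEES_WEEKEND = AccessProfile("Employees_weekend", vlan=10, qos="normal",
                                  rate_limit_kbps=2000, acls=("permit-corp",))
QUARANTINE = AccessProfile("Quarantine", vlan=900, qos="low", rate_limit_kbps=256,
                           acls=("remediation-servers-only",))
TEST = AccessProfile("Test", vlan=901, qos="low", acls=("posture-check-only",))
NO_ACCESS = AccessProfile("No_access", vlan=999, qos="low", rate_limit_kbps=0)

EMPLOYEE_GROUP = AccessPolicyGroup(
    name="Employees",
    members=frozenset({"alice", "bob"}),
    rules=(
        # Posture rules first, so a non-compliant or unchecked endpoint can
        # never pick up the full profile from a later, broader rule.
        Rule(QUARANTINE, postures=frozenset({"noncompliant"})),
        Rule(TEST, postures=frozenset({"unchecked"})),
        Rule(EMPLOYEES_WEEKEND, weekdays=frozenset({5, 6}),
             postures=frozenset({"compliant"})),
        Rule(EMPLOYEES, weekdays=frozenset(range(5)), hours=frozenset(range(8, 18)),
             postures=frozenset({"compliant"})),
    ),
    fallback=NO_ACCESS,
)


def decide(user, when_iso, posture, location="HQ", system="edge-sw-1", wlan=None,
           group=EMPLOYEE_GROUP):
    """Evaluate one request (time given as ISO 8601) and return the profile name."""
    req = Request(user, location, datetime.fromisoformat(when_iso), system, wlan, posture)
    return group.evaluate(req).name
```

With the rules ordered as above, a compliant employee on a Monday morning gets "Employees", the same employee on a Saturday gets "Employees_weekend", a non-compliant endpoint gets "Quarantine" regardless of time, and a weekday evening request falls through to the fallback. Running shadowed_rules over a group after editing it catches the ordering mistake the first-match semantics make easy: a rule placed after a broader one that already covers all its inputs is dead and the intended restriction never applies.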

You can list the access profiles for your network in Table 3-79.

3-107

HP Access Control Client Software manual Access Group Policies with IDM