Designing Access Controls
Finalize Security Policies
Note: Some directories, such as eDirectory, allow you to extend the schema with RADIUS attributes. You can then assign dynamic settings directly to a user or group object rather than through a RADIUS server policy. See your LDAP server’s documentation to determine whether or not it supports this option.
Create the NAC Policies
You have already learned how to quarantine
The NAC 800 tests endpoints against NAC policies. As you learned in Chapter 1, “Access Control Concepts,” a NAC policy consists of a series of tests, the conditions an endpoint must meet to pass each test, and the actions the NAC 800 takes when an endpoint fails a test.
NAC policies are divided into groups, and each NAC 800 enforcement cluster (a group of enforcement servers, or ESs, that test the same pool of endpoints and enforce the same quarantine method) is assigned exactly one NAC policy group.
Because you can create a variety of NAC policies and policy groups, you have precise control over which tests will be applied to which endpoints.
Design NAC Policy Groups
You will create a policy group and then add policies to the group. Create one policy for each set of endpoints that you want to test in a different way. If all endpoints must meet the same conditions, a single policy is enough.
The NAC 800 matches an endpoint to a particular policy by one of the following identifiers:
■Domain name
■MAC address
■NetBIOS name
■IP address
This means that you can set up different policies for different:
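To make the matching described above concrete, here is an added model of a NAC policy group in Python. It is illustrative code written for this page, not NAC 800 software: the four selectors (domain name, MAC address, NetBIOS name, IP address) come from the text, but the rule that a policy claims an endpoint when any one of its selectors matches, the rule that the first matching policy in the group wins, the catch-all policy with no selectors, the action names "quarantine" and "notify", and the endpoint facts (antivirus state, patch state, an open Telnet port) are all assumptions chosen for the example. Consult the NAC 800 documentation for the product's actual precedence rules and test catalogue.

```python
"""Illustrative model of NAC policy-group matching and evaluation.

Hypothetical example written for this page, not NAC 800 code. The
matching semantics, action names and endpoint facts are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


def normalize_mac(mac: str) -> str:
    """Canonical form: upper-case hex with separators removed."""
    return "".join(c for c in mac.upper() if c in "0123456789ABCDEF")


@dataclass
class Endpoint:
    ip: str
    mac: str
    netbios: str = ""
    domain: str = ""
    # Constructed facts standing in for what an agent or scan would report.
    facts: Dict[str, bool] = field(default_factory=dict)


@dataclass
class Test:
    name: str
    passes: Callable[[Endpoint], bool]  # True means the endpoint passes
    on_fail: str  # assumed action labels: "quarantine" or "notify"


@dataclass
class Policy:
    name: str
    tests: List[Test]
    # Selectors mirror the four identifiers the text lists. Each is optional;
    # a policy with no selectors at all is treated as the catch-all.
    domains: List[str] = field(default_factory=list)
    mac_prefixes: List[str] = field(default_factory=list)  # e.g. vendor OUIs
    netbios_names: List[str] = field(default_factory=list)
    subnets: List[str] = field(default_factory=list)  # CIDR strings

    def matches(self, ep: Endpoint) -> bool:
        """Assumed rule: any one matching selector claims the endpoint."""
        if not (self.domains or self.mac_prefixes or self.netbios_names or self.subnets):
            return True
        if ep.domain and ep.domain.lower() in {d.lower() for d in self.domains}:
            return True
        mac = normalize_mac(ep.mac)
        if any(mac.startswith(normalize_mac(p)) for p in self.mac_prefixes):
            return True
        if ep.netbios and ep.netbios.upper() in {n.upper() for n in self.netbios_names}:
            return True
        addr = ipaddress.ip_address(ep.ip)
        return any(addr in ipaddress.ip_network(s, strict=False) for s in self.subnets)


@dataclass
class PolicyGroup:
    name: str
    policies: List[Policy]  # ordered: assumed first-match-wins

    def select(self, ep: Endpoint) -> Optional[Policy]:
        return next((p for p in self.policies if p.matches(ep)), None)

    def evaluate(self, ep: Endpoint) -> Dict[str, object]:
        policy = self.select(ep)
        if policy is None:
            # No policy claimed the endpoint: fail closed rather than admit it.
            return {"policy": None, "failed": [], "action": "quarantine"}
        failed = [t.name for t in policy.tests if not t.passes(ep)]
        actions = {t.on_fail for t in policy.tests if t.name in failed}
        if "quarantine" in actions:
            action = "quarantine"
        elif actions:
            action = "notify"
        else:
            action = "allow"
        return {"policy": policy.name, "failed": failed, "action": action}


def build_group() -> PolicyGroup:
    """Constructed sample group: printers by OUI, domain members, guest catch-all."""
    av = Test("antivirus_running", lambda e: e.facts.get("av_running", False), "quarantine")
    patched = Test("os_patched", lambda e: e.facts.get("patched", False), "notify")
    no_telnet = Test("telnet_closed", lambda e: not e.facts.get("telnet_open", True), "quarantine")
    return PolicyGroup("Main campus", [
        # Listed first so a printer on the corporate subnet is not tested as a PC.
        Policy("Printers", [no_telnet], mac_prefixes=["00:80:77"]),
        Policy("Domain members", [av, patched], domains=["corp.example"], subnets=["10.1.0.0/16"]),
        Policy("Guests", [av]),  # no selectors: catch-all
    ])


if __name__ == "__main__":
    group = build_group()
    for ep in (
        Endpoint("10.1.5.20", "00:1b:63:aa:bb:cc", "LT-0042", "corp.example", {"av_running": True, "patched": False}),
        Endpoint("10.1.9.7", "00-80-77-12-34-56", facts={"telnet_open": False}),
        Endpoint("192.168.50.10", "3c:22:fb:01:02:03", facts={"av_running": False}),
    ):
        print(ep.ip, group.evaluate(ep))
```

The ordering of the printer policy ahead of the domain-member policy is the design point worth noticing: both could claim a printer sitting on the 10.1.0.0/16 subnet, and only the order in the group decides which set of tests it receives. Whatever precedence the real product applies, list the most specific policy first and keep a catch-all at the end so that unknown devices are never left unmatched.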