Understanding Access Control Policy

Genian NAC 6.0 uses three main policies to control network access: IP/MAC Policy, Node Policy, and Enforcement Policy.

IP/MAC Policy

IP and MAC features allow an administrator to manually or automatically control a device's IP address, and to allow or deny network access based on IP or MAC address.

To use these features in Genian NAC 6.0, you must configure the network sensor(s) in enforcement mode and enable an IP/MAC policy. This section will explain how to enable IPAM policy, enforce Conflict/Change Prevention, and set up time allowances for IP/MAC addresses.

Node Policy

Node Policies are mainly used for collecting information from Nodes, and managing their network presence while they are in a compliant state. Node Policies allow you to establish Authentication Policies based on User, Node, and Authentication method, as well as to define the standard operation of the endpoint agent and more.

To configure a Node Policy, create or use existing Node Groups (Managing Node Groups)

Next, navigate to Policy > Node Policy and select Tasks > Create.

Follow the Policy creation prompts to apply the policy to groups and configure options.

Enforcement Policy

While Node Policy collects node information and evaluates status, Enforcement Policy allows/blocks network access based on those results and performs additional actions. Additional actions include redirecting to CWP for policy compliance or controlling endpoints via the Agent.
To apply an Enforcement Policy, create the necessary Node Groups in Managing Node Groups, then assign the Node Group to the Enforcement Policy to apply it to the nodes included in that group.

Enforcement Policy consists of the following two components for Attribute-Based Access Control (ABAC).

Compliance Policy

This defines "what to block when non-compliant". It sequentially checks the compliance requirements that a node accessing the network must satisfy.

  • Rules are evaluated from top to bottom, and the first matching Enforcement Policy is applied to the node.

  • If no Enforcement Policy matches, the Permission Policy is applied.

  • Enforcement Policy and Permission Policy are not applied simultaneously.

Permission Policy

This defines "what can be done". It declaratively grants services/permissions accessible to nodes that have complied with all Enforcement Policies.

  • Uses a permission-centric node assignment model. A single node can have multiple permissions simultaneously.

  • There is no policy order; the node is granted the union of permissions from all Permission Policies it belongs to.
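The following Python model is an added illustration of the two-stage evaluation described above (ordered first-match Compliance Policies, then the union of all matching Permission Policies); it is not Genian NAC's own code or data model, and the policy names, node attributes and action labels are constructed for the example.

```python
# Constructed model of the Enforcement Policy evaluation order; the policy
# names, node attributes and action labels are hypothetical, not Genian NAC's.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple, Union

Node = Dict[str, object]            # node attributes, e.g. {"agent": True, "role": "staff"}
Condition = Callable[[Node], bool]  # predicate over node attributes

@dataclass
class CompliancePolicy:
    name: str
    matches: Condition   # non-compliance condition; True means this policy applies
    action: str          # what to do when non-compliant, e.g. "block", "redirect_cwp"

@dataclass
class PermissionPolicy:
    name: str
    matches: Condition             # group membership condition
    permissions: FrozenSet[str]    # services/permissions granted to members

def evaluate(node: Node,
             compliance: List[CompliancePolicy],
             permissions: List[PermissionPolicy]) -> Tuple[str, Union[str, FrozenSet[str]]]:
    """Return ("enforce", action) for the first matching Compliance Policy,
    otherwise ("permit", union of permissions). The two stages never both apply."""
    # Stage 1: ordered, first match wins; later Compliance Policies are not consulted.
    for policy in compliance:
        if policy.matches(node):
            return ("enforce", policy.action)
    # Stage 2: unordered; a node in several Permission Policies receives
    # the union of everything they grant (an empty set if none match).
    granted: FrozenSet[str] = frozenset()
    for policy in permissions:
        if policy.matches(node):
            granted |= policy.permissions
    return ("permit", granted)

# Constructed sample policies (not from the original page).
COMPLIANCE = [
    CompliancePolicy("No agent", lambda n: not n.get("agent", False), "redirect_cwp"),
    CompliancePolicy("AV outdated", lambda n: not n.get("av_updated", False), "block"),
]
PERMISSIONS = [
    PermissionPolicy("All employees", lambda n: n.get("role") in {"staff", "admin"},
                     frozenset({"internet", "intranet"})),
    PermissionPolicy("Admins", lambda n: n.get("role") == "admin", frozenset({"mgmt_vlan"})),
]
```

Note that the admin node with a missing agent is redirected rather than blocked, because "No agent" sits above "AV outdated" in the ordered list.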

RADIUS Policy

RADIUS Policy is used to approve/deny user authentication attempts via RADIUS (wireless and wired) and perform additional actions.
These additional actions include configuring ACL, VLAN, Session timeout, and Filters on the switch port where the allowed node is connected.

To configure the policy, you must use an existing User Group or create a new one.

Next, navigate to Policy > RADIUS Policy > Tasks > Create.

Follow the policy creation procedure to assign a User Group to the policy, add conditions, and configure detailed policy settings.