Configuring Authorization
=========================

Authorization can be completed at the time of initial authentication based on
AD/LDAP group membership or RADIUS attributes included in the authentication
request. Authorization can also be facilitated by RADIUS CoA after
authentication has been completed based on other criteria such as node group,
noncompliance with a policy, change in status, etc.

Configure Initial Authorization
-------------------------------

Genian NAC provides the ability to specify an attribute for a device when
it connects to the network. This can be used for assigning a VLAN, ACL or other
attribute based on an attribute of the node authenticating, such as
User-Name. Additionally, this feature can be used to selectively deny
authentication requests.

#. Go to **Policy** in the top panel.
#. Go to **Policy > RADIUS Policy** in the left panel.
#. Click **Tasks > Create**.
#. For **General**, input **Name**, **Priority**, and activation **Status**.
#. For **Conditions**, select **Attribute**.
#. Select **Operator** and **Value**.
#. Click **Add** button.
#. For **Policy**, choose to **ACCEPT** or **REJECT** Authentication Requests
   that match the attribute conditions.

   - If **ACCEPT**, select **Additional Attributes** to apply to the
     Node / User.

#. Click **Add** button.
#. Click **Create** button.

.. note:: You can use RADIUS attributes such as ``User-Name, Calling-Station-Id, Called-Station-Id, Framed-IP-Address, NAS-IP-Address, NAS-Port, Service-Type, Filter-Id, Login-IP-Host, Class, Vendor-Specific, NAS-Port-Type, Connect-Info, NAS-Port-ID, Aruba-User-Role, Aruba-Essid-Name``.

.. attention:: RADIUS client devices (the NAS) must support the tunnel attributes defined in `RFC2868`_ and IEEE 802.1X for client authentication.

.. _RFC2868: https://www.ietf.org/rfc/rfc2868.txt

Enable CoA (Change of Authorization)
------------------------------------

If a device changes status after being authenticated to the network, such as
violating a configured policy, the network access for the device can be
restricted or denied using various RADIUS attributes. This is provided through
a standard called CoA (Change of Authorization, defined in RFC 5176, Dynamic
Authorization Extensions to RADIUS).

The CoA will disconnect the device from the network at which point the device
will attempt to reconnect. The RADIUS server will then return the desired
attribute.

#. Go to **Policy** in the top panel.
#. Go to **Policy > Enforcement Policy** in the left panel.
#. Click the name of the enforcement policy that should disconnect the session.
#. Go to **Enforcement Options > RADIUS Control**.
#. For **RADIUS CoA**, select **On**.
#. For **CoA Commands**, select **Terminate Session** for a standard attribute or select another Vendor Specific Attribute (VSA).
#. For **Vendor-Specific-Attribute**, enter the VSA value (for example, ``Nas-filter-Rule = 'permit in tcp from any to any 23'``).
#. Click **Update** button.
#. Click **Apply** in the right top.
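As an added illustration of the RFC 5176 exchange behind the **Terminate Session** command (example code written for this page, not part of Genian NAC), the following Python builds a Disconnect-Request, computes its authenticator, has the NAS side answer with a Disconnect-ACK, and shows the shared-secret check a NAS performs before honouring a disconnect. The shared secret, identifier and session attributes are constructed sample values.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41  # RFC 5176 packet codes
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 31, 44  # RADIUS attribute types


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; struct rejects values over 253 bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_request(code, ident, attrs, secret):
    """Request Authenticator = MD5(code | id | length | 16 zero octets | attrs | secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def build_response(code, request, attrs, secret):
    """Response Authenticator covers the request's authenticator, tying the ACK to it."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_request(packet, secret):
    """NAS side: recompute the authenticator with the shared secret so forged disconnects are refused."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def verify_response(response, request, secret):
    """Server side: the NAS reply must echo the identifier and carry a valid authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def terminate_session_exchange(secret=b"constructed-shared-secret"):
    """Constructed sample: server sends Disconnect-Request for one session, the NAS answers ACK."""
    session = [(USER_NAME, b"alice"), (CALLING_STATION_ID, b"00-11-22-33-44-55"), (ACCT_SESSION_ID, b"0000A1B2")]
    req = build_request(DISCONNECT_REQUEST, 7, session, secret)
    ack = build_response(DISCONNECT_ACK, req, [], secret)
    forged = req[:-1] + bytes([req[-1] ^ 0x01])  # one attribute byte altered in transit
    return verify_request(req, secret), verify_response(ack, req, secret), verify_request(forged, secret)
```

The three results are: the genuine request is accepted by the NAS, its ACK verifies on the server, and the altered copy is rejected because the authenticator no longer matches.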