Understanding Access Control Policy
===================================

Genian NAC uses three main policies to control network access:
**IP/MAC Policy**, **Node Policy**, and **Enforcement Policy**.

IP/MAC Policy
-------------

IP and MAC features allow an administrator to manually or automatically control
a device's IP address, and to allow or deny network access based on IP or MAC
address.

To use these features in Genian NAC, you must configure the network sensor(s)
in enforcement mode and enable an IP/MAC policy. This section will explain how to
enable IPAM policy, enforce Conflict/Change Prevention, and set up time allowances
for IP/MAC addresses.

.. toctree::
   :maxdepth: 1

   ipmac-control/preparing-accesscontrol
   ipmac-control/changing-ipam
   ipmac-control/change-prevention
   ipmac-control/conflict-prevention
   ipmac-control/time-allowed

Node Policy
-----------

**Node Policies** are mainly used for collecting information from Nodes,
and managing their network presence while they are in a compliant state.
**Node Policies** allow you to establish **Authentication Policies** based on
User, Node, and Authentication method, as well as to define the standard
operation of the endpoint agent and more.

To configure a Node Policy, create or use existing **Node Groups**
(:doc:`/monitoring/network-nodes/managing-nodegroups`).

Next, navigate to **Policy > Node Policy** and select **Tasks > create**.

Follow the Policy creation prompts to apply the policy to groups and configure
options.

**See:**

- :doc:`/authentication/authentication-options`
- :doc:`/endpoints/agent-node-policy`
- :doc:`/monitoring/network-nodes/managing-nodes`

Enforcement Policy
------------------

While **Node Policies** are mainly used for collecting information from Nodes,
**Enforcement Policies** are typically used to block the endpoint from
accessing the network and potentially take additional action. This additional
action may involve redirection to a **Captive Web Portal** for compliance
instructions, or control of the endpoint through an agent.

Once **Node Groups** are created
(:doc:`/monitoring/network-nodes/managing-nodegroups`), controls can be defined
by creating **Enforcement Policies**. These policies can then be applied to the
**Node Group** to enforce those conditions upon the Nodes within the Group.

.. toctree::
   :maxdepth: 1

   enforcement-policy/permissions
   enforcement-policy/policy-nodegroup
   enforcement-policy/enforcement-agentaction

Troubleshooting
---------------

- :doc:`/troubleshoot/log-collect-method` 
- :doc:`/troubleshoot/diagnosis-method` 
- :doc:`/troubleshoot/not-match-agent-run-status`
- :doc:`/troubleshoot/agent-installed-not-running`
- :doc:`/troubleshoot/false-positive-platform` 
- :doc:`/troubleshoot/inconsistency-node-policy`