Configuring Enforcement Policies

Only one enforcement policy can be associated with each service. Enforcement policies can be added in one of two ways:

From the Configuration > Services page as part of the flow of the Add Service wizard.

From Configuration > Enforcement > Enforcement Policies.

Figure 1  Enforcement Policies Page

Adding an Enforcement Policy

1. To add a new enforcement policy from the Enforcement Policies page, navigate to Configuration > Enforcement > Enforcement Policies.

2. Click Add. The Add Enforcement Policy page opens to the Enforcement tab:

Figure 2   Add Enforcement Policy > Enforcement Tab

3. Specify the Add Enforcement Policy > Enforcement parameters as described in the following table:

Table 1: Add Enforcement Policy > Enforcement Tab Parameters

Parameter: Action/Description

Name: Enter the name of this enforcement policy.

Description: Enter a useful description of this enforcement policy (recommended).

Enforcement Type: Select one of the following enforcement types:
- RADIUS (Remote Authentication Dial-In User Service): an industry-standard network access protocol for remote authentication. It provides authentication, authorization, and accounting of remote users who want to access network resources.
- TACACS+ (Terminal Access Controller Access Control System+): provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.
- WebAuth (SNMP/CLI/CoA): SNMP is the Simple Network Management Protocol, CLI is the device command-line interface, and CoA is RADIUS Change of Authorization, which allows dynamic modification of authenticated, authorized, and active subscriber sessions.
- Application
- Event
Based on this selection, the Default Profile drop-down lists the associated enforcement profiles.

NOTE: Web-based Authentication or WebAuth (HTTPS) is the mechanism used by authentications performed via a browser, and authentications performed via Policy Manager OnGuard. Both SNMP-based and CLI (SSH/Telnet)-based enforcement profiles can be sent to the network device, depending on the type of device and the use case.

Default Profile: Select the Default Profile from the drop-down.
An enforcement policy applies conditions (roles, health, and time attributes) against specific values associated with those attributes to determine the enforcement profile. If none of the rules matches, Policy Manager applies the default profile.
To add a new enforcement profile, click the Add New Enforcement Profile link.

4. In the Rules tab, click Add Rule to display the Rules Editor:

Figure 3  Add Enforcement Policy > Rules Editor

Table 2: Add Enforcement Policy: Rules Editor Action Buttons

Button: Action/Description

Add Rule: Click the Add Rule action button to open the Rules Editor and add a new rule.

Copy Rule: Select the rule you want to copy, then click the Copy Rule action button. The copied rule is added to the existing list of rules.

Move Up/Move Down: To change the order in which rules are evaluated in the enforcement policy, select an enforcement policy rule, then click Move Up or Move Down as desired.

Edit Rule: Select the rule you want to edit, then click the Edit Rule action button.

Remove Rule: Select the rule you want to delete, then click the Remove Rule action button.

5. Specify the Add Enforcement Policy > Rules tab parameters as described in the following table:

Table 3: Add Enforcement Policy: Rules Editor

Field: Description

Conditions/Enforcement Profiles: Select conditions for this rule. For each condition, select a matching action (enforcement profile).
NOTE: A condition in an enforcement policy rule can contain attributes from the following namespaces: Tips:Role, Tips:Posture, and Date.
NOTE: The value field for the Tips:Role attribute can be a role defined in Policy Manager, or a role fetched from the authorization source. You can enter role names fetched from the authorization source free-form in the Value field. To commit the rule, click Save.

Enforcement Profiles: If the rule conditions match, attributes from the selected enforcement profiles are sent to the Network Access Device. If a rule matches and there are multiple enforcement profiles, the enforcement profile disambiguation rules apply.

Refer to Configuring Enforcement Profiles for a list of the default profiles.
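The rule evaluation the tables above describe (ordered rules whose conditions draw on the Tips:Role, Tips:Posture and Date namespaces, the selected profiles sent on a match, and the default profile applied when no rule matches), as an added Python model that is not Policy Manager's own code. First-match evaluation, the EQUALS/NOT_EQUALS operator names, the Date:Day-of-Week attribute and all profile and role names are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime
# Constructed model of a Policy Manager enforcement policy (example code, not the
# product's): ordered rules with conditions on Tips:Role, Tips:Posture and Date,
# profiles sent on a match, and a default profile when nothing matches.
# First-match evaluation, operator names and Date:Day-of-Week are assumptions.

@dataclass
class Condition:
    attribute: str   # "Tips:Role", "Tips:Posture" or "Date:Day-of-Week"
    operator: str    # "EQUALS" or "NOT_EQUALS"; value may be one item or a list
    value: object

    def matches(self, request: dict) -> bool:
        # Sessions may carry several roles, so compare as sets; a missing
        # attribute becomes {None} and therefore never EQUALS a configured value.
        actual = request.get(self.attribute)
        have = set(actual) if isinstance(actual, (set, list, tuple)) else {actual}
        want = set(self.value) if isinstance(self.value, (list, tuple)) else {self.value}
        if self.operator not in ("EQUALS", "NOT_EQUALS"):
            raise ValueError(f"unsupported operator {self.operator}")
        return bool(have & want) == (self.operator == "EQUALS")

@dataclass
class EnforcementPolicy:
    default_profile: str
    rules: list = field(default_factory=list)   # each rule is (conditions, profiles)

    def evaluate(self, request: dict) -> list:
        """Profiles of the first rule whose conditions all hold, else the default."""
        for conditions, profiles in self.rules:
            if all(c.matches(request) for c in conditions):
                return list(profiles)
        return [self.default_profile]

def build_request(roles, posture, when_iso: str) -> dict:
    """Attributes a rule can test; Date:Day-of-Week comes from the timestamp."""
    return {"Tips:Role": set(roles), "Tips:Posture": posture,
            "Date:Day-of-Week": datetime.fromisoformat(when_iso).strftime("%A")}

# Constructed sample: quarantine anything not proven HEALTHY first (an endpoint
# with no posture result lands there too), then employees on weekdays, else guest.
SAMPLE_POLICY = EnforcementPolicy("Guest VLAN", [
    ([Condition("Tips:Posture", "NOT_EQUALS", "HEALTHY")], ["Quarantine VLAN"]),
    ([Condition("Tips:Role", "EQUALS", "Employee"),
      Condition("Date:Day-of-Week", "EQUALS",
                ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"])],
     ["Employee VLAN", "Employee Bandwidth"]),
])
```

Reversing the two rules (the equivalent of Move Up/Move Down) lets an unhealthy employee reach the Employee VLAN, which is why the quarantine rule is kept first.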

Binding SNMP Enforcement for Ingress Events

SNMP enforcement profiles can be bound to an event-based enforcement policy, which enables Policy Manager to trigger SNMP enforcement based on an Ingress event.

This section demonstrates how Policy Manager allows the binding of an SNMP-based enforcement profile to an event-based enforcement policy.

Figure 4  SNMP-Based Enforcement Profile

The configuration shown in Figure 5 demonstrates the binding of an SNMP-based enforcement profile to an event-based enforcement policy.

Figure 5  Binding an SNMP-Based Enforcement to an Event-Based Enforcement Policy