Configuring Enforcement Profiles

You can configure Policy Manager enforcement profiles globally, but a profile only takes effect when it is referenced by an enforcement policy that is associated with a service. Policy Manager includes the following enforcement profiles by default.

Table 1: Default Enforcement Profiles

Enforcement Profile | Type | Description
--- | --- | ---
[Aerohive - Terminate Session] | RADIUS_CoA | System-defined profile to disconnect a user (Aerohive).
[AirGroup Personal Device] | RADIUS | System-defined profile for an AirGroup personal device request.
[AirGroup Response] | RADIUS | System-defined profile for any AirGroup request.
[AirGroup Shared Device] | RADIUS | System-defined profile for an AirGroup shared device request.
[Allow Access Profile] | RADIUS | System-defined profile to allow network access.
[AOS-CX - Bounce Switch Port] | RADIUS_CoA | System-defined profile to bounce the switch port on AOS-CX switches.
[AOS-CX - Disconnect] | RADIUS_CoA | System-defined profile to disconnect a device on AOS-CX switches.
[Allow Application Access Profile] | Application | System-defined profile to allow access to an application.
ArubaOS Switching - Bounce Switch Port | RADIUS_CoA | System-defined profile to bounce the switch port on ArubaOS Switching products.
ArubaOS Switching - Terminate Session | RADIUS_CoA | System-defined profile to disconnect the user on ArubaOS Switching, HP ProCurve, and HP UWW (Unified Wired-WLAN) products.
ArubaOS Wireless - Bounce Switch Port | RADIUS_CoA | System-defined profile to bounce the switch port on ArubaOS Mobility controllers, Multi-Port APs, and Mobility Access Switches.
[ArubaOS Wireless - TACACS Read-Only Access] | TACACS | System-defined profile for TACACS read-only access on ArubaOS Mobility controllers, Aruba Instant APs, and Mobility Access Switches.
[ArubaOS Wireless - TACACS root Access] | TACACS | System-defined profile for TACACS root access on ArubaOS Mobility controllers, Aruba Instant APs, and Mobility Access Switches.
[Aruba Wireless - Terminate Session] | RADIUS_CoA | System-defined profile to disconnect the user on ArubaOS Mobility controllers, Aruba Instant APs, and Mobility Access Switches.
[Cisco - Bounce-Host-Port] | RADIUS_CoA | System-defined profile to bounce the host port (Cisco).
[Cisco - Disable Host-Port] | RADIUS_CoA | System-defined profile to disable the host port (Cisco).
[Cisco - Reauthenticate-Session] | RADIUS_CoA | System-defined profile to re-authenticate a session (Cisco).
[Cisco - Terminate-Session] | RADIUS_CoA | System-defined profile to disconnect a user (Cisco).
[Deny Access Profile] | RADIUS | System-defined profile to deny network access.
[Deny Application Access Profile] | Application | System-defined profile to deny access to an application.
[Drop Access Profile] | RADIUS | System-defined profile to drop the request.
[H3C - Bounce Switch Port] | RADIUS_CoA | System-defined profile to bounce the switch port on H3C products (including HPE FlexNetwork/Comware).
[H3C - Disable Switch Port] | RADIUS_CoA | System-defined profile to disable the switch port on H3C products (including HPE FlexNetwork/Comware).
[H3C - Terminate Session] | RADIUS_CoA | System-defined profile to disconnect the user on H3C products (including HPE FlexNetwork/Comware).
[Handle AirGroup Time Sharing] | HTTP | System-defined profile to send a time-based sharing policy to the AirGroup notification service.
[Juniper Terminate Session] | RADIUS_CoA | System-defined profile to disconnect a user (Juniper).
[Motorola - Terminate Session] | RADIUS_CoA | System-defined profile to disconnect a user (Motorola).
[Operator Login - Admin Users] | Application | Enforcement profile for Guest admin logins.
[Operator Login - Local Users] | Application | Enforcement profile for Guest operator logins.
Registered Device MPSK | RADIUS | Enforcement profile for Multiple Pre-Shared Key (MPSK) Device Registration. Returns a device's assigned MPSK that was generated automatically during Device Registration.
[Return Device Sponsor Name - RADIUS User-Name] | RADIUS | Returns the [Guest Device Repository]:SponsorName value as the RADIUS:IETF:User-Name value when Policy Manager is configured to use Multiple Pre-Shared Key (MPSK) authentication.
[TACACS API Admin] | TACACS | API admin access for Policy Manager Admin.
[TACACS Deny Profile] | TACACS | System-defined profile to deny network access.
[TACACS Help Desk] | TACACS | Help desk access for Policy Manager Admin.
[TACACS Network Admin] | TACACS | Network admin access for Policy Manager Admin.
[TACACS Read-only Admin] | TACACS | Read-only admin access for Policy Manager Admin.
[TACACS Receptionist] | TACACS | Receptionist access for Policy Manager Admin.
[TACACS Super Admin] | TACACS | Super admin access for Policy Manager Admin.
[Trapeze - Terminate Session] | RADIUS_CoA | System-defined profile to disconnect a user (Trapeze).
[Update Endpoint Known] | Post-Authentication | System-defined profile to change an Endpoint's status to Known.

 

If an enforcement profile is added to a copy of a policy and the policy is then renamed, after upgrading to 6.9.0 the profile does not appear in the copied (renamed) policy anymore, and null is displayed in its place. The profile appears in the default policy instead. If an enforcement profile is added to a non-default policy, and then that policy's name is changed and this issue occurs, the enforcement policy must be edited to use the appropriate default enforcement profile again.

Adding a New Enforcement Profile

Each enforcement policy contains rules that match conditions (role, posture, and time) to actions (enforcement profiles).

To create an enforcement profile:

1. Navigate to Configuration > Enforcement > Profiles. The Enforcement Profiles page opens:

Figure 1  Enforcement Profiles Page

2. Click the Add link. The Add Enforcement Profile dialog opens.

Figure 2  Add Enforcement Profile Dialog

Select any of the following enforcement profile templates to create a profile based on that template type.

Table 2: Enforcement Profile Templates

Template | Description
--- | ---
Aruba Downloadable Role Enforcement Profiles | When Policy Manager successfully authenticates a user, the user is assigned a role by Policy Manager. However, if the role is not defined on the Aruba controller or switch, you can use downloadable role enforcement profiles to allow the role attributes to be downloaded automatically.
Aruba RADIUS Enforcement Profile | Define an enforcement profile based on Aruba vendor-specific RADIUS attributes.
Cisco Downloadable ACL Enforcement Profile | Integrate a Cisco switch with Policy Manager by defining a Cisco Downloadable Access Control List (dACL) profile based on Cisco vendor-specific RADIUS attributes.
Cisco Web Authentication Enforcement Profile | Integrate a Cisco switch with Policy Manager by defining a Web authentication enforcement profile based on Cisco vendor-specific RADIUS attributes.
Filter ID Based Enforcement Profile | Define an enforcement profile based on RADIUS Internet Engineering Task Force (IETF) attributes.
RADIUS Based Enforcement Profile | Define an enforcement profile based on values from any of the following vendor-specific RADIUS attribute types: Radius:Aruba, Radius:IETF, Radius:Cisco, Radius:Hewlett-Packard-Enterprise, Radius:Lucent-Alcatel-Enterprise, Radius:Microsoft, Radius:Avenda.
RADIUS Dynamic Authorization Enforcement Profile | RADIUS dynamic authorization enforcement profile configuration pages contain a large variety of templates for different actions that are automatically populated with default RADIUS settings and values appropriate for that template type.
VLAN Enforcement Profile | Define an enforcement profile that assigns VLAN settings.
Agent Enforcement Profile | Agent Enforcement profiles allow Policy Manager to define actions to be executed by OnGuard agents.
Agent Script Enforcement Profile | Agent Script Enforcement profiles allow Policy Manager to execute custom scripts on endpoint devices as part of agent enforcement.
CLI-Based Enforcement Profile | CLI-Based Enforcement profiles allow Policy Manager to execute CLI commands on endpoint devices as part of agent enforcement.
Policy Manager Entity Update Enforcement Profile | Entity Update enforcement profiles can push endpoint information or status updates to devices after they have been authenticated.
Generic Application Enforcement Profile | Define an enforcement profile for an application.
HTTP Based Enforcement Profile | Define an HTTP-based enforcement policy.
SNMP-Based Enforcement Profile | Define SNMP-based enforcement profiles with attributes for a VLAN ID or session timeout period, or to reset the connection.
Session Notification Enforcement Profile | Use a Session Notification Enforcement profile to send notification of a change in IP address to any external context server (such as a firewall) by configuring that server as a generic HTTP server and adding the appropriate generic HTTP context server actions.
Session Restrictions Enforcement Profile |
TACACS+ Based Enforcement Profile |
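The RADIUS_CoA profiles in Table 1 and the RADIUS Dynamic Authorization template both rely on RFC 5176 dynamic authorization. The following Python is an added example, not Policy Manager code, showing how a Disconnect-Request such as the one a Terminate Session profile triggers is framed and authenticated, and how the NAS's Disconnect-ACK/NAK is validated before it is trusted, so a packet capture can be checked against the configured shared secret. The shared secret, identifier, user name and session ID are constructed placeholders, and the optional Message-Authenticator attribute is not included.

```python
"""RFC 5176 Disconnect-Request framing and ACK/NAK verification (added example)."""
import hashlib
import hmac
import struct

# RADIUS codes from RFC 5176; a RADIUS_CoA "Terminate Session" profile sends code 40.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
# Attribute types: User-Name (RFC 2865), Acct-Session-Id (RFC 2866), Error-Cause (RFC 5176)
USER_NAME, ACCT_SESSION_ID, ERROR_CAUSE = 1, 44, 101
ERROR_CAUSE_SESSION_NOT_FOUND = 503  # RFC 5176 section 3.5

# Constructed value for illustration only; a real deployment uses the NAS's configured secret.
SHARED_SECRET = b"constructed-shared-secret"


def encode_attr(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header octets."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_packet(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...]).
    Rejects packets whose Length field disagrees with the bytes received or whose
    attribute chain overruns the packet, which a receiver must check before acting."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_len = packet[pos + 1]
        attrs.append((packet[pos], packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def build_disconnect_request(secret, identifier, attrs):
    """Request Authenticator (RFC 5176 section 2.3):
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(packet, secret):
    """NAS side: recompute the Request Authenticator and compare in constant time."""
    _, _, authenticator, _ = parse_packet(packet)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def build_response(secret, request, code, attrs=()):
    """NAS side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    _, identifier, request_auth, _ = parse_packet(request)
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(response, request, secret):
    """Server side: accept only an ACK/NAK whose Identifier matches the outstanding
    request and whose Response Authenticator validates; anything else is discarded."""
    code, identifier, response_auth, _ = parse_packet(response)
    _, request_id, request_auth, _ = parse_packet(request)
    if identifier != request_id or code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(response_auth, expected)


def error_cause(response):
    """Return the Error-Cause value carried in a Disconnect-NAK, or None if absent."""
    _, _, _, attrs = parse_packet(response)
    for attr_type, value in attrs:
        if attr_type == ERROR_CAUSE and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


if __name__ == "__main__":
    # Constructed exchange: the server asks to drop one session, the NAS answers with a NAK.
    request = build_disconnect_request(
        SHARED_SECRET, 7, [(USER_NAME, b"alice"), (ACCT_SESSION_ID, b"0000A1B2")])
    nak = build_response(SHARED_SECRET, request, DISCONNECT_NAK,
                         [(ERROR_CAUSE, struct.pack("!I", ERROR_CAUSE_SESSION_NOT_FOUND))])
    print("request valid on NAS:", verify_request(request, SHARED_SECRET))
    print("reply accepted:", verify_response(nak, request, SHARED_SECRET),
          "error cause:", error_cause(nak))
```

Because the authenticator is an MD5 over the packet and the shared secret, its strength is only that of the secret, so each NAS should have its own long random secret and mismatched or unsolicited replies must be dropped rather than logged as successes.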

Modifying an Existing Enforcement Profile

To modify an existing enforcement profile:

1. Navigate to the Configuration > Enforcement > Profiles page.

2. Select a profile name from the profiles list, then click Edit or Delete.

3. Make the necessary changes in the Profile and Attributes dialogs, then click Save.

Deleting an Existing Enforcement Profile

To delete an existing enforcement profile:

1. Navigate to the Configuration > Enforcement > Profiles page.

2. Click the checkbox by a profile name from the profiles list, then click Edit or Delete.

3. Make the necessary changes in the Profile and Attributes dialogs, then click Save.