Home > User Interface > Configuration > Policy Configuration > Administration Rules
Logo

Administration Rules

Menu path: Configuration > Policies and Access Control > Administration Rules.

Administration rules dictate what administrative privileges will be granted to the user when the authentication source is applied.

There are four major fields in the rules description:

Field Usage Example
Name The name of the rule. Catchall
Description The intent of the rule. Apply to all.
Matches One of All or Any. All indicates that all of the conditions must be matched in order for the administration rule to be triggered. Any means that any of the conditions can be matched. All
Conditions The conditions that need to be met. The Matches field dictates whether all or just one of the conditions needs to be met. Conditions are further described below.  
Actions The actions that should be preformed if the conditions are met. Actions are further described below.  

Conditions

Conditions are optional; if omitted, then the conditions will always be met as a catchall. The Matches field dictates whether all or any of the conditions need to be met. New conditions are added via the Add Condition button. After the first condition is created, additional conditions can be defined through the use of the add icon button and an entry can be deleted through the use of the delete icon button. Conditions can be rearranged after creation. Conditions are divided into three fields:

In this example, the condition is SSID equals Corporate. This will be matched if the SSID of the user is Corporate.

Condition Items

The condition items along with their operators and comparison values are described in the table below. The LDAP attributes in this list are controlled on the System ConfigurationMain ConfigurationAdvanced page.

Condition Comparison Operators Comparison Values
SSID starts, equals, contains, ends, matches regexp The SSID of the user's wireless connection.
Current time is before, is after HH:MM
Current time period in time period wd {Mon-Fri} hr {9am-5pm}
Connection type is, is not
  • Organized by Types and Groups:
  • Types
    • Ethernet-EAP
    • Ethernet-NoEAP
    • Ethernet-Web-Auth
    • Inline
    • SNMP-Traps
    • WIRED_MAC_AUTH
    • Wireless-802.11-EAP
    • Wireless-802.11-NoEAP
    • Wireless-Web-Auth
  • Groups
    • EAP
    • Ethernet
    • Web-Auth
    • Wireless
Computer name starts, equals, contains, ends, matches regexp The name of the user's computer.
MAC address starts, equals, contains, ends, matches regexp The MAC address of the user's computer.
Realm starts, equals, contains, ends, matches regexp The Realm matching the user's authentication.
UserPrincipalName starts, equals, contains, ends, matches regexp, is member of The user's principal name matching.
cn starts, equals, contains, ends, matches regexp, is member of A common name (CN) component of an AD/LDAP distinguished name (DN). For example Users in CN=Users.
department starts, equals, contains, ends, matches regexp, is member of The department component of a DN.
description starts, equals, contains, ends, matches regexp, is member of The description component of a DN.
displayName starts, equals, contains, ends, matches regexp, is member of First, middle, and last name components of a DN.
distinguishedName starts, equals, contains, ends, matches regexp, is member of The full DN from an AD/LDAP entry.
eduPersonPrimaryAffiliation starts, equals, contains, ends, matches regexp, is member of When using Eduroam authentication, the user's primary institutional affiliation
givenName starts, equals, contains, ends, matches regexp, is member of The first name of a user's DN.
groupMembership starts, equals, contains, ends, matches regexp, is member of The group membership in the user's DN.
mail starts, equals, contains, ends, matches regexp, is member of The mail attribute of the user's DN.
memberOf starts, equals, contains, ends, matches regexp, is member of Matches the organization attributes of a DN, including CN and OU.
nested group starts, equals, contains, ends, matches regexp Matches a security groups whose members are other security groups as opposed to users.
postOfficeBox starts, equals, contains, ends, matches regexp, is member of The postOfficeBox attribute of the user's DN.
sAMAccountName starts, equals, contains, ends, matches regexp The account name in the user's DN.
sAMAccountType starts, equals, contains, ends, matches regexp The account type in the user's DN.
servicePrincipalName starts, equals, contains, ends, matches regexp, is member of The client's service principal name.
sn starts, equals, contains, ends, matches regexp, is member of The surname in the user's DN.
uid starts, equals, contains, ends, matches regexp, is member of The uid in the user's DN.
userAccountControl starts, equals, contains, ends, matches regexp The userAccountControl settings in the user's DN.

Comparison Operators

The comparison operators used in conditions are described in the table below.

Operator Used in Usage
starts These operators are used for all text comparisons. The string starts with the comparison value.
equals The string matches the comparison value.
contains The string contains the comparison value.
ends The string ends with the comparison value.
matches regexp The string is matched against a regular expression (regexp). Regexp is a powerful language for expressing string matches. An introduction to regexps can be found here.
is member of Used within DN matching. The string matches a group within the DN.
is before Current time The current time is before a particular hour and minute expressed as HH:MM.
is after Current time The current time is after a particular hour and minute expressed as HH:MM.
in time period Current time period

The current time is within a time period expressed as described here. For example, working hours can be expressed as wd {Mon-Fri} hr {9am-5pm}.
is Connection type Matches a particular connection type.
is not Connection type Ensure that the connection is NOT a particular connection type.

Actions

Actions dictate what is to happen if the authentication rule applies and all Conditions are met. The possible actions and their settings are described in the table below:

Action Options
Access level

Dictates a user's level of access to the A3 administration interface. One of:

  • User Manager - able to manage A3 users via the top-level USERS menu.
  • NONE - all admin privileges are removed.
  • ALL - all admin privileges are enabled.
  • Security event manager - able to manage security events (trigger, open, close) for the client.
  • ALL_PF_ONLY - all admin rights related to deployment, excluding switch login rights.
  • Client manager - able to manage A3 clients via the top-level Clients menu.
  • Security event manager - able to manage security events from the Compliance OverviewSecurity Events page.
Mark as Sponsor Marks the user as a sponsor for email-based CWP login. No options apply.
Tenant ID Sets the ID of the user as a particular tenant in a mufti-tenant facility managed by A3.

 

Copyright © 2021 Extreme Networks. All rights reserved. Published April 2021.