Create Hybrid Policy

Use this task to create a hybrid policy.

  1. Go to Policies > Policies.
  2. Select Add Policy and select Hybrid from the drop-down list and configure the settings.
    Table 1. Hybrid Policy Settings
    Field: Description
    Policy Name: Enter at least 3 alphanumeric characters.
    Description (Optional): Enter a description.
    User Groups: Select Any User, select a user group from the drop-down list, or create one. For more information, see Manage User Groups.
    Device Groups: Select Any Device, select a device group from the drop-down menu, or create one. For details, see Managed Device Groups.
    Note: If both user and device groups are configured in the policy, both access conditions must pass for the policy to match for network access.
    Location Based Condition (Optional): Select a location condition from the drop-down menu or create a new condition.
    Note: The location group is also used to scope the network policies to only those network devices included in the location condition.

    For more information, see Add Location-Based Conditions.

    Time Based Condition (Optional): Select a time condition from the drop-down menu or create a new condition. For details, see Add Time-Based Conditions.
    Authentication Based Condition (Optional): Select an authentication condition from the drop-down menu or create a new condition. For details, see Create Authentication-Based Conditions.
    Applications Groups: Select one from the drop-down menu or create one. For details, see Create Application Groups.
    Access Mode: Select Agent-based or Agentless to determine whether the applications defined in the application group should be available via the agent, the agentless web portal, or both.
    AP Aware: Determines whether an AP is attached to the port, to prevent authentication of wireless clients when authentication for wireless clients is handled via the AP.
    Default Network Access: Select the default access for the network. By default, all network access is dropped except for agent-based traffic.
    Select VLAN from ExtremeCloud IQ: You can use your own VLAN or a VLAN defined in ExtremeCloud IQ.
    • To use your own VLAN, ensure Select VLAN from ExtremeCloud IQ is deactivated (default) and enter a VLAN ID.
    • To use a VLAN from ExtremeCloud IQ, activate Select VLAN from ExtremeCloud IQ and select a VLAN from the list.
    VLAN ID (Optional): Select a VLAN from the drop-down menu.

    Note:

    When you add additional tagged VLANs, the first ID is always the untagged VLAN and should match the VLAN being assigned by the policy.

    In the Advanced Settings (below), you can use the FA-VLAN-ISID attribute to tag any extra VLANs. Even though the switch is not doing fabric attach, the attribute will allow for additional tagged VLANs.

    The format is:

    FA-VLAN-ISID=1:1,1101:1101,1102:1102,1201:1201,1202:1202

    In the above example, 1 is the first VLAN and is untagged, and VLANs 1101, 1102, 1201, and 1202 are all tagged.

    ISID (Optional): Fabric Service Identifier (ISID).
    Network Service Group (Optional): Select Network Service Group and continue as follows:
    1. Select Add Network Service Group.
    2. Select Allowed or Denied.
    Note: The Network Service groups and their associated actions are ordered. To rearrange the order, drag the network service group up or down.
    Advanced Settings (Optional):
    • RADIUS VSAs - Select from the drop-down menu.
    • Variables - Select from the drop-down menu.
  3. Select Add.
  4. To update or remove an existing Hybrid policy, select Ellipses and select Update or Remove from the drop-down list.
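
The FA-VLAN-ISID format described under VLAN ID (Optional) can be checked before it is entered in Advanced Settings. The following Python sketch is an added example, not part of the product or its documentation: it parses the value, confirms that the first (untagged) VLAN matches the VLAN the policy assigns, and lists the tagged VLANs. The function name, the 1-4094 VLAN range check, and the 24-bit limit on the second number of each pair are assumptions of this example.

```python
import re

MAX_VLAN = 4094        # highest usable IEEE 802.1Q VLAN ID
MAX_ISID = 0xFFFFFF    # assumption: second number of each pair is a 24-bit ISID
PAIR = re.compile(r"(\d+):(\d+)", re.ASCII)


def parse_fa_vlan_isid(attr, policy_vlan):
    """Return (untagged_vlan, tagged_vlans, problems) for one attribute string."""
    name, sep, value = attr.partition("=")
    if not sep or name.strip() != "FA-VLAN-ISID":
        return None, [], ["expected FA-VLAN-ISID=<vlan>:<isid>[,...]"]
    vlans, problems = [], []
    for pair in value.split(","):
        match = PAIR.fullmatch(pair.strip())
        if match is None:
            problems.append(f"malformed pair {pair!r}")
            continue
        vlan, isid = int(match.group(1)), int(match.group(2))
        if not 1 <= vlan <= MAX_VLAN:
            problems.append(f"VLAN {vlan} is outside 1-{MAX_VLAN}")
        if isid > MAX_ISID:
            problems.append(f"ISID {isid} does not fit in 24 bits")
        if vlan in vlans:
            problems.append(f"VLAN {vlan} is listed more than once")
        vlans.append(vlan)
    if not vlans:
        return None, [], problems or ["no VLAN pairs found"]
    # The first ID is always the untagged VLAN; the rest are tagged.
    untagged, tagged = vlans[0], vlans[1:]
    if untagged != policy_vlan:
        problems.append(
            f"first (untagged) VLAN {untagged} does not match policy VLAN {policy_vlan}"
        )
    return untagged, tagged, problems


if __name__ == "__main__":
    # First value is the example from this page; the second is constructed.
    samples = [
        ("FA-VLAN-ISID=1:1,1101:1101,1102:1102,1201:1201,1202:1202", 1),
        ("FA-VLAN-ISID=10:10,5000:5000,10:10", 20),
    ]
    for attr, policy_vlan in samples:
        untagged, tagged, problems = parse_fa_vlan_isid(attr, policy_vlan)
        print(attr)
        print(f"  untagged={untagged} tagged={tagged}")
        for problem in problems:
            print(f"  problem: {problem}")
```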