Preconfigured Policy Roles

ExtremeCloud IQ Controller ships with the default policy configurations listed in Table 1, Preconfigured Policy Roles.

Policy roles define the authorization level that ExtremeCloud IQ Controller assigns to a connecting end-system based on the end-system's authentication and/or assessment results. The access policies define a set of network access services that determine exactly how an end-system's traffic is authorized on the network.

Table 1. Preconfigured Policy Roles

Enterprise User: Intended for admin users with full access.

Quarantine: The Quarantine access policy is used to restrict network access to end-systems that have failed assessment. The Quarantine policy role denies all traffic by default while permitting access to only required network resources such as basic network services (e.g., ARP, DHCP, and DNS) and HTTP to redirect web traffic for assisted remediation.

Unregistered: The Unregistered access policy default action is to deny all unregistered traffic.

Guest Access: The Guest Access policy allows registered guest traffic.

Deny Access: The Deny Access policy default action is to deny all traffic.

Assessing: The Assessment access policy temporarily allocates a set of network resources to end-systems while they are being assessed. Typically, the Assessment access policy allows access to basic network services (e.g., ARP, DHCP, and DNS), permits all IP communication to the Assessment servers so the assessment can be successfully completed, and HTTP to redirect web traffic for Assisted Remediation.

For RFC 3580-compliant switches, the Assessment access policy may be mapped to the Quarantine VLAN. It is not mandatory to assign the Assessment policy to a connecting end-system while it is being assessed. The policy role received from the RADIUS server or an accept policy can be applied to the end-system, allowing the end-system immediate network access while the end-system assessment is occurring in the background. In this case, the policy role or accept policy (or the associated VLAN for RFC 3580-compliant switches) must be configured to allow access to the appropriate network resources for communication with the Assessment servers.

Note: The Assessment server sends an ICMP Echo Request (a "ping") to the end-system before the server begins to test IP connectivity to the end-system. Therefore, the Assessment policy role, the router ACLs, and the end-system's personal firewall must allow this type of communication between end-systems and Assessment servers in order for the assessment to take place. If the Assessment server cannot verify IP connectivity, the Failsafe policy is assigned to the end-system.

Failsafe: The Failsafe access policy is applied to an end-system when it is in an Error connection state. An Error state results if the end-system's IP address could not be determined from its MAC address, or if there was an assessment error and an assessment of the end-system could not take place. For RFC 3580-compliant switches, the Failsafe access policy may be mapped to the Production VLAN.

Pass Through External RADIUS: Use this policy when the AAA mode is RADIUS (using an external RADIUS server). When this policy is selected, end-systems that match the rule get the RADIUS attributes from the upstream server's ACCEPT response, including Filter-Id.

Use Default Auth Role: Use the Default Auth Role that is configured for the wireless network that the end-system is connected to.
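As an added illustration, not part of this documentation or of the controller's own API, the following Python model captures two things Table 1 describes: a default-deny Quarantine/Assessing role with carve-outs for ARP, DHCP, DNS, the HTTP redirect and the Assessment server's ICMP Echo Request, and the order in which an end-system lands in Assessing, Quarantine, its accept role, or Failsafe. The names `Flow`, `Role`, `missing_flows` and `assign_role` and the sample roles are constructed for this example; the point of the check is that a role missing the ICMP carve-out can never complete assessment, so every end-system would end up in Failsafe (which may map to the Production VLAN).

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Flow:
    """One traffic class: protocol, optional destination port, and peer label."""
    proto: str                      # "arp", "udp", "tcp" or "icmp"
    dst_port: Optional[int] = None  # None in a rule means any port
    peer: str = "any"               # "any" in a rule means any peer

@dataclass
class Role:
    """A policy role with default-deny semantics: only listed flows pass."""
    name: str
    allow: set = field(default_factory=set)

    def permits(self, flow: Flow) -> bool:
        return any(r.proto == flow.proto
                   and r.dst_port in (None, flow.dst_port)
                   and r.peer in ("any", flow.peer)
                   for r in self.allow)

# Flows the table says an assessment needs: ARP, DHCP, DNS, HTTP (for the
# redirect) and the ICMP Echo Request the Assessment server sends first.
ASSESSMENT_REQUIRED = [
    Flow("arp"), Flow("udp", 67), Flow("udp", 53), Flow("tcp", 80),
    Flow("icmp", peer="assessment-server"),
]

def missing_flows(role: Role) -> list:
    """Return the required flows a role blocks; empty means assessment can run."""
    return [f for f in ASSESSMENT_REQUIRED if not role.permits(f)]

def assign_role(ip_known: bool, ping_ok: bool, assessed: bool, passed: bool,
                accept_role: str) -> str:
    """Role selection in the order the table describes (simplified model)."""
    if not ip_known or not ping_ok:
        return "Failsafe"      # Error state, or connectivity could not be verified
    if not assessed:
        return "Assessing"     # assessment still in progress
    return accept_role if passed else "Quarantine"  # accept role = RADIUS/accept policy

# Constructed sample roles: one built as the table describes, and a copy that
# omits the ICMP carve-out, so no end-system would ever finish assessment.
QUARANTINE_OK = Role("Quarantine", {Flow("arp"), Flow("udp", 67), Flow("udp", 53),
                                    Flow("tcp", 80), Flow("icmp", peer="assessment-server")})
QUARANTINE_NO_ICMP = Role("Quarantine-misconfigured",
                          {Flow("arp"), Flow("udp", 67), Flow("udp", 53), Flow("tcp", 80)})
```

Running `missing_flows(QUARANTINE_NO_ICMP)` reports the blocked ICMP flow, which is the condition under which the Note above says the Failsafe policy is assigned.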