Configuring Network Policy Roles and Dynamic Access Control
A policy-based network relies on roles to define network access based on criteria defined in the role. Access Control Rules add further criteria based on groups, adding a level of specificity to the access conditions. The grouping criteria are dynamic, allowing the level of permissions to change based on a user's group associations.
To illustrate how policy roles and Access Control Rules work together, consider the policy roles for a student:
Policy Roles:
  Learning Student Access
  Basic Student Access
Configure a policy role named Learning Student Access: the member has full access to the network but is denied access to social media apps.
  One network policy rule that provides full access to the network.
  One application policy rule that denies access to social media apps.
Configure a policy role named Basic Student Access: the member has limited network access, but access to all applications is allowed.
  One network policy rule that limits students to TCP access on ports: HTTP/S, DNS, and DHCP-Server.
Note
If no application policy rule exists, access to all applications is allowed.
Groups
Configure the following groups:
  Student Body. User group that includes all registered students.
  School Computers. End-System group with the MAC addresses of all school-issued computers.
Captive Portal
Configure a captive portal to associate with one or more Access Control Rules. Authentication settings on the captive portal deny access to students who are no longer members of the student body.
Access Control Rules
Configure Access Control Rule "Learning Student".
The Access Control Rule takes the defined policy role Learning Student Access and, in a single rule, applies it to members of the student body who are using school-issued computers.
  Group Criteria: Select the following values for each group:
    User Group = Student Body
    End-System Group = School Computers
  Policy Role: Select Learning Student Access as the Policy Role.
Configure Access Control Rule "Basic Student".
The Access Control Rule takes the defined policy role Basic Student Access and applies it to all members of the student body who are using non-school-issued devices.
  Group Criteria: Select the following values for each group:
    User Group = Student Body
    End-System Group = School Computers. Select the Invert check box; this indicates a match when the student is not using a school computer.
  Policy Role: Select Basic Student Access as the Policy Role.
Results:
  If the student is a member of the student body using a school computer, the student has full network access and is denied access to social media applications.
  If the student is a member of the student body using a personal computer, the student has limited access to the network and full access to social media.
  If the student is no longer a member of the student body but does have a school computer, the captive portal authentication settings deny network access.
  If the student is no longer a member of the student body but is using a personal computer, the captive portal authentication settings deny network access.
Note
The ExtremeCloud IQ Controller installation provides the following default system rules:
  Catch-All rule. End-systems that do not match any of the defined rules are assigned the default Catch-All rule. The default Catch-All rule assigns the Enterprise User policy role, which allows full network access. The policy role assigned by this rule is configurable: edit the rule and change the "Accept Policy" field value.
  Blacklist. End-systems with a MAC address that is a member of the Blacklist group are denied network access. They are assigned the Quarantine policy role, which denies all traffic by default. Go to Policy > Roles to configure the Quarantine policy definition.