Access Control Rules

Access Control Rules enable you to apply network access permissions and restrictions based on defined rules. The rules can address network resources, a user's role or purpose in the organization, or the device type that is used to access the network. Network access control is dynamic. End-user network access can change as group associations change without a network administrator getting involved.

ExtremeCloud IQ Controller grouping is the building block for Access Control Rules. An Access Control Rule consists of one or more groups, a policy role definition, and an optional captive portal specification. The policy role that defines the access control action is specified in the Access Control Rule.

Through the use of group criteria, the Access Control Rule definition provides dynamic control over network access. Specify up to four group criteria from defined groups. The rule definition is a logical "And" of the group criteria. This structure allows for varied levels of granularity in the Access Control Rule definition.

Before configuring Access Control Rules, configure groups, policy roles, and captive portal definitions that you can use in a rule definition.

The ExtremeCloud IQ Controller installation provides the following default system rules:

Catch-All rule. End-systems that do not match any of the defined rules are assigned the default Catch-All rule. The Default Catch-All rule assigns the Enterprise User policy role by default, which allows full network access. The policy role assigned by this rule is configurable (You can edit the rule and change the "Accept Policy" field value.)
Blacklist. End-systems with a MAC address that is a member of the Blacklist group are denied network access. They are assigned the Quarantine policy role. The Quarantine policy denies all traffic by default. Go to Policy > Roles to configure the Quarantine policy definition.