User's Guide
Related Topics
Manage Access Control Groups on page 317
Access Control Group Settings on page 317
Access Control Rules
Access Control Rules enable you to apply network access permissions and restrictions based on defined
rules. The rules can address network resources, a user's role or purpose in the organization, or the
device type that is used to access the network. Network access control is dynamic. End-user network
access can change as group associations change without a network administrator getting involved.
Extreme Campus Controller grouping is the building block for Access Control Rules. An Access Control
Rule consists of one or more groups, a policy role definition, and an optional captive portal specification.
The policy role that defines the access control action is specified in the Access Control Rule.
Through the use of group criteria, the Access Control Rule definition provides dynamic control over
network access. Specify up to four group criteria from defined groups. The rule definition is a logical
"And" of the group criteria. This structure allows for varied levels of granularity in the Access Control
Rule definition.
Before configuring Access Control Rules, configure groups, policy roles, and captive portal definitions
that you can use in a rule definition.
The Extreme Campus Controller installation provides the following default system rules:
• Catch-All rule. End-systems that do not match any of the defined rules are assigned the default
Catch-All rule. The default Catch-All rule assigns the Enterprise User policy role by default, which
allows full network access. The policy role assigned by this rule is configurable. (You can edit the rule
and change the "Accept Policy" field value.)
• Blacklist. End-systems with a MAC address that is a member of the Blacklist group are denied
network access. They are assigned the Quarantine policy role. The Quarantine policy denies all traffic
by default. Go to Policy > Roles to configure the Quarantine policy definition.
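
The matching logic described above, as an added example (not Extreme Campus Controller code): a Python model of the logical "And" of group criteria and the two default system rules, used to list end-systems that only the Catch-All rule matches and that therefore receive its full-access Enterprise User role. The rule names, group names, the "Staff Access" role, the top-down first-match order and the Blacklist-first check are assumptions made for illustration.

```python
# Added model of Access Control Rule matching; not Extreme Campus Controller code.
from dataclasses import dataclass

MAX_CRITERIA = 4  # the guide allows up to four group criteria per rule

@dataclass(frozen=True)
class Rule:
    name: str
    groups: tuple      # group names; ALL must match (logical AND)
    role: str          # policy role assigned when the rule matches
    portal: str = ""   # optional captive portal

    def __post_init__(self):
        if not 1 <= len(self.groups) <= MAX_CRITERIA:
            raise ValueError(f"{self.name}: needs 1 to {MAX_CRITERIA} group criteria")

def evaluate(memberships, rules, catch_all_role="Enterprise User"):
    """Return (rule name, policy role) for one end-system's group memberships."""
    # Assumption: Blacklist is checked first, then rules top-down, first match wins.
    if "Blacklist" in memberships:
        return ("Blacklist", "Quarantine")
    for rule in rules:
        if set(rule.groups) <= set(memberships):
            return (rule.name, rule.role)
    return ("Catch-All", catch_all_role)  # default role allows full network access

def fall_through(end_systems, rules):
    """End-systems matched only by Catch-All, i.e. given its default role."""
    return sorted(n for n, g in end_systems.items()
                  if evaluate(g, rules)[0] == "Catch-All")

# Constructed sample data; "Learning Student Access" is the role named in the guide,
# every other rule, group and role name here is hypothetical.
RULES = [
    Rule("Student-Classroom", ("Students", "Classroom-APs"), "Learning Student Access"),
    Rule("Staff-Laptops", ("Staff", "Windows"), "Staff Access"),
]
END_SYSTEMS = {
    "alice-laptop": {"Students", "Classroom-APs", "Windows"},
    "bob-phone": {"Students"},                        # misses one AND criterion
    "carol-laptop": {"Staff", "Windows"},
    "printer-7": {"Blacklist", "Staff", "Windows"},
}

if __name__ == "__main__":
    for name, groups in END_SYSTEMS.items():
        print(name, evaluate(groups, RULES))
    print("Catch-All only:", fall_through(END_SYSTEMS, RULES))
```

Passing a more restrictive role as `catch_all_role` models editing the Catch-All rule's "Accept Policy" field.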
Related Topics
Configuring Network Policy Roles and Dynamic Access Control on page 320
Managing Access Control Rules on page 322
Rule Settings on page 323
Configuring Network Policy Roles and Dynamic Access Control
A policy-based network relies on roles to define network access based on criteria defined in the role.
Access Control Rules add further criteria based on groups, adding a level of specificity to access
conditions. The grouping criteria are dynamic, allowing the level of permissions to change based on a
user's group associations.
To illustrate how policy and Access Control Rules work together, consider the policy role of a student:
Policy Roles:
• Learning Student Access
Access Control Rules
Onboard
320 Extreme Campus Controller User Guide for version 5.46.03










