Security Solutions
Designing Access Controls
Finalize Security Policies
3. Quarantine—In a network with endpoint integrity, you must create a rule
that matches the EI postures Quarantine or Infected with the quarantine
access profile. (Typically, the other inputs should be “any” because you
always want non-compliant endpoints quarantined.) You must also create
a rule for the Unknown posture. Match that posture either to a test access
profile or to the quarantine access profile. If you want all users to be placed
in the same quarantine VLAN, you can create global rules.
Plan your access policy group rules in Table 3-89.
Table 3-89. Access Policy Group Rules

| Access Policy Group | Input: Location | Input: Time | Input: System | Input: WLAN | Input: EI | Output: Access Profile |
|---|---|---|---|---|---|---|
| | | | | | | |

Table 3-90 presents an example of policy group rules for PCU.

Table 3-90. Sample Access Policy Group Rules for PCU

| Access Policy Group | Input: Location | Input: Time | Input: System | Input: WLAN | Input: EI | Output: Access Profile |
|---|---|---|---|---|---|---|
| Global | any | any | any | any | Unknown | Quarantine |
| Global | any | any | any | any | Fail | Quarantine |
| Global | any | any | any | any | Infected | Quarantine |
| IT admin | any | any | any | any | Pass | IT admin |
| President and other executives | any | any | any | PCU | Pass | President, etc. |
| Partners and customers | any | any | any | Guests | Pass | Unencrypted |
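The rules in Table 3-90 can be checked for quarantine gaps before they are deployed. The following is an added example, not part of the original guide or any product tooling: it transcribes the table, evaluates rules first-match with global rules ahead of group rules (an assumption about evaluation order), and reports any non-compliant posture that does not resolve to the Quarantine profile. The function names and the sample location, time and system values are hypothetical.

```python
ANY = "any"
FIELDS = ("location", "time", "system", "wlan", "ei")

# Rules transcribed from Table 3-90:
# (group, location, time, system, wlan, ei, access_profile)
RULES = [
    ("Global", ANY, ANY, ANY, ANY, "Unknown", "Quarantine"),
    ("Global", ANY, ANY, ANY, ANY, "Fail", "Quarantine"),
    ("Global", ANY, ANY, ANY, ANY, "Infected", "Quarantine"),
    ("IT admin", ANY, ANY, ANY, ANY, "Pass", "IT admin"),
    ("President and other executives", ANY, ANY, ANY, "PCU", "Pass", "President, etc."),
    ("Partners and customers", ANY, ANY, ANY, "Guests", "Pass", "Unencrypted"),
]
NON_COMPLIANT = ("Unknown", "Fail", "Infected")


def evaluate(rules, group, **inputs):
    """Return the access profile of the first matching rule, or None."""
    # Assumption: global rules are checked before the group's own rules.
    for scope in ("Global", group):
        for rule in rules:
            if rule[0] == scope and all(
                pattern in (ANY, inputs[field])
                for field, pattern in zip(FIELDS, rule[1:6])
            ):
                return rule[6]
    return None


def audit(rules):
    """Return (group, wlan, posture, profile) cases that escape quarantine."""
    groups = sorted({r[0] for r in rules} - {"Global"})
    wlans = sorted({r[4] for r in rules} - {ANY})
    findings = []
    for group in groups:
        for wlan in wlans:
            for posture in NON_COMPLIANT:
                # Location, time and system values are constructed samples.
                profile = evaluate(rules, group, location="campus",
                                   time="09:00", system="laptop",
                                   wlan=wlan, ei=posture)
                if profile != "Quarantine":
                    findings.append((group, wlan, posture, profile))
    return findings


if __name__ == "__main__":
    print(audit(RULES))                                    # complete rule set
    print(audit([r for r in RULES if r[5] != "Unknown"]))  # Unknown rule missing
```

A `None` profile in a finding means no rule matched at all, which is the gap the text warns about when the Unknown posture has no rule.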