Security Solutions
3-120
Designing Access Controls
Finalize Security Policies
Note: Some directories, such as eDirectory, allow you to extend the schema with
RADIUS attributes. You can then assign dynamic settings directly to a user or
group object rather than through a RADIUS server policy. See your LDAP
server’s documentation to determine whether or not it supports this option.
Create the NAC Policies
You have already learned how to quarantine non-compliant endpoints. Now
you need to consider how you will define non-compliance.
The NAC 800 tests endpoints against NAC policies. As you learned in
Chapter 1: “Access Control Concepts,” a NAC policy consists of a series of
tests, the conditions endpoints must meet to pass each test, and the actions
the NAC 800 takes if they do not.
NAC policies are divided into groups, and each NAC 800 enforcement cluster
(group of ESs that test the same pool of endpoints and enforce the same
quarantine method) is assigned a NAC policy group.
Because you can create a variety of NAC policies and policy groups, you have
precise control over which tests will be applied to which endpoints.
Design NAC Policy Groups
You will create a policy group and then add policies to the group. You should
create one policy for each set of endpoints that you want to test in a different
way. If you want all endpoints to meet the same conditions, you can create a
single policy.
The NAC 800 matches endpoints to a particular policy by:
■ Domain name
■ MAC address
■ NetBIOS name
■ IP address
This means that you can set up different policies for different:
■ Domains—Set the appropriate domain name in each NAC policy in the
group.
■ Hardware—You might record the MAC addresses of your organization’s
equipment and set up different policies for different MAC addresses. For
example, you could list wired MAC addresses in one policy and wireless
MAC addresses in another policy in the group. However, management can
be tedious, and this level of granularity is not typically required.
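To make the policy-group model concrete, the following added example (written for this guide, not ProCurve or NAC 800 code) models a policy group whose policies select endpoints by domain, MAC address, NetBIOS name or IP address, and then evaluates the selected policy's tests. The first-match ordering, the catch-all policy, and the compliance "facts" are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    ip: str
    mac: str
    netbios: str = ""
    domain: str = ""
    facts: dict = field(default_factory=dict)   # constructed test results for the endpoint

@dataclass
class NacPolicy:
    name: str
    domains: set = field(default_factory=set)
    macs: set = field(default_factory=set)
    netbios_names: set = field(default_factory=set)
    ip_networks: list = field(default_factory=list)  # CIDR strings
    tests: dict = field(default_factory=dict)        # test name -> required value
    fail_action: str = "quarantine"                  # action when any test fails

    def matches(self, ep):
        """True if any selection criterion matches; no criteria means catch-all (assumption)."""
        if not (self.domains or self.macs or self.netbios_names or self.ip_networks):
            return True
        addr = ipaddress.ip_address(ep.ip)
        return (ep.domain.lower() in {d.lower() for d in self.domains}
                or ep.mac.lower() in {m.lower() for m in self.macs}
                or ep.netbios.upper() in {n.upper() for n in self.netbios_names}
                or any(addr in ipaddress.ip_network(n) for n in self.ip_networks))

def select_policy(group, ep):
    """Assumption: policies are checked in group order and the first match wins."""
    return next((p for p in group if p.matches(ep)), None)

def evaluate(policy, ep):
    """Run the policy's tests; returns (verdict, list of failed test names)."""
    failed = [t for t, want in policy.tests.items() if ep.facts.get(t) != want]
    return (policy.fail_action if failed else "allow"), failed

# Constructed sample group: wired hardware by MAC, wireless by subnet, then a catch-all.
POLICY_GROUP = [
    NacPolicy("wired-corp", macs={"00:11:22:33:44:55"}, tests={"av_running": True}),
    NacPolicy("wireless", ip_networks=["10.20.0.0/16"],
              tests={"av_running": True, "fw_on": True}),
    NacPolicy("default", tests={"av_running": True}),
]
```

Placing the catch-all policy last ensures an endpoint that matches no explicit criterion is still tested rather than silently allowed.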