In this topic, you will learn how to assign different types of policies to a selected group in Portnox™ Cloud.
Before you begin, you must create a group in Portnox Cloud. To create a group and configure its basic settings, read the
following topic: Create a group.
To understand what are groups and policies in Portnox Cloud and how they work together with accounts, read the following
topic: What are accounts, groups, policies, and sites?.
-
In the Cloud portal top menu, click on the Groups option.
-
Click on the ⋮ icon on the right-hand side of the selected group name and
select the Group policies option from the pop-up menu to begin the process of managing the
policies assigned to the selected group.
-
In the NETWORK ACCESS CONTROL POLICIES section, assign access control policies to sites:
-
Click on the Add access control policy link.
-
In the Access Control Policy field, select an existing access control policy.
-
In the Site field, select an existing site.
-
Click on the Save button to save the added assignment or click on the
Cancel button to abandon all changes.
-
Repeat the above steps for other sites, if necessary.
Result: Access control policies are assigned to sites.
The policy that is defined for the site ANY will apply to all remaining sites.
- Optional:
If you’re using the Conditional Access functionality, in the
APPLICATION ACCESS CONTROL POLICIES section, click on the Edit link to
select the access control policy to apply to application access.
Note: Conditional Access applies the same access control policy to all applications. There is no option to apply
different policies to different applications.
-
In the Device risk assessment policy section, assign a risk assessment policy to this group by
selecting it from the list of available risk assessment policies below.
If no risk assessment policy is assigned, the System Default Policy is used.
-
In the Remediation policy section, assign a remediation policy to this group by selecting it
from the list of available risk assessment policies below.
The remediation policy is not mandatory and by default this field has a value Unassigned.
-
In the TACACS+ policies section, assign TACACS+ policies
to NAS devices.
-
Click on the Add a TACACS+ policy link.
A new row appears on the list of TACACS+ policies. Do the following actions in this
row.
-
In the TACACS+ POLICY column, select an existing TACACS+ policy.
-
In the APPLIED TO column, field, click on the ✎ icon to define the rules for applying this policy to NAS devices.
The APPLY TACACS+ POLICY window opens.
-
In the APPLY TACACS+ POLICY window, use the controls to create a logical tree of
conditions.
Click on the AND/OR button in a logical branch to
change the logical condition.
Click on the + button in a logical branch and select Add
rule to add another condition to the current logical branch.
Click on the + button in a logical branch and select Add And/Or
block to add a sub-branch to the current logical branch.
In the first column of a logical rule, select Site or
NAS to set the class of parameters to be tested in the
condition.
In the second column of a logical rule, select a parameter applying to the site or to the NAS, such
as Name (for both site and NAS) or Vendor (for NAS) to
be tested in the condition.
In the third column of a logical rule, select Equals, or
StartsWith to set the comparison operator.
In the fourth column of a logical rule, enter a value for comparison or select from a list of
possible values (depending on the condition).
-
In the APPLY TACACS+ POLICY window, click on the Save button to
save the logical tree of conditions and close the window.
-
Repeat the above steps for other TACACS+ policies, if necessary. Use the ⠿ icons on the left-hand side of the row to drag that row up or down and
change priorities.
When a NAS device receives a TACACS+ request, Portnox Cloud first determines the group that it belongs to.
Then, Cloud checks the assignment rules for TACACS+ policies in the priority order on the list (top-down),
and when it finds a policy that matches the rules, it applies this policy, and ignores all lower priority
policies (even if they would match).
-
In the Custom RADIUS attribute policy section, assign custom RADIUS attribute policies to NAS devices.
Note: By default, the System Default Policy is assigned to all devices and accounts in the
group. After you add more policies, this becomes the fallback policy for all devices and accounts that don’t meet
any of the conditions that you added. You can change the assigned policy but you cannot remove this final
condition.
-
Click on the Add Custom RADIUS attribute policy link.
A new row appears on the list of custom RADIUS attribute policies. Do the following actions in this
row.
-
In the CUSTOM RADIUS ATTR. POLICY column, select an existing custom RADIUS attribute
policy.
-
In the APPLIED TO column, field, click on the ✎ icon to define the rules for applying this policy to NAS devices.
The APPLY POLICY window opens.
-
In the APPLY POLICY window, use the controls to create a logical tree of conditions.
Click on the AND/OR button in a logical branch to
change the logical condition.
Click on the + button in a logical branch and select Add
rule to add another condition to the current logical branch.
Click on the + button in a logical branch and select Add And/Or
block to add a sub-branch to the current logical branch.
In the first column of a logical rule, select Site or
NAS to set the class of parameters to be tested in the
condition.
In the second column of a logical rule, select a parameter applying to the site or to the NAS, such
as Name (for both site and NAS) or Vendor (for NAS) to
be tested in the condition.
In the third column of a logical rule, select Equals,
Contains, StartsWith, or
EndsWith to set the comparison operator.
In the fourth column of a logical rule, enter a value for comparison or select from a list of
possible values (depending on the condition).
-
In the APPLY POLICY window, click on the Save button to save the
logical tree of conditions and close the window.
-
Repeat the above steps for other custom RADIUS attribute policies, if necessary. Use the ⠿ icons on the left-hand side of the row to drag that row up or down and
change priorities.
Portnox Cloud first determines the group that the device belongs to. Then, Cloud checks the assignment rules
for custom RADIUS attribute policies in the priority order on the list (top-down), and when it finds a
policy that matches the rules, it applies this policy, and ignores all lower priority policies (even if they
would match).
-
To save your group settings, click on the Save button on the bottom right of the page.