Create or edit an access control policy

In this topic, you will learn how to create and assign an access control policy in Portnox™ Cloud.

To understand what are policies in Portnox Cloud, what types of policies are available, and how they work together with accounts and groups, read the following topic: What are policies in Portnox Cloud?.

Note: The System Default Policy is tuned to meet the requirements of most configurations. When testing or initially deploying Portnox Cloud, you can skip this topic and keep the default settings. The System Default Policy is assigned to all groups, unless you create another policy and assign it manually.
  1. In the Cloud portal top menu, click on the Policies option.

  2. In the right hand pane, click on the Create a new Policy link to create a new policy.
    Note: You can also click on the Edit link on the right-hand side of the selected line that represents the policy. The creation and editing processes are almost the same.
  3. In the Access Control Policy Name field, enter the name for the new policy and in the field below, enter an optional description.

    If you’re editing the System Default Policy, you cannot change its name.

  4. On the left-hand side, select Wireless in the NETWORK TYPE field to configure policy rules for wireless networks.

    Each policy contains rules for all three network types. If you do not configure a specific network type, Portnox Cloud will use default settings for that network type.

  5. In the SUCCESSFUL AUTHENTICATION tab, define the rules for successful authentication for wireless networks:

    These rules will apply if the device authenticates successfully with Portnox Cloud and gains access to the network.

    1. In the VLAN SETTINGS section, optionally select the Assign to a specific VLAN checkbox.

      If this setting is not turned on, the device will have access to the network without being assigned to any VLANs. If this setting is turned on, you can either select a VLAN ID or VLAN name, and the NAS will assign the device to the selected VLAN.

    2. In the ACL SETTINGS section, optionally select the Assign devices to a specific Access Control List checkbox.

      If this setting is not turned on, the device will have access to the network without being assigned to any ACLs. If this setting is turned on, you can either select an existing ACL rule ID or Custom ACL rules to create rules yourself.

    3. If you selected Custom ACL rules in the previous step, click on the Add new rule link to create a new rule.

      • In the Action field, select whether this rule will Deny or Permit packets that match the rule.

      • In the Protocol field, select the protocol that this rule applies to: TCP, UDP, or Any.

      • In the Source IP or IP/Range field, enter the source IP address or the source IP address in the CIDR format or leave the field empty to match all source IP addresses.

      • In the Source Port field, enter the source port number or leave the field empty to match all source port numbers.

      • In the Destination IP or IP/Range field, enter the destination IP address or the destination IP address in the CIDR format or leave the field empty to match all destination IP addresses.

      • In the Destination Port field, enter the destination port number or leave the field empty to match all destination port numbers.

      Click on the Save button to save the rule. Add more rules using the Add new rule link or edit/remove existing rules using Edit or Remove links on the right-hand side of a selected rule.

  6. In the AUTHENTICATION VIOLATION tab, define the rules for authentication violation for wireless networks:

    These rules will apply if the device fails to authenticate with Portnox Cloud for any reason.

    1. In the UPON AN AUTHENTICATION VIOLATION section, select the action to be taken upon authentication violation:

      • Deny access: The NAS will deny the device access to the network.

      • Quarantine devices in a specific VLAN: The NAS will allow the device to access the network but will assign the device to a specific VLAN.

    2. If you selected the Quarantine devices in a specific VLAN, follow the instructions as described for the SUCCESSFUL AUTHENTICATION tab.
  7. In the RISK POLICY VIOLATION tab, define the rules for risk policy violation for wireless networks. The configuration process is identical to the one for the AUTHENTICATION VIOLATION tab.

    These rules will apply if the device fails the assigned risk assessment policy. To create or edit a risk policy, see the following topic: Create or edit a risk assessment policy.

  8. In the BLOCKED BY ADMIN tab, define the rules for when the wireless device is blocked by the administrator. The configuration process is identical to the one for the AUTHENTICATION VIOLATION tab.

    These rules will apply if the Portnox Cloud administrator manually blocks the device on the Devices screen.

  9. In the NETWORK TYPE field, select the Wired option and repeat the steps above for wired networks.

    The configuration options for wired networks are identical to those for wireless networks.

  10. In the NETWORK TYPE field, select the VPN option and repeat the following steps for all tabs: SUCCESSFUL AUTHENTICATION, AUTHENTICATION VIOLATION, RISK POLICY VIOLATION, and BLOCKED BY ADMIN:

    The configuration options for VPNs are identical for all four tabs.

    1. Click on the Assign VPN-connected devices to a Group policy checkbox to activate it.

      This setting applies to Windows Group Policies on the VPN server. If this setting is not turned on, VPN-connected devices will be assigned to the default Group Policy. If this setting is turned on, you can select the Group Policy to assign the device to.

    2. In the field next to the Assign VPN-connected devices to a Group policy option, enter the name of the Group Policy.
  11. To save your policy settings, click on the Save policy changes button in the top right corner.

Result: You created or edited an access control policy. You can now assign this policy to groups.

To assign policies to groups, see the following topic: Assign policies to a group.

Important: If you change the VLAN/ACL assignments of a policy that is already used by devices, these changes do not apply immediately, but only after the device disconnects and reconnects to the network. This is because only then the device will receive the new assignments from the RADIUS server. However, you can force such a disconnect by using the RADIUS Change of Authorization (CoA) feature. To learn more about how to set up your environment to support RADIUS CoA, see the following topic: Enable the RADIUS Change of Authorization feature.