Policy

A policy is a set of hierarchical rules that is evaluated much like a firewall rule set, so to keep its design simple, declare the more specific rules at the top and descend to the more general ones. Each openNAC rule is composed as follows:

[Figure: onnacpolicies1.PNG]

Before creating a new policy, we have to understand the main sections that take part in the policy evaluation process.

Section 1, General, contains the policy name, an optional comment describing the policy, and a switch that lets the user enable or disable the policy.

Section 2, Preconditions, adds conditions that are checked before authentication happens: time of the connection, users, the user devices and network devices involved, and the type of authentication (Sources). All the available options are detailed further on.

Section 3, Postconditions, adds conditions that are applied after authentication happens: VLAN assignment, security profiles or ACLs on the ingress port, plugins and their parameters, and notifications.

Section 4, Other, allows device autolearning to be activated (user devices that match this policy are automatically added to ON CMDB). If autolearning is activated, you can set a tag that will be attached to the user device. In this section a customized message can also be defined for use in the openNAC Agent.

[Figure: onnacpolicies2.PNG]

The policy engine has two main principles that must be taken into account to avoid mistakes and undesirable behavior.

Principle 1: Vertical components act as a logical AND during policy evaluation. For instance, if you set both “Preconditions: Users” and “Preconditions: Sources”, both must match the user device event for that policy to match.

Principle 2: “Preconditions: Sources” acts as a logical OR, because each event has only one source. This lets the user create a single policy that covers events from more than one source. “Precondition: Users”, “Precondition: User devices” and “Precondition: Network devices” each allow only one of the possible options to be set. For instance, if we add a user and then a user group in “Precondition: Users” of the same policy, the user group will overwrite the user condition.
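As an added illustration (not openNAC code), the following Python model applies both principles to a constructed rule set with first-match evaluation, which is why the top-down ordering described at the start of this page matters; the field names, the single-value precondition fields and the VLAN postcondition are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Hypothetical model of the evaluation rules described above; not openNAC code.

@dataclass(frozen=True)
class Event:
    user: str
    group: str
    user_device: str      # e.g. MAC address or device tag (constructed)
    network_device: str   # switch or AP that reported the event (constructed)
    source: str           # exactly one source per event, e.g. "802.1x" or "mac"

@dataclass(frozen=True)
class Policy:
    name: str
    vlan: int                                   # postcondition applied on match
    enabled: bool = True
    # Principle 2: each of these holds at most ONE option, so a single value.
    users: Optional[Tuple[str, str]] = None     # ("user", "alice") or ("group", "staff")
    user_device: Optional[str] = None
    network_device: Optional[str] = None
    # Sources are OR-ed: the event's single source must be one of them.
    sources: FrozenSet[str] = frozenset()

def matches(policy: Policy, ev: Event) -> bool:
    """Principle 1: every precondition that is set must match (logical AND)."""
    if not policy.enabled:
        return False
    if policy.users is not None:
        kind, value = policy.users
        actual = ev.user if kind == "user" else ev.group
        if actual != value:
            return False
    if policy.user_device is not None and policy.user_device != ev.user_device:
        return False
    if policy.network_device is not None and policy.network_device != ev.network_device:
        return False
    # Principle 2: OR across the configured sources; empty set means "any source".
    if policy.sources and ev.source not in policy.sources:
        return False
    return True

def evaluate(policies: List[Policy], ev: Event) -> Optional[int]:
    """First matching policy wins, so specific rules must precede general ones."""
    for p in policies:
        if matches(p, ev):
            return p.vlan
    return None

# Constructed rule set: most specific first, catch-all last.
POLICIES = [
    Policy("alice-dot1x", vlan=10, users=("user", "alice"), sources=frozenset({"802.1x"})),
    Policy("staff-any-auth", vlan=20, users=("group", "staff"), sources=frozenset({"802.1x", "mac"})),
    Policy("guest-catchall", vlan=99),
]
```

Reversing POLICIES shows the ordering problem: the catch-all then shadows every more specific rule.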

For more information about policies, review Operation Policies.