1.2.1. Policy
The policy is a set of hierarchical rules that operates similarly to a firewall. To make it easier to design, the more specific rules are declared at the top, descending to the more general rules. Each openNAC rule is composed as follows:

Before creating a new policy, we have to understand the main sections involved in the policy evaluation process.
The General section contains the policy name and an optional comment describing the policy, and lets the user enable or disable the policy.
The Preconditions section lets you add conditions that apply before authentication happens: time of the connection, users, user devices and network devices involved, and type of authentication (Sources). All the available options are detailed right after.
The Postconditions section lets you add conditions that apply after authentication happens: VLAN assignment, Security Profiles or ACLs at the ingress port, plugins and their parameters, notifications, etc.
The Other section allows activating device autolearning (user devices that match this policy will be automatically added to the ON CMDB). If autolearning is activated, you can set a tag that will be inserted into the user device. In this section, a customized message can also be defined for use in the openNAC Agent and in the different captive portal workflows.

The policy engine has two main principles that we have to consider to avoid mistakes and unexpected behavior.
Principle 1: Vertical components act as a logical “AND” during policy evaluation. For instance, if you set “Preconditions: Users” and “Preconditions: Sources”, both must match the user device event for the event to match that policy.
Principle 2: Different sources in “Preconditions: Sources” act as a logical “OR” because each event has only one source. This allows the user to create a single policy for more than one source event. “Precondition: Users”, “Precondition: User devices” and “Precondition: Network devices” only allow one of the options to be set. For instance, if we add a user and afterwards a user group in “Precondition: Users” in the same policy, the user group will overwrite the user condition.
For more information about policies, read Operation Policies.
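
A minimal Python model of the two principles above, added here as an illustration and not openNAC's own code. The first-match-wins evaluation, the field names, the event shape and the sample rules, source labels and VLAN numbers are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policy:
    name: str
    enabled: bool = True                       # General: enable/disable switch
    users: Optional[str] = None                # single-valued preconditions;
    user_devices: Optional[str] = None         # None means "not set" (matches anything)
    network_devices: Optional[str] = None
    sources: set = field(default_factory=set)  # empty set means "any source"
    vlan: Optional[int] = None                 # postcondition applied on match

    def set_users(self, condition: str) -> None:
        # Principle 2: only one option can be set, so a later value
        # (e.g. a user group) overwrites the earlier one (e.g. a user).
        self.users = condition

    def matches(self, event: dict) -> bool:
        single_valued = [
            (self.users, event["user_ids"]),
            (self.user_devices, event["device_ids"]),
            (self.network_devices, event["network_device_ids"]),
        ]
        # Principle 1: every precondition that is set must match (AND).
        if not all(cond is None or cond in ids for cond, ids in single_valued):
            return False
        # Principle 2: the event's single source must be one of the listed ones (OR).
        return not self.sources or event["source"] in self.sources

def evaluate(policies: list, event: dict) -> Optional[Policy]:
    # Assumption: rules are checked top-down and the first match wins.
    for policy in policies:
        if policy.enabled and policy.matches(event):
            return policy
    return None

# Constructed sample rule set, most specific first.
POLICIES = [
    Policy("staff-8021x-or-vpn", users="group:staff", sources={"802.1x", "vpn"}, vlan=20),
    Policy("guest-portal", sources={"captive-portal"}, vlan=90),
    Policy("default-quarantine", vlan=999),
]

def make_event(user_ids, source, device_ids=(), network_device_ids=()):
    # Constructed event shape: identifier sets plus exactly one source.
    return {"user_ids": set(user_ids), "source": source,
            "device_ids": set(device_ids), "network_device_ids": set(network_device_ids)}
```

In this model a staff user arriving through a source that the first rule does not list falls through to the next matching rule, which is why rule order and a general catch-all at the bottom matter.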