1.2.1. Policy
The policy is a set of hierarchical rules that operates similarly to a firewall. To make it easier to design, declare the more specific rules at the top and descend to the more general rules. Each openNAC rule is composed as follows:
Before creating a new policy we have to understand the main sections that are included in a policy evaluation process.
The General section contains the policy name and an optional comment describing the policy, and lets the user enable or disable the policy.
The Preconditions section lets you add conditions that are checked before authentication happens: the time of the connection, the users, the user devices and network devices involved, and the type of authentication (Sources). All the available options are detailed later.
The Postconditions section lets you add conditions that apply after authentication happens: VLAN assignment, Security Profiles or ACLs at the ingress port, plugins and their parameters, notifications, etc.
The Other section lets you activate device autolearning (user devices that match this policy will be automatically added to the ON CMDB). If autolearning is activated, you can set a tag that will be added to the user device. In this section you can also define a customized message to be used in the openNAC Agent and in the different captive portal workflows.
The policy engine has two main principles to consider to avoid mistakes and unexpected behavior:

Principle 1: Vertical parameters act as a logical “AND” during policy evaluation. For instance, if you set “Preconditions: Users” and “Preconditions: Sources”, both must match the user device event for the event to match that policy.
Principle 2: Different sources in “Preconditions: Sources” act as a logical “OR”, because each event has only one source. This allows the user to create a single policy for more than one source event. “Precondition: Users”, “Precondition: User devices” and “Precondition: Network devices” each allow only one of their options to be set. For instance, if we add a user and then a user group in “Precondition: Users” in the same policy, the user group will overwrite the user condition.
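The two principles can be checked against a small model before a rule set goes live. The following is an added example, not openNAC code: the `Policy` class, `evaluate` function, source labels and sample events are hypothetical, and it assumes first-match evaluation from top to bottom and that an unset precondition matches any event.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policy:
    name: str
    enabled: bool = True
    sources: set = field(default_factory=set)  # unset = any source (assumption)
    users: Optional[tuple] = None               # one ("user" | "group", value) pair

    def set_users(self, kind, value):
        # Principle 2: "Preconditions: Users" holds one option; the last one set wins.
        self.users = (kind, value)

    def matches(self, event):
        if not self.enabled:
            return False
        # Principle 2: listed sources are alternatives (OR); an event carries one source.
        if self.sources and event["source"] not in self.sources:
            return False
        # Principle 1: each precondition that is set must also match (AND).
        if self.users is not None:
            kind, value = self.users
            if kind == "user" and event["user"] != value:
                return False
            if kind == "group" and value not in event["groups"]:
                return False
        return True

def evaluate(policies, event):
    """Return the first matching policy name, top to bottom (assumed first-match)."""
    for policy in policies:
        if policy.matches(event):
            return policy.name
    return None

# Constructed sample data; source labels are illustrative, not openNAC identifiers.
admins = Policy("admins-wired-or-vpn", sources={"dot1x", "vpn"})
admins.set_users("user", "alice")
admins.set_users("group", "netadmins")  # overwrites the "alice" condition
catch_all = Policy("default-quarantine")
POLICIES = [admins, catch_all]          # specific rule first, general rule last

EVENTS = [
    {"user": "bob", "groups": ["netadmins"], "source": "vpn"},
    {"user": "alice", "groups": ["staff"], "source": "dot1x"},
    {"user": "bob", "groups": ["netadmins"], "source": "mab"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["user"], ev["source"], "->", evaluate(POLICIES, ev))
```

In this model, swapping the order to `[catch_all, admins]` makes the general rule absorb every event, so the specific rule is never reached.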
You can find the Policies configuration window in the Default Administration Portal under ON NAC > Policies.
In the NextGen Administration Portal, this window is located under Configure > NAC > Policies.
If you have any doubts regarding which portal documentation you should refer to, read the Administration Portal section. There you can find the details about both portals and the use cases they support.