3.1.6.5. Security Profiles
You can create Security Profile objects (access lists) for use in the policy engine as postcondition parameters. A profile can be assigned to any user ingress port during network access, so that access lists allowing or denying ingress traffic are enforced at the end user's access port. The profile is then sent as a RADIUS parameter in the communication with the network device.

There are two types of Security profiles:
Static: For a static security profile, the Access Control List (ACL) must be pre-defined on the network device. Specify the name or ID of the security profile, making sure it matches the ACL name configured on the network devices. When a user device accesses the network and triggers the security policy, the name of the corresponding Security Profile is sent via RADIUS.
Dynamic: For a dynamic security profile, OpenNAC Enterprise sends the ACL entries directly to the network device as a command, with no prior definition on the device, so the ACL is applied remotely. In a dynamic security profile, specify the command to be sent to the network device, defining the ACL entries that permit or deny specific traffic on the user port.
3.1.6.5.1. Static configuration
Begin by applying the ACL configuration on the network device so that OpenNAC Enterprise can reference it by name.
For example, defining the ACL DENY_DNS_GOOGLE when configuring a Cisco 2920:
ip device tracking
ip access-list extended DENY_DNS_GOOGLE
deny ip any host 8.8.8.8
permit ip any any
In the Administration Portal, when adding a new security profile, configure the Security Profile ID parameter, in this case, with the value “DENY_DNS_GOOGLE”:

3.1.6.5.2. Dynamic configuration
The Dynamic configuration requires a single step. When creating a Security Profile, configure the Command parameter with the ACLs that you want to send to the network device.
The format of these ACL entries depends on the device model. Continuing with the Cisco example, the format is:
ip:inacl#1=deny ip any host 8.8.8.8
ip:inacl#2=permit ip any any
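As an added example (not part of the OpenNAC Enterprise documentation or product), the following Python builds the RADIUS attribute/value pairs for the two profile types above and sanity-checks a dynamic command before it is sent. The attribute names Filter-Id (static, named ACL) and cisco-avpair (dynamic, per-user ACL) are the standard Cisco attributes and are an assumption of this example, as is the SecurityProfile structure.

```python
import re
from dataclasses import dataclass, field

# Assumed RADIUS attribute names (Cisco convention), not taken from the page.
STATIC_ATTR = "Filter-Id"
DYNAMIC_ATTR = "cisco-avpair"
# One dynamic entry: ip:inacl#<seq>=<permit|deny> <proto> <rest of rule>
INACL_RE = re.compile(r"^ip:inacl#(\d+)=(permit|deny)\s+(\S+)\s+(.+)$")


@dataclass
class SecurityProfile:
    name: str
    profile_type: str                             # "static" or "dynamic"
    profile_id: str = ""                          # static: ACL name on the switch
    command: list = field(default_factory=list)   # dynamic: ip:inacl#N=... lines


def validate_dynamic_command(lines):
    """Return a list of problems found in a dynamic profile's command lines."""
    problems = []
    if not lines:
        return ["empty command: no ACL entries would be sent"]
    expected = 1
    last_action = None
    for line in lines:
        m = INACL_RE.match(line.strip())
        if not m:
            problems.append(f"malformed entry: {line.strip()!r}")
            continue
        seq = int(m.group(1))
        if seq != expected:
            problems.append(f"entry #{seq} out of sequence (expected #{expected})")
        expected = seq + 1
        last_action = m.group(2)
    if last_action == "deny":
        # Cisco ACLs end with an implicit deny; a deny-only list blocks everything.
        problems.append("last entry is a deny: all other traffic is implicitly denied")
    return problems


def radius_attributes(profile):
    """Render the attribute/value pairs carried in the RADIUS Access-Accept."""
    if profile.profile_type == "static":
        if not profile.profile_id:
            raise ValueError("static profile needs a Security Profile ID")
        return [(STATIC_ATTR, profile.profile_id)]
    problems = validate_dynamic_command(profile.command)
    if problems:
        raise ValueError("; ".join(problems))
    return [(DYNAMIC_ATTR, line.strip()) for line in profile.command]
```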
