3.2.2.4.3. Policy plugins

In the Policy plugins section, you can see all OpenNAC Enterprise plugins and configure them with their corresponding variables. The plugins are displayed grouped by use case: Visibility, UNAC, Segmentation, Network Device Compliance, Guest & BYOD, 2SRA (VPN).

Synchronous plugins

The synchronous plugins are executed during the device authentication process using poleval, allowing to change certain device parameters.

During the execution of a synchronous plugin, a poleval can trap and notify possible errors by showing a message in the poleval status message. If the plugin execution time exceeds 10 seconds, it will trigger a warning message.

After the execution of each synchronous plugin, the VLAN ID will be checked, and if the VLAN ID is set to “rejected,” the session status will be automatically updated accordingly. This ensures that the status change is enforced.

Asynchronous plugins

On the other hand, the asynchronous plugins are executed to complement the information or execute other functions when the device is already authenticated. Whenever an asynchronous plugin is executed, it is assigned a tag in the format PLE_<plugin_name>.

Asynchronous plugins are executed using workers, so the log is stored in /var/log/opennac/opennac-job.log file, and it can be viewed from OpenNAC Enterprise server command line or from OpenNAC Enterprise admin UI in Status -> File Log Viewer.

Plugin execution order ensures that during a poleval execution, the plugins are executed in the following order:

1. Synchronous plugins (based on their Execute order attribute)

2. Synchronous plugins

3. Asynchronous plugins

3.2.2.4.3.1. View list of plugin by policy

By clicking on View list of plugins by policy, it will display the same view as in the Configure > NAC > Policies section.

The toolbar helps you hide policies without configured plugins, filter by policy or by plugin, and select specific policies to visualize in the list.

3.2.2.4.3.2. Adding plugins in the policy rule Postconditions

You can add plugins to a policy rule in the NAC > Policies > Postconditions section. When a device passes a policy, the plugins configured on that policy will be executed.

In the same postconditions configuration section, administrators can overwrite the plugin parameters using a single policy rule using Custom params. You can modify the plugins parameters using the respective variable.

See the details of the available plugins grouped by use case in the following sections.

• 3.2.2.4.3.2.1. Visibility plugins
  • 3.2.2.4.3.2.1.1. checkHostDomain
  • 3.2.2.4.3.2.1.2. cynerio
  • 3.2.2.4.3.2.1.3. discover
  • 3.2.2.4.3.2.1.4. getUserInfoSync
  • 3.2.2.4.3.2.1.5. ipdiscover
    • 3.2.2.4.3.2.1.5.1. Requirements for a correct behavior
  • 3.2.2.4.3.2.1.6. medigate
  • 3.2.2.4.3.2.1.7. openPorts
  • 3.2.2.4.3.2.1.8. userDeviceProfiling
• 3.2.2.4.3.2.2. UNAC plugins
  • 3.2.2.4.3.2.2.1. ciscoprime
  • 3.2.2.4.3.2.2.2. getADGroup
  • 3.2.2.4.3.2.2.3. maxMacConnected
  • 3.2.2.4.3.2.2.4. staticNetworkPortSync
• 3.2.2.4.3.2.3. Segmentation plugins
  • 3.2.2.4.3.2.3.1. fortiGateAccounting
    • 3.2.2.4.3.2.3.1.1. Firewall Autodiscover - fortiGateAccounting feature
  • 3.2.2.4.3.2.3.2. getADGroup
  • 3.2.2.4.3.2.3.3. paloAlto
  • 3.2.2.4.3.2.3.4. setVlanSync
  • 3.2.2.4.3.2.3.5. snmpQuarantine
• 3.2.2.4.3.2.4. Network Device Compliance plugins
  • 3.2.2.4.3.2.4.1. airwatch
  • 3.2.2.4.3.2.4.2. airwatchSync
  • 3.2.2.4.3.2.4.3. maas360
  • 3.2.2.4.3.2.4.4. maas360Sync
• 3.2.2.4.3.2.5. Guest & BYOD plugins
  • 3.2.2.4.3.2.5.1. manageTags
  • 3.2.2.4.3.2.5.2. sendHttpRequest
  • 3.2.2.4.3.2.5.3. tagsLogoutSync
• 3.2.2.4.3.2.6. 2SRA plugins
  • 3.2.2.4.3.2.6.1. ironchipSync
    • 3.2.2.4.3.2.6.1.1. Ironchip authorization process
  • 3.2.2.4.3.2.6.2. mobileApp2FASync
  • 3.2.2.4.3.2.6.3. maxFailedAuthentications
  • 3.2.2.4.3.2.6.4. maxFailedAuthenticationsSync
  • 3.2.2.4.3.2.6.5. mobileIron
  • 3.2.2.4.3.2.6.6. mobileIronSync
  • 3.2.2.4.3.2.6.7. radius2FASync
  • 3.2.2.4.3.2.6.8. wireGuardSync