Feature Request: NAC Rule Grouping, Rule Description

  • Updated 2 years ago
Hi folks,

The NAC rules are getting confusing. It would be great if there were a possibility to group some rules, e.g. Wireless Authentication.

Another great thing would be a column for description.

A very good example of great rule ordering is Check Point (see demo picture below).



What do you think about this?

Best Regards
Michael
Michael Kirchner

Posted 3 years ago


Ronald Dvorak, Embassador

I think that is a great idea!!!

The NAC installations that I've done so far were easy and used mainly a small rule set - even then it's kind of confusing.
I can't imagine a rule set with 100+ lines.....

Rainer Adam

My customer's NAC has more than 750 rule matrix lines, so no need to panic. It works great (currently with LPAs and 2 HPAs; they will be changed in the next 2 months because of the "end of life" of the LPAs). They never have more than 5% CPU load on the LPAs with more than 4000 users.

Rainer Adam

It depends on what the customer wants to do. My customer's NAC has more than 750 rule matrix lines; wireless is one of these. You could authenticate on the "Switchport" where the user enters the LAN; in the case of wireless this is the WLAN controller.

With NAC you have so many possibilities, especially also for NAC, where you can easily create a location binding (some users are only allowed on specified access points at a pre-defined time), and much, much more.

Combine all the information you get from Netsight and NAC to make it secure. If you know that a printer will never come up as a Windows machine, deny it. We also have, for some special SSIDs, a "whitelist" where we define which End-System-Group is able to access this SSID (reverse blacklist)....

Rainer Adam

I have worked for more than 16 years now with Cabletron/Enterasys devices, but overall, they NEVER created such a stable thing as their NAC system. If there is something wrong, it is your fault. If NAC is configured properly, it works all the time, all the years....

Michael Kirchner

Hi Rainer,

I totally agree with you that NAC is a very powerful and robust product. But to be honest, even NAC has bugs sometimes ;) - lucky you if you have not run into one so far.

But nevertheless - why should Extreme stop improving their already great product? This is just a feature request.

Regards
Michael

M.Nees, Embassador

Same need for my customers!!

NAC needs Rule Grouping, Rule Description - Checkpoint GUI is a great template!