1) A system will be plugged into a port and will show up in the end-systems tab
2) An administrator will then add that to the "Allowed Devices" group which we have created (for simplicity, this group uses the "Default NAC Profile" which uses the "Enterprise User" Accept Policy)
3) All other systems that have not been added to the "Allowed Devices" group are blocked from accessing the network.
I have an isolated non-production switch that I want to test this on, but I have a question about the config and the rules.
1) We have one Configuration (IMS) that is currently in use on all switches. I have made a secondary Configuration (IMS - MAC Auth) which I wanted to use for MAC auth testing, but I can't figure out how to apply that to just the one switch I want to test on (it has been a while since we first deployed XMC/NAC and I don't know if I am just forgetting where the option is or if a whole new Policy Domain is needed to make this happen)?
2) If the other configuration can be assigned to just a switch for testing, will the attached rules accomplish what we want?
- Quarantine anything in the Blacklist group
- Send a notification for anything in the Assessment Warning group
- Allow anyone if the omni\XOS Administrators group to login to the switches (this currently works)
- Quarantine any system from which a user attempts to login to a switch but they are not in the omni\XOS administrators group
- Allow any system that is in the "Allowed Devices" group onto the network
- Block all other devices
I'm new to the NAC side of things and know that it can cause issues when configured incorrectly, so all the help (and clarification to ideas that I am not understanding correctly) you can provide is welcome.