
Trying to setup the most basic MAC based Access Control but need help


Stephen_Stormon
Contributor
We know that XMC and NAC can do a whole lot, but initially all we want to do is this:

1) A system will be plugged into a port and will show up in the end-systems tab
2) An administrator will then add that to the "Allowed Devices" group which we have created (for simplicity, this group uses the "Default NAC Profile" which uses the "Enterprise User" Accept Policy)
3) All other systems that have not been added to the "Allowed Devices" group are blocked from accessing the network.

I have an isolated non-production switch that I want to test this on, but I have a question about the config and the rules.
1) We have one Configuration (IMS) that is currently in use on all switches. I have made a secondary Configuration (IMS - MAC Auth) which I wanted to use for MAC auth testing, but I can't figure out how to apply that to just the one switch I want to test on (it has been a while since we first deployed XMC/NAC and I don't know if I am just forgetting where the option is or if a whole new Policy Domain is needed to make this happen)?
2) If the other configuration can be assigned to just a switch for testing, will the attached rules accomplish what we want?
  • Quarantine anything in the Blacklist group
  • Send a notification for anything in the Assessment Warning group
  • Allow anyone in the omni\XOS Administrators group to log in to the switches (this currently works)
  • Quarantine any system from which a user attempts to log in to a switch but is not in the omni\XOS Administrators group
  • Allow any system that is in the "Allowed Devices" group onto the network
  • Block all other devices
I know that this means that we will have to enable identity management on all ports and add all systems to the "Allowed Devices" group before enforcing those rules.

I'm new to the NAC side of things and know that it can cause issues when configured incorrectly, so all the help (and clarification to ideas that I am not understanding correctly) you can provide is welcome.

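The rule list in the post above is order-sensitive: a device that is in both the "Blacklist" and "Allowed Devices" groups should be quarantined, and anything not in any group should be blocked, which only works if the rules are evaluated top-down with the catch-all last. The following is an added illustration, not XMC/NAC code and not from the original post: a toy first-match rule evaluator over constructed end-system groups. It assumes first-match semantics and MAC-keyed group membership, and it normalizes MAC address formats before lookup, since a group entry written as "AA-BB-..." must still match a device reported as "aa:bb:...". The MAC addresses, group contents and rule names are constructed for the example.

```python
"""Toy first-match NAC rule evaluator (added illustration, not Extreme XMC/NAC code).

Assumptions: rules are evaluated top-down and the first matching rule decides;
end-systems are identified by MAC address; each group is a set of normalized MACs.
"""
import re


def normalize_mac(mac: str) -> str:
    """Return the canonical lowercase colon-separated form of a MAC address.

    'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' and 'aa:bb:cc:dd:ee:ff' all map to
    the same key, so group membership checks do not fail on formatting alone.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


# Constructed sample end-system groups (hypothetical MAC addresses).
# Note the deliberate overlap: 00:11:22:33:44:55 is both blacklisted and allowed.
GROUPS = {
    "Blacklist": {normalize_mac("00:11:22:33:44:55")},
    "Assessment Warning": {normalize_mac("00-11-22-33-44-66")},
    "Allowed Devices": {
        normalize_mac("0011.2233.4455"),  # same device as the blacklisted one
        normalize_mac("00:11:22:33:44:77"),
    },
}

# Ordered rule list mirroring the post: (rule name, group or None for catch-all, action).
RULES = [
    ("Quarantine blacklisted", "Blacklist", "Quarantine"),
    ("Warn on assessment", "Assessment Warning", "Notify"),
    ("Accept allowed devices", "Allowed Devices", "Accept"),
    ("Block everything else", None, "Reject"),
]


def has_catch_all(rules) -> bool:
    """True if the last rule matches every end-system (group is None)."""
    return bool(rules) and rules[-1][1] is None


def evaluate(mac: str, rules=RULES, groups=GROUPS):
    """Return (rule name, action) for the first rule the end-system matches.

    Raises if the rule set has no final catch-all: a device matching nothing
    would otherwise fall through with no decision at all.
    """
    if not has_catch_all(rules):
        raise RuntimeError("rule set needs an explicit final catch-all rule")
    key = normalize_mac(mac)
    for name, group, action in rules:
        if group is None or key in groups[group]:
            return name, action
    raise AssertionError("unreachable: catch-all rule did not match")


if __name__ == "__main__":
    for sample in ("00:11:22:33:44:55", "00:11:22:33:44:66",
                   "00:11:22:33:44:77", "de:ad:be:ef:00:01"):
        print(sample, "->", evaluate(sample))
```

Under these first-match semantics the overlapping device is quarantined because the Blacklist rule sits above the Accept rule; swapping those two rules would let it onto the network. The same ordering question applies to the notification rule: if it terminates evaluation, a device in the Assessment Warning group never reaches the Accept rule, so the real rule set's semantics for that action need to be checked before enforcing.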


Stephen_Stormon
Contributor
That must have been it.

Zdeněk_Pala
Extreme Employee
When you create a new group, you can assign the configuration.
Regards Zdeněk Pala

Zdeněk_Pala
Extreme Employee
When you create a new engine group, you can define the configuration.
Regards Zdeněk Pala

Stephen_Stormon
Contributor
Thanks. I know that I had not gone into the "legacy" NAC manager before to set it. I still wonder how I changed it previously in the "new" interface.