Manual Chapter: Access Policy Example

The example access policy covered in this appendix is based on real-world use. You can find a description of the how-to scenario at the beginning of the section.
You can check your progress against screenshots provided at a number of steps. The intention is to keep you on track without overburdening you with screenshots.
When you complete the steps, you will have a working version of the functionality the scenario covers. All information you need to deploy the working model is provided, including any hints, best practices, requirements, or warnings.
In this example, you design an access policy that assigns different network access resources to a user, depending on the Microsoft Active Directory® primary group ID. This case study is built with a modified version of the AD Auth Query and Resources macro.
To configure this example, you should have a configured Active Directory AAA server on your system. However, you can configure the entire example without actually configuring an Active Directory server.
Two lease pools (192.168.105.1 - 192.168.105.100 and 192.168.106.100 - 192.168.106.111).
An Active Directory auth query and resources macro, for which you must configure actions, and to which you must add terminals.
Two Active Directory query actions. One Active Directory query checks for the primary group ID attribute with a value of 100, and one checks for the primary group ID attribute with a value of 200.
1. On the Main tab of the navigation pane, expand Access Policy, and click ACLs.
The ACLs screen opens.
2. Click the Create button.
The New ACL screen opens.
3. In the Name box, type the name AD_ACL1.
4. Click the Create button.
The ACL Properties screen opens.
5. Above the Access Control Entries list, click the Add button.
The New Access Control Entry screen opens.
6. From the Type list, select L4.
7. From the Action list, select Allow.
8. Click Finished.
Because you did not type any IP addresses or ports, but only selected an action, this ACL is configured as a default ACL, which means this action (Allow) is applied to all connections, on all IP addresses, and all protocols.
10. Click the Create button.
The New ACL screen opens.
11. In the Name box, type the name AD_ACL2.
12. Click the Create button.
The ACL Properties screen opens.
13. Above the Access Control Entries list, click the Add button.
The New Access Control Entry screen opens.
14. From the Type list, select L4.
15.
16. From the Action list, select Reject.
17. Click Finished.
Again, because you did not type any IP addresses, but only selected an action and a protocol, this ACL rejects all connections on any IP address that attempt to use port 21, the typical FTP port.
1. On the Main tab of the navigation pane, expand Access Policy, and click Lease Pools.
The Lease Pool List screen opens.
2. Click the Create button.
The New Lease Pool screen opens.
3. In the Name box, type the name AD_Lease1.
4. Click the IP Address Range button.
5. In the Start IP Address box and the End IP Address box, type the start and end IP addresses for the IP address range. In this example, the start IP address is 192.168.105.1, and the end IP address is 192.168.105.100.
6. Click the Add button to add the IP addresses to the lease pool.
The lease pool appears as in Figure B.1.
7. Click the Repeat button.
The New Lease Pool screen opens.
8. In the Name box, type the name AD_Lease2.
9. In the Member List, select the existing entry (192.168.105.1 - 192.168.105.100) and click Delete.
10. In the Start IP Address box and the End IP Address box, type the start and end IP addresses for the IP address range. In this example, the start IP address is 192.168.106.100, and the end IP address is 192.168.106.111.
11. Click the Add button to add the IP addresses to the lease pool.
12. Click Finished.
Figure B.1 Lease pool example
In this task, you configure the network access resources for the case study. Each network access resource contains one lease pool.
1. On the Main tab of the navigation pane, expand Access Policy and click Network Access.
The Network Access screen opens.
2. Click the Create button to create a new network access resource.
The New Resource screen opens.
3. In the Name box, type CaseStudy_NA_AD1 as the name for the network access resource.
5. Click Finished.
The Properties screen for the network access resource opens.
6. On the Main tab of the navigation pane, under Access Policy, click Network Access again.
The Network Access screen opens.
7. Click the Create button to create a new network access resource.
The New Resource screen opens.
8. In the Name box, type CaseStudy_NA_AD2 as the name for the network access resource.
10. Click Finished.
In this task, you create an access profile, and configure the access policy associated with it. The access policy contains the configuration that the user steps through when attempting to connect.
1. On the Main tab of the navigation pane, expand Access Policy and click Access Profiles.
The Access Profiles List screen opens.
2. Click the Create button to create a new access profile.
The New Profile screen opens.
3. In the Name box, type CaseStudy_AD as the name for the access profile.
4. Click Finished.
1. On the CaseStudy_AD access profile screen, click the Access Policy tab.
The Access Policy screen opens.
2. Click the link Edit Access Policy for Profile "CaseStudy_AD".
The visual policy editor opens in a new tab or a new window, depending on your browser settings.
3. Click the Add New Macro button.
The Macro Template popup screen appears.
4. From the macro template list, select AD auth query and resources.
5. Click Save.
1. In the visual policy editor, click the plus sign (+) next to the AD auth query and resources macro to expand the macro.
2. On the AD Auth action, click the x to delete it.
When the Item deletion confirmation popup screen appears, click Delete.
3. On the AD Logging action, click the x to delete it.
When the Item deletion confirmation popup screen appears, click Delete.
1. In the visual policy editor, click the plus sign (+) next to the AD auth query and resources macro to expand the macro.
2. Click the AD Query action to view the configuration.
The AD Query action popup screen opens.
4. Verify that the Name box contains Primary Group ID is 100.
If this is not the name in the Name box, type the correct name.
5. Verify that the text Expression: User's Primary Group ID is 100 appears below the Name box.
If the expression is not configured correctly, click the change link, make the changes, and click Finished.
6. On the Fallback rule branch connected to the AD Query action, click the plus sign (+).
The Add Item popup screen opens.
7. If the list of authentication actions is not expanded, click the plus sign (+) next to Authentication to expand the list.
8. Select AD Query and click Add Item.
The Active Directory query action popup screen opens.
9. In the Name box, type AD Query 2.
10. Click the Branch Rules tab.
11. In the Name box, type Primary Group ID is 200.
12. Next to Expression: User's Primary Group ID is 100, click the change link.
The Expression popup screen opens.
13. In the User's Primary Group ID is box, type 200.
14. Click Finished.
15. Click Save.
1. In the visual policy editor, click the plus sign (+) next to the AD auth query and resources macro to expand the macro.
2. On the Primary Group ID is 100 rule branch connected to the AD Query action, click the Resource Assign action.
The Resource Assign action popup screen opens.
3. Click the Add new entry button.
The screen changes to display a new resource assignment entry.
4. Click Set Network Access Resource.
The resource assign popup screen opens.
6. Click the ACLs tab, select AD_ACL1, and click Update.
You return to the Resource Assign action popup screen.
7. Click the Save button.
The Resource Assign action popup screen closes.
8. In the macro, on the Primary Group ID is 200 rule branch connected to the AD Query 2 action, click the plus sign (+).
The Add Item popup screen opens.
9. If the list of general purpose actions is not expanded, click the plus sign (+) next to General Purpose to expand the list.
10. Select Resource Assign and click Add Item.
The Resource Assign action popup screen appears.
11. In the Name box, type Resource Assign 2.
12. Click the Add new entry button.
13. Click Set Network Access Resource.
The resource assign popup screen opens.
15. Click the ACLs tab, select AD_ACL2, and click Update.
You return to the Resource Assign action popup screen.
16. Click the Save button.
The Resource Assign action popup screen closes.
1. In the visual policy editor, above the macro, click the Edit Terminals button.
The Edit Terminals popup screen opens.
2. In the Name box for the Successful terminal, replace the name Successful with the name Group100.
3. Click the Add Terminal button.
The popup screen changes to display a new terminal line.
4. In the Name box for the new terminal, replace the name Terminal 1 with the name Group200.
6. Select the blue color #5 to change the color of the terminal, and click Save.
Note that you can choose any color for this terminal.
7. Click Save.
8. In the macro configuration, click the Failure terminal connected to the Resource Assign 2 action.
The Select Terminal popup screen opens.
9. Select the Group200 terminal, and click Save.
The section of the macro you just configured appears in the following figure.
1. In the access policy CaseStudy_AD, above the macro that you have configured, click the plus sign (+) on the Fallback branch.
The Add Item popup screen opens.
3. Select the macrocall AD auth query and resources Rules: Group200, Group100, Failure, and click Add Item.
4. Set the Group100 and Group200 endings to Allow endings.
5. Click Apply Access Policy.
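As an added illustration that is not part of the F5 manual or product, the following Python models the decision logic the completed policy implements: the two AD Query branch rules on the primary group ID, the Failure fallback when neither matches, and the two ACLs each branch assigns. It assumes the AD_ACL2 entry is TCP destination port 21 (the protocol and port step is not shown on this page), that an L4 entry with no address, port or protocol filled in matches every connection, and that a connection matched by no entry is allowed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AclEntry:
    action: str                     # "Allow" or "Reject"
    protocol: Optional[str] = None  # None: any protocol
    dst_port: Optional[int] = None  # None: any destination port

# ACLs from the first task: AD_ACL1 has one L4 entry with nothing filled in,
# so it is a default entry that allows everything; AD_ACL2 rejects TCP/21
# (assumption: the page does not show the protocol selected in step 15).
ACLS = {
    "AD_ACL1": [AclEntry("Allow")],
    "AD_ACL2": [AclEntry("Reject", "tcp", 21)],
}

# Branch rules in the order the macro evaluates them: AD Query (group 100),
# then AD Query 2 (group 200) on its Fallback branch, then Failure.
BRANCHES = [
    (100, "Group100", "CaseStudy_NA_AD1", "AD_ACL1"),
    (200, "Group200", "CaseStudy_NA_AD2", "AD_ACL2"),
]

def run_policy(primary_group_id: int) -> dict:
    """Return the ending and resources a session with this primaryGroupID gets."""
    for group_id, ending, na_resource, acl in BRANCHES:
        if primary_group_id == group_id:
            return {"ending": ending, "network_access": na_resource, "acl": acl}
    # Neither query matched: the second Fallback reaches the Failure terminal.
    return {"ending": "Failure", "network_access": None, "acl": None}

def acl_decision(acl_name: str, protocol: str, dst_port: int) -> str:
    """First matching entry wins; a field left empty matches any value."""
    for entry in ACLS[acl_name]:
        if entry.protocol not in (None, protocol):
            continue
        if entry.dst_port not in (None, dst_port):
            continue
        return entry.action
    return "Allow"  # assumption: traffic matched by no entry is allowed

def connection_allowed(primary_group_id: int, protocol: str, dst_port: int) -> bool:
    """A Failure ending gets no network access; otherwise the assigned ACL decides."""
    session = run_policy(primary_group_id)
    if session["ending"] == "Failure":
        return False
    return acl_decision(session["acl"], protocol, dst_port) == "Allow"
```

Running connection_allowed for a group 100 and a group 200 user against TCP port 21 shows the practical effect of the two ACLs: FTP is reachable from the first network access resource and rejected from the second, while a user in any other primary group is denied access entirely.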