4.1. Creating Policy
One of the most important pieces of any network access control infrastructure is the policy engine. The policy engine is central to a NAC deployment because it controls your entire NAC deployment by creating user access rules and controlling enforcement point in the network infrastructure.
NOTE
NAC central policy engines are called many different names:
Policy engine
Policy decision point
Policy server
NAC manager
NAC controller
The policy engine is responsible for determining whether a device or a particular usage should have access to the network. The policy engine also controls all the enforcement points on the network, whether the policy engine is a network appliance or a software agent running on a desktop machine or network server.
One of the primary roles of a policy engine is to make network access decisions based on access control policies determined by the NAC administrator. The core of the NAC policy typically includes three pieces of information:
NOTE
Network information: Source, destination, port, and protocol
Traditionally, a firewall policy examined the network information. The policy engine incorporates that function.
Endpoint integrity: Identifying hardware, applications, and the security posture of the endpoint.
User identity: Identifying the user and the user's groups.
4.1.1. Controls
With NAC, this policy includes network, user, and device information, using the policy engine and its primary job functions.
4.1.1.1. 802.1X control
The policy ...
Get Network Access Control For Dummies® now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
