Create or edit an access control policy
In this topic, you will learn how to create and assign an access control policy in Portnox™ Cloud.
To understand what policies are in Portnox Cloud, which types of policies are available, and how they work together with accounts and groups, read the following topic: What are policies in Portnox Cloud?.
- In the Cloud portal top menu, click on the Policies option.
- In the right-hand side pane, click on the Create policy button to create a new policy.
Note: You can also edit an existing policy by clicking on the ✎ icon on the right-hand side of the selected line that represents the policy. The creation and editing processes are almost the same.
- In the Access Control Policy Name field, enter the name for the new policy and in the field below, enter an optional description.
If you’re editing the System Default Policy, you cannot change its name.
- On the left-hand side, click on the Wireless (Network) option to configure policy rules for wireless networks.
Each policy contains rules for all three network types as well as for applications. If you do not configure a specific type, Portnox Cloud will use default settings for that type.
- In the SUCCESSFUL AUTHENTICATION tab, define the rules for successful authentication for wireless networks.
These rules will apply if the device authenticates successfully with Portnox Cloud and gains access to the network.
- In the AUTHENTICATION VIOLATION tab, define the rules for authentication violation for wireless networks.
These rules will apply if the device fails to authenticate with Portnox Cloud for any reason.
- In the RISK POLICY VIOLATION tab, define the rules for risk policy violation for wireless networks. The configuration process is identical to the one for the AUTHENTICATION VIOLATION tab.
These rules will apply if the device fails the assigned risk assessment policy. To create or edit a risk policy, see the following topic: Create or edit a risk assessment policy.
- In the BLOCKED BY ADMIN tab, define the rules for when the wireless device is blocked by the administrator. The configuration process is identical to the one for the AUTHENTICATION VIOLATION tab.
These rules will apply if the Portnox Cloud administrator manually blocks the device on the Devices screen.
- In the left-hand side menu, select the Wired (Network) option and repeat the steps above for wired networks.
The configuration options for wired networks are identical to those for wireless networks.
- In the left-hand side menu, select the VPN (Network) option and repeat the following steps for all tabs: SUCCESSFUL AUTHENTICATION, AUTHENTICATION VIOLATION, RISK POLICY VIOLATION, and BLOCKED BY ADMIN.
The configuration options for VPNs are identical for all four tabs.
Important: In this context, the term group policy refers to the Cisco definition, as outlined in Cisco documentation, rather than the more popular Microsoft interpretation of group policy. A group policy is a set of user-oriented attribute/value pairs for IPSec connections that are stored either internally (locally) on the device or externally on a RADIUS server.
- If you’re creating an access control policy for application access, select a relevant option in the RISK POLICY VIOLATION tab.
Application access control policies are used only by the Portnox Conditional Access functionality, and such policies contain no network-related settings. The policy only decides the action that Conditional Access takes if the user device does not meet the risk assessment policy requirements.
  - Deny access: If the user device is evaluated as unsafe by the risk assessment policy requirements, Conditional Access does not allow the user to access the application, displaying a standard message that directs the user to Portnox documentation.
  - Deny access and display message: As in the above option, but you can specify a message to display. For example, you can provide contact details for your users, or a link to your local documentation.
  - Deny access and redirect user to a given URL: As in the first option, but you can automatically redirect the user to any URL, for example, your local documentation pages for troubleshooting or contact information.
  - Always allow access: This setting is only recommended for testing in a monitoring mode. Conditional Access will allow the user to access the application even if the device is evaluated as unsafe by the risk assessment policy.
The Advanced settings section lets you choose between two options for handling the situation when the user ID presented in the certificate does not match the user ID in the identity provider:
  - Deny access: We recommend using this option for enhanced security. If there is a user mismatch between the identity provider and the certificate, the user will be denied access. This is the default setting.
  - Allow access: Use this option only if you use shared accounts, which we do not recommend for security reasons.
- To save your policy settings, click on the Save button on the bottom right of the page.
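The following is an added illustration, not Portnox code, of how the application-access decisions described above (the four RISK POLICY VIOLATION actions and the two Advanced settings for a certificate/identity-provider user mismatch) combine into a single access decision. All class names, the evaluation order (identity check before the risk result) and the UPN-shaped sample identities are assumptions made for the example.

```python
"""Toy model of a Conditional Access application-access decision.

Added example (assumed structure), not Portnox Cloud's implementation.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ViolationAction(Enum):
    """What to do when the device fails the risk assessment policy."""
    DENY = "deny"                          # standard message, nothing configurable
    DENY_WITH_MESSAGE = "deny_with_message"  # admin-supplied message
    DENY_REDIRECT = "deny_redirect"        # redirect to an admin-supplied URL
    ALWAYS_ALLOW = "always_allow"          # monitoring mode only


class MismatchAction(Enum):
    """Advanced setting: certificate user ID differs from identity-provider user ID."""
    DENY = "deny"    # default, recommended
    ALLOW = "allow"  # only for shared accounts


@dataclass
class AppAccessPolicy:
    violation_action: ViolationAction
    mismatch_action: MismatchAction = MismatchAction.DENY
    message: Optional[str] = None
    redirect_url: Optional[str] = None

    def __post_init__(self) -> None:
        # Refuse a policy whose chosen action has nothing to show the user.
        if self.violation_action is ViolationAction.DENY_WITH_MESSAGE and not self.message:
            raise ValueError("DENY_WITH_MESSAGE requires a message")
        if self.violation_action is ViolationAction.DENY_REDIRECT and not self.redirect_url:
            raise ValueError("DENY_REDIRECT requires a redirect_url")


@dataclass
class Decision:
    allowed: bool
    reason: str
    message: Optional[str] = None
    redirect_url: Optional[str] = None


def normalize_user_id(user_id: str) -> str:
    # Assumption: identities are UPN-shaped and compared case-insensitively.
    return user_id.strip().lower()


def evaluate(policy: AppAccessPolicy, cert_user_id: str, idp_user_id: str,
             risk_compliant: bool) -> Decision:
    """Return the access decision for one application-access attempt."""
    mismatch = normalize_user_id(cert_user_id) != normalize_user_id(idp_user_id)
    if mismatch and policy.mismatch_action is MismatchAction.DENY:
        return Decision(False, "user mismatch between certificate and identity provider")
    note = " (certificate/IdP user mismatch allowed by policy)" if mismatch else ""

    if risk_compliant:
        return Decision(True, "risk policy satisfied" + note)

    action = policy.violation_action
    if action is ViolationAction.ALWAYS_ALLOW:
        return Decision(True, "risk policy violated; allowed in monitoring mode" + note)
    if action is ViolationAction.DENY_WITH_MESSAGE:
        return Decision(False, "risk policy violated" + note, message=policy.message)
    if action is ViolationAction.DENY_REDIRECT:
        return Decision(False, "risk policy violated" + note, redirect_url=policy.redirect_url)
    return Decision(False, "risk policy violated" + note)


if __name__ == "__main__":
    # Constructed sample: redirect on violation, default deny on user mismatch.
    policy = AppAccessPolicy(ViolationAction.DENY_REDIRECT,
                             redirect_url="https://intranet.example/device-help")
    print(evaluate(policy, "Alice@Example.com", "alice@example.com", risk_compliant=False))
    print(evaluate(policy, "alice@example.com", "bob@example.com", risk_compliant=True))
```

The identity check runs before the risk result so that a device presenting another user's certificate is refused even when it is otherwise compliant; only a policy that explicitly opts into the shared-account setting lets such a session through, and the reason string records that the mismatch was tolerated so it can be audited.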
Result: You created or edited an access control policy. You can now assign this policy to groups.
To assign policies to groups, see the following topic: Assign policies to a group.