05-26-2016 07:38 AM - edited 03-10-2019 11:48 PM
I am curious to get your feedback on the best order to authorize devices in the Authorization Policy.
Currently we have it set for First Matched Rule Applies, and have the rules set up like this:
1: Wireless Blacklist devices --> Denied
2: MAB devices --> Allowed
3: Profiled devices --> Allowed
4: Dot1x Wired devices --> Allowed
5: Dot1x wireless devices --> Allowed
6: Guest wireless --> Allowed
7: Guest wired --> Allowed
8: Default --> Denied
Should we be authorizing profiled devices first, dot1x devices first, etc?
05-26-2016 10:48 AM
Hi
Your order seems correct.
First of all, you can use policy sets to apply different rules for wired and wireless. With this feature, you can also have different rules based on SSID, for example.
You have the blacklist rule in 1st position because you don't want to give a device that has been blocked any chance to connect.
MAB is 2nd because you want to connect some devices directly by checking MAC addresses and avoid those devices trying to connect in another way.
A profiled device could be a BYOD device (802.1X with a certificate and device registration in a specific group). You already know those devices and want them to connect, and avoid them going through a simple dot1x process or the whole registration process again.
The logic is the same for all rules, with a deny at the end to block all unknown devices that couldn't connect in one of the ways you have decided on for your network.
Saying that the order is correct could be difficult without seeing all rules (conditions and results).
By reading the conditions and results you can define the order, because some devices can authenticate in different ways, but not in the way you have decided. That's why order is important.
As you said, it's first-match rule evaluation, like a firewall, from top down.
Thanks. Hope this is clear enough.
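The point of the answer above is that first-match evaluation makes rule order part of the security decision: a device that can satisfy more than one rule gets whatever result the topmost matching rule returns. The following is an added illustration (not Cisco ISE code and not something posted in this thread) that models the eight rules from the question as a top-down first-match policy and evaluates a few constructed sessions against it, including the failure mode where the blacklist rule is moved below the dot1x rules. The session attributes, the blacklist and MAB MAC lists, the profile name `BYOD-Registered`, and the `authorize`/`misordered` helpers are all assumptions made for the example.

```python
"""
Toy first-match evaluator for an ISE-style authorization policy.
Added illustration, not Cisco ISE code. Session attributes, rule
conditions, the blacklist and the MAB allow-list are constructed here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Session = Dict[str, str]

# Constructed: MACs an admin has blocked (the "Wireless Blacklist" group).
BLACKLIST = {"00:11:22:33:44:55"}
# Constructed: MACs allowed to bypass 802.1X via MAB (printers, phones, ...).
MAB_ALLOWED = {"aa:bb:cc:dd:ee:01"}


@dataclass
class Rule:
    name: str
    matches: Callable[[Session], bool]
    result: str  # "PermitAccess" or "DenyAccess"


def is_wireless(s: Session) -> bool:
    return s.get("media") == "wireless"


# The eight rules from the question, in the order the poster uses them.
RULES: List[Rule] = [
    Rule("1 Wireless Blacklist", lambda s: is_wireless(s) and s["mac"] in BLACKLIST, "DenyAccess"),
    Rule("2 MAB devices", lambda s: s["auth"] == "mab" and s["mac"] in MAB_ALLOWED, "PermitAccess"),
    Rule("3 Profiled devices", lambda s: s.get("profile") == "BYOD-Registered", "PermitAccess"),
    Rule("4 Dot1x wired", lambda s: s["auth"] == "dot1x" and not is_wireless(s), "PermitAccess"),
    Rule("5 Dot1x wireless", lambda s: s["auth"] == "dot1x" and is_wireless(s), "PermitAccess"),
    Rule("6 Guest wireless", lambda s: s["auth"] == "guest" and is_wireless(s), "PermitAccess"),
    Rule("7 Guest wired", lambda s: s["auth"] == "guest" and not is_wireless(s), "PermitAccess"),
    Rule("8 Default", lambda s: True, "DenyAccess"),
]


def authorize(session: Session, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First Matched Rule Applies: walk top-down and stop at the first hit."""
    for rule in rules:
        if rule.matches(session):
            return rule.name, rule.result
    # A policy should always end in a catch-all; reaching here is a config bug.
    raise RuntimeError("no rule matched; the policy is missing a default rule")


def misordered() -> List[Rule]:
    """Same rules, but with the blacklist rule moved below the dot1x rules."""
    return RULES[1:5] + [RULES[0]] + RULES[5:]


# Constructed sessions. The first one is the interesting case: a blocked
# device that still holds valid 802.1X credentials and tries wireless dot1x.
SESSIONS: Dict[str, Session] = {
    "blocked laptop, valid dot1x on wireless":
        {"media": "wireless", "auth": "dot1x", "mac": "00:11:22:33:44:55"},
    "printer via MAB":
        {"media": "wired", "auth": "mab", "mac": "aa:bb:cc:dd:ee:01"},
    "registered BYOD phone":
        {"media": "wireless", "auth": "dot1x", "mac": "aa:bb:cc:dd:ee:02",
         "profile": "BYOD-Registered"},
    "unknown MAC trying MAB":
        {"media": "wired", "auth": "mab", "mac": "de:ad:be:ef:00:01"},
}


if __name__ == "__main__":
    for label, session in SESSIONS.items():
        good = authorize(session)
        bad = authorize(session, misordered())
        print(f"{label:40s} correct order -> {good}   blacklist moved down -> {bad}")
```

With the poster's order, the blocked laptop is denied by rule 1 even though it would also satisfy rule 5. Move the blacklist rule below the dot1x rules and the same session is permitted by "5 Dot1x wireless", which is exactly the "device can authenticate in a way you did not decide on" problem the answer warns about. The unknown MAC falls through every permit rule to the default deny, which is why the catch-all belongs at the bottom.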
05-26-2016 01:53 PM
Thank you for your help!
05-26-2016 01:59 PM
You're welcome