What order for Authz Policy?

BTinNC (Level 1)

I am curious to get your feedback on the best order to authorize devices in the Authorization Policy.

Currently we have it set for First Matched Rule Applies, and have the rules set up like this:

1: Wireless Blacklist devices --> Denied
2: MAB devices --> Allowed
3: Profiled devices --> Allowed
4: Dot1x Wired devices --> Allowed
5: Dot1x wireless devices --> Allowed
6: Guest wireless --> Allowed
7: Guest wired --> Allowed
8: Default --> Denied

Should we be authorizing profiled devices first, dot1x devices first, etc?

Accepted Solution

Francesco Molino (VIP Alumni)

Hi

Your order seems correct.

First of all, you can use a policy-set in order to apply different rules for wired and wireless. With this feature, you can also do different rules based on SSID, for example.

You have the blacklist rule in 1st position because you don't want to give a device that has been blocked a chance to connect.

MAB is 2nd because you want to connect some devices directly by checking MAC addresses and avoid those devices trying to connect in another way.

A profiled device could be a BYOD (802.1x with certificate and device registration in a specific group). You already know those devices and want them to be connected, and avoid them going through a simple dot1x process or the whole registration process again.

The logic is the same for all rules, with a deny at the end to block all unknown devices that couldn't connect in a way you have decided on your network.

Saying that the order is correct could be difficult without seeing all rules (conditions and results).

By reading conditions and results you can define the order, because some devices can authenticate in different ways but not the way you have decided. That's why order is important.

As you said, it's 1st-match rule, like a firewall from top to bottom.

Thanks. Hope this is clear enough.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
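To make the first-match point concrete, here is an added example (not from this thread and not Cisco ISE code) that models the eight rules from the question as predicates over constructed endpoint attributes and shows that moving the MAB rule above the blacklist would permit a blocked device whose MAC is also in the MAB list. The attribute names (`blacklisted`, `mab_known`, `profile`) are assumptions for the illustration.

```python
# Added example (not from the thread or from Cisco ISE): a minimal first-match
# evaluator mirroring the eight-rule authorization policy in the question.
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Endpoint:
    mac: str
    medium: str                      # "wired" or "wireless"
    auth: str                        # "dot1x", "mab" or "guest" (portal)
    blacklisted: bool = False        # assumed attribute: endpoint is in the blacklist group
    mab_known: bool = False          # assumed attribute: MAC is in the MAB allow list
    profile: Optional[str] = None    # assumed attribute: e.g. "BYOD-Registered"

@dataclass
class Rule:
    name: str
    match: Callable[[Endpoint], bool]
    result: str

POLICY = [
    Rule("Wireless Blacklist", lambda e: e.medium == "wireless" and e.blacklisted, "DENY"),
    Rule("MAB devices", lambda e: e.mab_known, "PERMIT"),
    Rule("Profiled devices", lambda e: e.profile is not None, "PERMIT"),
    Rule("Dot1x Wired", lambda e: e.auth == "dot1x" and e.medium == "wired", "PERMIT"),
    Rule("Dot1x Wireless", lambda e: e.auth == "dot1x" and e.medium == "wireless", "PERMIT"),
    Rule("Guest Wireless", lambda e: e.auth == "guest" and e.medium == "wireless", "PERMIT"),
    Rule("Guest Wired", lambda e: e.auth == "guest" and e.medium == "wired", "PERMIT"),
    Rule("Default", lambda e: True, "DENY"),
]

def authorize(endpoint, policy=POLICY):
    """First matched rule applies: return (rule name, result) of the first hit."""
    for rule in policy:
        if rule.match(endpoint):
            return rule.name, rule.result
    raise RuntimeError("policy has no catch-all rule")

def swap(policy, a, b):
    """Return a copy of the policy with rules a and b exchanged (for what-if checks)."""
    p = list(policy)
    p[a], p[b] = p[b], p[a]
    return p

# Constructed endpoints: a blacklisted phone that is also MAB-known, and an unknown wired host.
BLOCKED_PHONE = Endpoint("00:11:22:33:44:55", "wireless", "mab", blacklisted=True, mab_known=True)
UNKNOWN_WIRED = Endpoint("66:77:88:99:aa:bb", "wired", "mab")
```

With the order as posted, `BLOCKED_PHONE` is denied by rule 1; with rules 1 and 2 swapped it is permitted by the MAB rule, which is exactly the case the blacklist-first placement is meant to prevent.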


Thank you for your help!

You're welcome

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question