Users Guide

Dell Networking W-ClearPass Policy Manager 6.4 | User Guide Enforcement | 263
Chapter 11
Enforcement
Policy Manager controls network access by sending a set of access-control attributes to the request-originating
Network Access Device (NAD).
Policy Manager sends these attributes by evaluating an Enforcement Policy associated with the service. The
evaluation of Enforcement Policy results in one or more Enforcement Profiles; each Enforcement Profile wraps
the access control attributes sent to the Network Access Device. For example, for RADIUS requests, commonly
used Enforcement Profiles include attributes for VLAN, Filter ID, Downloadable ACL, and Proxy ACL.
For more information, see:
- Enforcement Architecture and Flow on page 263
- Configuring Enforcement Profiles on page 264
- Configuring Enforcement Policies on page 298
Enforcement Architecture and Flow
To evaluate a request, a Policy Manager Application assembles the request’s client roles, client posture (system
posture token), and system time. The calculation that matches these components to a pre-defined
Enforcement Profile occurs inside of a black box called an Enforcement Policy.
Each Enforcement Policy contains a rule or set of rules for matching Conditions (role, posture and time) to
Actions (Enforcement Profiles). For each request, it yields one or more matches, in the form of Enforcement
Profiles, from which Policy Manager assembles access-control attributes for return to the originating NAD,
subject to the following disambiguation rules:
- If an attribute occurs only once within an Enforcement Profile, transmit it as is.
- If an attribute occurs multiple times within the same Enforcement Profile, transmit it as a multi-valued attribute.
- If an attribute occurs in more than one Enforcement Profile, only transmit the value from the first Enforcement Profile in priority order.
Optionally, each Enforcement Profile can have an associated group of NADs; when this occurs, Enforcement Profiles
are only sent if the request is received from one of the NADs in the group. For example, you can have the same rule
for VPN, LAN and WLAN access, with enforcement profiles associated with device groups for each type of access. If a
device group is not associated with the enforcement profile, attributes in that profile are sent regardless of where
the request originated.
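The flow described in this section (conditions on role, posture and time selecting Enforcement Profiles, the optional NAD-group gate, and the three disambiguation rules for merging attributes) can be modelled in a few dozen lines. The following is an added illustration, not ClearPass code: the role names, posture tokens, profile names, attribute values and NAD identities are constructed sample data, and it assumes that every matching rule contributes profiles and that the order in which profiles are collected (rule order, then action order) is the priority order used by the third rule.

```python
"""Model of the enforcement flow described above (added illustration, not
ClearPass code). All names and values below are constructed sample data."""
from collections import OrderedDict

# Constructed Enforcement Profiles. 'nad_group' is the optional set of NADs
# the profile applies to; None means the profile is sent regardless of which
# NAD originated the request. 'attrs' is a list of (attribute, value) pairs so
# that the same attribute can legitimately appear more than once in a profile.
PROFILES = {
    "Employee-WLAN": {"nad_group": {"wlc-1", "wlc-2"},
                      "attrs": [("Tunnel-Private-Group-Id", "100"),
                                ("Filter-Id", "employee-acl")]},
    "Employee-LAN": {"nad_group": {"sw-1"},
                     "attrs": [("Tunnel-Private-Group-Id", "200")]},
    "Quarantine": {"nad_group": None,
                   "attrs": [("Tunnel-Private-Group-Id", "999"),
                             ("Filter-Id", "dns-only"),
                             ("Filter-Id", "deny-all")]},
}

# Constructed Enforcement Policy: each rule maps a Condition over the request
# (roles, posture token, time) to an Action (a list of profile names). Rules
# are listed in priority order; every matching rule contributes (assumption).
POLICY = [
    (lambda r: r["posture"] != "HEALTHY", ["Quarantine"]),
    (lambda r: "Employee" in r["roles"] and 8 <= r["hour"] < 18,
     ["Employee-WLAN", "Employee-LAN"]),
]


def evaluate_policy(policy, request):
    """Return the names of the profiles selected by every matching rule,
    in priority order and without duplicates."""
    selected = []
    for condition, actions in policy:
        if condition(request):
            for name in actions:
                if name not in selected:
                    selected.append(name)
    return selected


def applicable_profiles(names, profiles, originating_nad):
    """Drop profiles whose NAD group does not contain the originating NAD."""
    kept = []
    for name in names:
        group = profiles[name]["nad_group"]
        if group is None or originating_nad in group:
            kept.append(name)
    return kept


def merge_attributes(names, profiles):
    """Apply the three disambiguation rules:
    - an attribute seen once in a profile is sent as is;
    - an attribute repeated within one profile becomes multi-valued (a list);
    - an attribute present in several profiles is taken only from the first
      profile in priority order."""
    merged = OrderedDict()
    for name in names:
        per_profile = OrderedDict()           # values of each attribute in this profile
        for attr, value in profiles[name]["attrs"]:
            per_profile.setdefault(attr, []).append(value)
        for attr, values in per_profile.items():
            if attr in merged:
                continue                      # a higher-priority profile already supplied it
            merged[attr] = values[0] if len(values) == 1 else values
    return dict(merged)


def build_response(request, policy=POLICY, profiles=PROFILES):
    """Attributes returned to the NAD for one request: evaluate the policy,
    gate the selected profiles by NAD group, then merge in priority order."""
    names = evaluate_policy(policy, request)
    names = applicable_profiles(names, profiles, request["nad"])
    return merge_attributes(names, profiles)


def sample_request(nad, posture="HEALTHY", hour=10):
    """Constructed request: an Employee-role client seen at a given NAD."""
    return {"roles": {"Employee"}, "posture": posture, "hour": hour, "nad": nad}


if __name__ == "__main__":
    for nad in ("wlc-1", "sw-1", "vpn-1"):
        for posture in ("HEALTHY", "QUARANTINE"):
            print(nad, posture, "->", build_response(sample_request(nad, posture)))
```

Running the block shows the rules interacting: a quarantined client on wlc-1 matches both rules, but the VLAN and Filter-Id values come from the Quarantine profile because it is first in priority order, and Filter-Id is sent multi-valued because it appears twice there; a healthy client on a VPN concentrator that is in no device group gets no attributes at all, since both Employee profiles are gated to their own NAD groups.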