Access Policies
Access policies decide what happens when a device authenticates — which VLAN, which ACL, whether MFA or a posture check is required. They're evaluated by priority; the first match wins.
Create a policy
- Go to Network → RADIUS / NAC → Access Policies → New.
- Set the identity:
- Name, Priority (lower = evaluated first), and Enabled.
- Match type —
any,group,user,device_type,ssid,nas,nas_identifier,medium, orcert_template— plus the Match value. Narrow further with SSID, NAS identifier, and Medium (wired/wireless) where relevant.
Decide the outcome
- Assign VLAN — put matching devices on a specific VLAN.
- Filter‑Id — apply a named ACL configured on the NAS.
- Downloadable ACL (dACL) — push an ACL inline.
- Session timeout (seconds) — force periodic re‑auth.
Add conditions
- Require MFA — challenge for a second factor before granting access.
- Require posture check — only allow devices that pass Posture Rules; cap trust with Max risk score (0–100) and Max posture age (minutes).
- From / To — restrict the policy to a time window.
Order matters
Policies are checked top‑down by priority. Put specific rules (a group, an SSID) above broad ones, and keep a sensible catch‑all (match any) last.
tip
Model your quarantine path as a low‑priority "posture failed → restricted VLAN" policy, and your trusted path as a higher‑priority "group = employees + posture pass → corp VLAN".