Skip to main content

Access Policies

Access policies decide what happens when a device authenticates — which VLAN, which ACL, whether MFA or a posture check is required. They're evaluated by priority; the first match wins.

Create a policy

  1. Go to Network → RADIUS / NAC → Access PoliciesNew.
  2. Set the identity:
    • Name, Priority (lower = evaluated first), and Enabled.
    • Match typeany, group, user, device_type, ssid, nas, nas_identifier, medium, or cert_template — plus the Match value. Narrow further with SSID, NAS identifier, and Medium (wired/wireless) where relevant.

Decide the outcome

  • Assign VLAN — put matching devices on a specific VLAN.
  • Filter‑Id — apply a named ACL configured on the NAS.
  • Downloadable ACL (dACL) — push an ACL inline.
  • Session timeout (seconds) — force periodic re‑auth.

Add conditions

  • Require MFA — challenge for a second factor before granting access.
  • Require posture check — only allow devices that pass Posture Rules; cap trust with Max risk score (0–100) and Max posture age (minutes).
  • From / To — restrict the policy to a time window.

Order matters

Policies are checked top‑down by priority. Put specific rules (a group, an SSID) above broad ones, and keep a sensible catch‑all (match any) last.

tip

Model your quarantine path as a low‑priority "posture failed → restricted VLAN" policy, and your trusted path as a higher‑priority "group = employees + posture pass → corp VLAN".