This rule set will always be the the first set to be executed. Other rule sets are called from here.
is_location_enforcedUnenforced Devicesend_sessionDevice Settingsoffalways in productionMove to Productionalways in quarantineAlways in QuarantineDevice EnforcementQuarantineThe default action is to quarantine.
This rule set serves as an example for what might be done to launch actions based on audit results of a device not under enforcement (i.e. audits run on devices that are not on an enforced port).
nac_requestwas_immediate_runimmediateQuick ScanDefaultThe "#{health}" health verification against the "#{last_testset}" audit test set has failed.
This rule set is where specific device settings should be managed (e.g. setting the production zone).
production_zoneproduction_zonedefaultThis rule set is where enforcement of devices is managed.Allow a device with good health back on immediately if the device was online recently.last_online_time0last_audit_time0DefaultMove to ProductionbackgroundQuick Scan720Wait for MAC/IPcorporate-agentcorporate-agent-webauthRequire Lockdown Agentbackgroundwas_immediate_runimmediateQuick Scancorporate-agent-webauthcorporate-webauthRequire AuthenticationDefaultMove to Production (user)DefaultMove to ProductionMove to QuarantinenapThis rule set can be used to ensure a device is finally moved into its production network.in_productionagent_oninfoNow in ProductionThe Lockdown Enforcer has now placed you in Production.This rule set requires a Lockdown Agent only for the audit.agent_presentagent_offQuarantineThe Lockdown Agent is required before access to the network is allowed.backgroundwas_immediate_runimmediateQuick ScanQuarantineAn audit is being run to determine the health of your system.agent_presentDefault
This rule set can be used when a MAC and an IP address is required.
macipQuarantineWaiting to learn a MAC and an IP address.This rule set can be used to require authentication.is_authenticatedQuarantineAuthentication is required.prev_match#{dev} has authenticated as #{user} via #{auth_type}
This rule set can be used as a replacement for the Device Enforcement Rule Set. This one will still run a Quick Scan, but will allow devices on to the network right away and only quarantine them if the audit is failed.
Wait for MAC/IPwas_immediate_runimmediateQuick Scanwas_immediate_runDefaultMove to QuarantineMove to Production
This rule set can be used as a replacement for the Device Enforcement Rule Set. This one will still run a Quick Scan, but will allow devices on to the network right away if they have audit results that pass.
Wait for MAC/IPlast_testsetimmediateQuick Scanlast_testsetDefaultMove to QuarantineMove to Production
This is an example of how policy might be enforced for a particular conference room based on who has logged in. This can be used as a template to be called from the Device Enforcement Rule Set just after the rule for learning the IP. Note that this Rule Set makes use of some special names that either need to be in place or this set should be modified to use different values.
Conference RoomrulesetRequire Authenticationuser_groupsQuarantineWaiting to learn user group membership for #{user}.fullExecutivesproduction_zoneExecutive VLANAllow Last Audit PassedEmployeesAllow Before AuditNote that this rule will fall through to the remainder of the policy. The only change here is to assign the device to a special VLAN.Guestsproduction_zoneGuest VLANThis rule set can be used to require the Lockdown Agent.agent_presentQuarantineThe Lockdown Agent is required before access to the network is allowed.This rule set can be used to ensure a device is finally moved into its production network.in_productionagent_oninfoNow in ProductionThe Lockdown Enforcer has now placed you in Production.alicebobfulldonnaguestfullQuarantineThe "#{health}" health verification against the "#{last_testset}" audit test set has failed.QuarantineDevice #{dev} is a member of the Always in Quarantine group.