370 | Administrator Tasks | ClearPass Guest 3.9 | Deployment Guide
The access control rules will be applied in order, from the most specific match to the least specific match.
Access control entries are more specific when they match fewer IP addresses. The most specific entry is a
single IP address (for example, 1.2.3.4), while the least specific entry is the match-all address of 0.0.0.0/0.
As another example, the network address 192.168.2.0/24 is less specific than a smaller network such as
192.168.2.192/26, which in turn is less specific than the IP address 192.168.2.201 (which may also be
written as 192.168.2.201/32).
To determine the result of the access control list, the most specific rule that matches the client’s IP address
is used. If the matching rule is in the Denied Access list, then the client will be denied access. If the
matching rule is in the Allowed Access list, then the client will be permitted access.
If the Allowed Access list is empty, all access will be allowed, except to clients with an IP address that
matches any of the entries in the Denied Access list. This behavior is equivalent to adding the entry
0.0.0.0/0 to the Allowed Access list.
If the Denied Access list is empty, only clients with an IP address that matches one of the entries in the
Allowed Access list will be allowed access. This behavior is equivalent to adding the entry 0.0.0.0/0 to the
Denied Access list.
For example, assuming that visitors are assigned IP addresses in the 10.1.0.0/16 network, and operators
are using the 192.168.88.0/24 network:
If the ‘Allowed’ list is empty and the ‘Denied’ list contains 10.1.0.0/16, operator logins will be permitted
to all IP addresses other than those on the guest network.
For greater security, the operator logins may be restricted more explicitly:
If the ‘Allowed’ list is set to 192.168.88.0/24, and the ‘Denied’ list is set to 0.0.0.0/0, operators may only
access the system from the specified network.
Guest self-registration is still permitted regardless of guest IP address.
The ‘Deny Behavior’ drop-down list may be used to specify the action to take when access is denied.
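The most-specific-match evaluation described above, sketched in Python as an added example (not code from ClearPass Guest or the guide). The function names and the deny result for a tie, for an address that matches no entry, and for two empty lists are assumptions; the page does not define those cases.

```python
import ipaddress

MATCH_ALL = ipaddress.ip_network("0.0.0.0/0")


def evaluate(client_ip, allowed, denied):
    """Return 'allow' or 'deny' for client_ip (hypothetical helper)."""
    ip = ipaddress.ip_address(client_ip)
    # A bare address such as 192.168.2.201 parses as a /32 network.
    allow_nets = [ipaddress.ip_network(e, strict=False) for e in allowed]
    deny_nets = [ipaddress.ip_network(e, strict=False) for e in denied]

    # Page rule: an empty list behaves as if it held the match-all entry.
    allow_nets = allow_nets or [MATCH_ALL]
    deny_nets = deny_nets or [MATCH_ALL]

    def best_prefix(nets):
        # Longest prefix among the entries containing the client, -1 if none.
        return max((n.prefixlen for n in nets if ip in n), default=-1)

    a, d = best_prefix(allow_nets), best_prefix(deny_nets)
    # The most specific matching rule decides the result.
    # Assumption: equal specificity or no match at all falls back to deny.
    return "allow" if a > d else "deny"


def demo():
    """Run the guide's two operator-login configurations on constructed IPs."""
    operator, guest, other = "192.168.88.20", "10.1.4.7", "172.16.0.9"
    loose = dict(allowed=[], denied=["10.1.0.0/16"])
    strict = dict(allowed=["192.168.88.0/24"], denied=["0.0.0.0/0"])
    return {
        "loose": [evaluate(ip, **loose) for ip in (operator, guest, other)],
        "strict": [evaluate(ip, **strict) for ip in (operator, guest, other)],
    }


if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results)
```

The two configurations differ only for the address outside both networks: the deny-only list admits it, while the explicit allow list with a match-all deny does not.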
Network Diagnostic Tools
A number of built-in diagnostic tools are available to verify different aspects of your network’s
configuration. To view these tools, navigate to Administrator > Network Setup, then click the
Network Diagnostics command link.