The Policy Classification Engine feature helps configure device-based policies and client (network endpoint) profiling, and enforces a per-user or per-device policy on a network.
You can configure sets of different policies that can be used for lookup and sequential matching. A policy is matched based on the configured policy statement. Use policies to profile devices based on the Dynamic Host Configuration Protocol (DHCP) or HTTP to identify end devices in a network. You can enforce specific policies at network endpoints.
The device (switch; for example, Cisco Catalyst 3850 Wireless LAN Controller) uses these attributes and predefined classification profiles to identify devices.
Policies are configured based on the following parameters:
- Device—Types of end devices. Examples are Windows machines, smartphones, Apple devices such as iPads and iPhones, and so on.
- Regular expressions
- User role—The user type or user group to which a user belongs. Examples are students, employees, and so on.
- Username—Login credentials entered by users.
- Time-of-day—The time of day when endpoints are allowed into a network.
- OUI—The MAC address that identifies the Organizationally Unique Identifier (OUI).
- MAC address—The MAC address of the endpoint.
Once the device (switch) has a match corresponding to the policy parameters per endpoint, a policy is added. Policy enforcement is based on the following session attributes:
You can configure policies and, based on the session attributes, enforce these policies on endpoints.
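The following Python sketch is an added illustration, not Cisco code or configuration: it models sequential matching over the parameters listed above so that the effect of policy order can be checked before deployment. It assumes first-match-wins semantics, and all policy names, device-type strings, and MAC addresses are constructed sample values.

```python
import re
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

@dataclass
class Endpoint:                      # attributes learned for one session
    mac: str
    device_type: str
    user_role: str
    username: str
    seen_at: time

@dataclass
class Policy:                        # None means "parameter not configured"
    name: str
    device_regex: Optional[str] = None
    user_role: Optional[str] = None
    username: Optional[str] = None
    oui: Optional[str] = None
    mac: Optional[str] = None
    window: Optional[Tuple[time, time]] = None

def hexdigits(value: str) -> str:    # 00:11:22, 0011.22 and 00-11-22 compare equal
    return re.sub(r"[^0-9a-f]", "", value.lower())

def in_window(t: time, window: Tuple[time, time]) -> bool:
    s, e = window                    # second branch handles windows crossing midnight
    return (s <= t < e) if s <= e else (t >= s or t < e)

def matches(p: Policy, ep: Endpoint) -> bool:
    mac = hexdigits(ep.mac)
    return all((
        p.device_regex is None or re.fullmatch(p.device_regex, ep.device_type, re.I) is not None,
        p.user_role is None or p.user_role == ep.user_role,
        p.username is None or p.username == ep.username,
        p.oui is None or mac[:6] == hexdigits(p.oui),
        p.mac is None or mac == hexdigits(p.mac),
        p.window is None or in_window(ep.seen_at, p.window),
    ))

def classify(policies, ep: Endpoint) -> Optional[str]:
    # Assumed semantics: the first policy whose configured parameters all match wins.
    return next((p.name for p in policies if matches(p, ep)), None)

POLICIES = [                         # constructed sample data
    Policy("student-ipad-daytime", device_regex=r"apple-ipad.*",
           user_role="student", window=(time(8), time(18))),
    Policy("lab-printers", oui="00:11:22"),
    Policy("any-student", user_role="student"),
]
```

Running the same endpoint through a reordered policy list shows when a broad policy placed early shadows a more specific one that follows it.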