While each of the security features mentioned previously can be configured on a network-wide basis, there are times when certain clients should have more specific policies applied than the network-wide defaults. While it certainly is possible to use static or dedicated IPs to create unique rules to bypass or enforce additional Layer 3 firewall rules, this creates additional overhead and doesn’t bypass features such as content filtering, Layer 7 firewall rules, and Cisco AMP.
For situations like this, where specific clients or users require a different set of rules or policies than the network-wide configuration, you configure group policies and assign them to either enhance or override network-wide configurations for specific clients, users, or even entire subnets. Figure 5-5 shows several group policies, each configured to allow special network access for group members, while Figure 5-6 shows the detailed configuration for an example group policy.
Figure 5-5 Example Group Policies List in the Dashboard
Figure 5-6 Example Configuration for a Specific Group Policy
To create group policies, navigate to the Network-wide > Group Policy page on the Dashboard. If you want to assign group policies manually to a specific client device, go to the Network-wide > Clients page, select the client, and use the Policy drop-down list to apply a new policy to the client. You also can choose to automatically assign group policies to specific users through the use of either Active Directory or RADIUS integration by passing specific attributes, such as Filter-ID in the case of RADIUS, that match an associated group policy configured on the Dashboard during the logon process.
Using an integration like Active Directory or RADIUS allows administrative users, for example, to automatically be provided with increased network access based on their needs without having to manually reassign device policies or create manual exceptions. This can greatly reduce the overhead required for troubleshooting and daily administration, as users will automatically be assigned an appropriate access policy based on the information passed during user logon, regardless of the device currently in use.
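As an added example (not from the book or from Cisco Meraki), the following Python check audits whether the Filter-Id reply attributes in a FreeRADIUS-style users file line up with the group policy names configured on the Dashboard; a value that does not match any policy name is assumed to leave the user on the network-wide default, which is easy to overlook when troubleshooting. The users-file entries and policy names are constructed sample data, and the Dashboard API endpoint named in the comment is an assumption, not called here.

```python
import re
from typing import Dict, Optional

# Constructed sample: group policy names as configured on the Dashboard under
# Network-wide > Group Policy. In practice these would be pulled from the
# Dashboard API (assumed endpoint: GET /networks/{networkId}/groupPolicies).
DASHBOARD_GROUP_POLICIES = ["IT-Admins", "Guest-Restricted", "Contractors"]

# Constructed FreeRADIUS "users"-style entries: an unindented line opens a user
# entry; indented lines are reply items, where Filter-Id names the group policy.
USERS_FILE = """\
alice   Cleartext-Password := "changeme"
        Filter-Id = "IT-Admins"
bob     Cleartext-Password := "changeme"
        Filter-Id = "it-admins"
carol   Cleartext-Password := "changeme"
        Filter-Id = "Contractor"
dave    Cleartext-Password := "changeme"
        Reply-Message = "no policy attribute"
"""
FILTER_ID_RE = re.compile(r'^\s+Filter-Id\s*[:+]?=\s*"([^"]*)"')

def parse_filter_ids(users_text: str) -> Dict[str, Optional[str]]:
    """Map each username to the Filter-Id its reply carries (None if absent)."""
    result: Dict[str, Optional[str]] = {}
    current = None
    for line in users_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # new entry: username is first token
            current = line.split()[0]
            result.setdefault(current, None)
        elif current is not None and (m := FILTER_ID_RE.match(line)):
            result[current] = m.group(1)
    return result

def audit_policy_mapping(users_text: str, policies) -> Dict[str, str]:
    """Flag users whose reply would not select a policy. Assumes the Dashboard
    matches Filter-Id to the policy name exactly; anything else falls back to
    the network-wide default policy."""
    folded = {p.casefold(): p for p in policies}
    verdict: Dict[str, str] = {}
    for user, fid in parse_filter_ids(users_text).items():
        if fid is None:
            verdict[user] = "no-filter-id"
        elif fid in policies:
            verdict[user] = "ok"
        elif fid.casefold() in folded:
            verdict[user] = f"case-mismatch (Dashboard has {folded[fid.casefold()]!r})"
        else:
            verdict[user] = "unknown-policy"
    return verdict
```

Running `audit_policy_mapping(USERS_FILE, DASHBOARD_GROUP_POLICIES)` reports alice as ok, bob as a case mismatch, carol as naming a policy that does not exist, and dave as having no Filter-Id at all.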