Rules

What are Rules?

Rules in Metadefender NAC decide which devices can access what parts of your network based on specific conditions you set up. Think of it as creating a checklist - if a device meets all the requirements on your checklist, it gets the access you've defined.

How Rules Work

When a device tries to connect to your network, MetaDefender NAC checks your rules from top to bottom. The first rule that matches the device's characteristics determines what access the device gets.

Example: If you have a rule that says "All company laptops with MD Endpoint installed get full network access," any laptop meeting those conditions will automatically receive full access.

Getting Started with Rules

Step 1: Access the Rules Section

  1. Log in to your MetaDefender IT Access console
  2. Click on "RADIUS NAC" in the left menu
  3. Select the "Rules" tab
  4. Click "Add New Rule" to create your first rule

Step 2: Name Your Rule

Give your rule a clear, descriptive name that explains what it does.

Good examples:

  • "Company Laptops - Full Access"
  • "Guest Devices - Limited Access"
  • "IT Department - Admin Access"

Avoid vague names like:

  • "Rule 1"
  • "Test"
  • "New Rule"

Step 3: Choose What Access to Grant

In the "Assign" dropdown, select which Access Profile devices should get when they match this rule.

Building Rule Conditions

This is where you define what devices must have or do to match your rule. The system lets you create from simple to complex conditions.

Understanding Condition Types

Your rules can check three main types of information about devices:

1. Device Information (Endpoint)

Basic information about the device itself:

  • Device Group: Which group the device belongs to
  • Device Status: Whether the device is compliant with your security policies
  • Agent: Whether your Metadefender Endpoint software is installed
  • Device Type: What kind of device it is (laptop, phone, tablet, etc.)
  • OS Type: The operating system (Windows, Mac, Android, etc.)
  • Authentication Status: Whether the user properly logged in

2. Certificate Information

Security certificates the device presents:

  • Certificate details: Serial numbers, who issued it, subject information
  • Certificate names: Various name fields in the certificate

3. User Directory Information (LDAP)

Information from your organization's user directory:

  • User Groups: Which groups the user belongs to
  • Department: User's department
  • Title: User's job title
  • Company: User's company affiliation

Important: Assigning a Profile to the Default Rule

Before adding your first custom rule, ensure that the Default Rule has an Access Profile assigned. By default, this rule does not have any profile associated with it, which means:

  • You will not be able to save changes to the ruleset until a profile is assigned.
  • Devices that do not match any custom rule will fall into the Default Rule, so leaving it unassigned may result in unintended access behavior.

To assign an Access Profile to the Default Rule:

  1. Navigate to the Rules tab.
  2. Locate the Default Rule in the list.
  3. Click to expand it and select an appropriate Access Profile from the dropdown.
  4. Click Apply to save changes.

Once this is done, you can proceed to create and configure custom rules with conditions.

Adding Your First Condition

  1. Click the "+ Condition" button

  2. Choose an attribute category from the popup:

    • Click the computer icon for Device/Endpoint attributes
    • Click the certificate icon for Certificate attributes
    • Click the people icon for LDAP/User attributes
  3. Select the specific attribute you want to check

  4. Set the condition (equals, contains, etc.)

  5. Enter the value to check for

Creating Simple Rules (AND Logic)

AND means ALL conditions must be true.

Example: Device must be a laptop AND have Metadefender Endpoint installed AND belong to the "Staff" group.

To create this:

  1. Add condition: Device Type equals "Laptop"
  2. Add condition: Agent equals "Installed"
  3. Add condition: Device Group equals "Staff"

All three must be true for the rule to match.

Creating Flexible Rules (OR Logic)

OR means ANY of the conditions can be true.

Example: Device can be either a laptop OR a desktop to get access.

To create this:

  1. Add condition: Device Type equals "Laptop"
  2. Click "OR"
  3. Add condition: Device Type equals "Desktop"

If either condition is true, the rule matches.

Creating Advanced Rules (Combined Logic)

You can combine AND and OR to create sophisticated rules.

Example: Grant network access to devices that meet:

  • Device criteria: Must be a desktop or laptop with the MD Endpoint installed

  • User criteria: User must be either:

    • In the IT department, OR
    • A member of Management, OR
    • Have a TLS certificate containing "VN-NAC" AND issued by "VN-NAC-AD-CA

This rule would have the structure as below:

Scss
Copy

How to Build:

Initial Setup

  1. Navigate to Rule Creation

    • Go to RADIUS NACRulesAdd new Rules
  2. Configure Basic Rule Information

    • Enter a descriptive Rule name (e.g., "IT-Management-Device-Access")
    • Select the option to assign a profile to the Rule
    • Note: The default root operator is AND (can be changed to OR if needed)

Building the Condition Structure

Level 1: Device Requirements (AND Group)

  1. Create Primary Device Condition Group

    • Click the AND button at level 1 to create a group condition with AND operator
    • This group will contain device-specific requirements
  2. Add Device Type Condition

    • Click +condition button at level 2 (inside the AND group)
    • Select condition: Device type is
    • Choose multi-select options: Desktop, Laptop
    • Note: This allows either desktop OR laptop devices
  3. Add Agent Installation Requirement

    • Click +condition button at level 2 (inside the same AND group)
    • Select condition: Agent is Installed

Level 1: User Authorization (OR Group)

  1. Create User Authorization Group

    • Click the OR button at level 1 to create a group condition with OR operator
    • This group will contain alternative user authorization methods
  2. Add IT Department Condition

    • Click +condition button at level 2 (inside the OR group)
    • Select condition: LDAP attribute Department equals IT
  3. Add Management Group Condition

    • Click +condition button at level 2 (inside the same OR group)
    • Select condition: LDAP attribute Member of equals Management

Level 2: Certificate Authentication (Nested AND)

  1. Create Nested Certificate Group

    • Click the AND button at level 2 (inside the OR group from step 6)
    • This creates a nested AND condition within the OR group
  2. Add Certificate Subject Condition

    • Click +condition button at level 3 (inside the nested AND group)
    • Select condition: Certificate TLS-Cert-Subject contains VN-NAC
  3. Add Certificate Common Name Condition

    • Click +condition button at level 3 (inside the same nested AND group)
    • Select condition: Certificate TLS-Cert-Common-Name equal VN-NAC-AD-CA

Finalize Rule

  1. Save the Rule
    • Click Add Rule button to create the new rule
    • Verify the rule appears in the rules list

Common Rule Examples

Example 1: Company Employee Access

Goal: Give full access to company employees with proper security

Conditions:

  • User is in "Employees" group AND
  • Device has Metadefender Endpoint installed AND
  • Device is compliant

Example 2: Guest Access

Goal: Give limited internet access to visitor devices

Conditions:

  • Authentication Status = "Authenticated via Guest Access" OR
  • Device Group = "Visitors"

Example 3: IT Department Special Access

Goal: Give IT staff administrative access from their work devices

Conditions:

  • (Department = "IT" OR User Group = "IT Admins") AND
  • Device Type = "Laptop" AND
  • Certificate Issuer = "Company CA"

Example 4: Mobile Device Policy

Goal: Allow mobile devices but with restrictions

Conditions:

  • (Device Type = "Phone" OR Device Type = "Tablet") AND
  • Agent = "Installed" AND
  • Device Status = "Compliant"

Managing Your Rules

Rule Order Matters

Rules are checked from top to bottom. The first matching rule wins.

Best Practice: Put your most specific rules at the top, general rules at the bottom.

Example Order:

  1. IT Admin Full Access (very specific)
  2. Company Employee Standard Access (specific)
  3. Guest Limited Access (general)
  4. Default Block All (catch-all)

Editing Rules

  • View Details: Click on a rule to see its conditions
  • Move Up/Down: Use arrow buttons to reorder rules
  • Enable/Disable: Use the toggle switch to turn rules on/off
  • Delete: Click the trash icon to remove a rule

The Default Rule

There's always a "Default Rule" at the bottom. This catches any device that doesn't match your other rules. Make sure to set this to an appropriate access level (usually very limited or blocked).

Troubleshooting Tips

Device Not Getting Expected Access

  1. Check rule order - Is a more general rule above your specific rule?
  2. Verify conditions - Are all the conditions actually true for the device?
  3. Test with simple rules - Start with one condition and add complexity

Rule Too Complex

  • Break complex rules into multiple simpler rules
  • Use descriptive names to track what each rule does
  • Document your logic in the rule name

Performance Issues

  • Avoid overly complex nested conditions
  • Place most commonly matched rules higher in the list
  • Regularly review and clean up unused rules

Best Practices

  1. Start Simple: Begin with basic rules and add complexity as needed
  2. Test Thoroughly: Always test new rules with actual devices
  3. Document Everything: Use clear rule names that explain the purpose
  4. Regular Reviews: Periodically review rules to ensure they're still needed
  5. Security First: When in doubt, be more restrictive rather than permissive

Getting Help

If you need assistance with creating rules:

  • Start with the examples provided
  • Test rules in a safe environment first
  • Contact your system administrator for complex scenarios
  • Keep rule logic as simple as possible while meeting your security needs
  • Or contact OPSWAT support
Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard