
Creating a Policy Enforcer Connector for Third-Party Switches

Access this page from Administration > Policy Enforcer > Connectors.

Before You Begin

Procedure

To configure threat remediation for third-party devices, you must install and register the threat remediation plug-in with Policy Enforcer as follows:

  1. Access Administration > Policy Enforcer > Connectors.
  2. Click +.
  3. Complete the configuration using the information in Table 251.
  4. Click OK.

    Note: Once configured, you select the connector name as an Enforcement Point in your Secure Fabric.

Table 251: Fields on the Policy Enforcement Connectors Page

Field

Description

Connector for

At this time only Third Party Switch is available.

Name

Enter a unique string that must begin with an alphanumeric character and can include underscores; no spaces allowed; 63-character maximum.

Description

Enter a description; maximum length is 1024 characters. You should make this description as useful as possible for all administrators.

Identity Server Type

Select a server type. (Note that only ClearPass is supported at this time.)

IP Address

Enter the IP Address (IPv4 or IPv6) of the server.

Port

(Optional) Enter the port to be used. When this is left blank, port 443 is used as the default.

For ClearPass: Client ID

For Cisco ISE: Username

For ClearPass, enter the Client ID created while setting up the ClearPass API client. See ClearPass Configuration for Third-Party Plug-in for details.

For Cisco ISE, enter the username you used when you created the API Client in the Cisco ISE UI. See Cisco ISE Configuration for Third-Party Plug-in.

For ClearPass: Client Secret

For Cisco ISE: Password

For ClearPass, enter the Client Secret string created while setting up the ClearPass API client. See ClearPass Configuration for Third-Party Plug-in for details.

Warning: When the Access Token Lifetime expires, you must generate a new Client Secret in ClearPass and update it here too.

For Cisco ISE, enter the password you used when you created the API Client in the Cisco ISE UI. See Cisco ISE Configuration for Third-Party Plug-in.

IP Subnet

Optionally, add subnet information to the connector configuration so you can include those subnets in groups and then apply policies to the groups. When using Junos Space, Policy Enforcer is able to dynamically discover subnets configured on Juniper switches. Policy Enforcer does not have the same insight with third-party devices.

When you add subnets as part of the connector configuration, those subnets become selectable in Policy Enforcement Groups.

To add subnet information, do one of the following:

  • Click Upload File to upload a text file with an IP address list.

    Note that the file you upload must contain only one item per line (no commas or semicolons). All items are validated before being added to the list.

  • Manually enter your item in the space provided, clicking + to add more spaces.

For syntax, enter an IPv4 address in standard four-octet format. CIDR notation and IP address ranges are also accepted. Any of the following formats are valid: 1.2.3.4, 1.2.3.4/30, or 1.2.3.4-1.2.3.6.

Note: Be sure the correct credentials are provided for the ClearPass and Cisco ISE identity servers. If the initial connection fails, an error message is shown only at that time. Once that message disappears, the status of connectivity to the identity server is not shown in Policy Enforcer. Note that the identity servers are only queried on demand.
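
A pre-upload check for the IP Subnet text file described above, written as an added example; it is not Juniper code and does not reproduce Policy Enforcer's own validation. It accepts the three formats listed for the field. Rejecting blank lines, spaces, IPv6 entries and ranges whose start is above their end is an assumption of this sketch, as are the function names and the constructed sample.

```python
import ipaddress

def parse_subnet_line(line):
    """Return (kind, value) for one line of the upload file, or raise ValueError."""
    item = line.strip()
    if not item:
        raise ValueError("empty line")  # assumption: blank lines are flagged
    if "," in item or ";" in item or " " in item:
        raise ValueError("one item per line; no commas, semicolons or spaces")
    if "-" in item:
        # Range form: 1.2.3.4-1.2.3.6
        start_text, _, end_text = item.partition("-")
        start = ipaddress.IPv4Address(start_text)
        end = ipaddress.IPv4Address(end_text)
        if start > end:  # assumption: a reversed range is treated as an error
            raise ValueError("range start is above range end")
        return ("range", (start, end))
    if "/" in item:
        # CIDR form: 1.2.3.4/30 (strict=False tolerates host bits being set)
        return ("cidr", ipaddress.IPv4Network(item, strict=False))
    # Single address in four-octet format
    return ("address", ipaddress.IPv4Address(item))

def check_subnet_file(text):
    """Split file text into accepted items and (line number, raw line, reason) rejects."""
    accepted, rejected = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        try:
            accepted.append(parse_subnet_line(raw))
        except ValueError as err:  # ipaddress errors are ValueError subclasses
            rejected.append((number, raw, str(err)))
    return accepted, rejected

# Constructed sample file content: three valid lines, four invalid ones.
SAMPLE = """1.2.3.4
1.2.3.4/30
1.2.3.4-1.2.3.6
10.0.0.1, 10.0.0.2
10.0.0.0/33
1.2.3.6-1.2.3.4
2001:db8::1
"""

if __name__ == "__main__":
    ok, bad = check_subnet_file(SAMPLE)
    print(f"{len(ok)} accepted")
    for number, raw, reason in bad:
        print(f"line {number}: {raw!r} rejected ({reason})")
```

Running the check before upload shows which line is malformed rather than relying on the validation result in the UI.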
