
    Creating a Policy Enforcer Connector for Third-Party Switches

    Access this page from Administration > Policy Enforcer > Connectors.

    • Have your ClearPass or Cisco ISE server information available.
    • Once configured, you select the Connector as an Enforcement Point in your Secure Fabric.
    • Note that only one ClearPass or Cisco ISE identity server can be added for a given connector, but you can select it multiple times for different sites.
    • Note that you cannot delete a connector that is assigned to a Policy Enforcement Group or site without disassociating the connector first.
    • Review the Policy Enforcer Connector Overview topic.

    To configure threat remediation for third-party devices, install the threat remediation plug-in and register it with Policy Enforcer by creating a connector, as follows:

    1. Access Administration > Policy Enforcer > Connectors.
    2. Click +.
    3. Complete the configuration using the information in Table 1.
    4. Click OK.

      Note: Once configured, you select the connector name as an Enforcement Point in your Secure Fabric.

    Table 1: Fields on the Policy Enforcement Connectors Page

    Field

    Description

    Connector for

    At this time only Third Party Switch is available.

    Name

    Enter a unique string that must begin with an alphanumeric character and can include underscores; no spaces allowed; 63-character maximum.

    Description

    Enter a description; maximum length is 1024 characters. You should make this description as useful as possible for all administrators.

    Identity Server Type

    Select a server type. (Note that only ClearPass is supported at this time.)

    IP Address

    Enter the IP Address (IPv4 or IPv6) of the server.

    Port

    (Optional) Enter the port to be used. When this is left blank, port 443 is used as the default.

    For ClearPass: Client ID

    For Cisco ISE: Username

    For ClearPass, enter the Client ID created while setting up the ClearPass API client. See ClearPass Configuration for Third-Party Plug-in for details.

    For Cisco ISE, enter the username you used when you created the API Client in the Cisco ISE UI. See Cisco ISE Configuration for Third-Party Plug-in.

    For ClearPass: Client Secret

    For Cisco ISE: Password

    For ClearPass, enter the Client Secret string created while setting up the ClearPass API client. See ClearPass Configuration for Third-Party Plug-in for details.

    Warning: The Client Secret is valid only for the Access Token Lifetime configured for the API client in ClearPass. When that lifetime expires, you must generate a new Client Secret in ClearPass and update it here as well; until you do, the connector cannot authenticate to ClearPass.

    For Cisco ISE, enter the password you used when you created the API Client in the Cisco ISE UI. See Cisco ISE Configuration for Third-Party Plug-in.

    IP Subnet

    Optionally, add subnet information to the connector configuration so you can include those subnets in groups and then apply policies to the groups. When using Junos Space, Policy Enforcer is able to dynamically discover subnets configured on Juniper switches. Policy Enforcer does not have the same insight with third-party devices.

    When you add subnets as part of the connector configuration, those subnets become selectable in Policy Enforcement Groups.

    To add subnet information, do one of the following:

    • Click Upload File to upload a text file with an IP address list.

      Note that the file you upload must contain only one item per line (no commas or semicolons). All items are validated before being added to the list.

    • Manually enter each item in the space provided, clicking + to add more spaces.

    For syntax, enter an IPv4 address in standard dotted four-octet format. CIDR notation and IP address ranges are also accepted. Any of the following formats are valid: 1.2.3.4, 1.2.3.4/30, or 1.2.3.4-1.2.3.6.

    Warning: Be sure the correct credentials are provided for the ClearPass and Cisco ISE identity servers. If the initial connection fails, an error message is shown only at that moment; once that message disappears, Policy Enforcer does not display the status of its connectivity to the identity server. Note that the identity servers are queried only on demand, so a credential or connectivity problem may not surface again until Policy Enforcer next queries the server.
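    The following Python script is an added example, not part of this documentation and not Juniper code. It applies the Name rules and the IP Subnet upload-file rules from Table 1 to a constructed sample file, so that a file can be checked offline before you click Upload File and find out which lines the validator rejects. Three points the page does not state are treated as assumptions and marked in the code: the Name accepts only letters, digits and underscores; blank lines in the upload file are ignored; and a CIDR entry with host bits set (for example 1.2.3.5/30) is rejected rather than silently normalized.

```python
"""Pre-validate a Policy Enforcer connector Name and IP Subnet upload file.

Added example, not code from this documentation or from Juniper. Rules taken
from Table 1: the Name starts with an alphanumeric character, may include
underscores, has no spaces and is at most 63 characters; the subnet file holds
one item per line (no commas or semicolons) as a dotted IPv4 address, a CIDR
block or an address range (1.2.3.4, 1.2.3.4/30, 1.2.3.4-1.2.3.6).
Assumptions not stated on the page: the Name allows only letters, digits and
underscores; blank lines are ignored; CIDR entries with host bits set are
rejected.
"""
import ipaddress
import re

# First character alphanumeric, then up to 62 more letters, digits or underscores.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_]{0,62}")


def validate_name(name: str) -> list:
    """Return the list of rule violations for a connector Name (empty when valid)."""
    if not name:
        return ["name is empty"]
    problems = []
    if len(name) > 63:
        problems.append("name exceeds 63 characters")
    if " " in name:
        problems.append("spaces are not allowed")
    if not (name[0].isascii() and name[0].isalnum()):
        problems.append("name must begin with an alphanumeric character")
    if not problems and not NAME_RE.fullmatch(name):
        problems.append("only letters, digits and underscores are allowed (assumed)")
    return problems


def parse_subnet_entry(item: str):
    """Parse one upload-file item into (kind, value); raise ValueError if invalid.

    kind is 'address' (IPv4Address), 'network' (IPv4Network) or
    'range' ((IPv4Address, IPv4Address)). IPv6 is rejected, as the page
    documents IPv4 syntax only.
    """
    item = item.strip()
    if "," in item or ";" in item:
        raise ValueError("commas and semicolons are not allowed; put one item per line")
    if "-" in item:
        lo_s, hi_s = item.split("-", 1)
        lo, hi = ipaddress.IPv4Address(lo_s.strip()), ipaddress.IPv4Address(hi_s.strip())
        if hi < lo:
            raise ValueError("range end precedes range start")
        return "range", (lo, hi)
    if "/" in item:
        net = ipaddress.IPv4Network(item, strict=False)  # raises on bad syntax
        if str(net) != item:  # assumption: host bits must be zero
            raise ValueError(f"host bits set; use {net} instead")
        return "network", net
    return "address", ipaddress.IPv4Address(item)


def validate_subnet_file(text: str):
    """Validate a whole upload file; return (entries, problems).

    entries holds the accepted (kind, value) tuples in file order;
    problems holds (line_number, line, message) for each rejected line.
    """
    entries, problems = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines are ignored rather than rejected
        try:
            entries.append(parse_subnet_entry(line))
        except ValueError as exc:
            problems.append((line_no, line, str(exc)))
    return entries, problems


def address_count(entries) -> int:
    """Count the IPv4 addresses the accepted entries cover, to gauge how broad a
    Policy Enforcement Group built from this file would be."""
    total = 0
    for kind, value in entries:
        if kind == "address":
            total += 1
        elif kind == "network":
            total += value.num_addresses
        else:
            lo, hi = value
            total += int(hi) - int(lo) + 1
    return total


# Constructed sample upload file: three valid lines followed by three that should be rejected.
SAMPLE_FILE = """\
10.20.30.0/24
10.20.31.5
10.20.32.1-10.20.32.20
10.20.33.1, 10.20.33.2
10.20.34.256
10.20.35.10-10.20.35.1
"""

if __name__ == "__main__":
    for problem in validate_name("pe clearpass"):
        print("Name:", problem)
    entries, problems = validate_subnet_file(SAMPLE_FILE)
    print(f"{len(entries)} valid entries covering {address_count(entries)} addresses")
    for line_no, line, message in problems:
        print(f"line {line_no}: {line!r}: {message}")
```

    Run against the sample file, the script accepts the first three lines (277 addresses in total) and reports the comma-separated line, the out-of-range octet and the reversed range by line number, which is the information you need to fix the file before Policy Enforcer validates it on upload.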

    Modified: 2017-09-27