Policy Enforcer Connector Overview
Configure a connector for third-party products (non-Juniper Networks) to unify policy enforcement across all network elements. This protects endpoints, wired and wireless, connecting to third-party devices as well as Juniper devices.
For Policy Enforcer to provide threat remediation to endpoints connecting through third-party devices, it must be able to authenticate those devices and determine their state. It does this using a tracking and accounting threat remediation plug-in to gather information from a RADIUS server and enforce policies such as terminate session and quarantine.
All third-party switches used with Policy Enforcer must support AAA/RADIUS and the Dynamic Authorization Extensions to the RADIUS protocol (RFC 3579 and RFC 5176).
All Cisco Systems switch models that adhere to RADIUS IETF attributes and support RADIUS Change of Authorization (CoA) from Aruba ClearPass are supported by Policy Enforcer for threat remediation.
Figure 1 illustrates the communication between ClearPass Connector, RADIUS Server, and 802.1X-enabled switches and wireless devices.
Once configured, the connector uses an API to gather endpoint MAC address information from the RADIUS server. If a host is found to be suspicious, the RADIUS server sends a CoA to disconnect the active session and quarantine the host. Once the threat has been mitigated, the interface can return to the network again, but must be authorized to do so by Policy Enforcer using the plug-in and information gathered from the RADIUS server.
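The CoA and disconnect step described above only works safely if the switch accepts requests signed with the shared RADIUS secret and rejects everything else. The following Python code is an added example, not Juniper or Aruba code: it validates the RFC 5176 Request Authenticator of a Disconnect-Request or CoA-Request the way a switch would, then reads the endpoint MAC from Calling-Station-Id. The shared secret, MAC address, packet identifier and the choice of Calling-Station-Id to carry the MAC are constructed assumptions.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43  # RFC 5176 packet codes
CALLING_STATION_ID = 31  # RFC 2865 attribute; assumed here to carry the endpoint MAC


def request_authenticator(code, ident, attrs, secret):
    """RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_request(code, ident, attrs, secret):
    """Build a signed request; used here only to construct the sample packet."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + request_authenticator(code, ident, attrs, secret) + attrs


def parse_dynamic_auth(packet, secret):
    """Validate a CoA/Disconnect-Request as a switch (NAS) would; return (code, mac)."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed dynamic authorization request")
    attrs = packet[20:length]
    expected = request_authenticator(code, ident, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch (wrong secret or tampering)")
    mac, i = None, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        atype, alen = attrs[i], attrs[i + 1]
        if atype == CALLING_STATION_ID:
            mac = attrs[i + 2:i + alen].decode("ascii")
        i += alen
    return code, mac

# Constructed sample values, not taken from any real deployment.
SECRET = b"example-shared-secret"
MAC = b"00-11-22-AA-BB-CC"
ATTRS = bytes([CALLING_STATION_ID, 2 + len(MAC)]) + MAC
SAMPLE = build_request(DISCONNECT_REQUEST, 7, ATTRS, SECRET)

if __name__ == "__main__":
    print(parse_dynamic_auth(SAMPLE, SECRET))
```

The Request Authenticator does not prevent replay on its own; RFC 5176 relies on the Event-Timestamp attribute for that, which this example does not check.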
Once you have a connector configured, the following information is provided on the Connectors main page.
Table 1: Connectors Information - Main Page
The name you entered for the connector.
This field always reads Third Party Switch at this time.
The current status of the connector (Active or Inactive).
Hover over the status to see more details of connector instances and their respective status.
The following statuses are shown:
Specifies the description of a connector.
Specifies the IP address of the product management server.
The IP address of the ClearPass RADIUS server.
Benefits of Policy Enforcer Connector
Custom threat feed and automation - Automates the threat remediation workflows for third-party products (Cisco ISE and Aruba ClearPass RADIUS servers).
RESTful APIs - Provides APIs for building connectors to third-party products (Cisco ISE and Aruba ClearPass RADIUS servers).