Creating a Policy Enforcer Connector for Third-Party Switches
To access this page, select Administration > Policy Enforcer > Connectors.
Before You Begin
Have your ClearPass, Cisco ISE, and ForeScout server information available.
To obtain an evaluation copy of ForeScout CounterACT to use with Policy Enforcer, click here.
Once configured, you select the connector as an Enforcement Point in your Secure Fabric.
Review the Policy Enforcer Connector Overview topic.
To create a connector for a public or a private cloud, see Creating a Policy Enforcer Connector for Public and Private Clouds.
To configure threat remediation for third-party devices, you must install and register the threat remediation plug-in with Policy Enforcer as follows:
- Select Administration > Policy Enforcer > Connectors.
The Connectors page appears.
- Click the create icon (+).
The Create Connector page appears.
- Complete the configuration using the information in Table 1.
- Click OK.
Once configured, you select the connector name as an Enforcement Point in your Secure Fabric.
Table 1: Fields on the Create Connector Page
Name: Enter a unique string that begins with an alphanumeric character and may include underscores; spaces are not allowed; 63 characters maximum.
Description: Enter a description of up to 1024 characters. Make the description as useful as possible for all administrators.
Connector Type: Select the third-party network of devices to connect to your Secure Fabric and create policies for. The available connectors are Cisco ISE, HP ClearPass, and ForeScout CounterACT.
IP Address: Enter the IP (IPv4 or IPv6) address of the product management server.
Port: Select the port to be used from the list. If left blank, port 443 is used by default.
Username: Enter the username for the server of the selected connector type.
Password: Enter the password for the server of the selected connector type.
DEX User Role (ForeScout connector type only): Enter the Data Exchange (DEX) user role information used to authenticate and connect to the ForeScout server. See Integrating ForeScout CounterACT with Juniper Networks SDSN.
Connector Type: ClearPass, ForeScout CounterACT, and Cisco ISE
Subnets: Add subnet information to the connector configuration so that you can include those subnets in groups and then apply policies to the groups. With Junos Space, Policy Enforcer can dynamically discover the subnets configured on Juniper switches; it has no such insight into third-party devices, so their subnets must be entered here.
When you add subnets as part of the connector configuration, those subnets become selectable in Policy Enforcement Groups.
To add subnet information, do one of the following:
Note: At least one IP subnet must be added to a connector. You cannot proceed to the next step without adding a subnet.
Provide any additional information required for this particular connector connection. On successful completion, the subnets you have added are mapped to that connector instance.
Note: ClearPass and Cisco ISE connectors require no additional configuration information.
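The constraints in Table 1 (name syntax, description length, IPv4/IPv6 management address, port 443 when left blank, ForeScout-only DEX role, at least one subnet) are easy to get wrong when preparing many connectors. The following pre-flight validator is an added example written for this page, not Policy Enforcer code or any Juniper API: the field names on the dataclass, the CIDR form of the subnet entries, and the decision to require the DEX role for ForeScout and reject it for other types are this example's assumptions. It catches the common mistake of typing a host address where a subnet was meant.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constraints as stated on the Create Connector page (Table 1). The field
# names and the CIDR form of the subnet entries are assumptions for this example.
CONNECTOR_TYPES = ("Cisco ISE", "HP ClearPass", "ForeScout CounterACT")
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_]{0,62}$")  # alnum first, underscores, no spaces, <= 63
DESCRIPTION_MAX = 1024
DEFAULT_PORT = 443


@dataclass
class ConnectorConfig:
    name: str
    connector_type: str
    ip_address: str                       # management server, IPv4 or IPv6
    username: str
    password: str
    subnets: List[str] = field(default_factory=list)  # assumed CIDR strings, e.g. "10.1.0.0/16"
    description: str = ""
    port: Optional[int] = None            # None means "left blank": 443 is used
    dex_user_role: Optional[str] = None   # ForeScout CounterACT only


def effective_port(cfg: ConnectorConfig) -> int:
    return DEFAULT_PORT if cfg.port is None else cfg.port


def validate_connector(cfg: ConnectorConfig) -> List[str]:
    """Return the list of problems found; an empty list means the configuration passes."""
    problems: List[str] = []

    if not NAME_RE.fullmatch(cfg.name):
        problems.append("name: must start with an alphanumeric character, contain only "
                        "alphanumerics and underscores, no spaces, 63 characters maximum")
    if len(cfg.description) > DESCRIPTION_MAX:
        problems.append(f"description: longer than {DESCRIPTION_MAX} characters")
    if cfg.connector_type not in CONNECTOR_TYPES:
        problems.append(f"connector type: {cfg.connector_type!r} is not one of {CONNECTOR_TYPES}")

    try:
        ipaddress.ip_address(cfg.ip_address)
    except ValueError:
        problems.append(f"ip address: {cfg.ip_address!r} is not a valid IPv4 or IPv6 address")

    if not 1 <= effective_port(cfg) <= 65535:
        problems.append(f"port: {cfg.port!r} is out of range")
    if not cfg.username or not cfg.password:
        problems.append("credentials: username and password are both required")

    # The DEX user role is a ForeScout-only field; treating it as mandatory for
    # ForeScout (and rejecting it elsewhere) is this example's assumption.
    is_forescout = cfg.connector_type == "ForeScout CounterACT"
    if is_forescout and not cfg.dex_user_role:
        problems.append("dex user role: required for ForeScout CounterACT")
    if not is_forescout and cfg.dex_user_role:
        problems.append("dex user role: applies only to ForeScout CounterACT")

    # Policy Enforcer cannot discover third-party subnets, so at least one is mandatory.
    if not cfg.subnets:
        problems.append("subnets: at least one IP subnet is mandatory")
    for subnet in cfg.subnets:
        try:
            # strict=True rejects a host address typed where a subnet was meant (10.1.0.1/16).
            ipaddress.ip_network(subnet, strict=True)
        except ValueError:
            problems.append(f"subnets: {subnet!r} is not a valid CIDR subnet")
    return problems


# Constructed sample input, not taken from any real deployment.
SAMPLE = ConnectorConfig(
    name="ise_lab_01",
    connector_type="Cisco ISE",
    ip_address="192.0.2.10",
    username="pe-service",
    password="example-only",
    subnets=["10.1.0.0/16", "2001:db8:1::/48"],
    description="Lab ISE deployment for the campus site",
)

if __name__ == "__main__":
    for line in validate_connector(SAMPLE) or ["configuration passes"]:
        print(line)
```

Run it against each connector definition before opening the Create Connector page; an empty problem list means every Table 1 constraint is satisfied, and the subnet check in particular will flag `10.1.0.1/16` (host bits set) rather than letting a host address slip into a Policy Enforcement Group.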
You can associate a ClearPass, Cisco ISE, or ForeScout connector only with a site in your Secure Fabric.
When a connector is added to a site, Policy Enforcer discovers the vSRX Series instance associated with the connector and assigns it to the site. Hover over the connector name to view the corresponding vSRX and its IP address as a tooltip.
Ensure that the correct credentials are provided for the ClearPass, Cisco ISE, and ForeScout identity servers. If the initial connection fails, an error message is shown only at that time; once that message disappears, Policy Enforcer does not display the status of connectivity to the identity server. The identity servers are queried only on demand, so a server that later becomes unreachable, or whose certificate or credentials change, is not flagged until the next query.
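Because Policy Enforcer reports a failed identity-server connection only once and never shows ongoing status, a practitioner will want an independent reachability check to run before creating the connector and again whenever enforcement stops behaving as expected. The probe below is an added example written for this page, not Policy Enforcer's own check and not a ClearPass, ISE or CounterACT API call: it assumes only that the management address speaks TLS on the configured port (443 when the port is left blank) and reports TCP reachability, TLS verification and the presented certificate subject without raising. It does not test the username and password; those are validated only by the product itself.

```python
import socket
import ssl
from typing import Any, Dict


def probe_identity_server(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, Any]:
    """Check TCP reachability and the TLS handshake to an identity server's management port.

    Never raises: every failure is reported in the returned dict so the probe can run
    unattended. Assumes the management interface speaks TLS on the given port
    (443 is the default Policy Enforcer uses when the port is left blank).
    """
    result: Dict[str, Any] = {"host": host, "port": port, "tcp_ok": False,
                              "tls_ok": False, "cert_subject": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["tcp_ok"] = True
            ctx = ssl.create_default_context()  # verifies the chain and the host name
            try:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    result["tls_ok"] = True
                    cert = tls.getpeercert()
                    result["cert_subject"] = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
            except ssl.SSLError as exc:
                # A private-CA or self-signed certificate lands here: the server is up,
                # but its identity cannot be verified with the default trust store.
                result["error"] = f"TLS handshake failed: {exc}"
    except OSError as exc:
        result["error"] = f"TCP connect failed: {exc}"
    return result


def summarize(result: Dict[str, Any]) -> str:
    """One-line verdict suitable for a pre-flight report."""
    target = f"{result['host']}:{result['port']}"
    if result["tls_ok"]:
        return f"{target}: reachable, TLS verified (subject {result['cert_subject']})"
    if result["tcp_ok"]:
        return f"{target}: reachable, but TLS failed ({result['error']})"
    return f"{target}: unreachable ({result['error']})"


def closed_loopback_port() -> int:
    """Return a loopback port with nothing listening, to exercise the failure path offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed targets; replace with the management addresses of your own servers.
    for host, port in [("192.0.2.10", 443), ("127.0.0.1", closed_loopback_port())]:
        print(summarize(probe_identity_server(host, port, timeout=3.0)))
```

A "reachable, but TLS failed" verdict is the interesting case: the server is up, but the certificate it presents is not trusted by the default store, which is exactly the condition that can make the connector's initial connection fail with a message that later disappears. Either add the private CA to the trust store on the probing host or record the expected subject so a change is noticed.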