Switch Policies

To ensure more granular control over network access, you can now create switch policies, which act as access control lists (ACLs) for your Juniper Mist-managed switches. You can use port profile-based and RADIUS-based policies.

About Switch Policies

Your switch can use the following types of policies:

  • Port Profile-Based Policy—Applied as a Layer 2 filter in the input direction on every switch port where the specified port profile is applied.

  • RADIUS-Based Policy—Uses a RADIUS-based filter to filter traffic. The RADIUS server selects the filter for each authenticated user by returning its ID, and the switch applies that filter. These filters are supported on all EX Series switches that authenticate users through your RADIUS server. After adding your RADIUS firewall filters, make note of the IDs. You'll need them to create the switch policies in the Juniper Mist portal.

Create Switch Policies

First you'll create labels to categorize and classify users (as sources) and resources (as destinations). Then you'll use these labels in switch policies to specify which users are allowed to access specific resources within the network. You can define the labels at the organization, site, or switch level.

Before You Begin

To create switch policies:

  1. In the Juniper Mist portal, navigate to your switch template or site-level switch configuration.
    • To find a switch template—From the left menu, select Organization > Wired > Switch Templates. Then click the template.

    • To find a site-level switch configuration—From the left menu, select Site > Wired > Switch Configuration. Then click the site.

  2. To configure labels, scroll down to the Switch Policy Labels section, and add your source and destination tags as described below.
    • Source—Click Add Source, and then refer to the on-screen text to enter the information. Click Add to save the new source.

      Figure: Add Source form
      Table 1: Source Settings
      Name: Enter a name to identify this source.
      Type: Select the source type, Port Profile or From Radius AVP - "Filter ID".
        Port Profile: If you selected Port Profile as the Type, select a profile from this drop-down menu. This menu includes system-defined profiles and others that you've added to the configuration.
        From Radius AVP - "Filter ID": For a RADIUS-based filter, enter the ID of the RADIUS firewall filter, that is, the value your RADIUS server returns for the user. For more information, hover over the i button next to this field.
      Source IP Address (Optional): Enter a single IP address or multiple addresses separated by commas.
      Source Port (Optional): Enter a port number or a range of numbers. Valid numbers are 1 to 65535. For a range, enter the start number, a dash, and the end number, such as 50-60.
    • Destination—Click Add Destination, and then refer to the on-screen text to enter the information. Click Add to save the new destination.

      Figure: Add Destination form (example with Internal_Resources as the Name, a Destination IP Address, Any as the Protocol, and no Port Range)
  3. To configure a policy, scroll down to the Switch Policy section and add a policy that uses your new labels:
    1. If you're working on a site-level switch configuration, select Override Template Defined.
    2. Click Add Switch Policy.
      A new policy appears at the top of the policy list, with a default name such as Switch Policy 1.
    3. Click the default policy name, and then enter a short, specific name to identify this policy.
    4. Under Source, click the + button, and then select a source label from the list.
    5. Under Destination, click the + button, and then select a destination label.
      The destination label appears with a green background, indicating that this policy allows access to this destination.
    6. If you want this policy to block access to the specified destination, click the destination button, and then click Deny.
      Selecting the Destination Button to Change the Action (Allow or Deny)
      When you change the policy to deny, the destination button turns red.
      Note:
      • The default action for a new rule is allow (green button).

      • Junos processes the policies in the listed order, and the first policy whose source and destination match decides the action. Traffic that matches none of the policies is denied, so you don't need to add an explicit deny policy at the end of the list.

    This example shows how your configuration might look after you add source labels, destination labels, and policies.

    Figure: Sources, destinations, and policies after configuration
  4. If you need to change the order of the policies, position your mouse on the blue button next to the policy number and drag up or down in the list.
  5. Click Save at the top-right corner of the configuration page.
  6. Review the on-screen confirmation information, and then click Save at the bottom of the confirmation window.
The switch policy configuration is pushed to the switches.

You can also find information about the number of times a switch policy rule was triggered (that is, matched by network traffic) at the switch level. The Switch Policy section on the switch details page provides the following details:

  • Overall hit count for a switch policy. This information is displayed in the Hit Count column.

  • Per-destination hit count for more granular insights. You can click each destination tag to view the hit count for that tag along with a policy trigger event time series.
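The following is an added example, not Juniper code, that models the switch-policy semantics described above: labels as sources and destinations, policies evaluated in listed order with the first match deciding, Allow or Deny per destination label, implicit deny for unmatched traffic, and per-destination and per-policy hit counts. It also shows why the reorder step in the procedure matters: with a broad Allow listed before a narrower Deny, the Deny never fires. All label names, prefixes, filter IDs and sample flows are constructed for illustration.

```python
# Added model of first-match switch-policy evaluation with implicit deny.
# Not Juniper code; labels, addresses and flows below are constructed.
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Source:
    name: str
    port_profile: Optional[str] = None        # Type = Port Profile
    filter_id: Optional[str] = None           # Type = From Radius AVP - "Filter ID"
    ips: Tuple[str, ...] = ()                 # optional Source IP Address list
    ports: Tuple[Tuple[int, int], ...] = ()   # optional Source Port ranges, e.g. (50, 60)


@dataclass(frozen=True)
class Destination:
    name: str
    network: str                              # Destination IP Address as a prefix
    protocol: str = "any"                     # "any", "tcp" or "udp"
    port_range: Optional[Tuple[int, int]] = None


@dataclass(frozen=True)
class Policy:
    name: str
    sources: Tuple[Source, ...]
    destinations: Tuple[Destination, ...]
    deny: frozenset = frozenset()             # destination names set to Deny; the rest Allow


@dataclass(frozen=True)
class Flow:
    port_profile: Optional[str]
    filter_id: Optional[str]
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str


def source_matches(src: Source, flow: Flow) -> bool:
    """Every field set on the label must match; unset fields match anything."""
    if src.port_profile is not None and src.port_profile != flow.port_profile:
        return False
    if src.filter_id is not None and src.filter_id != flow.filter_id:
        return False
    if src.ips and flow.src_ip not in src.ips:
        return False
    return not src.ports or any(lo <= flow.src_port <= hi for lo, hi in src.ports)


def destination_matches(dst: Destination, flow: Flow) -> bool:
    if ip_address(flow.dst_ip) not in ip_network(dst.network):
        return False
    if dst.protocol != "any" and dst.protocol != flow.protocol:
        return False
    return dst.port_range is None or dst.port_range[0] <= flow.dst_port <= dst.port_range[1]


def evaluate(policies, flow: Flow, hits: Optional[Counter] = None):
    """Return (action, policy_name). First matching policy decides; else implicit deny."""
    for pol in policies:
        if not any(source_matches(s, flow) for s in pol.sources):
            continue
        for dst in pol.destinations:
            if destination_matches(dst, flow):
                if hits is not None:              # per-destination hit count
                    hits[(pol.name, dst.name)] += 1
                return ("deny" if dst.name in pol.deny else "allow", pol.name)
    return ("deny", None)                         # no policy matched


def policy_hit_counts(hits: Counter) -> dict:
    """Roll per-destination hits up to the overall Hit Count shown per policy."""
    totals = Counter()
    for (policy_name, _dst), n in hits.items():
        totals[policy_name] += n
    return dict(totals)


# Constructed labels, policies and flows.
GUESTS = Source("Guests", port_profile="guest")
EMPLOYEES = Source("Employees", filter_id="employee-acl")
INTERNAL = Destination("Internal_Resources", "10.10.0.0/16")
ANY = Destination("Any", "0.0.0.0/0")
BLOCK_GUESTS = Policy("Guests to internal", (GUESTS,), (INTERNAL,), deny=frozenset({"Internal_Resources"}))
GUEST_INTERNET = Policy("Guests to anywhere", (GUESTS,), (ANY,))
EMPLOYEE_INTERNAL = Policy("Employees to internal", (EMPLOYEES,), (INTERNAL,))
CORRECT_ORDER = (BLOCK_GUESTS, GUEST_INTERNET, EMPLOYEE_INTERNAL)
WRONG_ORDER = (GUEST_INTERNET, BLOCK_GUESTS, EMPLOYEE_INTERNAL)   # broad Allow listed first
GUEST_TO_FILESERVER = Flow("guest", None, "192.168.5.20", 51000, "10.10.1.5", 445, "tcp")
EMPLOYEE_TO_FILESERVER = Flow(None, "employee-acl", "10.20.3.4", 40000, "10.10.1.5", 445, "tcp")
EMPLOYEE_TO_INTERNET = Flow(None, "employee-acl", "10.20.3.4", 40001, "203.0.113.9", 443, "tcp")


def run_demo():
    """Evaluate the sample flows against the correct order and report hit counts."""
    hits = Counter()
    decided = {name: evaluate(CORRECT_ORDER, f, hits)[0] for name, f in (
        ("guest_fileserver", GUEST_TO_FILESERVER),
        ("employee_fileserver", EMPLOYEE_TO_FILESERVER),
        ("employee_internet", EMPLOYEE_TO_INTERNET))}
    return decided, policy_hit_counts(hits)


if __name__ == "__main__":
    print(run_demo())
    print("wrong order lets a guest reach the file server:", evaluate(WRONG_ORDER, GUEST_TO_FILESERVER))
```

In the correct order the guest flow to the file server hits the Deny destination and stops, while the employee flow to the internet matches no policy and falls through to the implicit deny. Swap the first two policies and the same guest flow is allowed by the broad "Any" destination before the Deny is ever reached, which is the mistake the drag-to-reorder step exists to fix.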

Figure: Switch Policy section on the switch details page, showing the override checkbox, the policy list with sources and destinations, and per-destination hit counts

Set Up Filters with Aruba ClearPass

Note: As an Aruba ClearPass admin, use this procedure for general guidance only. For detailed and up-to-date information, see the Aruba ClearPass documentation and support site.
  1. In Aruba ClearPass Policy Manager, navigate to Configuration > Enforcement > Profiles.
  2. On the Enforcement Profiles page, add a profile, or edit an existing one.
    • Profile tab—Select Filter ID Based Enforcement as the template. Specify the required parameters.

      Aruba ClearPass Enforcement Profiles - Profile Tab
    • Attributes tab—Add your RADIUS attributes.

      Aruba ClearPass Enforcement Profiles - Attributes Tab

    For help with the parameters, see your Aruba ClearPass documentation, such as Filter ID Based Enforcement Profile.

Set Up Filters with Cisco ISE

Note: As a Cisco ISE admin, use this procedure for general guidance only. For detailed and up-to-date information, see the Cisco ISE documentation and support site.

In Cisco ISE, navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Enter the required parameters.

Cisco ISE Authorization Profile

For help with the parameters, see your Cisco ISE documentation, such as Authorization Profile Window.

Set Up Labels (Filters) with Juniper Mist Access Assurance

Note: As a Juniper Mist Access Assurance admin, use this procedure for general guidance only. For detailed and up-to-date information, see the Juniper Mist Access Assurance documentation and support site.

Navigate to Organization > Auth Policy Labels > Add Label.

Enter the parameters to create a role. A role in Access Assurance is equivalent to a filter ID: its name is the value you enter in the From Radius AVP - "Filter ID" field of the source label.

Auth Policy Labels in Juniper Mist Access Assurance

For help with the parameters, see Configure Authentication Policy Labels in the Juniper Mist Access Assurance Guide.
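Whichever server you use (Aruba ClearPass, Cisco ISE or Access Assurance, as in the three sections above), the switch learns which filter to apply from the Filter-Id attribute (type 11, RFC 2865) in the RADIUS Access-Accept. The following added example, not code from Juniper, Aruba or Cisco, encodes such an Access-Accept and shows the check a receiver must make before trusting the attribute: the Response Authenticator, MD5 over the header, the Request Authenticator, the attributes and the shared secret, must verify, or a spoofed or altered reply could hand a client a more permissive filter. The shared secret, Request Authenticator, identifier and filter name are constructed.

```python
# Added example: encode and verify a RADIUS Access-Accept carrying Filter-Id (RFC 2865).
# Not vendor code; SECRET, REQUEST_AUTH and the filter name are constructed values.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11        # RFC 2865 section 5.11


def build_access_accept(request_auth: bytes, identifier: int, secret: bytes, filter_ids) -> bytes:
    """Encode an Access-Accept with one Filter-Id attribute per name.
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b""
    for name in filter_ids:
        value = name.encode()
        if not 1 <= len(value) <= 253:       # the length byte also covers the 2-byte header
            raise ValueError("Filter-Id must be 1..253 bytes")
        attrs += bytes([ATTR_FILTER_ID, 2 + len(value)]) + value
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def parse_attributes(payload: bytes):
    """Split the TLV attribute list, refusing truncated or zero-length entries."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = payload[i], payload[i + 1]
        if attr_len < 2 or i + attr_len > len(payload):
            raise ValueError("bad attribute length")
        out.append((attr_type, payload[i + 2:i + attr_len]))
        i += attr_len
    return out


def filter_ids_from_accept(packet: bytes, request_auth: bytes, secret: bytes):
    """Verify the Response Authenticator, then return the Filter-Id values.
    Raises ValueError if the packet is malformed or was not produced with our secret."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch; discard this reply")
    return [v.decode() for t, v in parse_attributes(attrs) if t == ATTR_FILTER_ID]


def accepted(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True if the reply verifies and would be honoured by the switch."""
    try:
        filter_ids_from_accept(packet, request_auth, secret)
        return True
    except ValueError:
        return False


def tampered(packet: bytes) -> bytes:
    """Flip one byte of the Filter-Id value, as an on-path attacker swapping the role would."""
    body = bytearray(packet)
    body[-1] ^= 0x01
    return bytes(body)


# Constructed values: the switch picks the Request Authenticator for its Access-Request.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
ACCEPT = build_access_accept(REQUEST_AUTH, identifier=7, secret=SECRET, filter_ids=["employee-acl"])

if __name__ == "__main__":
    print(filter_ids_from_accept(ACCEPT, REQUEST_AUTH, SECRET))
    print("tampered reply accepted:", accepted(tampered(ACCEPT), REQUEST_AUTH, SECRET))
```

The filter name returned here ("employee-acl") is what goes into the From Radius AVP - "Filter ID" field of the source label. The Response Authenticator only proves that the reply came from a holder of the shared secret and was not altered; RADIUS over plain UDP still exposes the exchange, so carry it over RadSec (RFC 6614) or IPsec between the switch and the server where you can.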