Creating a Policy Enforcer Connector for Third-Party Switches

Before You Begin

Have your ClearPass, Cisco ISE, ForeScout, Pulse Secure server information available.
To obtain an evaluation copy of ForeScout CounterACT to use with Policy Enforcer, click here.
Once configure, you select the Connector as an Enforcement Point in your Secure Fabric.
Review the Policy Enforcer Connector Overview topic.
To create a connector for a public or a private cloud, see Creating a Policy Enforcer Connector for Public and Private Clouds.

Perform the following actions to create connectors for the third-party switches.

To configure threat remediation for third-party devices, you must install and register the threat remediation plug-in with Policy Enforcer as follows:

Select Administration > Policy Enforcer > Connectors.
The Connectors page appears.
Click the create icon (+).
The Create Connector page appears.
Complete the configuration using the information in Table 1.
Click OK.
Note:
Once configured, you select the connector name as an Enforcement Point in your Secure Fabric.

Table 1: Fields on the Create Connector Page
Field	Description
`General`
Name	Enter a unique string that must begin with an alphanumeric character and can include underscores; no spaces allowed; 63 characters maximum.
Description	Enter a description; maximum length is 1024 characters. You should make this description as useful as possible for all administrators.
Connector Type	Select the required third-party network of devices to connect to your secure fabric and create policies for this network. The available connectors are Cisco ISE, HP ClearPass, Pulse Secure, and ForeScout CounterACT.
IP Address/URL	Enter the IP (IPv4 or IPv6) address of the product management server.
Port	Select the port to be used from the list. When this is left blank, port 443 is used as the default.
Username	Enter the username of the server for the selected connector type. ClearPass—Enter the Client ID created while setting up the ClearPass API client. See ClearPass Configuration for Third-Party Plug-in for details. Cisco ISE—Enter the username you used when you created the API Client in the Cisco ISE UI. See Cisco ISE Configuration for Third-Party Plug-in. ForeScout—Enter the username of your DEX plugin. See Integrating ForeScout CounterACT with Juniper Networks SDSN.
Password	Enter the password of the server for the selected connector type. ClearPass—Enter the Client Secret string created while setting up the ClearPass API client. See ClearPass Configuration for Third-Party Plug-in for details. Warning: When the Access Token Lifetime expires, you must generate a new Client Secret in ClearPass and update it here too. Cisco ISE—Enter the password you used when you created the API Client in the Cisco ISE UI. See Cisco ISE Configuration for Third-Party Plug-in . ForeScout—Enter the password of your DEX plugin. See Integrating ForeScout CounterACT with Juniper Networks SDSN.
DEX User Role (For ForeScout connector type only)	Enter the Data Exchange (DEX) user role information to authenticate and connect to the ForeScout connector. See Integrating ForeScout CounterACT with Juniper Networks SDSN.
`Network Details`
Subnets	Connector Type: ClearPass, ForeScout CounterACT, Pulse Secure, and Cisco ISE Add subnet information to the connector configuration so you can include those subnets in groups and then apply policies to the groups. When using Junos Space, Policy Enforcer is able to dynamically discover subnets configured on Juniper switches. Policy Enforcer does not have the same insight with third-party devices. When you add subnets as part of the connector configuration, those subnets become selectable in Policy Enforcement Groups. To add subnet information, do one of the following: Click Upload File to upload a text file with an IP address list. Note that the file you upload must contain only one item per line (no commas or semi colons). All items are validated before being added to the list. OR Manually enter the IP addresses. For example: 192.168.0.1/24. Click the add icon (+) to add more IP addresses. Note: It is mandatory to add at least one IP subnet to a connector. You cannot proceed to next step without adding a subnet.
`Configuration`
Configuration	Provide any additional information required for this particular connector connection. After the successful completion, the subnet you have created is mapped to that particular connector instance. Note: For ClearPass and Cisco ISE connectors no additional configuration information are required.

Note:

You can associate ClearPass, Cisco ISE, Pulse Secure, or Forescout connector to a site only in your Secure Fabric.
When a connector is added to the site, Policy Enforcer discovers the vSRX Series associated with the connector and assigns it to the site. Hover over the connector name to view the corresponding vSRX with its IP address as a tool tip.

Warning:

Ensure that the correct credentials are provided for the ClearPass, Cisco ISE, Pulse Secure, and ForeScout identity servers. If the initial connection fails, an error message is shown only at that time. Once that message disappears, the status of connectivity to the identity server is not shown in Policy Enforcer. Note that the identity servers are only queried on-demand.

Creating a Policy Enforcer Connector for Third-Party Switches

Related Documentation