Enforcement using EX Series Ethernet Switches

Overview

You can use the EX Series switch as an Infranet Enforcer with Ivanti Policy Secure. With this solution, Ivanti Policy Secure is the policy decision point, while the switch is the policy enforcement point. In prior releases, Layer 3 firewalls were the only option for policy enforcement points. This scenario allows enforcement with 802.1X deployments.

To employ the switch as an Infranet Enforcer, you configure a connection between the EX Series switch and Ivanti Policy Secure, establish communication, set up 802.1X, configure Ivanti Policy Secure parameters for admission to the network, and configure resource access policies.

Upon successful configuration, the following occurs:

  • The EX Series switch sends a connection request to Ivanti Policy Secure.

  • The EX Series switch shares its RADIUS configuration, taken from the CLI configuration on the switch, with Ivanti Policy Secure.

  • Ivanti Policy Secure creates the RADIUS client for the EX Series switch using the information provided.

  • When a user successfully authenticates, Ivanti Policy Secure provides an auth table entry to the connected EX Series switch. The auth table includes the MAC address of the user, the assigned roles and the port index.

  • Ivanti Policy Secure must receive the attributes Calling Station ID and Network Access Server (NAS) Port from the switch to successfully make the connection.
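The following added example (not Ivanti or Juniper code) shows one way to confirm, from a captured RADIUS Access-Request, that the switch sends both attributes named above. It uses the RFC 2865 attribute numbers (NAS-Port is 5, Calling-Station-Id is 31) and assumes Calling-Station-Id carries the client MAC in the hyphenated form RFC 3580 describes for 802.1X; the function names and sample packets are constructed for illustration.

```python
import struct

# RADIUS attribute type numbers and packet code, per RFC 2865
ACCESS_REQUEST, NAS_PORT, CALLING_STATION_ID = 1, 5, 31
REQUIRED = {NAS_PORT: "NAS-Port", CALLING_STATION_ID: "Calling-Station-Id"}

def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes of a RADIUS Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError(f"not an Access-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute {a_type}")
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])  # keep first
        pos += a_len
    return attrs

def check_request(packet: bytes) -> dict:
    """List required attributes that are missing; decode those present."""
    attrs = parse_attributes(packet)
    result = {"missing": [n for t, n in REQUIRED.items() if t not in attrs]}
    if NAS_PORT in attrs:
        if len(attrs[NAS_PORT]) != 4:
            raise ValueError("NAS-Port must be a 4-byte integer")
        result["nas_port"] = struct.unpack("!I", attrs[NAS_PORT])[0]
    if CALLING_STATION_ID in attrs:
        mac = attrs[CALLING_STATION_ID].decode("ascii", "replace")
        result["mac"] = mac.replace("-", ":").lower()
    return result

def build_request(attrs: list) -> bytes:
    """Build a constructed sample Access-Request (zeroed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: a complete request and one lacking NAS-Port
GOOD = build_request([(1, b"alice"), (NAS_PORT, struct.pack("!I", 514)),
                      (CALLING_STATION_ID, b"00-11-22-AA-BB-CC")])
BAD = build_request([(1, b"alice"), (CALLING_STATION_ID, b"00-11-22-AA-BB-CC")])
```

A non-empty `missing` list for requests from the switch points to the switch-side 802.1X or RADIUS configuration as the place to look when the connection fails.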