Enforcement using EX Series Ethernet Switches
Overview
You can use an EX Series switch as an Infranet Enforcer with IPS. In this solution, IPS is the policy decision point and the switch is the policy enforcement point. In earlier releases, only Layer 3 firewalls could act as policy enforcement points; using the switch moves enforcement to the access layer and allows it in 802.1X deployments.
To employ the switch as an Infranet Enforcer, you configure a connection between the EX Series switch and IPS, establish communication, set up 802.1X on the switch, configure the IPS parameters that govern admission to the network, and configure resource access policies.
Upon successful configuration, the following occurs:
- The EX Series switch sends a connection request to IPS.
- The EX Series switch shares its RADIUS configuration with IPS, taken from the CLI configuration on the switch.
- IPS creates the RADIUS client for the EX Series switch using the information provided.
- When a user successfully authenticates, IPS pushes an auth table entry to the connected EX Series switch. The auth table entry includes the MAC address of the user's device, the assigned roles, and the port index.
- For the auth table entry to be built, IPS must receive the RADIUS attributes Calling-Station-Id (which carries the client MAC address) and NAS-Port (which carries the port index) from the switch in the authentication request.
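The switch-side configuration for this procedure, as an added example that is not taken from the original page or from Juniper's documentation: the IPS address (10.10.10.5), the management interface (vlan.0), the access port (ge-0/0/1), the profile and controller names, and both secrets are assumptions. Because the switch sends its RADIUS configuration to IPS and IPS creates the matching RADIUS client from it, the RADIUS server configured on the switch is IPS itself.

```junos
## Added example, not from the original page. Addresses, names and secrets are assumed.

## 1. Connection from the switch to IPS (the Infranet Controller). The switch
##    initiates this connection and sends its RADIUS client details over it.
set services unified-access-control infranet-controller ic1 address 10.10.10.5
set services unified-access-control infranet-controller ic1 interface vlan.0
set services unified-access-control infranet-controller ic1 password "Controller-Secret-Assumed"

## 2. RADIUS: IPS is the RADIUS server. This secret is what IPS will store in the
##    RADIUS client entry it creates for this switch.
set access radius-server 10.10.10.5 secret "Radius-Secret-Assumed"
set access profile ips-dot1x authentication-order radius
set access profile ips-dot1x radius authentication-server 10.10.10.5

## 3. 802.1X on the access port, using that profile. "supplicant multiple" lets
##    each MAC address behind the port authenticate separately, which matches the
##    per-MAC auth table entries IPS pushes to the switch.
set protocols dot1x authenticator authentication-profile-name ips-dot1x
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/1.0 reauthentication 3600
```

After committing, check that the connection to IPS is up with `show services unified-access-control status`, then authenticate a client on ge-0/0/1 and confirm the pushed entry (MAC address, roles and port index) with `show services unified-access-control authentication-table` and `show dot1x interface ge-0/0/1.0 detail`. If the auth table stays empty while 802.1X succeeds, verify in the IPS logs that the Access-Request from the switch carried both Calling-Station-Id and NAS-Port; without them IPS cannot build the entry. The IPS-side steps (admission parameters and resource access policies) are configured on IPS and are not shown here.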