Technical Documentation
EX Series Search
Related Documentation
- EX Series
- Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX Series Switch
- Configuring 802.1X Authentication (J-Web Procedure)
- Configuring 802.1X Interface Settings (CLI Procedure)
- Monitoring 802.1X Authentication
- Understanding Server Fail Fallback and Authentication on EX Series Switches
Configuring Server Fail Fallback (CLI Procedure)
Server fail fallback allows you to specify how end devices connected to the switch are supported if the RADIUS authentication server becomes unavailable or sends an Extensible Authentication Protocol Over LAN (EAPOL) access-reject message.
802.1X and MAC RADIUS authentication work by using an authenticator port access entity (the EX Series switch) to block all traffic to and from an end device at the interface until the end device's credentials are presented and matched on the authentication server (a RADIUS server). When the end device has been authenticated, the switch stops blocking and opens the interface to the end device.
When you set up 802.1X or MAC RADIUS authentication on the switch, you specify a primary authentication server and one or more backup authentication servers. If the primary authentication server cannot be reached by the switch and the secondary authentication servers are also unreachable, a RADIUS server timeout occurs. Because the authentication server grants or denies access to the end devices awaiting authentication, the switch does not receive access instructions for end devices attempting access to the LAN and normal authentication cannot be completed. Server fail fallback allows you to configure authentication alternatives that permit the switch to take appropriate actions toward end devices awaiting authentication or reauthentication.
To configure basic server fail fallback options using the CLI:
- Configure an interface to allow traffic to flow from a
supplicant to the LAN if a RADIUS server timeout occurs (as if the
end device had been successfully authenticated by a RADIUS server):
[edit protocols dot1x authenticator]
user@switch# set interface ge-0/0/1 server-fail permit - Configure an interface to prevent traffic flow from an
end device to the LAN (as if the end device had failed authentication
and had been rejected by the RADIUS server):
[edit protocols dot1x authenticator]
user@switch# set interface ge-0/0/1 server-fail deny - Configure an interface to move an end device to a specified
VLAN if a RADIUS server timeout occurs (in this case, the VLAN name
is vlan1):
[edit protocols dot1x authenticator]
user@switch# set interface ge-0/0/1 server-fail vlan-name vlan1 - Configure an interface to recognize already connected
end devices as reauthenticated if there is a RADIUS timeout during
reauthentication (new users will be denied access):
[edit protocols dot1x authenticator]
user@switch# set interface ge-0/0/1 server-fail use-cache - Configure an interface that receives an EAPOL access-reject
message from the authentication server to move end devices attempting
LAN access on the interface to a specified VLAN already configured
on the switch (in this case, the VLAN name is vlan-sf):
[edit protocols dot1x authenticator]
user@switch# set interface ge-0/0/1 server-reject-vlan vlan-sf
Related Documentation
- EX Series
- Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX Series Switch
- Configuring 802.1X Authentication (J-Web Procedure)
- Configuring 802.1X Interface Settings (CLI Procedure)
- Monitoring 802.1X Authentication
- Understanding Server Fail Fallback and Authentication on EX Series Switches
