Understanding 802.1X Port-Based Network Authentication
From Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D75 and Junos OS Release 17.3R1, IEEE 802.1X port-based network authentication is not supported.
Starting in Junos OS 15.1X49-D80, 802.1X port-based authentication is supported on SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices.
IEEE 802.1X authentication and MAC RADIUS authentication both provide network edge security, protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from a device at the interface until the supplicant's credential or MAC address is presented and matched on the authentication server (a RADIUS server). When the supplicant is authenticated, the switch stops blocking access and opens the interface to the supplicant.
A LAN network configured for 802.1X authentication contains three basic components:
Supplicant—The IEEE term for a host that requests to join the network. The host can be responsive or nonresponsive. A responsive host is one on which 802.1X authentication is enabled and that provides authentication credentials (such as a user name and password). A nonresponsive host is one on which 802.1X authentication is not enabled.
Authenticator port access entity—The IEEE term for the authenticator. The SRX Series device is the authenticator and controls access by blocking all traffic from the host/supplicant until it is authenticated.
Authentication server—The server containing the back-end database that makes authentication decisions. (Junos OS supports RADIUS authentication servers.) The authentication server contains credential information for each supplicant that can connect to the network. The authenticator forwards credentials supplied by the supplicant to the authentication server. If the credentials forwarded by the authenticator match the credentials in the authentication server database, access is granted. If the credentials forwarded do not match, access is denied.
Table 1 lists the features that the implementation of 802.1X authentication provides for specific devices. (Platform support depends on the Junos OS release in your installation.) Table 2 lists the supplicant capacities that the implementation of 802.1X authentication provides for specific devices.
Table 1: 802.1X Authentication Features

| Feature | SRX300/SRX320 | SRX340/SRX345 | SRX550M | SRX1500 |
|---|---|---|---|---|
| Dynamic VLAN assignment | Yes | Yes | Yes | Yes |
| MAC RADIUS authentication | Yes | Yes | Yes | Yes |
| Static MAC bypass | Yes | Yes | Yes | Yes |
| Guest VLAN | Yes | Yes | Yes | Yes |
| RADIUS server failure fallback | Yes | Yes | Yes | Yes |
| VoIP VLAN support | Yes | Yes | Yes | Yes |
| RADIUS accounting | Yes | Yes | Yes | Yes |
Table 2: 802.1X Supplicant Capacities

| Capacities | SRX300/SRX320 | SRX340/SRX345 | SRX550M | SRX1500 |
|---|---|---|---|---|
| Supplicants per port | 64 | 64 | 64 | 64 |
| Supplicants per system | 2K | 2K | 2K | 2K |
| Supplicants with dynamic VLAN assignments | 64 | 300 | 2K | 2K |
Dynamic VLAN Assignment
When a supplicant first connects to an SRX Series device, the authenticator sends a request to the supplicant to begin 802.1X authentication. If the supplicant is an 802.1X-enabled device, it responds, and the authenticator relays an authentication request to the RADIUS server.
As part of the reply to the authentication request, the RADIUS server returns information about the VLAN to which the port belongs. By configuring the VLAN information at the RADIUS server, you can control the VLAN assignment on the port.
MAC RADIUS Authentication
If the authenticator sends three requests to a supplicant to begin 802.1X authentication and receives no response, the supplicant is considered nonresponsive. For a nonresponsive supplicant, the authenticator sends a request to the RADIUS server for authentication of the supplicant’s MAC address. If the MAC address matches an entry in a predefined list of MAC addresses on the RADIUS server, authentication is granted and the authenticator opens LAN access on the interface where the supplicant is connected.
You can configure the number of times the authenticator attempts to receive a response and the time period between attempts.
Static MAC Bypass
The authenticator can allow particular supplicants direct access to the LAN, bypassing the authentication server, by including the supplicants’ MAC addresses in the static MAC bypass list configured on the SRX Series device. Supplicants’ MAC addresses are first checked against this list. If a match is found, the corresponding supplicant is considered successfully authenticated and the interface is opened up for it. No further authentication is done for that supplicant. If a match is not found and 802.1X authentication is enabled for the supplicant, the device continues with MAC RADIUS authentication on the authentication server.
For each MAC address in the list, you can configure the VLAN to which the supplicant is moved or the interfaces on which the supplicant can connect.
Guest VLAN
You can specify a guest VLAN that provides limited network access for nonresponsive supplicants. If a guest VLAN is configured, the authenticator connects all nonresponsive supplicants to the predetermined VLAN, providing limited network access, often only to the Internet. This type of configuration can be used to provide Internet access to visitors without compromising company security.
In an 802.1X configuration, MAC RADIUS authentication and a guest VLAN must not be configured together, because the guest VLAN does not work when MAC RADIUS authentication is configured.
IEEE 802.1X provides LAN access to nonresponsive hosts, which are hosts where 802.1X is not enabled. These hosts, referred to as guests, typically are provided access only to the Internet.
RADIUS Server Failure Fallback
You can define one of four actions to be taken if no RADIUS authentication server is reachable (if, for example, a server failure or a timeout has occurred on the authentication server).
deny—(default) Prevent traffic from flowing from the supplicant through the interface.
permit—Allow traffic to flow from the supplicant through the interface as if the supplicant were successfully authenticated by the RADIUS server.
use-cache—Force successful authentication if authentication was granted before the failure or timeout. This ensures that authenticated users are not adversely affected by a failure or timeout.
vlan vlan-name | vlan-id—Move the supplicant to a different VLAN specified by name or ID. This applies only to the first supplicant connecting to the interface.
For the permit, use-cache, and vlan fallback actions to work, 802.1X supplicants need to accept an out-of-sequence SUCCESS packet.
For RADIUS server settings, see Table 3.
Table 3: RADIUS Server Settings

| Field | Function | Your Action |
|---|---|---|
| IP Address | Specifies the IP address of the server. | Enter the IP address in dotted decimal notation. |
| Password | Specifies the login password. | Enter the password. |
| Confirm Password | Verifies the login password for the server. | Reenter the password. |
| Server Port Number | Specifies the port with which the server is associated. | Type the port number. |
| Source Address | Specifies the source address of the SRX Series device for communicating with the server. | Type the IP address in dotted decimal notation. |
| Retry Attempts | Specifies the number of login retries allowed after a login failure. | Type the number. |
| Timeout | Specifies the time interval to wait before the connection to the server is closed. | Type the interval in seconds. |
For 802.1X exclusion list details, see Table 4.
Table 4: 802.1X Exclusion List

| Field | Function | Your Action |
|---|---|---|
| MAC Address | Specifies the MAC address to be excluded from 802.1X authentication. | Enter the MAC address. |
| Exclude if connected through the port | Specifies that a supplicant can bypass authentication if it is connected through a particular interface. | Select to enable the option. Select the port through which the supplicant is connected. |
| Move the host to the VLAN | Moves the host to a specific VLAN once the host is authenticated. | Select to enable the option. Select the VLAN from the list. |
For 802.1X port settings, see Table 5.
Table 5: 802.1X Port Settings

| Field | Function | Your Action |
|---|---|---|
| Supplicant Mode | | |
| Supplicant Mode | Specifies the mode to be adopted for supplicants: | Select the required mode. |
| Authentication | | |
| Enable re-authentication | Specifies enabling reauthentication on the selected interface. | Select to enable reauthentication. Enter the timeout for reauthentication in seconds. |
| Action for nonresponsive hosts | Specifies the action to be taken in case a supplicant is nonresponsive: | Select the required action. |
| Timeouts | Specifies timeout values for: | Enter timeout values in seconds for the appropriate options. |
VoIP VLAN Support
When VoIP is used with 802.1X, the RADIUS server authenticates the phone, and Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) provides the class-of-service (CoS) parameters for the phone.
You can configure 802.1X authentication to work with VoIP in multiple-supplicant or single-supplicant mode:
Multiple-supplicant mode—Allows multiple supplicants to connect to the interface. Each supplicant is authenticated individually.
Single-supplicant mode—Authenticates only the first supplicant. All other supplicants that connect later to the interface are allowed to piggyback on the first supplicant’s authentication and gain full access.
RADIUS Accounting
Configuring RADIUS accounting on an SRX Series device lets you collect statistical data about users logging in to and out of a LAN and send it to a RADIUS accounting server. The collected data can be used for general network monitoring, to analyze and track usage patterns, or to bill a user on the basis of the amount of time or type of services accessed.
To configure RADIUS accounting, specify one or more RADIUS accounting servers to receive the statistical data from the device, and select the type of accounting data to be collected. To view the collected statistics, you can access the log file configured to receive them.
Server Reject VLAN
By default, when authentication fails, the supplicant is denied access to the network. However, you can specify a VLAN to which the supplicant is moved if authentication fails. The server reject VLAN is similar to a guest VLAN. With a server reject VLAN, however, authentication is first attempted by credential, then by MAC address. If both authentication methods fail, the supplicant is given access to a predetermined VLAN with limited network access.
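The order of checks described in this topic (static MAC bypass first, then credential authentication, MAC RADIUS for nonresponsive or rejected hosts, the guest VLAN, the RADIUS server failure fallback actions, and finally the server reject VLAN) as a runnable decision model. This is an added example, not Junos OS code: the `PortConfig` and `authorize` names, the simulated RADIUS database, and the VLAN names and MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class PortConfig:
    static_bypass: dict = field(default_factory=dict)  # MAC -> VLAN name (None keeps the port VLAN)
    mac_radius: bool = False
    guest_vlan: Optional[str] = None
    server_reject_vlan: Optional[str] = None
    server_fail: str = "deny"                           # deny | permit | use-cache | vlan
    server_fail_vlan: Optional[str] = None

    def __post_init__(self):
        # Guest VLAN does not work alongside MAC RADIUS, so refuse that combination.
        if self.mac_radius and self.guest_vlan:
            raise ValueError("guest VLAN and MAC RADIUS must not be configured together")

# Constructed RADIUS database: VLAN returned on accept, keyed by method and identity.
RADIUS_DB = {("credential", ("alice", "s3cret")): "staff",
             ("mac", "00:11:22:33:44:55"): "printers"}

def radius_server(method, key, reachable=True):
    """Return the VLAN on accept, "" on reject, None when no server is reachable."""
    return None if not reachable else RADIUS_DB.get((method, key), "")

def authorize(port, mac, credentials=None, cached=False, reachable=True):
    """Decide (state, vlan); credentials=None models a nonresponsive host, cached an earlier success."""
    if mac in port.static_bypass:                        # 1. static MAC bypass, no server involved
        return "open", port.static_bypass[mac] or "port"
    if credentials is not None:                          # 2. responsive host: credential check
        result = radius_server("credential", credentials, reachable)
        if result == "" and port.mac_radius:             #    rejected: fall back to MAC address
            result = radius_server("mac", mac, reachable)
    elif port.mac_radius:                                # 3. nonresponsive host: MAC RADIUS
        result = radius_server("mac", mac, reachable)
    elif port.guest_vlan:                                # 4. nonresponsive, no MAC RADIUS: guest VLAN
        return "limited", port.guest_vlan
    else:
        return "blocked", None
    if result is None:                                   # 5. no server reachable: server-fail action
        if port.server_fail == "vlan":
            return "open", port.server_fail_vlan
        if port.server_fail == "permit" or (port.server_fail == "use-cache" and cached):
            return "open", "port"
        return "blocked", None                           #    deny (default), or use-cache with no cache
    if result:                                           # 6. accept: dynamic VLAN from the server
        return "open", result
    if port.server_reject_vlan:                          # 7. reject: server reject VLAN if configured
        return "limited", port.server_reject_vlan
    return "blocked", None
```

The model treats one supplicant at a time and does not distinguish single-supplicant from multiple-supplicant mode.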