
About the Authentication Profiles Page

To access this page, select Configuration > SD-LAN > Authentication Profiles in Customer Portal.

Use this page to view, clone, edit, and delete authentication profiles. An authentication profile defines the parameters used to authenticate a user. In an authentication profile, you can define the authentication method, fallback options, and other settings (for example, number of retries, maximum number of requests that can be allowed, and authentication server timeout) related to the communication between the switch and a supplicant.

Tasks You Can Perform

You can perform the following tasks from this page:

Field Descriptions

Table 227 describes the fields on the Authentication Profiles page.

Table 227: Authentication Profiles Page Fields

Field

Description

Profile Name

Name of the authentication profile.

Description

A description of the authentication profile.

Supplicant Mode

The mode of authenticating supplicants:

  • Single—Authenticates only the first supplicant in a LAN. All other supplicants in the LAN that connect later to the port are allowed access without any further authentication, based on the first supplicant’s authentication.

  • Single Secure—Allows only one supplicant in a LAN to connect to the port. No other supplicant in the LAN is allowed to connect until the first supplicant logs out.

  • Multiple—Allows multiple supplicants in a LAN to connect to the port. Each supplicant is authenticated individually.

Primary Authentication Method

The primary method for authenticating a supplicant:

  • dot1x—IEEE 802.1X standard for port-based network access control (PBNAC); protects Ethernet LANs from unauthorized user access.

    The dot1x method blocks all traffic to and from a supplicant at the port until the supplicant’s credentials are presented and matched on the authentication server (a RADIUS server). When the supplicant is authenticated, the switch allows traffic to and from the supplicant to pass through it.

  • MAC RADIUS—Used for network devices (such as a printer or a camera) connected in a LAN that need to access network resources but do not support the 802.1X standard.

    When a switch detects a supplicant that is not 802.1X-enabled on its port, the switch transmits the MAC address of the supplicant to the authentication server. The server then tries to match the MAC address with a list of MAC addresses in its database. If the MAC address matches an address in the list, the supplicant is authenticated.

Secondary Authentication Method

The secondary method for authenticating a supplicant when the switch is unable to validate a supplicant by using the primary method:

  • None

  • dot1x, when MAC RADIUS is set as the primary authentication method.

  • MAC RADIUS, when the dot1x method is set as the primary authentication method.

Server Fail

The action that the switch takes when the RADIUS servers are unavailable for authenticating a supplicant:

  • None—No action is taken. If network access is already granted to a supplicant, the access is maintained.

  • Deny—Network access is denied to the supplicant.

  • Permit—Network access is permitted to the supplicant. If a RADIUS server timeout occurs during reauthentication, traffic is allowed from and to the supplicant as the supplicant is already authenticated.

  • Use Cache—Recognizes already connected supplicants and reauthenticates the supplicant when there is a RADIUS server timeout (new supplicants are denied access):

  • VLAN ID—Moves a supplicant to a specified VLAN (server fail VLAN) if a RADIUS server timeout occurs:

Server Reject

The action the switch takes when the switch is unable to validate a supplicant because of incorrect credentials provided by the supplicant:

  • None—No action is taken and the supplicant is denied network access.

  • VLAN ID—Moves the supplicant to a specified VLAN (server reject VLAN) with limited network access (Internet only).

Guest

The action the switch takes for temporary users such as guests or contractors:

  • None—No action is taken and the supplicant is denied network access.

  • VLAN ID—Moves the supplicants to a specified VLAN (guest VLAN) with limited network access (Internet only).
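
Several of the fields above decide when a port grants access without that supplicant having authenticated successfully. The following added example (not Juniper code; the dictionary layout, the audit_profile helper, and the VLAN numbers are assumptions) reviews a profile for those settings and for an invalid primary/secondary method combination.

```python
# Added example: field names follow the page's table; the dict layout,
# audit_profile() and the VLAN numbers are assumptions for illustration.
VALID_SECONDARY = {
    "dot1x": {"None", "MAC RADIUS"},
    "MAC RADIUS": {"None", "dot1x"},
}

def audit_profile(profile, restricted_vlans):
    """Return (severity, message) findings for one authentication profile."""
    findings = []
    primary = profile["primary_method"]
    secondary = profile.get("secondary_method", "None")

    # The secondary method must be None or the method not used as primary.
    if secondary not in VALID_SECONDARY.get(primary, set()):
        findings.append(("error", f"secondary {secondary!r} is invalid with primary {primary!r}"))
    # Single mode authenticates only the first supplicant on the port.
    if profile["supplicant_mode"] == "Single":
        findings.append(("warn", "Single: later supplicants get access without authentication"))
    # MAC RADIUS admits a device when its MAC address matches the server's list.
    if "MAC RADIUS" in (primary, secondary):
        findings.append(("info", "MAC RADIUS: admission rests on a MAC address match alone"))
    # Permit grants access while no RADIUS server can be reached.
    if profile.get("server_fail") == "Permit":
        findings.append(("warn", "Server Fail = Permit: access granted while RADIUS is unavailable"))
    # An integer value stands for the "VLAN ID" option of a fallback field.
    for field in ("server_fail", "server_reject", "guest"):
        vlan = profile.get(field, "None")
        if isinstance(vlan, int) and vlan not in restricted_vlans:
            findings.append(("warn", f"{field} VLAN {vlan} is not a designated limited-access VLAN"))
    return findings

# Constructed sample profile and operator-designated limited-access VLANs.
SAMPLE_PROFILE = {
    "supplicant_mode": "Single",
    "primary_method": "MAC RADIUS",
    "secondary_method": "MAC RADIUS",
    "server_fail": "Permit",
    "server_reject": 10,
    "guest": 999,
}
RESTRICTED_VLANS = {999}

if __name__ == "__main__":
    for severity, message in audit_profile(SAMPLE_PROFILE, RESTRICTED_VLANS):
        print(f"{severity:5} {message}")
```
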
