802.1X for Switches Overview
How 802.1X Authentication Works
802.1X authentication works by using an authenticator port access entity (the switch) to block ingress traffic from a supplicant (end device) at the port until the supplicant's credentials are presented and match on the authentication server (a RADIUS server). When authenticated, the switch stops blocking traffic and opens the port to the supplicant.
The end device is authenticated in single supplicant mode, single-secure supplicant mode, or multiple supplicant mode:
single supplicant—Authenticates only the first end device. All other end devices that connect later to the port are allowed full access without any further authentication. They effectively piggyback on the first end device’s authentication.
single-secure supplicant—Allows only one end device to connect to the port. No other end device is allowed to connect until the first device logs out.
multiple supplicant—Allows multiple end devices to connect to the port. Each end device is authenticated individually.
Network access can be further defined by using VLANs and firewall filters, both of which act as filters to separate and match groups of end devices to the areas of the LAN they require. For example, you can configure VLANs to handle different categories of authentication failures depending upon:
Whether or not the end device is 802.1X-enabled.
Whether or not MAC RADIUS authentication is configured on the switch interfaces to which the hosts are connected.
Whether the RADIUS authentication server becomes unavailable or sends a RADIUS access-reject message. See Configuring RADIUS Server Fail Fallback (CLI Procedure).
802.1X Features Overview
The following 802.1X features are supported on Juniper Networks Ethernet Switches:
Guest VLAN—Provides limited access to a LAN, typically only to the Internet, for nonresponsive end devices that are not 802.1X-enabled when MAC RADIUS authentication is not configured on the switch interfaces to which the hosts are connected. Also, a guest VLAN can be used to provide limited access to a LAN for guest users. Typically, the guest VLAN provides access only to the Internet and to other guests’ end devices.
Server-reject VLAN—Provides limited access to a LAN, typically only to the Internet, for responsive end devices that are 802.1X-enabled but that have sent the wrong credentials. If the end device that is authenticated using the server-reject VLAN is an IP phone, voice traffic is not allowed.
Server-fail VLAN—Provides limited access to a LAN, typically only to the Internet, for 802.1X end devices during a RADIUS server timeout.
Dynamic VLAN—Enables an end device, after authentication, to be a member of a VLAN dynamically.
Private VLAN—Enables configuration of 802.1X authentication on interfaces that are members of private VLANs (PVLANs).
Dynamic changes to a user session—Enables the switch administrator to terminate an already authenticated session. This feature is based on support of the RADIUS Disconnect Message defined in RFC 3576.
VoIP VLAN—Supports IP telephones. The implementation of a voice VLAN on an IP telephone is vendor-specific. If the phone is 802.1X-enabled, it is authenticated as any other supplicant is. If the phone is not 802.1X-enabled, but has another 802.1X-compatible device connected to its data port, that device is authenticated, and then VoIP traffic can flow to and from the phone (provided that the interface is configured in single supplicant mode and not in single-secure supplicant mode).
Configuring a VoIP VLAN on private VLAN (PVLAN) interfaces is not supported.
RADIUS accounting—Sends accounting information to the RADIUS accounting server. Accounting information is sent to the server whenever a subscriber logs in or logs out and whenever a subscriber activates or deactivates a subscription.
RADIUS server attributes for 802.1X—The Juniper-Switching-Filter is a vendor-specific attribute (VSA) that can be configured on the RADIUS server to further define a supplicant's access during the 802.1X authentication process. Centrally configuring attributes on the authentication server obviates the need to configure these same attributes in the form of firewall filters on every switch in the LAN to which the supplicant might connect. This feature is based on RLI 4583, AAA RADIUS BRAS VSA Support.
The following features are supported to authenticate devices that are not 802.1X-enabled:
Static MAC bypass—Provides a bypass mechanism to authenticate devices that are not 802.1X-enabled (such as printers). Static MAC bypass connects these devices to 802.1X-enabled ports, bypassing 802.1X authentication.
MAC RADIUS authentication—Provides a means to permit hosts that are not 802.1X-enabled to access the LAN. MAC RADIUS authentication simulates the supplicant functionality of the client device, using the MAC address of the client as both username and password.
802.1X Authentication on Trunk Ports
Starting in Junos OS Release 18.4R1, you can configure 802.1X authentication on trunk interfaces, which allows the network access device (NAS) to authenticate an access point (AP) or another connected Layer 2 device. An AP or switch connected to the NAS carries multiple VLANs, so it must connect to a trunk port. Enabling 802.1X authentication on the trunk interface protects the NAS from a security breach in which an attacker might disconnect the AP and connect a laptop to get free access to the network on all the configured VLANs.
Please note the following caveats when configuring 802.1X authentication on trunk interfaces.
Only single and single-secure supplicant modes are supported on trunk interfaces.
You must configure 802.1X authentication locally on the trunk interface. If you configure 802.1X authentication globally using the set protocol dot1x interface all command, the configuration is not applied to the trunk interface.
Dynamic VLANs are not supported on trunk interfaces.
Guest VLAN and server-reject VLAN are not supported on trunk interfaces.
Server-fail fallback for VoIP clients (server-fail-voip) is not supported on trunk interfaces.
Captive portal authentication is not supported on trunk ports.
802.1X authentication on trunk ports is not supported on aggregated interfaces.
Configuration of 802.1X authentication on interfaces that are members of private VLANs (PVLANs) is not supported on trunk ports.
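The following is an added illustration, not Juniper code: a small Python model of the port behaviour described above, covering the three supplicant modes, the guest, server-reject and server-fail VLAN fallbacks, and the trunk-port caveats. The Device and Port classes, the MAC addresses, VLAN names and RADIUS outcomes are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Device:
    mac: str
    dot1x_capable: bool      # answers EAP, or not (printer, nonresponsive host)
    radius_result: str       # constructed outcome: "accept", "reject" or "timeout"
    radius_vlan: Optional[str] = None   # dynamic VLAN returned with Access-Accept

@dataclass
class Port:
    mode: str                # "single", "single-secure" or "multiple"
    default_vlan: str
    trunk: bool = False
    mac_radius: bool = False
    guest_vlan: Optional[str] = None
    server_reject_vlan: Optional[str] = None
    server_fail_vlan: Optional[str] = None
    sessions: List[Tuple[str, str]] = field(default_factory=list)  # (mac, vlan)

    def __post_init__(self) -> None:
        # Trunk caveats from the text: only single/single-secure modes, and no
        # guest or server-reject VLAN (dynamic VLAN is refused in _authenticate).
        if self.trunk and (self.mode == "multiple" or self.guest_vlan
                           or self.server_reject_vlan):
            raise ValueError("unsupported 802.1X option on a trunk interface")
    def _authenticate(self, dev: Device) -> Optional[str]:
        # VLAN the device lands in after its own attempt; None keeps it blocked.
        if not dev.dot1x_capable and not self.mac_radius:
            return self.guest_vlan            # no EAP and no MAC RADIUS
        if dev.radius_result == "accept":     # EAP or MAC RADIUS succeeded
            if dev.radius_vlan and not self.trunk:
                return dev.radius_vlan        # dynamic VLAN, access ports only
            return self.default_vlan
        if dev.radius_result == "reject":
            return self.server_reject_vlan    # wrong credentials
        return self.server_fail_vlan          # RADIUS timeout
    def connect(self, dev: Device) -> Optional[str]:
        # Decision for a newly connected device under the port's supplicant mode.
        if self.sessions and self.mode == "single":
            return self.sessions[0][1]        # piggybacks on the first session
        if self.sessions and self.mode == "single-secure":
            return None                       # locked until the first device logs out
        vlan = self._authenticate(dev)
        if vlan is not None:
            self.sessions.append((dev.mac, vlan))
        return vlan
    def logout(self, mac: str) -> None:
        self.sessions = [s for s in self.sessions if s[0] != mac]
```

Running the model with one accepted laptop followed by a device with bad credentials shows the difference that matters for risk: in single mode the second device inherits the first session's VLAN, in single-secure mode it is blocked, and in multiple mode it lands in the server-reject VLAN.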