Understanding Guest VLANs for 802.1X on MX Series Routers in Enhanced LAN Mode
Starting with Junos OS Release 14.2, guest VLANs can be configured on switches that are using 802.1X authentication to provide limited access—typically only to the Internet—for:
End devices that are not 802.1X-enabled
Nonresponsive end devices when MAC RADIUS authentication has not been configured on the switch interfaces to which the hosts are connected
A guest VLAN is not used for supplicants sending incorrect credentials. Those supplicants are directed to the server-reject VLAN instead.
For end devices that are not 802.1X-enabled, a guest VLAN can allow limited access to a server from which the non-802.1X-enabled end device can download the supplicant software and attempt authentication again.
A guest VLAN is not used when MAC RADIUS authentication has been configured on the switch interfaces to which the hosts are connected. Some end devices, such as a printer, cannot be enabled for 802.1X. The hosts for such devices should be connected to switch interfaces that are configured for MAC RADIUS authentication.