IEEE 802.1x Port-Based Network Access Control Overview
MX Series routers support the IEEE 802.1x Port-Based Network Access Control (dot1x) protocol on Ethernet interfaces for validation of client and user credentials to prevent unauthorized access to a specified router port. Before authentication is complete, only 802.1x control packets are allowed and forwarded to the router control plane for processing. All other packets are dropped.
Authentication methods used must be 802.1x compliant. Authentication using RADIUS and Microsoft Active Directory servers is supported. The following user/client authentication methods are allowed:
EAP-MD5 (RFC 3748)
EAP-TTLS requires a server certificate (RFC 2716)
EAP-TLS requires a client and server certificate
PEAP requires only a server certificate
You can use both client and server certificates in all types of authentication except EAP-MD5.
On the MX Series router, 802.1x can be enabled on bridged ports only and not on routed ports.
Dynamic changes to a user session are supported to allow the router administrator to terminate an already authenticated session by using the “RADIUS disconnect” message defined in RFC 3576.