
Understanding 802.1X Port-Based Network Authentication

Note

From Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D75 and Junos OS Release 17.3R1, IEEE 802.1X port-based network authentication is not supported.

Note

Starting in Junos OS 15.1X49-D80, 802.1X port-based authentication is supported on SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices.

IEEE 802.1X authentication and MAC RADIUS authentication both provide network edge security, protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from devices at the interface until the supplicant's credential or MAC address is presented and matched on the authentication server (a RADIUS server). When the supplicant is authenticated, the switch stops blocking access and opens the interface to the supplicant.

A LAN network configured for 802.1X authentication contains three basic components:

  • Supplicant—The IEEE term for a host that requests to join the network. The host can be responsive or nonresponsive. A responsive host is one on which 802.1X authentication is enabled and that provides authentication credentials (such as a user name and password). A nonresponsive host is one on which 802.1X authentication is not enabled.

  • Authenticator port access entity—The IEEE term for the authenticator. The SRX Series device is the authenticator and controls access by blocking all traffic from host/supplicant until they are authenticated.

  • Authentication server—The server containing the back-end database that makes authentication decisions. (Junos OS supports RADIUS authentication servers.) The authentication server contains credential information for each supplicant that can connect to the network. The authenticator forwards credentials supplied by the supplicant to the authentication server. If the credentials forwarded by the authenticator match the credentials in the authentication server database, access is granted. If the credentials forwarded do not match, access is denied.

Table 1 lists the features that the implementation of 802.1X authentication provides for specific devices. (Platform support depends on the Junos OS release in your installation.) Table 2 lists the supplicant capacities that the implementation of 802.1X authentication provides for specific devices.

Table 1: 802.1X Authentication Features

Feature                         SRX300/SRX320  SRX340/SRX345  SRX550M  SRX1500
Dynamic VLAN assignment         Yes            Yes            Yes      Yes
MAC RADIUS authentication       Yes            Yes            Yes      Yes
Static MAC bypass               Yes            Yes            Yes      Yes
Guest VLAN                      Yes            Yes            Yes      Yes
RADIUS server failure fallback  Yes            Yes            Yes      Yes
VoIP VLAN support               Yes            Yes            Yes      Yes
RADIUS accounting               Yes            Yes            Yes      Yes

Table 2: 802.1X Supplicant Capacities

Capacity                                   SRX300/SRX320  SRX340/SRX345  SRX550M  SRX1500
Supplicants per port                       64             64             64       64
Supplicants per system                     2K             2K             2K       2K
Supplicants with dynamic VLAN assignments  64             300            2K       2K

This topic contains the following sections:

  • Dynamic VLAN Assignment

  • MAC RADIUS Authentication

  • Static MAC Bypass

  • Guest VLAN

  • RADIUS Server Failure Fallback

  • VoIP VLAN Support

  • RADIUS Accounting

  • Server Reject VLAN

Dynamic VLAN Assignment

When a supplicant first connects to an SRX Series device, the authenticator sends a request to the supplicant to begin 802.1X authentication. If the supplicant is an 802.1X-enabled device, it responds, and the authenticator relays an authentication request to the RADIUS server.

As part of the reply to the authentication request, the RADIUS server returns information about the VLAN to which the port belongs. By configuring the VLAN information at the RADIUS server, you can control the VLAN assignment on the port.
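The VLAN information in the RADIUS reply is normally carried in the RFC 3580 tunnel attributes. The following is an added example, not Juniper code, that decodes those attributes from a constructed Access-Accept attribute list; that the SRX reads exactly these attributes is an assumption of the example.

```python
# Added example, not Juniper code: decode the VLAN carried in a RADIUS
# Access-Accept's RFC 3580 tunnel attributes, the standard way a server
# tells the authenticator which VLAN the port belongs to. Sample bytes are
# constructed; that the SRX reads exactly these attributes is an assumption.

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13     # Tunnel-Type value meaning "VLAN"
MEDIUM_IEEE_802 = 6       # Tunnel-Medium-Type value meaning "IEEE-802"

def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs.
    Layout: Type (1 octet), Length (1 octet, includes both header octets), Value.
    A bad length raises rather than being guessed around."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def split_tag(value):
    """RFC 2868 tunnel attributes may start with a Tag octet (0x00-0x1F)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value

def assigned_vlan(data):
    """Return the VLAN name or ID string from the reply, or None if none."""
    groups = {}                                   # tag -> {attr type: body}
    for atype, value in parse_attributes(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = split_tag(value)
            groups.setdefault(tag, {})[atype] = body
    for fields in groups.values():
        ttype = int.from_bytes(fields.get(TUNNEL_TYPE, b""), "big")
        medium = int.from_bytes(fields.get(TUNNEL_MEDIUM_TYPE, b""), "big")
        group = fields.get(TUNNEL_PRIVATE_GROUP_ID)
        if ttype == TUNNEL_TYPE_VLAN and medium == MEDIUM_IEEE_802 and group:
            return group.decode("ascii")
    return None

# Constructed Access-Accept attributes, all tagged 1: Tunnel-Type=VLAN(13),
# Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID="200".
SAMPLE_REPLY = bytes([64, 6, 1, 0, 0, 13, 65, 6, 1, 0, 0, 6, 81, 6, 1]) + b"200"
```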

MAC RADIUS Authentication

If the authenticator sends three requests to a supplicant to begin 802.1X authentication and receives no response, the supplicant is considered nonresponsive. For a nonresponsive supplicant, the authenticator sends a request to the RADIUS server for authentication of the supplicant’s MAC address. If the MAC address matches an entry in a predefined list of MAC addresses on the RADIUS server, authentication is granted and the authenticator opens LAN access on the interface where the supplicant is connected.

You can configure the number of times the authenticator attempts to receive a response and the time period between attempts.

Static MAC Bypass

The authenticator can allow particular supplicants direct access to the LAN, bypassing the authentication server, by including the supplicants’ MAC addresses in the static MAC bypass list configured on the SRX Series device. Supplicants’ MAC addresses are first checked against this list. If a match is found, the corresponding supplicant is considered successfully authenticated and the interface is opened up for it. No further authentication is done for that supplicant. If a match is not found and 802.1X authentication is enabled for the supplicant, the device continues with MAC RADIUS authentication on the authentication server.

For each MAC address in the list, you can configure the VLAN to which the supplicant is moved or the interfaces on which the supplicant can connect.

Guest VLAN

You can specify a guest VLAN that provides limited network access for nonresponsive supplicants. If a guest VLAN is configured, the authenticator connects all nonresponsive supplicants to the predetermined VLAN, providing limited network access, often only to the Internet. This type of configuration can be used to provide Internet access to visitors without compromising company security.

Note

With 802.1X, MAC RADIUS authentication and a guest VLAN must not be configured together, because the guest VLAN does not work when MAC RADIUS authentication is configured.

IEEE 802.1X provides LAN access to nonresponsive hosts, which are hosts where 802.1X is not enabled. These hosts, referred to as guests, typically are provided access only to the Internet.

RADIUS Server Failure Fallback

You can define one of four actions to be taken if no RADIUS authentication server is reachable (if, for example, a server failure or a timeout has occurred on the authentication server).

  • deny—(default) Prevent traffic from flowing from the supplicant through the interface.

  • permit—Allow traffic to flow from the supplicant through the interface as if the supplicant were successfully authenticated by the RADIUS server.

  • use-cache—Force successful authentication if authentication was granted before the failure or timeout. This ensures that authenticated users are not adversely affected by a failure or timeout.

  • vlan vlan-name | vlan-id—Move the supplicant to a different VLAN specified by name or ID. This applies only to the first supplicant connecting to the interface.

Note

For the permit, use-cache, and vlan fallback actions to work, 802.1X supplicants need to accept an out-of-sequence SUCCESS packet.

For RADIUS server settings, see Table 3.

Table 3: RADIUS Server Settings

Field: IP Address
  Function: Specifies the IP address of the server.
  Your Action: Enter the IP address in dotted decimal notation.

Field: Password
  Function: Specifies the login password.
  Your Action: Enter the password.

Field: Confirm Password
  Function: Verifies the login password for the server.
  Your Action: Reenter the password.

Field: Server Port Number
  Function: Specifies the port with which the server is associated.
  Your Action: Type the port number.

Field: Source Address
  Function: Specifies the source address of the SRX Series device for communicating with the server.
  Your Action: Type the IP address in dotted decimal notation.

Field: Retry Attempts
  Function: Specifies the number of login retries allowed after a login failure.
  Your Action: Type the number.

Field: Timeout
  Function: Specifies the time interval to wait before the connection to the server is closed.
  Your Action: Type the interval in seconds.

For 802.1X exclusion list details, see Table 4.

Table 4: 802.1X Exclusion List

Field: MAC Address
  Function: Specifies the MAC address to be excluded from 802.1X authentication.
  Your Action: Enter the MAC address.

Field: Exclude if connected through the port
  Function: Specifies that a supplicant can bypass authentication if it is connected through a particular interface.
  Your Action: Select to enable the option. Select the port through which the supplicant is connected.

Field: Move the host to the VLAN
  Function: Moves the host to a specific VLAN once the host is authenticated.
  Your Action: Select to enable the option. Select the VLAN from the list.

For 802.1X port settings, see Table 5.

Table 5: 802.1X Port Settings

Supplicant Mode

Field: Supplicant Mode
  Function: Specifies the mode to be adopted for supplicants:

    • Single secure—Allows only one host for authentication.

    • Multiple—Allows multiple hosts for authentication. Each host is checked before being admitted to the network.

    • Single mode authentication for multiple hosts—Allows multiple hosts but only the first is authenticated.

  Your Action: Select the required mode.

Authentication

Field: Enable re-authentication
  Function: Specifies enabling reauthentication on the selected interface.
  Your Action: Select to enable reauthentication. Enter the timeout for reauthentication in seconds.

Field: Action for nonresponsive hosts
  Function: Specifies the action to be taken in case a supplicant is nonresponsive:

    • Move to the Guest VLAN—Moves the supplicant to the specified Guest VLAN.

    • Deny—Does not permit access to the supplicant.

  Your Action: Select the required action.

Field: Timeouts
  Function: Specifies timeout values for:

    • Port waiting time after an authentication failure

    • EAPOL retransmitting interval

    • Maximum EAPOL requests

    • Maximum number of retries

    • Port timeout value for a response from the supplicant

    • Port timeout value for a response from the RADIUS server

  Your Action: Enter timeout values in seconds for the appropriate options.

VoIP VLAN Support

When VoIP is used with 802.1X, the RADIUS server authenticates the phone, and Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) provides the class-of-service (CoS) parameters for the phone.

You can configure 802.1X authentication to work with VoIP in multiple-supplicant or single-supplicant mode:

  • Multiple-supplicant mode—Allows multiple supplicants to connect to the interface. Each supplicant is authenticated individually.

  • Single-supplicant mode—Authenticates only the first supplicant. All other supplicants that connect later to the interface are allowed to piggyback on the first supplicant’s authentication and gain full access.

RADIUS Accounting

Configuring RADIUS accounting on an SRX Series device lets you collect statistical data about users logging in to and out of a LAN and send it to a RADIUS accounting server. The collected data can be used for general network monitoring, to analyze and track usage patterns, or to bill a user on the basis of the amount of time or type of services accessed.

To configure RADIUS accounting, specify one or more RADIUS accounting servers to receive the statistical data from the device, and select the type of accounting data to be collected. To view the collected statistics, you can access the log file configured to receive them.

Server Reject VLAN

By default, when authentication fails, the supplicant is denied access to the network. However, you can specify a VLAN to which the supplicant is moved if authentication fails. The server reject VLAN is similar to a guest VLAN. With a server reject VLAN, however, authentication is first attempted by credential, then by MAC address. If both authentication methods fail, the supplicant is given access to a predetermined VLAN with limited network access.
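The order in which the sections above are applied (static MAC bypass, then credentials, then MAC RADIUS, then the guest or server reject VLAN, with the server failure fallback when no RADIUS server answers) is easy to get wrong when reasoning about what a given host will be granted. The following is an added example in illustrative Python, not Junos code or Juniper's implementation; every name and sample value in it is constructed for the demonstration.

```python
# Added example, illustrative Python rather than Junos code: a simplified model
# of the authenticator decision order this page describes. Static MAC bypass is
# checked first, then 802.1X credentials for responsive hosts, then MAC RADIUS,
# then the guest or server-reject VLAN; the server-fail action applies when no
# RADIUS server is reachable. All names and sample values are constructed.

CACHE = {}   # MAC -> last successful (decision, vlan); used only by "use-cache"

def server_fail(port, mac):
    """Apply the configured fallback when no RADIUS server is reachable."""
    action = port["server_fail"]               # deny | permit | use-cache | vlan:<name>
    if action == "permit":
        return ("permit", None)
    if action == "use-cache":                  # only hosts authenticated before the outage
        return CACHE.get(mac, ("deny", None))
    if action.startswith("vlan:"):
        return ("permit", action[len("vlan:"):])
    return ("deny", None)                      # "deny" is the default action

def authenticate(port, radius, sup):
    """Return (decision, vlan) for supplicant dict `sup` on interface config `port`."""
    mac = sup["mac"]
    # 1. Static MAC bypass is matched first and never consults the server.
    if mac in port["static_mac_bypass"]:
        return ("permit", port["static_mac_bypass"][mac])
    if not radius["reachable"]:
        return server_fail(port, mac)
    # 2. A responsive (802.1X-enabled) host is checked by credential.
    if sup["responsive"] and radius["users"].get(sup["user"]) == sup["password"]:
        CACHE[mac] = ("permit", radius["vlans"].get(sup["user"]))
        return CACHE[mac]
    # 3. Nonresponsive hosts, and rejected credentials when a server-reject VLAN
    #    exists, are checked by MAC address against the server's MAC list.
    by_mac = not sup["responsive"] or bool(port["server_reject_vlan"])
    if by_mac and port["mac_radius"] and mac in radius["macs"]:
        CACHE[mac] = ("permit", radius["vlans"].get(mac))
        return CACHE[mac]
    # 4. Nothing matched: limited-access VLAN if configured, otherwise deny.
    vlan = port["server_reject_vlan"] if sup["responsive"] else port["guest_vlan"]
    return ("permit", vlan) if vlan else ("deny", None)

# Constructed RADIUS back end and port configuration. Guest VLAN is left unset
# because the page notes it cannot be combined with MAC RADIUS.
RADIUS = {"reachable": True, "users": {"alice": "s3cret"}, "macs": {"00:11:22:33:44:55"},
          "vlans": {"alice": "staff", "00:11:22:33:44:55": "printers"}}
PORT = {"static_mac_bypass": {"aa:bb:cc:dd:ee:ff": "cameras"}, "mac_radius": True,
        "guest_vlan": None, "server_reject_vlan": "quarantine", "server_fail": "deny"}
```

Changing `server_fail` in `PORT` to `"use-cache"`, `"permit"` or `"vlan:<name>"` and setting `RADIUS["reachable"]` to `False` shows how each fallback treats a host that had, or had not, been authenticated before the outage.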

Release History Table

Release       Description
15.1X49-D80   Starting in Junos OS 15.1X49-D80, 802.1X port-based authentication is supported on SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices.
15.1X49-D40   From Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D75 and Junos OS Release 17.3R1, IEEE 802.1X port-based network authentication is not supported.