Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

authenticator

 

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 9.0 for the EX Series.

Statement introduced in Junos OS Release 9.3 for the MX Series.

no-mac-table-binding introduced in Junos OS Release 11.1.

radius-options introduced in Junos OS Release 12.1.

Statement introduced in Junos OS Release 14.1X53-D30 for the QFX Series.

add-interface-text-description introduced in Junos OS Release 18.4.

ip-mac-session-binding introduced in Junos OS Release 20.2R1.

Description

Specify the group of servers to be used for IEEE 802.1X or MAC RADIUS authentication for Port-Based Network Access Control, configure interfaces for 802.1x authentication, and configure static MAC bypass for 802.1x and MAC RADIUS authentication. 802.1X authentication is supported on interfaces that are members of private VLANs (PVLANs).

Note

You cannot configure 802.1X user authentication on interfaces that have been enabled for Q-in-Q tunneling.

Default

802.1X authentication is disabled.

Options

authentication-profile-name access-profile-name Specify the name of the access profile to be used for 802.1X or MAC RADIUS user authentication. The access profile is configured at the [edit access profile] hierarchy level and contains the RADIUS server IP address and other information used for authentication.
Note

Access profile configuration is required only for 802.1X clients, not for static MAC clients.

Default: No access profile is specified.

ip-mac-session-bindingConfigure the switching device to check for an IP-MAC address binding in the DHCP, DHCPv6, or SLAAC snooping table before terminating the authentication session when the MAC address ages out. If the MAC address for the end device is bound to an IP address, then it will be retained in the Ethernet switching table, and the authentication session will remain active.

To configure this feature, you must also disassociate the authentication session table from the Ethernet switching table using the no-mac-table-binding statement. This extends the authentication session until the next re-authentication period.

Note

This feature requires DHCP, DHCPv6, or SLAAC snooping to be enabled on the device.

Default: Not enabled

no-mac-table-bindingSpecify that the device not remove the session from the authentication session table when the MAC address ages out of the Ethernet switching table.

Default: Not enabled

The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.

Required Privilege Level

routing—To view this statement in the configuration.

routing-control—To add this statement to the configuration.