How to Configure Dynamic VLAN Assignment for Colorless Ports
You can configure an EX Series switch and a Network Access Control (NAC) server to profile endpoints in the authentication process and use the device profiling information to determine access policy and VLAN assignment.
Dynamic VLAN Assignment for Colorless Ports
Enterprises typically have a variety of users and endpoints, which results in multiple use cases that need to be addressed by their policy infrastructure. The policy infrastructure should allow any device to connect to any port on the access switch and be authenticated based on the capabilities of the device, the authorization level of the user, or both.
Colorless ports allow any device to connect to any port because every port has the same configuration. The colorless port concept relies on device profiling for VLAN assignment. Based on the type of device that is connected to the port (AP, IP camera, or printer), the NAC server returns the appropriate VLAN using RADIUS attributes.
Benefits of Dynamic VLAN Assignment for Colorless Ports
Allow any device to be connected to any port on an access switch.
Deploy consistent security policies across the enterprise.
When 802.1X authentication is enabled on a port, the switch (known as the authenticator) blocks all traffic to and from the end device (known as the supplicant) until the supplicant's credentials are presented and matched on a NAC server. The NAC server is typically a RADIUS server or a policy manager that acts as a RADIUS server. After the supplicant is authenticated, the switch opens the port to the supplicant.
As part of the authentication process, a RADIUS server can return IETF-defined attributes that provide VLAN assignments to the switch. You can configure a policy manager to pass different RADIUS attributes back to the switch based on the endpoint access policy. The switch dynamically changes the VLAN assigned to the port according to the RADIUS attributes it receives.
To support both access and trunk ports as colorless ports, the RADIUS attribute must indicate if the frames on the VLAN for this port are to be represented in tagged or untagged format. The following attributes are supported for dynamically assigning a VLAN and also specifying the frame format:
The Egress-VLAN-ID and Egress-VLAN-Name attributes both carry a value with two parts: the first part indicates whether frames on the VLAN for this port are to be represented in tagged or untagged format, and the second part identifies the VLAN (the VLAN ID for Egress-VLAN-ID, the VLAN name for Egress-VLAN-Name).
For Egress-VLAN-ID, the first byte of the value is:
0x31 = tagged
0x32 = untagged
For example, the following RADIUS profile includes one tagged and one untagged VLAN:
001094001177 Cleartext-Password := "001094001177" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Egress-VLANID += 0x3100033, Egress-VLANID += 0x3200034,
For Egress-VLAN-Name, the first character of the value is:
1 = tagged
2 = untagged
In the example below, vlan-2 (prefix 1) is tagged and vlan-3 (prefix 2) is untagged:
001094001144 Cleartext-Password := "001094001144" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Egress-VLAN-Name += 1vlan-2, Egress-VLAN-Name += 2vlan-3,
It is mandatory to include the Tunnel-Type and Tunnel-Medium-Type attributes in the profile with Egress-VLAN-ID or Egress-VLAN-Name.
When the switch receives a VLAN assignment with "Egress-VLAN-ID," it checks if the VLAN is already present in the system. If not, it creates the dynamic VLAN. If the Egress-VLAN-Name is used, the VLAN should be already in the system.
Supplicant mode attributes
RADIUS attributes can also be used to change the supplicant mode for 802.1X authentication. Using a Juniper Networks vendor-specific attribute (VSA), you can set the supplicant mode to either single or single-secure:
Juniper-AV-Pair = Supplicant-Mode-Single
Juniper-AV-Pair = Supplicant-Mode-Single-Secure
When these attributes are received from the NAC server, the configured supplicant mode will be changed to match the VSA value after the session is authenticated. When the session ends, the supplicant mode reverts to the mode that was configured on the system before receiving the VSA from the NAC server.
Configuring Dynamic VLAN Assignment for Colorless Ports
This configuration example shows how to configure a switch and NAC server to profile endpoints in the 802.1X authentication process and use their device profiling information to determine access policy. In this example, an organization has four types of endpoints for which it has defined access policies:
Access points—Access points are allowed access to the network and are dynamically assigned to the AP_VLAN VLAN.
IP phones—IP phones are allowed access to the network. The IPPhone_VLAN is dynamically assigned as the VoIP VLAN.
Corporate laptops—Endpoints that have an 802.1X supplicant are authenticated by the user credentials. After the user is successfully authenticated, the laptop is granted access to the network and placed in the Employee_VLAN VLAN.
Cameras/IoT devices—Cameras and IoT devices, with or without 802.1X supplicants, can be added to the network and granted access to the Camera_IOT_VLAN VLAN.
Noncorporate laptops/Tablets—Endpoints that do not have an 802.1X supplicant and that are profiled as non-corporate devices are provided only internet access.
Table 1: Access Policies Details (only the following cell values survived extraction)
ALLOWED VLAN = 121,131,151,102
DHCP, NTP, and NVR
Between phones and call manager server
To implement the endpoint access policies, the policy infrastructure is configured as follows:
All access interfaces on the switch are initially configured in VLAN 100, which serves as a remediation VLAN. If an endpoint is not successfully authenticated or is not successfully profiled as one of the supported endpoints, it remains in the remediation VLAN.
Endpoints that have an 802.1X supplicant are authenticated by using 802.1X PEAP authentication. For more information on 802.1X PEAP authentication, see Configuring 802.1X PEAP and MAC RADIUS Authentication with EX Series Switches and Aruba ClearPass Policy Manager.
Endpoints that do not have an 802.1X supplicant are authenticated using MAC RADIUS authentication and are profiled to determine what type of device they are. These endpoints undergo a two-step authentication process:
The first step occurs after an endpoint first connects to the switch but before it has been profiled by the NAC. After it connects, the endpoint is authenticated using MAC RADIUS authentication. The NAC applies an enforcement policy that instructs the switch to grant the endpoint access to the Internet but prevent it from accessing the internal network.
The second step occurs after an endpoint has been successfully profiled. After being authenticated in the first step, the endpoint contacts a DHCP server to request an IP address. The switch relays the endpoint's DHCP messages to the NAC server as well as to the DHCP server, which allows the NAC to profile the endpoint. After it has profiled the endpoint and added the endpoint to its endpoint repository, the NAC server sends a RADIUS Change of Authorization (CoA) message to the switch to terminate the session. The switch then attempts reauthentication on behalf of the endpoint. Because the endpoint now exists in the endpoint repository, the NAC server applies an enforcement policy appropriate to the device type when it authenticates the endpoint. For example, if the endpoint is an access point, the NAC server applies the enforcement policy that dynamically assigns the access point to the AP_VLAN VLAN.
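As an added example (not code from this Juniper page or its configuration), the following Python encodes and decodes the Egress-VLANID and Egress-VLAN-Name values described earlier, checks a reply for the mandatory Tunnel-Type and Tunnel-Medium-Type attributes, and builds the reply a NAC would return at each step of the two-step process above. The 4-octet Egress-VLANID layout (tag octet, 12 pad bits, 12-bit VLAN ID) follows RFC 4675, so values are written with all eight hex digits; the POLICY table and the enforcement_reply function are hypothetical and only mirror this example's VLANs and its Internet_Only_Access filter.

```python
# Added example, not Juniper's code: RFC 4675 egress VLAN attribute handling.
from typing import Dict, List, Tuple

TAGGED, UNTAGGED = 0x31, 0x32                   # tag indication octet
NAME_PREFIX = {"1": "tagged", "2": "untagged"}  # first char of Egress-VLAN-Name

def decode_egress_vlanid(value: int) -> Tuple[str, int]:
    """Split a 4-octet Egress-VLANID: tag octet, 12 pad bits, 12-bit VLAN ID."""
    tag, pad, vid = (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF
    if tag not in (TAGGED, UNTAGGED) or pad or not 1 <= vid <= 4094:
        raise ValueError(f"malformed Egress-VLANID 0x{value:08x}")
    return ("tagged" if tag == TAGGED else "untagged", vid)

def encode_egress_vlanid(tagged: bool, vid: int) -> int:
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} out of range")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vid

def decode_egress_vlan_name(value: str) -> Tuple[str, str]:
    """Split an Egress-VLAN-Name such as '1vlan-2' into (tag format, name)."""
    if len(value) < 2 or value[0] not in NAME_PREFIX:
        raise ValueError(f"malformed Egress-VLAN-Name {value!r}")
    return (NAME_PREFIX[value[0]], value[1:])

def check_reply(attrs: Dict[str, object]) -> List[str]:
    """Problems in a reply that assigns a VLAN dynamically (empty list = OK)."""
    problems = []
    if not attrs.keys() & {"Egress-VLANID", "Egress-VLAN-Name"}:
        problems.append("no Egress-VLANID or Egress-VLAN-Name attribute")
    if attrs.get("Tunnel-Type") != "VLAN":
        problems.append("Tunnel-Type = VLAN is mandatory")
    if attrs.get("Tunnel-Medium-Type") != "IEEE-802":
        problems.append("Tunnel-Medium-Type = IEEE-802 is mandatory")
    return problems

# Hypothetical policy table mirroring the example: an AP gets VLAN 130 untagged
# (the native VLAN of its trunk) plus VLAN 151 tagged; a corporate laptop gets
# VLAN 150 untagged.
POLICY = {"access-point": [(False, 130), (True, 151)],
          "corporate-laptop": [(False, 150)]}

def enforcement_reply(device_type: str) -> Dict[str, object]:
    """Step 1 (not yet profiled): Internet-only filter. Step 2: VLAN attributes."""
    if device_type not in POLICY:
        return {"Filter-Id": "Internet_Only_Access"}
    vlans = [encode_egress_vlanid(t, v) for t, v in POLICY[device_type]]
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Egress-VLANID": vlans}
```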
To configure the EX switch:
- Provide the RADIUS server connection information.
user@Policy-EX-switch# set access radius-server 10.25.22.11 dynamic-request-port 3799
user@Policy-EX-switch# set access radius-server 10.25.22.11 secret password
user@Policy-EX-switch# set access radius-server 10.25.22.11 source-address 10.25.99.11
- Configure the access profile.
user@Policy-EX-switch# set access profile ACCESS_PROF_RADIUS accounting-order radius
user@Policy-EX-switch# set access profile ACCESS_PROF_RADIUS authentication-order radius
user@Policy-EX-switch# set access profile ACCESS_PROF_RADIUS radius authentication-server 10.25.22.11
user@Policy-EX-switch# set access profile ACCESS_PROF_RADIUS radius accounting-server 10.25.22.11
- Configure the interface ranges AUTHC and AP.
user@Policy-EX-switch# set interfaces interface-range AP member ge-0/0/0
user@Policy-EX-switch# set interfaces interface-range AP native-vlan-id 130
user@Policy-EX-switch# set interfaces interface-range AP unit 0 family ethernet-switching interface-mode trunk
user@Policy-EX-switch# set interfaces interface-range AP unit 0 family ethernet-switching vlan members AP
user@Policy-EX-switch# set interfaces interface-range AP unit 0 family ethernet-switching vlan members EMPLOYEE-WIRELESS
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/6
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/3
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/2
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/4
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/7
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/8
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/9
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/5
- Configure 802.1X to use ACCESS_PROF_RADIUS and enable the protocol on each access interface. In addition, configure the interfaces to support MAC RADIUS authentication and to allow more than one supplicant, each of which must be individually authenticated.
By default, the switch will first attempt 802.1X authentication. If it receives no EAP packets from the endpoint, indicating that the endpoint does not have an 802.1X supplicant, it then tries MAC RADIUS authentication.
user@Policy-EX-switch# set protocols dot1x authenticator authentication-profile-name ACCESS_PROF_RADIUS
user@Policy-EX-switch# set protocols dot1x authenticator interface AUTHC supplicant multiple
user@Policy-EX-switch# set protocols dot1x authenticator interface AUTHC transmit-period 3
user@Policy-EX-switch# set protocols dot1x authenticator interface AUTHC mac-radius
- Configure the VLANs used in this example.
user@Policy-EX-switch# set vlans AP vlan-id 130
user@Policy-EX-switch# set vlans EMPLOYEE-WIRED vlan-id 150
user@Policy-EX-switch# set vlans EMPLOYEE-WIRELESS vlan-id 151
user@Policy-EX-switch# set vlans IOT-WIRED vlan-id 111
user@Policy-EX-switch# set vlans IOT-WIRELESS vlan-id 112
user@Policy-EX-switch# set vlans IP-PHONE-WIRED vlan-id 120
user@Policy-EX-switch# set vlans IP-PHONE-WIRELESS vlan-id 121
user@Policy-EX-switch# set vlans MANAGEMENT vlan-id 99
user@Policy-EX-switch# set vlans MANAGEMENT l3-interface irb.99
user@Policy-EX-switch# set vlans REMEDIATION-WIRED vlan-id 101
user@Policy-EX-switch# set vlans REMEDIATION-WIRELESS vlan-id 102
- Configure DHCP relay to forward DHCP request packets to the authentication server.
user@Policy-EX-switch# set dhcp-relay server-group dhcp-dot1x 10.25.22.11
user@Policy-EX-switch# set dhcp-relay active-server-group dhcp-dot1x
The general steps for configuring the NAC server are:
Verify the Juniper-AV-Pair attribute exists in your RADIUS dictionary.
Add the EX switch as a network device.
Ensure that the server certificate used for 802.1X PEAP authentication has been installed.
Add the local user used in this example for 802.1X authentication.
Create the following enforcement profiles:
VLAN 150 ENF PROF that places endpoints in VLAN 150.
JUNIPER VOIP VLAN 120 ENF PROF that defines VLAN 120 as the VoIP VLAN.
VLAN 130 ENF PROF that places endpoints in VLAN 130.
Internet_Only_Access_Filter_ID_ENF_Prof that specifies the firewall filter Internet_Only_Access be used for devices that have not yet been profiled.
Create two enforcement policies:
A policy that is invoked when MAC RADIUS authentication is used.
A policy that is invoked when 802.1X authentication is used.
Define the MAC RADIUS authentication service and the 802.1X authentication service.
Ensure that the MAC RADIUS authentication service is evaluated before the 802.1X authentication service.
For more information about configuring dynamic VLANs on your RADIUS server, see the documentation for your RADIUS server.