Retaining the Authentication Session Based on IP-MAC Address Bindings
MAC RADIUS authentication is often used to permit hosts that are not enabled for 802.1X authentication to access the LAN. End devices such as printers are not very active on the network. If the MAC address associated with an end device ages out due to inactivity, the MAC address is cleared from the Ethernet switching table, and the authentication session ends. This means that other devices will not be able to reach the end device when necessary.
If the MAC address that ages out is associated with an IP address in the DHCP, DHCPv6, or SLAAC snooping table, that MAC-IP address binding will be cleared from the table. This can result in dropped traffic when the DHCP client tries to renew its lease.
You can configure the switching device to check for an IP-MAC address binding in the DHCP, DHCPv6, or SLAAC snooping table before terminating the authentication session when the MAC address ages out. If the MAC address for the end device is bound to an IP address, then it will be retained in the Ethernet switching table, and the authentication session will remain active.
This feature can be configured globally for all authenticated sessions using the CLI, or on a per-session basis using RADIUS attributes.
This feature provides the following benefits:
- Ensures that an end device is reachable by other devices on the network even if its MAC address ages out.
- Prevents traffic from being dropped when the end device tries to renew its DHCP lease.
Before you can configure this feature:
- DHCP snooping, DHCPv6 snooping, or SLAAC snooping must be enabled on the device.
- The no-mac-table-binding CLI statement must be configured. This disassociates the authentication session table from the Ethernet switching table, so that when a MAC address ages out, the authentication session is extended until the next reauthentication instead of being terminated.
user@switch# set protocols dot1x authenticator no-mac-table-binding
To configure this feature globally for all authenticated sessions:
- Configure the switching device to check for an IP-MAC address binding in the DHCP, DHCPv6, or SLAAC snooping table before terminating the authentication session when the MAC address ages out, using the ip-mac-session-binding CLI statement:
user@switch# set protocols dot1x authenticator ip-mac-session-binding
You cannot commit the ip-mac-session-binding configuration unless the no-mac-table-binding is also configured.
RADIUS Server Attributes
You can configure this feature for a specific authentication session using RADIUS server attributes. RADIUS server attributes are clear-text fields encapsulated in Access-Accept messages sent from the authentication server to the switching device when a supplicant connected to the switch is successfully authenticated.
To retain the authentication session based on IP-MAC address bindings, configure both of the following attribute-value pairs on the RADIUS server:
Juniper-AV-Pair = “IP-Mac-Session-Binding”
Juniper-AV-Pair = “No-Mac-Binding-Reauth”
The Juniper-AV-Pair attribute is a Juniper Networks vendor-specific attribute (VSA). Verify that the Juniper dictionary is loaded on the RADIUS server and includes the Juniper-AV-Pair VSA (ID# 52).
If you need to add the attribute to the dictionary, locate the dictionary file ( the RADIUS server and add the following text to the file:
ATTRIBUTE Juniper-AV-Pair Juniper-VSA(52, string) r
For specific information about configuring your RADIUS server, consult the AAA documentation included with your server.
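Because the session is retained only when both Juniper-AV-Pair values are returned, a quick offline check of the server-side configuration is useful before troubleshooting on the switch. The following Python script is an added example, not Juniper's or any RADIUS vendor's code. It parses dictionary entries in the exact format shown on this page to confirm that Juniper-AV-Pair is defined as VSA ID 52 of type string, and it checks a list of attribute-value pairs from an Access-Accept (as you might copy them from a RADIUS test client or server debug log; the name/value tuple form is an assumption) for the two required values. The sample dictionary text and sample replies are constructed for the example.

```python
import re

# Matches the dictionary entry format shown on this page, for example:
#   ATTRIBUTE Juniper-AV-Pair Juniper-VSA(52, string) r
DICT_ENTRY_RE = re.compile(r"^ATTRIBUTE\s+(\S+)\s+Juniper-VSA\((\d+),\s*(\w+)\)")

# Both values must be present in the Access-Accept for the session to be
# retained when the MAC address ages out (per-session form of the feature).
REQUIRED_AV_PAIRS = frozenset({"IP-Mac-Session-Binding", "No-Mac-Binding-Reauth"})

# Constructed sample dictionary contents (not a real file from any server).
SAMPLE_DICTIONARY = """\
# Juniper Networks vendor-specific attributes (constructed sample)
ATTRIBUTE Juniper-AV-Pair Juniper-VSA(52, string) r
"""


def juniper_av_pair_defined(dictionary_text):
    """True if the dictionary defines Juniper-AV-Pair as VSA ID 52, type string."""
    for line in dictionary_text.splitlines():
        m = DICT_ENTRY_RE.match(line.strip())
        if m and m.group(1) == "Juniper-AV-Pair":
            return m.group(2) == "52" and m.group(3) == "string"
    return False


def missing_session_binding_pairs(reply_avps):
    """reply_avps: iterable of (attribute-name, value) tuples from one Access-Accept.

    Returns the required Juniper-AV-Pair values that are absent. An empty set
    means the switch will receive both values and retain the session.
    Surrounding quotes are stripped so logged values like "\"X\"" still match.
    """
    present = {v.strip('"') for a, v in reply_avps if a == "Juniper-AV-Pair"}
    return REQUIRED_AV_PAIRS - present


# Constructed sample replies: one complete, one carrying only half of the pair.
GOOD_REPLY = [
    ("Tunnel-Type", "VLAN"),
    ("Juniper-AV-Pair", '"IP-Mac-Session-Binding"'),
    ("Juniper-AV-Pair", '"No-Mac-Binding-Reauth"'),
]
HALF_REPLY = [("Juniper-AV-Pair", '"IP-Mac-Session-Binding"')]


if __name__ == "__main__":
    print("Juniper-AV-Pair (52) defined:", juniper_av_pair_defined(SAMPLE_DICTIONARY))
    for label, reply in (("good", GOOD_REPLY), ("half", HALF_REPLY)):
        missing = missing_session_binding_pairs(reply)
        print(f"{label} reply missing: {sorted(missing) or 'nothing'}")
```

A reply that returns only one of the two values is the common misconfiguration this catches: the switch will not retain the session unless both are present, and the dictionary check rules out the attribute being silently dropped because the VSA is undefined on the server.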
Verify the configuration by issuing the operational mode command show dot1x interface interface-name detail and confirm that the Ip Mac Session Binding and No Mac Session Binding output fields indicate that the feature is enabled.
user@switch> show dot1x interface ge-0/0/16.0 detail
ge-0/0/16.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 5 seconds
  Mac Radius: Enabled
  Mac Radius Restrict: Disabled
  Mac Radius Authentication Protocol: EAP-MD5
  Reauthentication: Disabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: <not configured>
  No Mac Session Binding: Enabled
  Ip Mac Session Binding: Enabled
  Number of connected supplicants: 1
    Supplicant: abc, 00:00:5E:00:53:00
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentication method: Mac Radius
      Authenticated VLAN: v100
      Session Reauth interval: 3600 seconds
      Reauthentication due in 0 seconds
      Ip Mac Session Binding: Enabled
      No Mac Binding Reauth: Enabled
      Eapol-Block: Not In Effect
Clients authenticated with MAC RADIUS should remain authenticated, and MAC address entries in the Ethernet switching table should also be retained after expiration of the MAC timer.
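On a switch with many MAC RADIUS clients, reading the detail output by eye does not scale, so the verification step above is worth automating. The following Python script is an added example, not Juniper's code: it parses text in the layout of show dot1x interface interface-name detail (as collected over SSH, with a NETCONF client, or from a saved capture) into interface-level fields and per-supplicant fields, then reports every MAC RADIUS supplicant whose Ip Mac Session Binding or No Mac Binding Reauth field is not Enabled. It assumes the per-supplicant fields reflect the effective setting whether it came from the global CLI statement or from RADIUS attributes. The sample output is constructed from the page's example with a second, misconfigured supplicant added; the second supplicant's name and MAC are made up.

```python
# Constructed sample in the layout of 'show dot1x interface ge-0/0/16.0 detail'.
# The second supplicant ("printer", 00:00:5E:00:53:01) is made up to show a failure.
SAMPLE_OUTPUT = """\
ge-0/0/16.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Mac Radius: Enabled
  Reauthentication: Disabled
  Guest VLAN member: <not configured>
  No Mac Session Binding: Enabled
  Ip Mac Session Binding: Enabled
  Number of connected supplicants: 2
    Supplicant: abc, 00:00:5E:00:53:00
      Operational state: Authenticated
      Authentication method: Mac Radius
      Authenticated VLAN: v100
      Reauthentication due in 0 seconds
      Ip Mac Session Binding: Enabled
      No Mac Binding Reauth: Enabled
      Eapol-Block: Not In Effect
    Supplicant: printer, 00:00:5E:00:53:01
      Operational state: Authenticated
      Authentication method: Mac Radius
      Authenticated VLAN: v100
      Reauthentication due in 0 seconds
      Ip Mac Session Binding: Disabled
      No Mac Binding Reauth: Disabled
      Eapol-Block: Not In Effect
"""

# Per-supplicant fields that must both read "Enabled" for the session to be
# retained when the MAC address ages out.
SUPPLICANT_FLAGS = ("Ip Mac Session Binding", "No Mac Binding Reauth")


def parse_dot1x_detail(text):
    """Parse detail output into
    {ifname: {"fields": {...}, "supplicants": [{"name", "mac", "fields"}]}}.

    A line without a colon and without spaces (e.g. "ge-0/0/16.0") starts a new
    interface; "Supplicant: name, mac" starts a new supplicant block; other
    "key: value" lines belong to the current supplicant, or to the interface
    when no supplicant has been seen yet. Informational lines with no colon
    ("Reauthentication due in 0 seconds") are skipped.
    """
    result = {}
    iface = None
    supplicant = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            if " " not in line:
                iface = result.setdefault(line, {"fields": {}, "supplicants": []})
                supplicant = None
            continue
        if iface is None:
            continue  # text before the first interface header
        key, _, value = line.partition(":")  # split on the first colon only
        key, value = key.strip(), value.strip()
        if key == "Supplicant":
            name, _, mac = value.partition(",")
            supplicant = {"name": name.strip(), "mac": mac.strip().lower(), "fields": {}}
            iface["supplicants"].append(supplicant)
        elif supplicant is not None:
            supplicant["fields"][key] = value
        else:
            iface["fields"][key] = value
    return result


def sessions_not_retained(parsed):
    """Return [(ifname, mac, field)] for each MAC RADIUS supplicant field that
    is not "Enabled"; an empty list means every such session will be retained."""
    problems = []
    for ifname, data in parsed.items():
        for sup in data["supplicants"]:
            if sup["fields"].get("Authentication method") != "Mac Radius":
                continue  # 802.1X supplicants do not depend on this feature
            for field in SUPPLICANT_FLAGS:
                if sup["fields"].get(field) != "Enabled":
                    problems.append((ifname, sup["mac"], field))
    return problems


if __name__ == "__main__":
    parsed = parse_dot1x_detail(SAMPLE_OUTPUT)
    for ifname, data in parsed.items():
        print(ifname, "interface-level:",
              {k: data["fields"].get(k) for k in ("No Mac Session Binding", "Ip Mac Session Binding")})
    for ifname, mac, field in sessions_not_retained(parsed):
        print(f"{ifname} {mac}: {field} is not Enabled; session will end on MAC age-out")
```

When the feature is configured globally, also confirm the interface-level No Mac Session Binding and Ip Mac Session Binding fields in the parsed result; when it is delivered per session by RADIUS, a supplicant reported here usually means the Access-Accept for that client returned only one, or neither, of the two Juniper-AV-Pair values.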