
Interfaces Enabled for 802.1X or MAC RADIUS Authentication

 

EX Series switches support port firewall filters. Port firewall filters are configured on a single EX Series switch, but in order for them to operate throughout an enterprise, they must be configured on multiple switches. To reduce the need to configure the same port firewall filter on multiple switches, you can instead apply the filter centrally on the RADIUS server by using RADIUS server attributes. Terms are applied after a device is successfully authenticated through 802.1X. For more information, read this topic.

Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants by Using RADIUS Server Attributes on an EX Series Switch

You can use RADIUS server attributes and a port firewall filter to centrally apply terms to multiple supplicants (end devices) connected to an EX Series switch in your enterprise. Terms are applied after a device is successfully authenticated through 802.1X. If the firewall filter configuration is modified after end devices are authenticated using the 802.1X authentication, then the established 802.1X authentication session must be terminated and re-established for the firewall filter changes to take effect.

EX Series switches support port firewall filters. Port firewall filters are configured on a single EX Series switch, but in order for them to operate throughout an enterprise, they must be configured on multiple switches. To reduce the need to configure the same port firewall filter on multiple switches, you can instead apply the filter centrally on the RADIUS server by using RADIUS server attributes.

The following example uses FreeRADIUS to apply a port firewall filter on a RADIUS server. For information about configuring your server, consult the documentation that was included with your RADIUS server.

This example describes how to configure a port firewall filter with terms, create counters to count packets for the supplicants, apply the filter to user profiles on the RADIUS server, and display the counters to verify the configuration:

Requirements

This example uses the following software and hardware components:

Note

This example also applies to QFX5100 switches.

  • Junos OS Release 9.3 or later for EX Series switches

  • One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.

  • One RADIUS authentication server. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you connect the server to the switch, be sure you have:

Overview and Topology

When the 802.1X configuration on an interface is set to multiple supplicant mode, you can apply a single port firewall filter configured through the Junos OS CLI on the EX Series switch to any number of end devices (supplicants) by adding the filter centrally to the RADIUS server. Only a single filter can be applied to an interface; however, the filter can contain multiple terms for separate end devices.

For more information about firewall filters, see Firewall Filters for EX Series Switches Overview or Overview of Firewall Filters.

RADIUS server attributes are applied to the port where the end device is connected after the device is successfully authenticated using 802.1X. To authenticate an end device, the switch forwards the end device’s credentials to the RADIUS server, which matches them against the preconfigured information in the supplicant’s user profile on the RADIUS server. If a match is found, the RADIUS server instructs the switch to open the interface to the end device, and traffic then flows to and from the end device on the LAN. The terms configured in the port firewall filter, which is named in the end device’s user profile by a RADIUS server attribute, then define the access the end device is granted: they are applied to the port where the end device is connected as soon as 802.1X authentication is complete.

Note

If you modify the port firewall filter after an end device is successfully authenticated using 802.1X, you must terminate and re-establish the 802.1X authentication session for the firewall filter configuration changes to be effective.

Figure 1 shows the topology used for this example. The RADIUS server is connected to an EX4200 switch on access port ge-0/0/10. Two end devices (supplicants) are accessing the LAN on interface ge-0/0/2. Supplicant 1 has the MAC address 00:50:8b:6f:60:3a. Supplicant 2 has the MAC address 00:50:8b:6f:60:3b.

Note

This figure also applies to QFX5100 switches.

Figure 1: Topology for Firewall Filter and RADIUS Server Attributes Configuration

Table 1 describes the components in this topology.

Table 1: Components of the Firewall Filter and RADIUS Server Attributes Topology

Property | Settings
Switch hardware | EX4200 access switch, 24 Gigabit Ethernet ports: 16 non-PoE ports and 8 PoE ports.
One RADIUS server | Backend database with the address 10.0.0.100, connected to the switch at port ge-0/0/10.
802.1X supplicants connected to the switch on interface ge-0/0/2 | Supplicant 1 has MAC address 00:50:8b:6f:60:3a; Supplicant 2 has MAC address 00:50:8b:6f:60:3b.
Port firewall filter to be applied on the RADIUS server | filter1
Counters | counter1 counts packets from Supplicant 1, and counter2 counts packets from Supplicant 2.
Policer | policer p1
User profiles on the RADIUS server | Supplicant 1 has the user profile supplicant1; Supplicant 2 has the user profile supplicant2.

In this example, you configure a port firewall filter named filter1. The filter contains terms that are applied to the end devices based on their MAC addresses. When you configure the filter, you also configure the counters counter1 and counter2. Packets from each end device are counted, which helps you verify that the configuration is working. Policer p1 rate-limits traffic according to its if-exceeding bandwidth and burst-size limits and discards packets that exceed them. Then, you check that the RADIUS server attribute is available on the RADIUS server and apply the filter to the user profile of each end device on the RADIUS server. Finally, you verify the configuration by displaying output for the two counters.

Configuring the Port Firewall Filter and Counters

CLI Quick Configuration

To quickly configure a port firewall filter with terms for Supplicant 1 and Supplicant 2 and create parallel counters for each supplicant, copy the following commands and paste them into the switch terminal window:

[edit]
set firewall family ethernet-switching filter filter1 term supplicant1 from source-mac-address 00:50:8b:6f:60:3a
set firewall family ethernet-switching filter filter1 term supplicant2 from source-mac-address 00:50:8b:6f:60:3b
set firewall policer p1 if-exceeding bandwidth-limit 1m
set firewall policer p1 if-exceeding burst-size-limit 1k
set firewall policer p1 then discard
set firewall family ethernet-switching filter filter1 term supplicant1 then count counter1
set firewall family ethernet-switching filter filter1 term supplicant1 then policer p1
set firewall family ethernet-switching filter filter1 term supplicant2 then count counter2

Step-by-Step Procedure

To configure a port firewall filter and counters on the switch:

  1. Configure a port firewall filter (here, filter1) with terms for each end device based on the MAC address of each end device:
    [edit firewall family ethernet-switching]
    user@switch# set filter filter1 term supplicant1 from source-mac-address 00:50:8b:6f:60:3a
    user@switch# set filter filter1 term supplicant2 from source-mac-address 00:50:8b:6f:60:3b

  2. Define policer p1, which rate-limits traffic and discards packets that exceed the limit:
    [edit]
    user@switch# set firewall policer p1 if-exceeding bandwidth-limit 1m
    user@switch# set firewall policer p1 if-exceeding burst-size-limit 1k
    user@switch# set firewall policer p1 then discard

  3. Create a counter for each end device and apply policer p1 to the term for Supplicant 1:
    [edit firewall family ethernet-switching]
    user@switch# set filter filter1 term supplicant1 then count counter1
    user@switch# set filter filter1 term supplicant1 then policer p1
    user@switch# set filter filter1 term supplicant2 then count counter2

Results

Display the results of the configuration:

Applying the Port Firewall Filter to the Supplicant User Profiles on the RADIUS Server

Step-by-Step Procedure

To verify that the RADIUS server attribute Filter-Id is defined on the RADIUS server and to apply the filter to the user profiles:

  1. Display the dictionary dictionary.rfc2865 on the RADIUS server, and verify that the attribute Filter-Id is in the dictionary:
    [root@freeradius]# less /usr/share/freeradius/dictionary.rfc2865

  2. Close the dictionary file.
  3. Display the local user profiles of the end devices to which you want to apply the filter (here, the user profiles are called supplicant1 and supplicant2):
    [root@freeradius]# cat /usr/local/etc/raddb/users

    The output shows:

  4. Open the users file in an editor and apply the filter to both user profiles by adding the reply item Filter-Id = "filter1" to each profile, and then save and close the file:
    [root@freeradius]# vi /usr/local/etc/raddb/users

    After you add the line to both profiles, the file looks like this:

Verification

Verifying That the Filter Has Been Applied to the Supplicants

Purpose

After the end devices are authenticated on interface ge-0/0/2, verify that the filter has been configured on the switch and includes the results for both supplicants:

Action

user@switch> show dot1x firewall

Meaning

The output of the show dot1x firewall command displays counter1 and counter2. Packets from User 1 are counted using counter1, and packets from User 2 are counted using counter2. The output displays packets incrementing for both counters, which shows that the filter has been applied to both end devices.
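The procedure above keeps the filter on the switch and the Filter-Id reply item on the RADIUS server, so a mismatch between the two is easy to introduce. As an added example (not Juniper's code and not part of the original page), this Python script cross-checks the switch's set-style filter configuration against a FreeRADIUS users file: every Filter-Id a profile returns must name a filter that exists on the switch, and each supplicant's MAC must have a term in that filter, otherwise its packets are never counted. The users-file layout, the supplicant3 profile and its MAC are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the example's set commands as "show configuration firewall | display set"
# would print them (only the filter terms are parsed; the policer lines are skipped).
SWITCH_SET_CONFIG = """
set firewall family ethernet-switching filter filter1 term supplicant1 from source-mac-address 00:50:8b:6f:60:3a
set firewall family ethernet-switching filter filter1 term supplicant2 from source-mac-address 00:50:8b:6f:60:3b
set firewall policer p1 if-exceeding bandwidth-limit 1m
set firewall policer p1 if-exceeding burst-size-limit 1k
set firewall policer p1 then discard
set firewall family ethernet-switching filter filter1 term supplicant1 then count counter1
set firewall family ethernet-switching filter filter1 term supplicant1 then policer p1
set firewall family ethernet-switching filter filter1 term supplicant2 then count counter2
"""

# Constructed FreeRADIUS users-file fragment (assumed layout, placeholder passwords). The indented
# reply item is what returns Filter-Id in the Access-Accept. Two deliberate mistakes: supplicant2
# misspells the filter name (Junos names are case-sensitive) and supplicant3's profile is fine but
# filter1 has no term for its MAC.
RADIUS_USERS = """
supplicant1  Cleartext-Password := "PLACEHOLDER-1"
\tFilter-Id = "filter1"
supplicant2  Cleartext-Password := "PLACEHOLDER-2"
\tFilter-Id = "Filter1"
supplicant3  Cleartext-Password := "PLACEHOLDER-3"
\tFilter-Id = "filter1"
"""
SUPPLICANT_MACS = {"supplicant1": "00:50:8b:6f:60:3a", "supplicant2": "00:50:8b:6f:60:3b",
                   "supplicant3": "00:50:8b:6f:60:3c"}  # supplicant3's MAC is constructed

TERM_RE = re.compile(r"^set firewall family ethernet-switching filter (\S+) term (\S+) "
                     r"(from|then) (\S+)(?: (\S+))?$")
USER_RE = re.compile(r"^(\S+)\s+Cleartext-Password\s*:=")
FILTER_ID_RE = re.compile(r'^\s+Filter-Id\s*=\s*"([^"]+)"')

def parse_set_config(text):
    """filters[name][term] = {"from": {match: value}, "then": {action: value}}."""
    filters = defaultdict(lambda: defaultdict(lambda: {"from": {}, "then": {}}))
    for line in text.strip().splitlines():
        if m := TERM_RE.match(line.strip()):
            fname, term, clause, key, value = m.groups()
            filters[fname][term][clause][key] = value
    return filters

def parse_users(text):
    """Map each user profile to the Filter-Id it returns (None if it returns none)."""
    profiles, current = {}, None
    for line in text.splitlines():
        if m := USER_RE.match(line):
            current, profiles[m.group(1)] = m.group(1), None
        elif current and (m := FILTER_ID_RE.match(line)):
            profiles[current] = m.group(1)
    return profiles

def check_consistency(filters, profiles, macs):
    """Return the findings to fix before the profiles go live (an empty list means consistent)."""
    findings = []
    for user, filter_id in profiles.items():
        terms = filters.get(filter_id, {}).values()
        if filter_id not in filters:
            findings.append(f"{user}: Filter-Id {filter_id!r} is not a filter configured on the switch")
        elif macs.get(user) not in {t["from"].get("source-mac-address") for t in terms}:
            findings.append(f"{user}: no term in {filter_id} matches its MAC, so its packets are not counted")
    return findings

def run_example():
    filters, profiles = parse_set_config(SWITCH_SET_CONFIG), parse_users(RADIUS_USERS)
    return check_consistency(filters, profiles, SUPPLICANT_MACS)
```

Run `run_example()` against the real `show configuration firewall | display set` output and your own users file before committing profile changes; a profile that passes both checks is the one whose counter you expect to see incrementing in show dot1x firewall.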

Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication

On EX Series switches, firewall filters that you apply to interfaces enabled for 802.1X or MAC RADIUS authentication are dynamically combined with the per-user policies sent to the switch from the RADIUS server. The switch uses internal logic to dynamically combine the interface firewall filter with the user policies from the RADIUS server and create an individualized policy for each of the multiple users or nonresponsive hosts that are authenticated on the interface.

This example describes how dynamic firewall filters are created for multiple supplicants on an 802.1X-enabled interface (the same principles shown in this example apply to interfaces enabled for MAC RADIUS authentication):

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 9.5 or later for EX Series switches

  • One EX Series switch

  • One RADIUS authentication server. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you apply firewall filters to an interface for use with multiple supplicants, be sure you have:

Overview and Topology

When the 802.1X configuration on an interface is set to multiple supplicant mode, the system dynamically combines the interface firewall filter with the user policies sent to the switch from the RADIUS server during authentication and creates separate terms for each user. Because there are separate terms for each user authenticated on the interface, you can, as shown in this example, use counters to view the activities of individual users that are authenticated on the same interface.

When a new user (or a nonresponsive host) is authenticated on an interface, the system adds a term to the firewall filter associated with the interface, and the term (policy) for each user is associated with the MAC address of the user. The term for each user is based on the user-specific filters set on the RADIUS server and the filters configured on the interface. For example, as shown in Figure 2, when User1 is authenticated by the EX Series switch, the system creates the firewall filter dynamic-filter-example. When User2 is authenticated, another term is added to the firewall filter, and so on.

Figure 2: Conceptual Model: Dynamic Filter Updated for Each New User

This is a conceptual model of the internal process—you cannot access or view the dynamic filter.

Note

If the firewall filter on the interface is modified after the user (or nonresponsive host) is authenticated, the modifications are not reflected in the dynamic filter unless the user is reauthenticated.

In this example, you configure a firewall filter to count the requests made by each endpoint authenticated on interface ge-0/0/2 to the file server, which is located on subnet 192.0.2.16/28, and set policer definitions to rate-limit the traffic. Figure 3 shows the network topology for this example.

Figure 3: Multiple Supplicants on an 802.1X-Enabled Interface Connecting to a File Server

Configuration

To configure firewall filters for multiple supplicants on 802.1X-enabled interfaces:

Configuring Firewall Filters on Interfaces with Multiple Supplicants

CLI Quick Configuration

To quickly configure firewall filters for multiple supplicants on an 802.1X-enabled interface, copy the following commands and paste them into the switch terminal window:

[edit]
set protocols dot1x authenticator interface ge-0/0/2 supplicant multiple
set firewall family ethernet-switching filter filter1 term term1 from destination-address 192.0.2.16/28
set firewall policer p1 if-exceeding bandwidth-limit 1m
set firewall policer p1 if-exceeding burst-size-limit 1k
set firewall policer p1 then discard
set firewall family ethernet-switching filter filter1 term term1 then count counter1
set firewall family ethernet-switching filter filter1 term term2 then policer p1

Step-by-Step Procedure

To configure firewall filters on an interface enabled for multiple supplicants:

  1. Configure interface ge-0/0/2 for multiple supplicant mode authentication:
    [edit protocols dot1x]

    user@switch# set authenticator interface ge-0/0/2 supplicant multiple
  2. Define policer p1, which rate-limits traffic and discards packets that exceed the limit:
    [edit]
    user@switch# set firewall policer p1 if-exceeding bandwidth-limit 1m
    user@switch# set firewall policer p1 if-exceeding burst-size-limit 1k
    user@switch# set firewall policer p1 then discard
  3. Configure a firewall filter with a term that counts packets to the file server and a term that applies policer p1. As each new user is authenticated on the multiple supplicant interface, these filter terms are included in the dynamically created term for the user:
    [edit firewall family ethernet-switching]

    user@switch# set filter filter1 term term1 from destination-address 192.0.2.16/28

    user@switch# set filter filter1 term term1 then count counter1

    user@switch# set filter filter1 term term2 then policer p1

Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Firewall Filters on Interfaces with Multiple Supplicants

Purpose

Verify that firewall filters are functioning on the interface with multiple supplicants.

Action

  1. Check the results with one user authenticated on the interface. In this case, the user is authenticated on ge-0/0/2:
    user@switch> show dot1x firewall

  2. When a second user, User2, is authenticated on the same interface, ge-0/0/2, you can verify that the filter includes the results for both of the users authenticated on the interface:
    user@switch> show dot1x firewall

Meaning

The results displayed by the show dot1x firewall command output reflect the dynamic filter created with the authentication of each new user. User1 accessed the file server located at the specified destination address 100 times, while User2 accessed the same file server 400 times.

Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication on EX Series Switches with ELS Support

Note

This example uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication. For ELS details, see Using the Enhanced Layer 2 Software CLI.

On EX Series switches, firewall filters that you apply to interfaces enabled for 802.1X or MAC RADIUS authentication are dynamically combined with the per-user policies sent to the switch from the RADIUS server. The switch uses internal logic to dynamically combine the interface firewall filter with the user policies from the RADIUS server and create an individualized policy for each of the multiple users or nonresponsive hosts that are authenticated on the interface.

This example describes how dynamic firewall filters are created for multiple supplicants on an 802.1X-enabled interface (the same principles shown in this example apply to interfaces enabled for MAC RADIUS authentication):

Requirements

This example uses the following software and hardware components:

Note

This example also applies to QFX5100 switches.

  • Junos OS Release 13.2 or later for EX Series switches

  • One EX Series switch with support for ELS

  • One RADIUS authentication server. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you apply firewall filters to an interface for use with multiple supplicants, be sure you have:

Overview and Topology

When the 802.1X configuration on an interface is set to multiple supplicant mode, the system dynamically combines the interface firewall filter with the user policies sent to the switch from the RADIUS server during authentication and creates separate terms for each user. Because there are separate terms for each user authenticated on the interface, you can, as shown in this example, use counters to view the activities of individual users that are authenticated on the same interface.

When a new user (or a nonresponsive host) is authenticated on an interface, the system adds a term to the firewall filter associated with the interface, and the term (policy) for each user is associated with the MAC address of the user. The term for each user is based on the user-specific filters set on the RADIUS server and the filters configured on the interface. For example, as shown in Figure 4, when User 1 is authenticated by the EX Series switch, the system adds a term to the firewall filter dynamic-filter-example. When User 2 is authenticated, another term is added to the firewall filter, and so on.

Note

This figure also applies to QFX5100 switches.

Figure 4: Conceptual Model: Dynamic Filter Updated for Each New User

This is a conceptual model of the internal process—you cannot access or view the dynamic filter.

Note

If the firewall filter on the interface is modified after the user (or nonresponsive host) is authenticated, the modifications are not reflected in the dynamic filter unless the user is reauthenticated.

In this example, you configure a firewall filter to count the requests made by each endpoint authenticated on interface ge-0/0/2 to the file server, which is located on subnet 192.0.2.16/28, and set policer definitions to rate-limit the traffic. Figure 5 shows the network topology for this example.

Figure 5: Multiple Supplicants on an 802.1X-Enabled Interface Connecting to a File Server

Configuration

Configuring Firewall Filters on Interfaces with Multiple Supplicants

CLI Quick Configuration

To quickly configure firewall filters for multiple supplicants on an 802.1X-enabled interface, copy the following commands and paste them into the switch terminal window:

[edit]
set firewall family ethernet-switching filter filter1 term term1 from ip-destination-address 192.0.2.16/28
set firewall family ethernet-switching filter filter1 term term2 from ip-destination-address 192.0.2.16/28
set firewall policer p1 if-exceeding bandwidth-limit 1m
set firewall policer p1 if-exceeding burst-size-limit 1500
set firewall policer p1 then discard
set firewall family ethernet-switching filter filter1 term term1 then count counter1
set firewall family ethernet-switching filter filter1 term term2 then policer p1

Step-by-Step Procedure

To configure firewall filters on an interface enabled for multiple supplicants:

  1. Define policer p1, which rate-limits traffic and discards packets that exceed the limit:
    [edit]
    user@switch# set firewall policer p1 if-exceeding bandwidth-limit 1m
    user@switch# set firewall policer p1 if-exceeding burst-size-limit 1500
    user@switch# set firewall policer p1 then discard

  2. Configure a firewall filter with a term that counts packets to the file server and a term that applies policer p1 to them. As each new user is authenticated on the multiple supplicant interface, these filter terms are included in the dynamically created term for the user:
    [edit firewall family ethernet-switching]
    user@switch# set filter filter1 term term1 from ip-destination-address 192.0.2.16/28
    user@switch# set filter filter1 term term2 from ip-destination-address 192.0.2.16/28
    user@switch# set filter filter1 term term1 then count counter1
    user@switch# set filter filter1 term term2 then policer p1

Results

Check the results of the configuration:

Verification

Verifying Firewall Filters on Interfaces with Multiple Supplicants

Purpose

Verify that firewall filters are functioning on the interface with multiple supplicants.

Action

  1. Check the results with one user authenticated on the interface. In this case, User 1 is authenticated on ge-0/0/2:
    user@switch> show dot1x firewall

  2. When a second user, User 2, is authenticated on the same interface, ge-0/0/2, you can verify that the filter includes the results for both of the users authenticated on the interface:
    user@switch> show dot1x firewall

Meaning

The results displayed by the show dot1x firewall command output reflect the dynamic filter created with the authentication of each new user. User 1 accessed the file server located at the specified destination address 100 times, while User 2 accessed the same file server 400 times.