
Flexible Authentication Order on EX Series Switches

Junos OS switches support 802.1X, MAC RADIUS, and captive portal as authentication methods for devices that need to connect to a network. You can use the flexible authentication order feature to specify the order of authentication methods that the switch uses when attempting to authenticate a client. If multiple authentication methods are configured on a single interface and one authentication method fails, the switch falls back to the next method. For more information, read this topic.

Configuring Flexible Authentication Order

You can use the flexible authentication order feature to specify the order of authentication methods that the switch uses when attempting to authenticate a client. If multiple authentication methods are configured on a single interface, when one authentication method fails, the switch falls back to another method.

By default, the switch attempts to authenticate a client by using 802.1X authentication first. If 802.1X authentication fails because there is no response from the client, and MAC RADIUS authentication is configured on the interface, the switch will attempt authentication using MAC RADIUS. If MAC RADIUS fails, and captive portal is configured on the interface, the switch attempts authentication using captive portal.

With a flexible authentication order, the sequence of authentication methods used can be changed based on the type of clients connected to the interface. You can configure the authentication-order statement to specify whether 802.1X authentication or MAC RADIUS authentication is the first authentication method tried. Captive portal is always the last authentication method tried.

If MAC RADIUS authentication is configured as the first authentication method in the order, then on receiving data from any client, the switch attempts to authenticate the client by using MAC RADIUS authentication. If MAC RADIUS authentication fails, then the switch uses 802.1X authentication to authenticate the client. If 802.1X authentication fails, and captive portal is configured on the interface, the switch attempts authentication using captive portal.

Note

If 802.1X authentication and MAC RADIUS authentication fail, and captive portal is not configured on the interface, the client is denied access to the LAN unless a server fail fallback method is configured. See Configuring RADIUS Server Fail Fallback (CLI Procedure) for more information.

Different authentication methods can be used in parallel on an interface that is configured in multiple-supplicant mode. Therefore, if an end device is authenticated on the interface by using captive portal, another end device connected to that interface can still be authenticated using 802.1X or MAC RADIUS authentication.

Before you configure the flexible authentication order on an interface, make sure that the authentication methods are configured on that interface. The switch does not attempt authentication using a method that is not configured on the interface, even if that method is included in the authentication order; the switch ignores that method and attempts the next method in the authentication order that is enabled on that interface.

Use the following guidelines when configuring the authentication-order statement:

  • The authentication order must include at least two methods of authentication.

  • 802.1X authentication must be one of the methods included in the authentication order.

  • If captive portal is included in the authentication order, it must be the last method in the order.

  • If mac-radius-restrict is configured on an interface, then the authentication order cannot be configured on that interface.

To configure a flexible authentication order, use one of the following valid combinations:

Note

The authentication order can be configured globally using the interface all option as well as locally using the individual interface name. If the authentication order is configured both for an individual interface and for all interfaces, the local configuration for that interface overrides the global configuration.

  • To configure 802.1X authentication as the first authentication method, followed by MAC RADIUS authentication, and then captive portal:
    [edit]

    user@switch# set protocols dot1x authenticator interface interface-name authentication-order [dot1x mac-radius captive-portal]
  • To configure 802.1X authentication as the first authentication method, followed by captive portal:
    [edit]

    user@switch# set protocols dot1x authenticator interface interface-name authentication-order [dot1x captive-portal]
  • To configure 802.1X authentication as the first authentication method, followed by MAC RADIUS authentication:
    [edit]

    user@switch# set protocols dot1x authenticator interface interface-name authentication-order [dot1x mac-radius]
  • To configure MAC RADIUS authentication as the first authentication method, followed by 802.1X, followed by captive portal:
    [edit]

    user@switch# set protocols dot1x authenticator interface interface-name authentication-order [mac-radius dot1x captive-portal]

After you configure the authentication order, you must use the insert command to make any modifications to the authentication order. Using the set command does not change the configured order.

To change the authentication order after initial configuration:

[edit]

user@switch# insert protocols dot1x authenticator interface interface-name authentication-order authentication-method before authentication-method

For example, to change the order from [mac-radius dot1x captive-portal] to [dot1x mac-radius captive-portal]:

[edit]

user@switch# insert protocols dot1x authenticator interface interface-name authentication-order dot1x before mac-radius
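The ordering guidelines, the skipping of methods that are not enabled on the interface, the local-over-global precedence, and the insert-before semantics described above, modelled as an added Python example (not Junos code; the method names are the CLI keywords from this page, every other name is constructed):

```python
from __future__ import annotations
from typing import Optional

# Added example, not Junos code: the method names are the CLI keywords on this page.
VALID_METHODS = ("dot1x", "mac-radius", "captive-portal")

def validate_order(order: list[str], mac_radius_restrict: bool = False) -> Optional[str]:
    """Return None if the order follows the page's guidelines, else the reason it does not."""
    if mac_radius_restrict:
        return "authentication-order cannot be configured together with mac-radius-restrict"
    unknown = [m for m in order if m not in VALID_METHODS]
    if unknown:
        return f"unknown method(s): {unknown}"
    if len(order) != len(set(order)):
        return "a method may appear only once"
    if len(order) < 2:
        return "the order must include at least two methods"
    if "dot1x" not in order:
        return "dot1x must be one of the methods"
    if "captive-portal" in order and order[-1] != "captive-portal":
        return "captive-portal must be the last method"
    return None

def effective_order(global_order: Optional[list[str]], local_order: Optional[list[str]]) -> Optional[list[str]]:
    """'interface all' sets a global order; an order on the individual interface overrides it."""
    return local_order if local_order is not None else global_order

def insert_before(order: list[str], method: str, before: str) -> list[str]:
    """Mirror 'insert ... authentication-order <method> before <before>'; 'set' would not reorder."""
    if method not in order or before not in order or method == before:
        raise ValueError("both methods must already be in the order and must differ")
    new = [m for m in order if m != method]
    new.insert(new.index(before), method)
    return new

def authenticate(order: list[str], configured: set[str], outcome: dict[str, bool]) -> tuple[bool, list[str]]:
    """Walk the order for one client. Methods not configured on the interface are skipped;
    'outcome' is a constructed per-method result for this client (False = no response or
    rejected). Returns (authenticated, methods actually attempted)."""
    attempted: list[str] = []
    for method in order:
        if method not in configured:
            continue  # listed in the order but not enabled on this interface: ignored
        attempted.append(method)
        if outcome.get(method, False):
            return True, attempted
    # every enabled method failed: access denied (server-fail fallback is not modelled here)
    return False, attempted
```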

Configuring EAPoL Block to Maintain an Existing Authentication Session

When a switch acting as an 802.1X authenticator receives an EAP-Start message from an authenticated client, the switch tries to re-authenticate the client using the 802.1X method, typically returns an EAP-Request message, and waits for a response. If the client fails to respond, the switch attempts to re-authenticate the client using the MAC RADIUS or captive portal method if these methods are configured. Clients that were authenticated using MAC RADIUS or captive portal authentication do not respond to the EAP-Request, and their traffic is dropped on the interface while the switch attempts re-authentication.

If you have configured flexible authentication order on the interface so that MAC RADIUS is the first method used to authenticate a client, the switch still reverts to using 802.1X for re-authentication if the client sends an EAP-Start message, even if the client was successfully authenticated using MAC RADIUS authentication. You can configure an EAPoL block with either a fixed or flexible authentication order. If you do not configure the authentication-order statement, the order is fixed by default. The eapol-block statement can be configured with or without configuring the authentication-order statement.

You can configure a switch to ignore EAP-Start messages sent from a client that has been authenticated using MAC RADIUS authentication or captive portal authentication using the eapol-block statement. With a block of EAPoL messages in effect, if the switch receives an EAP-Start message from the client, it does not return an EAP-Request message, and the existing authentication session is maintained.

Note

If the endpoint has not been authenticated with MAC RADIUS authentication or captive portal authentication, the EAPoL block does not take effect. The endpoint can authenticate using 802.1X authentication.

If eapol-block is configured with the mac-radius option, then once the client is authenticated with MAC RADIUS authentication or CWA (Central Web Authentication), the client remains in authenticated state even if it sends an EAP-Start message. If eapol-block is configured with the captive-portal option, then once the client is authenticated with captive portal, the client remains in authenticated state even if it sends an EAP-Start message.

Note

This feature is supported on EX4300 and EX9200 switches.

To configure a block of EAPoL messages to maintain an existing authentication session:

  • To configure EAPoL block for a client authenticated using MAC RADIUS authentication:
    [edit]

    user@switch# set protocols dot1x authenticator interface interface-name eapol-block mac-radius
  • To configure EAPoL block for a client authenticated using captive portal authentication:
    [edit]

    user@switch# set protocols dot1x authenticator interface interface-name eapol-block captive-portal
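The EAPoL block decision described in this section, modelled as an added Python example (not Junos code): the session state names, the event strings, and the per-method re-authentication outcomes are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Added example, not Junos code: session states and event strings are constructed.
METHOD_ORDER = ("dot1x", "mac-radius", "captive-portal")  # 802.1X is always tried first on re-auth

@dataclass
class Session:
    mac: str
    authenticated_by: Optional[str] = None  # "dot1x", "mac-radius", "cwa", "captive-portal" or None
    events: list[str] = field(default_factory=list)

def eapol_block_applies(eapol_block: Optional[str], authenticated_by: Optional[str]) -> bool:
    """'eapol-block mac-radius' covers sessions authenticated by MAC RADIUS or CWA;
    'eapol-block captive-portal' covers sessions authenticated by captive portal.
    A session authenticated by 802.1X, or not yet authenticated, is never blocked."""
    if eapol_block == "mac-radius":
        return authenticated_by in ("mac-radius", "cwa")
    if eapol_block == "captive-portal":
        return authenticated_by == "captive-portal"
    return False

def on_eap_start(session: Session, eapol_block: Optional[str], reauth_outcome: dict[str, bool]) -> Session:
    """Handle an EAP-Start from 'session'. 'reauth_outcome' is a constructed result per
    method configured on the interface (absent = not configured); a client that was
    authenticated by MAC RADIUS or captive portal typically has dot1x=False."""
    if eapol_block_applies(eapol_block, session.authenticated_by):
        session.events.append("EAP-Start ignored; no EAP-Request; session maintained")
        return session
    session.events.append("EAP-Request sent; traffic dropped during re-authentication")
    for method in METHOD_ORDER:
        if reauth_outcome.get(method, False):
            session.authenticated_by = method
            session.events.append(f"re-authenticated via {method}")
            return session
    session.authenticated_by = None
    session.events.append("re-authentication failed; access denied")
    return session
```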