Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

MAC RADIUS Authentication

 

You can control access to your network through a switch by using several different authentication methods. Junos OS switches support 802.1X, MAC RADIUS, and captive portal as an authentication methods to devices requiring to connect to a network.

You can configure MAC RADIUS authentication on the switch interfaces to which the hosts are connected to provide LAN access. For more information, read this topic.

Configuring MAC RADIUS Authentication (CLI Procedure)

You can permit devices that are not 802.1X-enabled LAN access by configuring MAC RADIUS authentication on the switch interfaces to which the hosts are connected.

Note

You can also allow non-802.1X-enabled devices to access the LAN by configuring their MAC address for static MAC bypass of authentication.

You can configure MAC RADIUS authentication on an interface that also allows 802.1X authentication, or you can configure either authentication method alone.

If both MAC RADIUS and 802.1X authentication are enabled on the interface, the switch first sends the host three EAPoL requests to the host. If there is no response from the host, the switch sends the host’s MAC address to the RADIUS server to check whether it is a permitted MAC address. If the MAC address is configured as permitted on the RADIUS server, the RADIUS server sends a message to the switch that the MAC address is a permitted address, and the switch opens LAN access to the nonresponsive host on the interface to which it is connected.

If MAC RADIUS authentication is configured on the interface but 802.1X authentication is not (by using the mac-radius restrict option), the switch attempts to authenticate the MAC address with the RADIUS server without delaying by attempting 802.1X authentication first.

Before you configure MAC RADIUS authentication, be sure you have:

To configure MAC RADIUS authentication by using the CLI:

  • On the switch, configure the interfaces to which the nonresponsive hosts are attached for MAC RADIUS authentication, and add the restrict qualifier for interface ge-0/0/20 to have it use only MAC RADIUS authentication:

    [edit]

    user@switch# set protocols dot1x authenticator interface ge-0/0/19 mac-radius

    user@switch# set protocols dot1x authenticator interface ge-0/0/20 mac-radius restrict
  • On a RADIUS authentication server, create user profiles for each nonresponsive host using the MAC address (without colons) of the nonresponsive host as the username and password (here, the MAC addresses are 00:04:0f:fd:ac:fe and 00:04:ae:cd:23:5f):

    [root@freeradius]#

    edit /etc/raddb

    vi users

    00040ffdacfe Auth-type:=Local, User-Password = "00040ffdacfe"

    0004aecd235f Auth-type:=Local, User-Password = "0004aecd235f"

Example: Configuring MAC RADIUS Authentication on an EX Series Switch

To permit hosts that are not 802.1X-enabled to access a LAN, you can configure MAC RADIUS authentication on the switch interfaces to which the non-802.1X-enabled hosts are connected. When MAC RADIUS authentication is configured, the switch will attempt to authenticate the host with the RADIUS server by using the host’s MAC address.

This example describes how to configure MAC RADIUS authentication for two non-802.1X-enabled hosts:

Requirements

This example uses the following software and hardware components:

Note

This example also applies to QFX5100 switches.

  • Junos OS Release 9.3 or later for EX Series switches.

  • An EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.

  • A RADIUS authentication server. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you configure MAC RADIUS authentication, be sure you have:

Overview and Topology

IEEE 802.1X port-based network access control (PNAC) authenticates and permits devices access to a LAN if the devices can communicate with the switch by using the 802.1X protocol (that is, the devices are 802.1X-enabled). To permit non-802.1X-enabled end devices to access the LAN, you can configure MAC RADIUS authentication on the interfaces to which the end devices are connected. When the MAC address of the end device appears on the interface, the switch consults the RADIUS server to check whether it is a permitted MAC address. If the MAC address of the end device is configured as permitted on the RADIUS server, the switch opens LAN access to the end device.

You can configure both MAC RADIUS authentication and 802.1X authentication methods on an interface configured for multiple supplicants. Additionally, if an interface is connected only to a non-802.1X-enabled host, you can enable MAC RADIUS and not enable 802.1X authentication by using the mac-radius restrict option, and thus avoid the delay that occurs while the switch determines that the device is does not respond to EAP messages.

Figure 1 shows the two printers connected to the switch.

Note

This figure also applies to QFX5100 switches.

Figure 1: Topology for MAC RADIUS Authentication Configuration
Topology for MAC RADIUS
Authentication Configuration

Table 1 shows the components in the example for MAC RADIUS authentication.

Table 1: Components of the MAC RADIUS Authentication Configuration Topology

PropertySettings

Switch hardware

EX4200 ports (ge-0/0/0 through ge-0/0/23)

VLAN name

sales

Connections to printers (no PoE required)

ge-0/0/19, MAC address 00040ffdacfe

ge-0/0/20, MAC address 0004aecd235f

RADIUS server

Connected to the switch on interface ge-0/0/10

The printer with the MAC address 00040ffdacfe is connected to access interface ge-0/0/19. A second printer with the MAC address 0004aecd235f is connected to access interface ge-0/0/20. In this example, both interfaces are configured for MAC RADIUS authentication on the switch, and the MAC addresses (without colons) of both printers are configured on the RADIUS server. Interface ge-0/0/20 is configured to eliminate the normal delay while the switch attempts 802.1X authentication; MAC RADIUS authentication is enabled and 802.1X authentication is disabled using the mac radius restrict option.

Configuration

CLI Quick Configuration

To quickly configure MAC RADIUS authentication, copy the following commands and paste them into the switch terminal window:

[edit]

set protocols dot1x authenticator interface ge-0/0/19 mac-radius



set protocols dot1x authenticator interface ge-0/0/20 mac-radius restrict

Note

You must also configure the two MAC addresses as usernames and passwords on the RADIUS server, as is done in step 2 of the Step-by-Step Procedure.

Step-by-Step Procedure

Configure MAC RADIUS authentication on the switch and on the RADIUS server:

  1. On the switch, configure the interfaces to which the printers are attached for MAC RADIUS authentication, and configure the restrict option on interface ge-0/0/20, so that only MAC RADIUS authentication is used:
    [edit]

    user@switch# set protocols dot1x authenticator interface ge-0/0/19 mac-radius

    user@switch# set protocols dot1x authenticator interface ge-0/0/20 mac-radius restrict

  2. On the RADIUS server, configure the MAC addresses 00040ffdacfe and 0004aecd235f as usernames and passwords:
    [root@freeradius]#

    edit /etc/raddb

    vi users

    00040ffdacfe Auth-type:=EAP, User-Password = "00040ffdacfe"

    0004aecd235f Auth-type:=EAP, User-Password = "0004aecd235f"

Results

Display the results of the configuration on the switch:

Verification

Verify that the supplicants are authenticated:

Verifying That the Supplicants Are Authenticated

Purpose

After supplicants are configured for MAC RADIUS authentication on the switch and on the RADIUS server, verify that they are authenticated and display the method of authentication.

Action

Display information about the 802.1X-configured interfaces ge-0/0/19 and ge-0/0/20:

user@switch> show dot1x interface ge-0/0/19.0 detail
user@switch> show dot1x interface ge-0/0/20.0 detail

Meaning

The sample output from the show dot1x interface detail command displays the MAC address of the connected end device in the Supplicant field. On interface ge-0/0/19, the MAC address is 00:04:0f:fd:ac:fe, which is the MAC address of the first printer configured for MAC RADIUS authentication. The Authentication method field displays the authentication method as Radius. On interface ge-0/0/20, the MAC address is 00:04:ae:cd:23:5f, which is the MAC address of the second printer configured for MAC RADIUS authentication. The Authentication method field displays the authentication method as Radius.