Juniper Networks :: Technical Documentation :: Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch

Download PDFs
Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch

Related Topics
Configuring 802.1X Authentication (CLI Procedure)
Configuring 802.1X Authentication (J-Web Procedure)

Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch

As part of IEEE 802.1X Port-Based Network Access Control (PNAC), you can configure access through 802.1X-configured ports to your LAN for devices that are not 802.1X-enabled. These devices, typically printers, are known as nonresponsive hosts. Nonresponsive hosts are authenticated by means of their MAC address. If a nonresponsive host's MAC address is compared and matched against a user-configured static MAC address list, the nonresponsive host is authenticated and an interface opened for it.

This example describes how to configure static MAC authentication for two printers.

Requirements

This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX-series switches
One EX 4200 switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
One RADIUS authentication server. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you configure static MAC authentication, be sure you have:

Configured basic access between the EX-series switch and the RADIUS server. See Connecting and Configuring an EX-series Switch (J-Web Procedure).
Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch.

Overview and Topology

Figure 1 shows the two printers connected to the EX 4200.

Figure 1: Topology for Static MAC Authentication Configuration

Image g020070.gif

The interfaces shown in Table 1 will be configured for static MAC authentication.

Table 1: Components of the Static MAC Authentication Configuration Topology

Property	Settings
Switch hardware	EX 4200 24T, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)
VLAN name	default
Connections to integrated printer/fax/copier machines (no PoE required)	ge-0/0/19, MAC address 00:04:0f:fd:ac:fe ge-0/0/20, MAC address 00:04:ae:cd:23:5f

The printer with the MAC address 00:04:0f:fd:ac:fe is connected to access interface ge-0/0/19. A second printer with the MAC address 00:04:ae:cd:23:5f is connected to access interface ge-0/0/20. Both printers will be added to the static list and bypass 802.1X authentication.

Configuration

To configure static MAC authentication, perform these tasks:

CLI Quick Configuration

To quickly configure static MAC authentication, copy the following commands and paste them into the switch terminal window:

[edit]
set protocols
                              dot1x authenticator authenticaton-profile-name profile1
set protocols dot1x authenticator static
                              [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]
set protocols dot1x interface all supplicant multiple

Step-by-Step Procedure

Configure static MAC authentication:

Configure the authentication profile name (access profile name) to use for authentication:

[edit protocols] user@switch# set dot1x authenticator authentication-profile-name profile1
Configure MAC addresses 00:04:0f:fd:ac:fe and 00:04:ae:cd:23:5f as static MAC addresses:

[edit protocols] user@switch# set dot1x authenticator static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]
Configure the 802.1X authentication method:

[edit protocols] user@switch# set dot1x interface all supplicant multiple

Results

Display the results of the configuration:


                        
                           user@switch> show
                           interfaces {
                           
                              
                                 ge-0/0/19 {
                                 
                                    
                                       unit 0 {
                                       
                                          
                                             family ethernet-switching {
                                             
                                                
                                                   vlan members default;
                                                
                                             
                                             }
                                          
                                       
                                       }
                                    
                                 
                                 }
                              
                           
                           
                              
                                 ge-0/0/20 {
                                 
                                    
                                       unit 0 {
                                       
                                          
                                             family ethernet-switching {
                                             
                                                
                                                   vlan members default;
                                                
                                             
                                             }
                                          
                                       
                                       }
                                    
                                 
                                 }
                              
                           
                           }
                           protocols {
                           
                              
                                 dot1x {
                                 
                                    
                                       authenticator {
                                       authentication-profile-name profile1
                                       static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f];
                                       
                                          
                                             interface {
                                             
                                                
                                                   all {
                                                   supplicant multiple;
                                                   }
                                                
                                             
                                             }
                                          
                                       
                                       }
                                    
                                 
                                 }
                              
                           
                           }

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Static MAC Authentication

Verifying Static MAC Authentication

Purpose

Verify that the MAC address for both printers is configured and associated with the correct interfaces.

Action

Use the operational mode command:

user@switch> show dot1x static-mac-address

MAC address           VLAN-Assignment           Interface 
00:04:0f:fd:ac:fe     default                   ge-0/0/19.0
00:04:ae:cd:23:5f     default                   ge-0/0/20.0

Meaning

The output field MAC address shows the MAC addresses of the two printers.

The output field Interface shows that the MAC address 00:04:0f:fd:ac:fe can connect to the LAN through interface ge-0/0/19.0 and that the MAC address 00:04:ae:cd:23:5f can connect to the LAN through interface ge-0/0/20.0.