mac-radius

Syntax


                        
                           mac-radius <flap-on-disconnect> <restrict>;

Hierarchy Level


                        
                           [edit protocols dot1x                 authenticator                 interface                 interface-name]

Release Information

Statement introduced in JUNOS Release 9.3 for EX-series switches.

Option flap-on-disconnect introduced in JUNOS Release 9.4 for EX-series switches.

Description

Configure 802.1X MAC RADIUS authentication for specific interfaces. MAC RADIUS authentication allows LAN access to permitted MAC addresses. When a new MAC address appears on an interface, the switch consults the RADIUS server to check whether the MAC address is a permitted address. If the MAC address is configured on the RADIUS server, the device is allowed access to the LAN.

You can configure other 802.1X authentication methods on a single interface except when the optional keyword restrict is configured for MAC RADIUS. In restrictive mode, all 802.1X packets are eliminated, and the attached device on the interface is considered a nonresponsive host.

Options

flap-on-disconnect—(Optional) When the RADIUS server sends a disconnect message to a supplicant, the switch resets the interface on which the supplicant is authenticated. If the interface is configured for multiple supplicant mode, the switch resets all the supplicants on the specified interface. This option takes effect only when the restrict option is also set.
restrict—(Optional) Eliminates the normal 90-second delay needed by the switch to determine if the device connected to an interface is a responsive host (802.1X-enabled) or a nonresponsive host.

Required Privilege Level

routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.