How to Connect An EX Series Switch to the JumpCloud Cloud RADIUS Service Using IEEE 802.1X Authentication
About This Network Configuration Example
This network configuration example (NCE) shows how to configure an EX Series switch to connect to JumpCloud’s Cloud RADIUS service, which is acting as a RADIUS authentication server. A RADIUS authentication server contains information about user accounts and their permissions to access various IT resources, and those resources query the server to authenticate users trying to access the resource. Juniper Networks EX Series switches use IEEE 802.1X authentication to provide access control to devices or users.
Use Case Overview
Enterprises are increasingly migrating business workloads to public clouds. Hosting services in the cloud provides new options for scalability, resiliency, and cost optimization. RADIUS servers allow you to centrally create a consistent set of user accounts for all devices in your network, which makes managing user accounts easier. JumpCloud now offers a RADIUS server service in the cloud. Their Cloud RADIUS service manages user accounts and related employee data, such as address and phone information, profile pictures, and more. These users and their identities can then be connected to the IT resources they need through RADIUS authentication, including systems (Windows, Mac, and Linux), cloud and on-premise servers (for example, Amazon Web Services, Google Cloud, Microsoft Azure, and private data centers), web and on-premise applications through LDAP and SAML, data and file storage, and wired and WiFi networks.
The EX Series switches provide network edge security with the IEEE 802.1X standard for port-based network access control, protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from devices at the incoming interface until the user’s credentials are presented and matched on the authentication server. When the server authenticates the user, the switch stops blocking access and opens the interface to the user. When you configure 802.1X authentication on the switch, end devices are evaluated at the initial connection by an authentication server. To use 802.1X authentication, you must configure the connections on the switch to each authentication server you wish to use to authenticate users and devices.
A RADIUS authentication server acts as the backend database and contains credential information for end devices (supplicants) that have permission to connect to the network.
Example: How to View the Password for the JumpCloud RADIUS Server
For JumpCloud requirements, please see Welcome to Help Center! on the JumpCloud website.
Before You Begin
For this example, we assume that you have already followed the steps at Configuring RADIUS Servers in JumpCloud to become an administrator of a RADIUS server on the JumpCloud Cloud RADIUS service. You need to know the secret password (shared secret) of the server to be able to configure that password on the switch so that you can connect the switch to the RADIUS server. The password configured for the RADIUS server on the service and on the switch must match.
View the Password for the RADIUS Server
- Log in to https://console.jumpcloud.com as a JumpCloud Administrator user. You are now on the Users page.
- In the left-nav bar, click the icon for RADIUS.
- Click > to edit the information for the RADIUS server. In this example, the server’s name is Rad-Home.
- Click the eye icon on the Shared Secret field to see the server password.
Example: How to Connect the EX Series Switch to the JumpCloud Cloud RADIUS Service
This example uses the following hardware and software components:
- One EX4300, EX3400, or EX2300 switch running Junos OS Release 18.4R2 or later.
For this example, we assume that your switch is already configured and functioning in your network, and that the network can send and receive traffic from the Internet. You should review your own requirements and change the steps below as needed.
To connect the switch to the JumpCloud Cloud RADIUS service, you:
- Configure the RADIUS server information.
- Create an access profile.
- Configure the 802.1X authentication process to use the access profile.
- Configure the interface connected to the end device.
- Configure 802.1X authentication on that interface.
- Verify the configuration.

- Configure information about the JumpCloud RADIUS server: the IP address, the RADIUS server authentication port number, the secret password, the timeout value, and retry count. The secret password must match the “Shared Secret” configured on the JumpCloud
  See Configuring a Wireless Access Point (WAP), VPN or Router for JumpCloud's RADIUS on the JumpCloud website for current IP addresses for the JumpCloud Cloud RADIUS service; in this example, we have used the IP address for the US West RADIUS service, 220.127.116.11. (The JumpCloud service does not support accounting at this time, so there is no need to configure the accounting-port statement.)
    set access radius-server 220.127.116.11 port 1812
    set access radius-server 220.127.116.11 secret "SharedSecret"
    set access radius-server 220.127.116.11 timeout 3
    set access radius-server 220.127.116.11 retry 3
    set access radius-server 220.127.116.11 accounting-retry 3
- Configure an access profile to specify the authentication order, which specifies RADIUS as the method of authentication. You also configure the IP address of the RADIUS server to be associated with the profile and configure the revert interval, which is the amount of time the switch waits after a server has become unreachable. (The JumpCloud service does not support accounting at this time, so there is no need to configure the accounting-server statement.)
    set access profile jumpcloud authentication-order radius
    set access profile jumpcloud radius authentication-server 220.127.116.11
    set access profile jumpcloud radius options revert-interval 60
- Configure the RADIUS server to be used for IEEE 802.1X authentication by specifying the access profile name.
    set protocols dot1x authenticator authentication-profile-name jumpcloud
- Configure the interface connected to the end device.
    set interfaces ge-0/0/8 unit 0 family ethernet-switching
- Configure the logical interface connected to the end device (supplicant) with the 802.1X authentication mode (for example, single) and some of the best practices, such as configuring EAP-PEAP authentication. Replace ge-0/0/8.0 with the correct interface for your end device.
    set protocols dot1x authenticator interface ge-0/0/8.0 supplicant single
    set protocols dot1x authenticator interface ge-0/0/8.0 retries 3
    set protocols dot1x authenticator interface ge-0/0/8.0 quiet-period 60
    set protocols dot1x authenticator interface ge-0/0/8.0 transmit-period 30
    set protocols dot1x authenticator interface ge-0/0/8.0 mac-radius authentication-protocol eap-peap
    set protocols dot1x authenticator interface ge-0/0/8.0 reauthentication 3600
    set protocols dot1x authenticator interface ge-0/0/8.0 supplicant-timeout 30
    set protocols dot1x authenticator interface ge-0/0/8.0 server-fail deny
- Commit the configuration.
- Verify that the supplicant is being authenticated on the interface (ge-0/0/8.0) using the show dot1x interface brief command. The output shows that jcuser1 has been successfully authenticated using the JumpCloud Cloud RADIUS server.
    root@exswitch> show dot1x interface brief
    802.1X Information:
    Interface     Role           State           MAC address          User
    ge-0/0/8.0    Authenticator  Authenticated   00:00:5E:00:53:01    jcuser1
- Verify that 802.1X authentication is configured as intended using the show dot1x interface detail command.
    root@exswitch> show dot1x interface detail
    ge-0/0/8.0
      Role: Authenticator
      Administrative state: Auto
      Supplicant mode: Single
      Number of retries: 3
      Quiet period: 60 seconds
      Transmit period: 30 seconds
      Mac Radius: Enabled
      Mac Radius Restrict: Disabled
      Mac Radius Authentication Protocol: PEAP/MSCHAPv2
      Reauthentication: Enabled
      Reauthentication interval: 3600 seconds
      Supplicant timeout: 30 seconds
      Server timeout: 30 seconds
      Maximum EAPOL requests: 2
      Guest VLAN member: not configured
      Number of connected supplicants: 1
- In most cases, no further configuration is necessary, and users may connect to the network with their JumpCloud credentials. However, for some clients and end devices, the JumpCloud server may not be able to auto-negotiate the RADIUS server certificate. You may need to configure these clients using the PEAP settings at Configuring your WiFi Clients to use JumpCloud RADIUS on the JumpCloud website.
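
The configuration steps above only work if the pieces reference each other consistently: the access profile must point at a RADIUS server that has a secret, and the 802.1X authenticator must name that profile. The following Python script is an added example, not part of the original Juniper document, that audits set-format configuration text for those links and for the fail-closed and reauthentication settings used in this example. The function name audit_dot1x, the finding strings and the sample text (constructed from this page's commands) are assumptions for illustration.

```python
import re

# Constructed sample: the page's set commands with its example address,
# profile name and interface (candidate config, secret still in clear text).
SAMPLE_CONFIG = """\
set access radius-server 220.127.116.11 port 1812
set access radius-server 220.127.116.11 secret "SharedSecret"
set access profile jumpcloud authentication-order radius
set access profile jumpcloud radius authentication-server 220.127.116.11
set protocols dot1x authenticator authentication-profile-name jumpcloud
set protocols dot1x authenticator interface ge-0/0/8.0 supplicant single
set protocols dot1x authenticator interface ge-0/0/8.0 reauthentication 3600
set protocols dot1x authenticator interface ge-0/0/8.0 server-fail deny
"""

def audit_dot1x(config):
    """Return findings (strings) for a Junos set-format configuration."""
    servers, profiles, ifaces, dot1x_profile = {}, {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"set access radius-server (\S+) (\S+) (.+)", line):
            servers.setdefault(m[1], {})[m[2]] = m[3].strip('"')
        elif m := re.match(r"set access profile (\S+) radius authentication-server (\S+)", line):
            profiles.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"set protocols dot1x authenticator authentication-profile-name (\S+)", line):
            dot1x_profile = m[1]
        elif m := re.match(r"set protocols dot1x authenticator interface (\S+) (\S+)\s*(.*)", line):
            ifaces.setdefault(m[1], {})[m[2]] = m[3]
    findings = []
    # The authenticator must name a profile that lists at least one server.
    if dot1x_profile not in profiles:
        findings.append(f"dot1x profile {dot1x_profile!r} lists no RADIUS authentication-server")
    # Every server the profile references needs its own secret.
    for ip in profiles.get(dot1x_profile, []):
        secret = servers.get(ip, {}).get("secret")
        if secret is None:
            findings.append(f"{ip}: referenced by the profile but has no radius-server secret")
        elif secret == "SharedSecret":
            findings.append(f"{ip}: secret is still the example value from the documentation")
    for name, opts in sorted(ifaces.items()):
        if opts.get("server-fail", "deny") != "deny":
            findings.append(f"{name}: server-fail is {opts['server-fail']!r}, not deny as in the example")
        if "reauthentication" not in opts:
            findings.append(f"{name}: periodic reauthentication is not configured")
    return findings

if __name__ == "__main__":
    for finding in audit_dot1x(SAMPLE_CONFIG):
        print(finding)
```

On a committed configuration Junos displays the secret in encrypted form, so the example-value check applies only to configuration text prepared before it is loaded on the switch.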