How to Connect An EX Series Switch to the JumpCloud Cloud RADIUS Service Using IEEE 802.1X Authentication

 

About This Network Configuration Example

This network configuration example (NCE) shows how to configure an EX Series switch to connect to JumpCloud’s Cloud RADIUS service, which is acting as a RADIUS authentication server. A RADIUS authentication server contains information about user accounts and their permissions to access various IT resources, and those resources query the server to authenticate users trying to access the resource. Juniper Networks EX Series switches use IEEE 802.1X authentication to provide access control to devices or users.

Use Case Overview

Enterprises are increasingly migrating business workloads to public clouds. Hosting services in the cloud provides new options for scalability, resiliency, and cost optimization. RADIUS servers allow you to centrally create a consistent set of user accounts for all devices in your network, which makes managing user accounts easier. JumpCloud now offers a RADIUS server service in the cloud. Their Cloud RADIUS service manages user accounts and related employee data, such as address and phone information, profile pictures, and more. These users and their identities can then be connected to the IT resources they need through RADIUS authentication, including systems (Windows, Mac, and Linux), cloud and on-premise servers (for example, Amazon Web Services, Google Cloud, Microsoft Azure, and private data centers), web and on-premise applications through LDAP and SAML, data and file storage, and wired and WiFi networks.

Technical Overview

The EX Series switches provide network edge security with the IEEE 802.1X standard for port-based network access control, protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from devices at the incoming interface until the user’s credentials are presented and matched on the authentication server. When the server authenticates the user, the switch stops blocking access and opens the interface to the user. When you configure 802.1X authentication on the switch, end devices are evaluated at the initial connection by an authentication server. To use 802.1X authentication, you must configure the connections on the switch to each authentication server you wish to use to authenticate users and devices.

A RADIUS authentication server acts as the backend database and contains credential information for end devices (supplicants) that have permission to connect to the network.

Example: How to View the Password for the JumpCloud RADIUS Server

Requirements

For JumpCloud requirements, please see Welcome to Help Center! on the JumpCloud website.

Before You Begin

For this example, we assume that you have already followed the steps at Configuring RADIUS Servers in JumpCloud to become an administrator of a RADIUS server on the JumpCloud Cloud RADIUS service. You need to know the secret password (shared secret) of the server to be able to configure that password on the switch so that you can connect the switch to the RADIUS server. The password configured for the RADIUS server on the service and on the switch must match.

View the Password for the RADIUS Server

Step-by-Step Procedure

  1. Log in to https://console.jumpcloud.com as a JumpCloud Administrator user. You are now on the Users page.
  2. In the left-nav bar, click the icon for RADIUS.
  3. Click > to edit the information for the RADIUS server. In this example, the server’s name is Rad-Home.
  4. Click the eye icon on the Shared Secret field to see the server password.

Example: How to Connect the EX Series Switch to the JumpCloud Cloud RADIUS Service

Requirements

This example uses the following hardware and software components:

  • One EX4300, EX3400, or EX2300 switch running Junos OS Release 18.4R2 or later.

Overview

For this example, we assume that your switch is already configured and functioning in your network, and that the network can send and receive traffic from the Internet. You should review your own requirements and change the steps below as needed.

To connect the switch to the JumpCloud Cloud RADIUS service, you:

  • Configure the RADIUS server information.

  • Create an access profile.

  • Configure the 802.1X authentication process to use the access profile.

  • Configure the interface connected to the end device.

  • Configure 802.1X authentication on that interface.

  • Verify the configuration.

Topology

Configuration

Step-by-Step Procedure

  1. Configure information about the JumpCloud RADIUS server—the IP address, the RADIUS server authentication port number, the secret password, the timeout value, and retry count. The secret password must match the “Shared Secret” configured on the JumpCloud RADIUS server.

    See Configuring a Wireless Access Point (WAP), VPN or Router for JumpCloud's RADIUS on the JumpCloud website for current IP addresses for the JumpCloud Cloud RADIUS service; in this example, we have used the IP address for the US West RADIUS service, 54.203.27.225. (The JumpCloud service does not support accounting at this time, so you do not need to configure the accounting-port statement.)

  2. Configure an access profile to specify the authentication order, which specifies RADIUS as the method of authentication. You also configure the IP address of the RADIUS server to be associated with the profile and configure the revert interval, which is the amount of time the switch waits after a server has become unreachable. (The JumpCloud service does not support accounting at this time, so you do not need to configure the accounting-server statement.)
  3. Configure the RADIUS server to be used for IEEE 802.1X authentication by specifying the access profile name.
  4. Configure the interface connected to the end device.
  5. Configure the 802.1X authentication mode (for example, single) on the logical interface connected to the end device (supplicant), and apply best practices such as configuring EAP-PEAP authentication. Replace ge-0/0/8.0 with the correct interface for your end device.
  6. Commit the configuration.
  7. Verify that the supplicant is being authenticated on the interface (ge-0/0/8.0) using the show dot1x interface brief command. The output shows that jcuser1 has been successfully authenticated using the JumpCloud Cloud RADIUS server.
  8. Verify that 802.1X authentication is configured as intended using the show dot1x interface detail command.
  9. In most cases, no further configuration is necessary, and users may connect to the network with their JumpCloud credentials. However, for some clients and end devices, the JumpCloud server may not be able to auto-negotiate the RADIUS server certificate. You may need to configure these clients using the PEAP settings at Configuring your WiFi Clients to use JumpCloud RADIUS on the JumpCloud website.
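
The statements below are an added example of steps 1 through 8 in Junos set-command form; they are not the original commands from this NCE. The profile name jumpcloud-radius, the timeout, retry, and revert-interval values, the VLAN name default, and the secret placeholder are assumptions to replace with your own values, and the EAP-PEAP best-practice settings mentioned in step 5 are not shown.

```junos
# Added example. Assumed values: profile name "jumpcloud-radius",
# timeout 5, retry 3, revert-interval 60, VLAN "default".
# Enter these statements in configuration mode ([edit]).

# Step 1: RADIUS server address, authentication port, shared secret,
# timeout, and retry count. The secret must match the Shared Secret
# shown in the JumpCloud console. No accounting-port is configured.
set access radius-server 54.203.27.225 port 1812
set access radius-server 54.203.27.225 secret "REPLACE-WITH-JUMPCLOUD-SHARED-SECRET"
set access radius-server 54.203.27.225 timeout 5
set access radius-server 54.203.27.225 retry 3

# Step 2: access profile with RADIUS as the authentication method,
# the server bound to the profile, and the revert interval.
# No accounting-server is configured.
set access profile jumpcloud-radius authentication-order radius
set access profile jumpcloud-radius radius authentication-server 54.203.27.225
set access profile jumpcloud-radius radius options revert-interval 60

# Step 3: point 802.1X at the access profile.
set protocols dot1x authenticator authentication-profile-name jumpcloud-radius

# Step 4: interface connected to the end device (assumed VLAN).
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members default

# Step 5: 802.1X on the logical interface, single-supplicant mode.
set protocols dot1x authenticator interface ge-0/0/8.0 supplicant single

# Step 6: commit the configuration.
commit

# Steps 7 and 8: verify from configuration mode.
run show dot1x interface brief
run show dot1x interface detail
```

After the commit, show configuration access displays the secret in the Junos $9$ obfuscated form rather than the text you entered.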