Example: Configuring Options for RADIUS Server Failure or Timeout (CLI)

This example describes how to configure an interface to move a supplicant to a different VLAN in the event of a RADIUS server timeout. The example goes on to show methods of verifying that a supplicant is assigned to the appropriate VLAN and that after a failure the supplicant has been moved to the alternate VLAN.

Before configuring the options, be sure that the following setup is complete:

The following procedure configures the ge-0/0/1 interface to divert supplicants to the VLAN vlan-sf when a RADIUS timeout occurs. It also verifies the configuration settings and shows command output confirming the VLAN assignments in normal operation:

  1. Define the VLAN to which supplicants are diverted:
    [edit protocols dot1x authenticator]
    user@host# set interface ge-0/0/1.0 server-fail vlan-name vlan-sf
  2. Display the configuration:
    [edit protocols dot1x authenticator]
    user@host# top
    [edit]
    user@host# show
    interfaces {
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members default;
                    }
                }
            }
        }
    }
    protocols {
        dot1x {
            authenticator {
                authentication-profile-name profile52;
                interface {
                    ge-0/0/1.0 {
                        server-fail vlan-name vlan-sf;
                    }
                }
            }
        }
    }
  3. Display the VLANs configured on the switch; the interface ge-0/0/1.0 is a member of the default VLAN:
    user@host> show vlans
    Name           Tag     Interfaces
    default       
                           ge-0/0/0.0, ge-0/0/1.0*, ge-0/0/5.0*, ge-0/0/10.0,
                           ge-0/0/12.0*, ge-0/0/14.0*, ge-0/0/15.0, ge-0/0/20.0
    v2             77     
                           None
    vlan-sf        50     
                           None
    mgmt          
                           me0.0*
      

    In this example, the show vlans command shows that interface ge-0/0/1.0 is a member of the default VLAN.

  4. Display 802.1X protocol information on the switch to view supplicants that are authenticated on interface ge-0/0/1.0:
    user@host> show dot1x interface brief
    802.1x Information:
    Interface     Role           State           MAC address          User
    ge-0/0/1.0    Authenticator  Authenticated   00:00:00:00:00:01    abc     
    ge-0/0/10.0   Authenticator  Initialize     
    ge-0/0/14.0   Authenticator  Connecting     
    ge-0/0/15.0   Authenticator  Initialize     
    ge-0/0/20.0   Authenticator  Initialize     
    

    The output shows that a supplicant (abc) is authenticated on interface ge-0/0/1.0 and has the MAC address 00:00:00:00:00:01.

A RADIUS server timeout occurs, and the authentication server cannot be reached by the device. The next procedure demonstrates how the supplicant is diverted to the VLAN vlan-sf after the timeout occurs.

  1. Display the Ethernet switching table.
    user@host> show ethernet-switching table
    Ethernet-switching table: 3 entries, 1 learned
      VLAN              MAC address       Type         Age Interfaces
      v1                *                 Flood          - All-members
      vlan-sf           00:00:00:00:00:01 Learn       1:07 ge-0/0/1.0
      default           *                 Flood          - All-members
    

    The supplicant with the MAC address 00:00:00:00:00:01 that was previously accessing the LAN through the default VLAN is now being learned on the VLAN named vlan-sf.

  2. Display the 802.1X protocol information.

    user@host> show dot1x interface brief
         
    802.1x Information:
    Interface     Role           State           MAC address          User
    ge-0/0/1.0    Authenticator  Connecting     
    ge-0/0/10.0   Authenticator  Initialize     
    ge-0/0/14.0   Authenticator  Connecting     
    ge-0/0/15.0   Authenticator  Initialize     
    ge-0/0/20.0   Authenticator  Initialize     
    

    Interface ge-0/0/1.0 is connecting and will open LAN access to supplicants.
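
The two checks above can be combined into one audit. The following is an added example, not part of the original page or vendor code: it cross-references the output of show dot1x interface brief and show ethernet-switching table to list hosts learned on the server-fail VLAN while their port is not in the Authenticated state. The sample text is constructed, modelled on the output shown on this page; the function names and the second host (00:00:00:00:00:02) are assumptions.

```python
import re

# Constructed sample input, modelled on the command output shown on this page.
DOT1X_BRIEF = """\
802.1x Information:
Interface     Role           State           MAC address          User
ge-0/0/1.0    Authenticator  Connecting
ge-0/0/10.0   Authenticator  Initialize
ge-0/0/14.0   Authenticator  Authenticated   00:00:00:00:00:02    def
"""
SWITCHING_TABLE = """\
Ethernet-switching table: 4 entries, 2 learned
  VLAN              MAC address       Type         Age Interfaces
  v1                *                 Flood          - All-members
  vlan-sf           00:00:00:00:00:01 Learn       1:07 ge-0/0/1.0
  default           00:00:00:00:00:02 Learn       0:12 ge-0/0/14.0
  default           *                 Flood          - All-members
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"

def dot1x_states(text):
    """Map interface -> 802.1X state from 'show dot1x interface brief'."""
    states = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+-\d+/\d+/\d+\.\d+)\s+Authenticator\s+(\S+)", line)
        if m:
            states[m.group(1)] = m.group(2)
    return states

def learned_macs(text):
    """Return (vlan, mac, interface) for learned entries in the switching table."""
    pat = re.compile(rf"\s*(\S+)\s+({MAC})\s+Learn\s+\S+\s+(\S+)", re.I)
    return [m.groups() for m in map(pat.match, text.splitlines()) if m]

def server_fail_hosts(dot1x_text, table_text, fail_vlan="vlan-sf"):
    """Hosts learned on the server-fail VLAN whose port is not Authenticated."""
    states = dot1x_states(dot1x_text)
    return [
        {"mac": mac, "interface": ifd, "state": states.get(ifd, "unknown")}
        for vlan, mac, ifd in learned_macs(table_text)
        if vlan == fail_vlan and states.get(ifd) != "Authenticated"
    ]

if __name__ == "__main__":
    for host in server_fail_hosts(DOT1X_BRIEF, SWITCHING_TABLE):
        print(host)
```

Run against output collected from each switch, a non-empty result identifies hosts that currently have LAN access through the fallback VLAN rather than through a successful RADIUS authentication.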

