802.1X Authentication on Layer 2 Interfaces
Overview
The IEEE 802.1X standard for port-based network access control (PNAC) provides a mechanism to authenticate users of devices attached to a LAN port. The 802.1X standard verifies the user's credentials in a local or remote user database. The authentication mechanism allows only users with the correct credentials to access the network. It denies access for all other users, thereby controlling network access.
The three basic components of a network with 802.1X authentication are:
- Authenticator port access entity (PAE): A switch or router port to which a client connects. Authenticator PAEs form the control gate that blocks all traffic to and from the clients until 802.1X authenticates the clients.
- Supplicants: Clients that are trying to access the network and need to be authenticated. Supplicants connect to authenticator PAEs.
- Authentication server: The back-end database containing information about the users that are allowed to connect to the network. When a supplicant attempts to log in, 802.1X sends the supplicant's credentials to this server for authentication.
After the authentication server authenticates the supplicant's credentials, the device stops blocking access on the PAE. The device opens the interface to the supplicant and allows it to access the network. You (the network administrator) can configure 802.1X on Layer 2 (L2) interfaces.
The 802.1X IEEE standard allows you to use any authentication server for client authentication. RADIUS servers are most commonly used because those servers are easy to configure. RADIUS servers also provide the option to define proprietary, or vendor-specific, attributes. The device and the server can exchange these attributes.
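The control-gate behavior described above can be modeled in a few lines; this is an added example, not Juniper code or device configuration. It shows an authenticator port that accepts only 802.1X (EAPOL, EtherType 0x888E) frames until the authentication server accepts the supplicant's credentials. Assumptions: the class and function names, the sample MAC addresses and user database, admission per source MAC address, and a direct credential check standing in for the real EAP and RADIUS exchange.

```python
import hmac
import struct

ETHERTYPE_EAPOL = 0x888E  # EtherType that carries 802.1X (EAP over LAN)
ETHERTYPE_IPV4 = 0x0800

def make_frame(dst: bytes, src: bytes, etype: int, payload: bytes = b"") -> bytes:
    """Build an untagged Ethernet II frame (constructed sample input)."""
    return dst + src + struct.pack("!H", etype) + payload

class AuthServer:
    """Back-end user database; a stand-in for RADIUS (assumption)."""
    def __init__(self, users: dict):
        self._users = users

    def check(self, user: str, password: str) -> bool:
        stored = self._users.get(user)
        # Unknown users are rejected; known ones get a constant-time compare.
        return stored is not None and hmac.compare_digest(
            stored.encode(), password.encode())

class AuthenticatorPort:
    """Authenticator PAE: the port stays closed until the server accepts."""
    def __init__(self, server: AuthServer):
        self.server = server
        self.authorized_mac = None  # None means the port is unauthorized

    def login(self, src_mac: bytes, user: str, password: str) -> bool:
        """Relay the supplicant's credentials; open the port on success."""
        ok = self.server.check(user, password)
        if ok:
            self.authorized_mac = src_mac
        return ok

    def admits(self, frame: bytes) -> bool:
        """True if the port accepts this frame from the attached client."""
        if len(frame) < 14:
            return False  # truncated Ethernet header
        if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL:
            return True  # authentication traffic always reaches the PAE
        return self.authorized_mac is not None and frame[6:12] == self.authorized_mac

# Constructed sample data: locally administered MACs and a one-user database.
PAE_GROUP = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
GATEWAY = bytes.fromhex("020000000099")
CLIENT = bytes.fromhex("020000000001")
OTHER = bytes.fromhex("020000000002")
USERS = {"alice": "correct-horse"}
```
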
Benefits
- Authenticate users.
- Prevent bad actors from accessing your network.
- Control network access.
Platform Support
See Feature Explorer for platform and release support. Starting in Junos OS Evolved Release 23.4R2, this feature is supported on these platforms:
- QFX5230-64CD
- QFX5240-64OD
- QFX5240-64QD
Configuration Statements
Verification and Troubleshooting
- show vlans
- show ethernet-switching table
- show mac-vrf forwarding mac-table
- show dot1x interface detail