802.1X Authentication on Layer 2 Interfaces

Overview

The IEEE 802.1X standard for port-based network access control (PNAC) provides a mechanism to authenticate users of devices attached to a LAN port. The 802.1X standard verifies the user's credentials in a local or remote user database. The authentication mechanism allows only users with the correct credentials to access the network. It denies access for all other users, thereby controlling network access.

The three basic components of a network with 802.1X authentication are:

  • Authenticator port access entity (PAE): A switch or router port to which a client connects. Authenticator PAEs form the control gate that blocks all traffic to and from the clients until 802.1X authenticates the clients.

  • Supplicants: Clients that are trying to access the network and need to be authenticated. Supplicants connect to authenticator PAEs.

  • Authentication server: The back-end database containing information about the users that are allowed to connect to the network. When a supplicant attempts to log in, 802.1X sends the supplicant's credentials to this server for authentication.

After the authentication server authenticates the supplicant's credentials, the device stops blocking access on the PAE. The device opens the interface to the supplicant and allows it to access the network. You (the network administrator) can configure 802.1X on Layer 2 (L2) interfaces.

The IEEE 802.1X standard allows you to use any authentication server for client authentication. RADIUS servers are most commonly used because they are easy to configure. RADIUS servers also provide the option to define proprietary, or vendor-specific, attributes, which the device and the server can exchange.

Benefits

  • Authenticate users.

  • Prevent bad actors from accessing your network.

  • Control network access.

Platform Support

See Feature Explorer for platform and release support. Starting in Junos OS Evolved Release 23.4R2, this feature is supported on these platforms:

  • QFX5230-64CD

  • QFX5240-64OD

  • QFX5240-64QD

Configuration Statements

  1. Configure the L2 interface. For example:
  2. Enable 802.1X authentication.
    1. Single-supplicant mode:
    2. Single-secure-supplicant mode:
    3. Multiple-supplicant mode:
  3. Create the 802.1X profiles and associate the profiles to 802.1X, the RADIUS authentication server, and the RADIUS accounting server. For example:
  4. Configure the RADIUS authentication server. For example:
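The four steps above, put together as an added set-style example; it is not taken from the vendor page. The interface names, VLAN, profile name `dot1x-profile`, server address and secret are constructed placeholders, and the statements are assumed to follow standard Junos `dot1x` and `access` syntax, so check them against the CLI reference for your release.

```junos
# Constructed example: et-0/0/1..3, VLAN v100, profile "dot1x-profile",
# server 192.0.2.10 (documentation range) and the secret are placeholders.

# Step 1: L2 access interfaces that supplicants connect to
set vlans v100 vlan-id 100
set interfaces et-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces et-0/0/1 unit 0 family ethernet-switching vlan members v100
set interfaces et-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces et-0/0/2 unit 0 family ethernet-switching vlan members v100
set interfaces et-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces et-0/0/3 unit 0 family ethernet-switching vlan members v100

# Step 2: enable 802.1X, one supplicant mode per interface for comparison
# single: the first supplicant authenticates; other hosts behind the same
#         port then get access without authenticating themselves
set protocols dot1x authenticator interface et-0/0/1.0 supplicant single
# single-secure: exactly one supplicant may use the port; others are refused
set protocols dot1x authenticator interface et-0/0/2.0 supplicant single-secure
# multiple: every supplicant on the port is authenticated individually
set protocols dot1x authenticator interface et-0/0/3.0 supplicant multiple

# Step 3: access profile tying 802.1X to RADIUS authentication and accounting
set access profile dot1x-profile authentication-order radius
set access profile dot1x-profile radius authentication-server 192.0.2.10
set access profile dot1x-profile radius accounting-server 192.0.2.10
set access profile dot1x-profile accounting order radius
set protocols dot1x authenticator authentication-profile-name dot1x-profile

# Step 4: RADIUS server definition; the secret must match the server side
set access radius-server 192.0.2.10 secret "<shared-secret>"
```

After committing, `show dot1x interface detail` reports the configured supplicant mode and the authentication state of each port. On ports where more than one host can appear behind the interface, `single` mode lets unauthenticated hosts ride on the first supplicant's session, so prefer `single-secure` or `multiple` there.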

Verification and Troubleshooting

Related Documentation