Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?




Hierarchy Level


Configure the interface as a supplicant for 802.1X authentication. You can configure an interface to act as both an authenticator and as a supplicant on a link connecting switches or routers. This can be a switch-to-switch, switch-to-router, or router-to-router link. This enables the devices to authenticate each other, which is required to secure the link using MACsec in dynamic connectivity association key (CAK) mode.

MACsec in dynamic CAK mode relies on certificate-based validation using Extensible Authentication Protocol – Transport Layer Security (EAP-TLS). You must configure the supplicant interface to use EAP-TLS and assign a digital certificate to the interface.

Supplicant interfaces do not support captive portal or MAC RADIUS authentication.


local-certificate certificate-id

Specify the the local certificate for the supplicant interface when the local device has multiple loaded certificates.

authentication-method (eap-tls | eap-md5)

Configure the authentication method for the supplicant. To support MACsec in dynamic CAK mode, you must configure EAP-TLS authentication.

user-id user-id

Configure the user ID.

password password

Configure the password.

Required Privilege Level

routing—To view this statement in the configuration.

routing-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 22.2R1.