
Authentication and Access Control

  • 802.1X authentication with EVPN-VXLAN (EX4650, QFX5120)—Starting in Junos OS Release 22.4R1, the EX4650, QFX5120-32C, QFX5120-48T, QFX5120-48Y, and QFX5120-48YM switches that act as access switches can use 802.1X authentication to protect an EVPN-VXLAN network from unauthorized end devices.

    These switches support the following 802.1X authentication features on access and trunk ports:

    • Access ports: single, single-secure, and multiple supplicant modes

    • Trunk ports: single and single-secure supplicant modes

    • Guest VLAN

    • Server fail

    • Server reject

    • Dynamic VLAN

    • Dynamic firewall filters

    • RADIUS accounting

    • Port bounce with Change of Authorization (CoA) requests

    • MAC RADIUS client authentication

    • Central Web Authentication (CWA) with redirect URL

    • Captive portal client authentication

    • Flexible authentication with fallback scenarios

    [See 802.1X Authentication.]

  • OpenSSH certificate support (PTX1000, PTX5000)—Starting in Junos OS Release 22.4R1, you can configure SSH certificate-based authentication for users and hosts. This lets you set up password-less SSH login for users, and lets clients trust hosts without manually verifying key fingerprints.

    The following new CLI configuration statements can be used to configure SSH certificate-based authentication:

    • [system services ssh trusted-user-ca-key-file filename]—Configure the TrustedUserCAKeys directive in /etc/ssh/sshd_config, which points to the file listing the CA public keys trusted to sign user certificates.

    • [system services ssh host-certificate-file filename]—Configure the HostCertificate directive in /etc/ssh/sshd_config, which points to the signed host certificate.

    • [system services ssh authorized-principals-file filename]—Configure the AuthorizedPrincipalsFile directive (the file is stored under /var/etc), which lists principal names; at least one of them must appear in the certificate for the certificate to be accepted for authentication.

    • [system services ssh authorized-principals-command program-path]—Specify a program that generates the list of allowed certificate principals, in place of a static AuthorizedPrincipalsFile.

    [See Configure SSH Service for Remote Access to the Router or Switch.]
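The following is an added example, not Juniper's code and not part of the Junos documentation above. It parses an OpenSSH certificate (the wire format documented in PROTOCOL.certkeys in the OpenSSH source) and applies the checks that an AuthorizedPrincipalsFile implies: the certificate must be a user certificate, must be within its validity window, and must carry at least one principal listed in the file. The certificate, the principal names and the file contents are constructed in-block; only the ssh-ed25519 certificate type is handled, the signature field is a placeholder, and the CA signature check sshd performs against the TrustedUserCAKeys file is deliberately not shown.

```python
import base64
import struct

# Added example (not Juniper's code): decode an OpenSSH certificate and apply the
# AuthorizedPrincipalsFile acceptance rules. The certificate is constructed here
# with a placeholder signature; sshd additionally verifies the CA signature.

CERT_TYPE_USER, CERT_TYPE_HOST = 1, 2


def _s(b): return struct.pack(">I", len(b)) + b      # SSH "string": length-prefixed
def _u32(n): return struct.pack(">I", n)
def _u64(n): return struct.pack(">Q", n)


def build_cert_line(key_id, principals, valid_after, valid_before, cert_type=CERT_TYPE_USER):
    """Encode an (unsigned) ssh-ed25519 certificate in authorized_keys line form."""
    blob = b"".join([
        _s(b"ssh-ed25519-cert-v01@openssh.com"),
        _s(b"\x00" * 32),              # nonce (constructed)
        _s(b"\x11" * 32),              # subject Ed25519 public key (constructed)
        _u64(1),                       # serial
        _u32(cert_type),
        _s(key_id.encode()),
        _s(b"".join(_s(p.encode()) for p in principals)),   # valid principals
        _u64(valid_after),
        _u64(valid_before),
        _s(b""), _s(b""), _s(b""),     # critical options, extensions, reserved
        _s(b"\x22" * 51),              # CA public key blob (constructed)
        _s(b"\x33" * 83),              # signature (placeholder, not verified here)
    ])
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(blob).decode() + " " + key_id


class _Reader:
    """Sequential decoder for the SSH wire types used in a certificate."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def _take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def u32(self): return struct.unpack(">I", self._take(4))[0]
    def u64(self): return struct.unpack(">Q", self._take(8))[0]
    def string(self): return self._take(self.u32())


def parse_cert_line(line):
    """Parse '<type> <base64 blob> [comment]' and return the fields that matter for authorization."""
    fields = line.split()
    if len(fields) < 2 or not fields[0].endswith("-cert-v01@openssh.com"):
        raise ValueError("not an OpenSSH certificate line")
    r = _Reader(base64.b64decode(fields[1]))
    cert_format = r.string().decode()
    if cert_format != fields[0]:
        raise ValueError("type name does not match certificate body")
    if cert_format != "ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("only ssh-ed25519 certificates are handled in this example")
    r.string()                         # nonce
    r.string()                         # subject public key
    serial = r.u64()
    cert_type = r.u32()
    key_id = r.string().decode()
    principals, pr = [], _Reader(r.string())
    while pr.pos < len(pr.data):       # nested list of strings
        principals.append(pr.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    return {"serial": serial, "type": cert_type, "key_id": key_id,
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before}


def load_authorized_principals(text):
    """One principal per line; blank lines and '#' comments ignored (option prefixes not handled)."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            names.add(line)
    return names


def evaluate(cert_line, authorized_text, now):
    """Return 'ok' or a rejection reason (signature verification is omitted)."""
    cert = parse_cert_line(cert_line)
    if cert["type"] != CERT_TYPE_USER:
        return "rejected: not a user certificate"
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return "rejected: outside validity window"
    allowed = load_authorized_principals(authorized_text)
    if not any(p in allowed for p in cert["principals"]):
        return "rejected: no principal in AuthorizedPrincipalsFile"
    return "ok"


# Constructed inputs: a user certificate valid for one day and a principals file.
NOW = 1_700_000_000
USER_CERT = build_cert_line("alice@jump01", ["alice", "netops"], NOW - 3600, NOW + 86400)
PRINCIPALS_FILE = "# operators allowed on this router\nnetops\nadmin\n"

if __name__ == "__main__":
    print(parse_cert_line(USER_CERT)["principals"])
    print(evaluate(USER_CERT, PRINCIPALS_FILE, NOW))
```

The useful property to notice is that the principals file, not the certificate, decides who may log in: a certificate signed by a trusted CA but carrying only unlisted principals is rejected, and an expired certificate is rejected before the principal list is even consulted. On Junos the file this example reads corresponds to whatever `authorized-principals-file` points at, or to the output of the program named by `authorized-principals-command`.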