Authentication and Access Control
- Support for selective server-reject VLAN in dot1x authentication—You can enhance authentication processes with the Dot1x selective server-reject-vlan feature. When the RADIUS server rejects authentication, this feature allows 802.1x clients to attempt alternative authentication methods before being placed in the server-reject VLAN. [See https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/concept/understand-802.1X-selective-server-reject-vlan.html]
- LLDP-MED bypass for 802.1X authentication—You can bypass the 802.1X authentication procedure when connecting multiple LLDP-MED end devices on dot1x-enabled interfaces. [See https://www.juniper.net/documentation//us/en/software/junos/user-access/virtual-chassis/topics/concept/understanding-lldp-med-bypass.html]
- Retaining dot1x cache information across reboots for persistent sessions—You can ensure network access for clients authenticated via MAC RADIUS even after a device reboot using the persistent cache option. Enable this feature with the set protocol dot1x authenticator cache persistent command. This option saves session attributes to persistent storage, allowing clients to reconnect based on previously authenticated details, ensuring continuous access during power outages or server unavailability.
- GRES support for 802.1X protocol—You can ensure uninterrupted traffic flow during a Routing Engine failure using Graceful Routing Engine Switchover (GRES) support for the 802.1X protocol. The feature maintains client authentication states, preventing traffic loss and MAC learning disruptions. Use the CLI command show dot1x sync-pending-sessions to view unsynced authenticated sessions post-switchover and ensure proper session synchronization. This enhancement allows seamless transitions without client disconnections, ensuring continuous network access and stability. [See https://www.juniper.net/documentation/us/en/software/junos/user-access/understanding-graceful-routing-engine-switchover-support-for-802.1X.html]
- Enhancements to per-service accounting over RADIUS and default service activation—You can specify RADIUS accounting servers and intervals for individual services, enhancing control over service-specific accounting configurations. Additionally, you can configure a default service to activate when external RADIUS authentication servers are unreachable, ensuring service continuity. These configurations improve flexibility and reliability in managing service sessions and subscriber accounting. [See https://www.juniper.net/documentation/us/en/software/junos/user-access/understanding-per-service-radius-accounting-override-default-service-activation.html]