Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an MX Series Router

Starting with Junos OS Release 14.2, 802.1X on MX Series routers provides LAN access to users who do not have credentials in the RADIUS database.These users, referred to as guests, are authenticated and typically provided with access to the Internet.

This example describes how to create a guest VLAN and configure 802.1X authentication for it.


This example uses the following hardware and software components:

  • Junos OS Release 14.2 or later for MX240, MX480, or MX960 routers running in enhanced LAN mode.

  • One router acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.

  • One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you connect the server to the router, be sure you have:

  • Configured enhanced LAN mode on the router.

  • Performed basic bridging and VLAN configuration on the router.

  • Configured users on the RADIUS authentication server.

Overview and Topology

The MX Series router acts as an authenticator Port Access Entity (PAE). It blocks all traffic and acts as a control gate until the supplicant (client) is authenticated by the server. All other users and devices are denied access.

Consider an MX Series router that functions as an authenticator port. It is connected using the interface, ge-0/0/10, over the IP network to a RADIUS server. The router is also linked to a conference room using the interface, ge-0/0/1, to a printer using the interface, ge-0/0/20, to a hub using the interface, ge-0/0/8, and to two supplicants or clients over interfaces, ge-0/0/2 and ge-0/0/9 respectively.

Table 1: Components of the Topology
Property Settings

Router hardware

MX Series router

VLAN name


One RADIUS server

Backend database with an address of connected to the switch at port ge-0/0/10

In this example, access interface ge-0/0/1 provides LAN connectivity in the conference room. Configure this access interface to provide LAN connectivity to visitors in the conference room who are not authenticated by the corporate VLAN.

Configuration of a Guest VLAN That Includes 802.1X Authentication


CLI Quick Configuration

To quickly configure a guest VLAN, with 802.1X authentication, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

To configure a guest VLAN that includes 802.1X authentication on MX Series routers:

  1. Configure the VLAN ID for the guest VLAN:

  2. Configure the guest VLAN under dot1x protocols:


Check the results of the configuration:


To confirm that the configuration is working properly, perform these tasks:

Verifying That the Guest VLAN is Configured


Verify that the guest VLAN is created and that an interface has failed authentication and been moved to the guest VLAN.


Use the operational mode commands:


The output from the show bridge domain command shows bridge-domain-name as the name of the VLAN and the VLAN ID as 300.

The output from the show dot1x interface ge-0/0/1.0 detail command displays the bridge domain name , indicating that a supplicant at this interface failed 802.1X authentication and was passed through to the bridge-domain-name.

Release History Table
Starting with Junos OS Release 14.2, 802.1X on MX Series routers provides LAN access to users who do not have credentials in the RADIUS database.