Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?




Hierarchy Level


Configure multi-domain authentication to restrict the number of authenticated data and VoIP sessions on the port. Multi-domain authentication is an extension of multiple supplicant mode for 802.1X authentication, and is designed to support VoIP and data clients on the same interface. The interface is divided into two domains; one is the data domain and the other is the voice domain.

In multiple supplicant mode, any number of VoIP or data sessions can be authenticated; the number of sessions can be restricted using MAC limiting, but there is no way to apply the limit specifically to either data or VoIP sessions. Multi-domain authentication maintains separate session counts based on the domain type.

The data device can be authenticated using 802.1X authentication or MAC RADIUS authentication. Multi-domain authentication does not enforce the order of authentication. For best results, the VoIP device should be authenticated before the data device.

You can configure the maximum number of authenticated data sessions allowed on the interface using the max-data-session statement. The number of VoIP sessions is not configurable; only one authenticated VoIP session is allowed.

If a new client attempts to authenticate on the interface after the maximum session count has been reached, the default action is to drop the packet and generate an error log message. You can also configure the action to shut down the interface. The port can be manually recovered from the down state by issuing the clear dot1x recovery-timeout command, or can recover automatically after a recovery timeout period. To configure automatic recovery, use the recovery-timeout option.


max-data-session max-data-sessions

The maximum number of authenticated data sessions allowed in the data domain on the 802.1X-enabled interface.

  • Range: 1 through 1,000 sessions

  • Default: 1

packet-action (drop-and-log | shutdown)

Specify the action the device should take on packets that exceed the limit of authenticated sessions allowed on the interface. The limit for data sessions is configured using the max-data-session option. The number of VoIP sessions is not configurable; only one authenticated VoIP session is allowed.

  • Values: Specify one of the following:

    • drop-and-log—Drop the packet and generate an error syslog message.

    • shutdown—Shut down the interface.

  • Default: drop-and-log

recovery-timeout seconds

If you configure the packet action with the shutdown option and you configure the recovery timeout, the interface is temporarily disabled when the maximum number of authenticated sessions is reached. The interface will recover automatically after the number of seconds specified.

  • Range: 60 through 3600 seconds

  • Default: none

Required Privilege Level

routing—To view this statement in the configuration.

routing-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 18.3R1.