server-reject-bridge-domain | server-reject-vlan

Syntax

Hierarchy Level

Description

For a device configured for 802.1X authentication, specify that when the device receives an Extensible Authentication Protocol Over LAN (EAPoL) Access-Reject message during the authentication process between the device and the RADIUS authentication server, supplicants attempting to access the LAN are granted access and moved to a specific bridge domain or VLAN. Any bridge domain, VLAN name or VLAN ID sent by a RADIUS server as part of the EAPoL Access-Reject message is ignored.

When you specify the bridge domain, VLAN ID, or VLAN name, the bridge domain or VLAN must already be configured on the device.

Default

None

Options

server-reject-bridge-domain bridge-domain

(MX Series only) Move the supplicant on the interface to the bridge domain specified by this name or numeric identifier.

server-reject-vlan (vlan-id | vlan-name)

(MX Series in enhanced LAN mode, EX, QFX, and SRX Series only) Move the supplicant on the interface to the VLAN specified by this name or numeric identifier.

block-interval seconds

Specify the number of seconds that the 802.1X interface ignores Extensible Authentication Protocol (EAP) start messages from the client when an EAPoL block has been enabled on the 802.1X interface.

  • Range: 120 through 65,535 seconds

The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.
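An added example, not taken from Juniper's documentation: a Python lint for configuration templates that applies the two constraints stated above (the server-reject VLAN must already be configured, and block-interval must fall in 120 through 65,535 seconds). The `set` lines are constructed, and the `protocols dot1x authenticator interface` hierarchy they use is an assumption, since this page's Syntax and Hierarchy Level sections are empty.

```python
import re

# Constructed sample in Junos "set" form. The hierarchy used here
# (protocols dot1x authenticator interface ...) is an assumption; the
# page's Syntax and Hierarchy Level sections are empty.
SAMPLE_CONFIG = """\
set vlans remediation vlan-id 700
set vlans employees vlan-id 100
set protocols dot1x authenticator interface ge-0/0/1.0 server-reject-vlan remediation
set protocols dot1x authenticator interface ge-0/0/1.0 server-reject-vlan remediation block-interval 300
set protocols dot1x authenticator interface ge-0/0/2.0 server-reject-vlan 700 block-interval 60
set protocols dot1x authenticator interface ge-0/0/3.0 server-reject-vlan quarantine
"""

VLAN_RE = re.compile(r"^set vlans (\S+) vlan-id (\d+)$")
REJECT_RE = re.compile(
    r"^set protocols dot1x authenticator interface (\S+) "
    r"server-reject-vlan (\S+)(?: block-interval (\d+))?$"
)

def audit_server_reject(config_text):
    """Return a sorted list of (interface, finding) for server-reject-vlan lines."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    known = set()  # every VLAN name and VLAN ID defined in the config
    for ln in lines:
        m = VLAN_RE.match(ln)
        if m:
            known.update(m.groups())
    findings = set()
    for ln in lines:
        m = REJECT_RE.match(ln)
        if not m:
            continue
        iface, vlan, interval = m.groups()
        # The page requires the target VLAN to exist before it is referenced.
        if vlan not in known:
            findings.add((iface, f"server-reject VLAN '{vlan}' is not configured"))
        # The page gives the block-interval range as 120 through 65,535 seconds.
        if interval is not None and not 120 <= int(interval) <= 65535:
            findings.add((iface, f"block-interval {interval} outside 120-65535"))
    return sorted(findings)

if __name__ == "__main__":
    for iface, finding in audit_server_reject(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```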

Required Privilege Level

routing—To view this statement in the configuration.

routing-control—To add this statement to the configuration.

Release Information

server-reject-vlan introduced in Junos OS Release 9.3 for EX Series.

block-interval introduced in Junos OS Release 11.2 for EX Series.

server-reject-vlan introduced in Junos OS Release 14.2 for MX240, MX480, and MX960 routers in enhanced LAN mode.