Starting with Junos OS Release 14.2, IEEE 802.1X authentication provides network edge security, protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from a supplicant (client) at the interface until the supplicant's credentials are presented and matched on the authentication server (a RADIUS server). When the supplicant is authenticated, the switch stops blocking access and opens the interface to the supplicant.
Note: You can also specify an 802.1X exclusion list to specify
supplicants that can bypass authentication and be automatically
connected to the LAN.
You cannot configure 802.1X user authentication on interfaces
that have been enabled for Q-in-Q tunneling.
You cannot configure 802.1X user authentication on redundant
trunk groups (RTGs).
Before you begin, specify the RADIUS server
or servers to be used as the authentication server.
To configure 802.1X on an interface:
- Configure the supplicant mode as single (authenticates
the first supplicant), single-secure (authenticates only
one supplicant), or multiple (authenticates multiple supplicants):
[edit protocols authentication-access-control]
user@switch# set interface ge-0/0/5 supplicant multiple
- Enable reauthentication and specify the reauthentication
interval:
[edit protocols authentication-access-control]
user@switch# set interface ge-0/0/5/0 dot1x reauthentication interval 5
- Configure the interface timeout value for the response
from the supplicant:
[edit protocols authentication-access-control]
user@switch# set interface ge-0/0/5 dot1x supplicant-timeout 5
- Configure the timeout for the interface before it resends
an authentication request to the RADIUS server:
[edit protocols authentication-access-control]
user@switch# set interface ge-0/0/5 server-timeout 5
- Configure how long, in seconds, the interface waits before
retransmitting the initial EAPOL PDUs to the supplicant:
[edit protocols authentication-access-control]
user@switch# set interface ge-0/0/5 dot1x transmit-period 60
- Configure the maximum number of times an EAPOL request
packet is retransmitted to the supplicant before the authentication
session times out:
[edit protocols authentication-access-control]
user@switch# set interface ge-0/0/5 dot1x maximum-requests 5
- Configure the number of times the switch attempts to authenticate
the port after an initial failure. The port remains in a wait state
during the quiet period after the authentication attempt.
[edit protocols authentication-access-control]
user@switch# set interface ge-0/0/5 retries 1
Note: This setting specifies the number of tries before the
switch puts the interface in a “HELD” state.
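A check a reviewer can run before committing the procedure above: the following Python sketch is an added example, not Juniper code, and it recognizes only the statement forms printed in this procedure. The `audit` function and the sample input are constructs of this example; it groups statements by interface name and reports which of the seven settings each interface lacks.

```python
import re
from collections import defaultdict

# The seven per-interface settings configured by the procedure's steps.
EXPECTED = {"supplicant", "reauthentication", "supplicant-timeout",
            "server-timeout", "transmit-period", "maximum-requests", "retries"}
SUPPLICANT_MODES = {"single", "single-secure", "multiple"}

# "set interface <name> [dot1x] <setting> <args>", with an optional CLI prompt.
# The procedure prints statements with and without "dot1x", so it is optional.
SET_RE = re.compile(
    r"^(?:\S+#\s*)?set\s+interface\s+(\S+)\s+(?:dot1x\s+)?(\S+)\s*(.*)$")

def audit(config_text):
    """Group statements by interface; report missing or unexpected settings."""
    seen = defaultdict(dict)
    for raw in config_text.splitlines():
        m = SET_RE.match(raw.strip())
        if m:  # skips "[edit ...]" banners and blank lines
            ifname, setting, args = m.groups()
            seen[ifname][setting] = args.split()
    report = {}
    for ifname, settings in seen.items():
        errors = ["unrecognized setting: " + s
                  for s in sorted(set(settings) - EXPECTED)]
        mode = settings.get("supplicant")
        if mode is not None and (len(mode) != 1 or mode[0] not in SUPPLICANT_MODES):
            errors.append("unknown supplicant mode: " + " ".join(mode))
        report[ifname] = {"settings": settings,
                          "missing": sorted(EXPECTED - set(settings)),
                          "errors": errors}
    return report

# Constructed sample: the statements as printed in the procedure, where the
# reauthentication step names ge-0/0/5/0 and the other six name ge-0/0/5.
SAMPLE = """\
[edit protocols authentication-access-control]
user@switch# set interface ge-0/0/5 supplicant multiple
user@switch# set interface ge-0/0/5/0 dot1x reauthentication interval 5
user@switch# set interface ge-0/0/5 dot1x supplicant-timeout 5
user@switch# set interface ge-0/0/5 server-timeout 5
user@switch# set interface ge-0/0/5 dot1x transmit-period 60
user@switch# set interface ge-0/0/5 dot1x maximum-requests 5
user@switch# set interface ge-0/0/5 retries 1
"""

if __name__ == "__main__":
    for ifname, result in audit(SAMPLE).items():
        print(ifname, "missing:", result["missing"], "errors:", result["errors"])
```

Run against the sample, it reports reauthentication as missing on ge-0/0/5, because that statement was entered under a different interface name than the other six.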
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
Release 14.2: Starting with Junos OS Release 14.2, IEEE 802.1X authentication provides network edge security, protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from a supplicant (client) at the interface until the supplicant's credentials are presented and matched on the authentication server (a RADIUS server).