Configuring Server Fail Fallback on MX Series Routers in Enhanced LAN Mode
Starting with Junos OS Release 14.2, server fail fallback allows you to specify how end devices connected to the router are supported if the RADIUS authentication server becomes unavailable or sends a RADIUS access-reject message.
802.1X and MAC RADIUS authentication work by using an authenticator port access entity (the router) to block all traffic to and from an end device at the interface until the end device's credentials are presented and matched on the authentication server (a RADIUS server). When the end device has been authenticated, the router stops blocking and opens the interface to the end device.
When you set up 802.1X or MAC RADIUS authentication on the router, you specify a primary authentication server and one or more backup authentication servers. If the primary authentication server cannot be reached by the router and the secondary authentication servers are also unreachable, a RADIUS server timeout occurs. Because the authentication server grants or denies access to the end devices awaiting authentication, the router does not receive access instructions for end devices attempting access to the LAN and normal authentication cannot be completed. Server fail fallback allows you to configure authentication alternatives that permit the router to take appropriate actions toward end devices awaiting authentication or reauthentication.
The authentication fallback method called server-reject VLAN provides limited access to a LAN, typically just to the Internet, for responsive end devices that are 802.1X-enabled but that have sent the wrong credentials. If the end device that is authenticated using the server-reject VLAN is an IP phone, voice traffic is not allowed.
To configure basic server fail fallback options using the CLI:
Configure an interface to allow traffic to flow from a supplicant to the LAN if a RADIUS server timeout occurs (as if the end device had been successfully authenticated by a RADIUS server):
[edit protocols authentication-access-control] user@router# set interface ge-0/0/1 dot1x server-fail permit
Configure an interface to prevent traffic flow from an end device to the LAN (as if the end device had failed authentication and had been rejected by the RADIUS server):
[edit protocols authentication-access-control] user@router# set interface ge-0/0/1 dot1x server-fail deny
Configure an interface to move an end device to a specified VLAN if a RADIUS server timeout occurs (in this case, the VLAN name is vlan1):
[edit protocols authentication-access-control] user@router# set interface ge-0/0/1 dot1x server-fail vlan-name vlan1
Configure an interface to recognize already connected end devices as reauthenticated if there is a RADIUS timeout during reauthentication (new users will be denied access):
[edit protocols authentication-access-control] user@router# set interface ge-0/0/1 dot1x server-fail use-cache
Configure an interface that receives a RADIUS access-reject message from the authentication server to move end devices attempting LAN access on the interface to a specified VLAN already configured on the router (in this case, the VLAN name is vlan-sf):
[edit protocols authentication-access-control] user@router# set interface ge-0/0/1 dot1x server-reject-vlan vlan-sf
Note:If an IP phone is authenticated in the server-reject VLAN, voice traffic is not allowed.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.