RADIUS-Based Firewall Filters

Set up access control lists (ACLs) for your Juniper Mist-managed switches by using filters that you've defined on your RADIUS server.

To ensure more granular control over network access, configure firewall filters on your RADIUS server and reference them in switch policies.

Configuring RADIUS-Based Firewall Filters

For scenarios requiring simple filter conditions, add the filters by using the Juniper-Switching-Filter attribute in the Juniper dictionary on your RADIUS server. These filters are supported on all EX Series switches that authenticate users through your RADIUS server. There's no need for you to configure anything on individual switches.

For detailed instructions, see Configuring Firewall Filters on the RADIUS Server in the User Access and Authentication Administration Guide for Junos OS.

Note: For complex filters with a large number of conditions, you will need to configure your firewall filters on each switch. For help, see Applying a Locally Configured Firewall Filter from the RADIUS Server (in the User Access and Authentication Administration Guide for Junos OS).

After adding your firewall filters, make note of the IDs. You'll need them to create the switch policies in the Juniper Mist portal.

Create Switch Policies Using Your RADIUS-Based Firewall Filters

After you configure your firewall filters on your RADIUS server, go to the Juniper Mist portal and follow these steps to create labels identifying sources and destinations and to add switch policies allowing or denying access to your network resources.

  1. In the Juniper Mist portal, navigate to your switch template or site-level switch configuration.
    • To find a switch template—From the left menu, select Organization > Wired > Switch Templates. Then click the template.

    • To find a site-level switch configuration—From the left menu, select Site > Wired > Switch Configuration. Then click the site.

  2. Scroll down to the Switch Policy Labels section, and add your source and destination tags.
    • Source—Click Add Source, and then refer to the on-screen text to enter the information. Click Add to save the new source.

      Source fields showing camera as the Name, role as the type, an IP address in the Source IP Address field, and the characters camera-axis as the Filter ID
      Note: You can leave the source IP address blank. You must provide the RADIUS AVP (filter ID).
    • Destination—Click Add Destination, and then refer to the on-screen text to enter the information. Click Add to save the new destination.

      Destination fields showing Internal_Resources as the Name, an IP address in the Destination IP Address field, Any as the Protocol, and no specified Port Range
  3. Scroll down to the Switch Policy section and add a policy that uses your new labels:
    1. If you're working on a site-level switch configuration, select Override Template Defined.
    2. Click Add Switch Policy.
      A new policy appears at the top of the policy list, with a default name such as Switch Policy 1.
    3. Click the default policy name, and then enter a short, specific name to identify this policy.
    4. Under Source, click the + button, and then select a source label from the list.
    5. Under Destination, click the + button, and then select a destination label.
      The destination label appears with a green background, indicating that this policy allows access to this destination.
    6. If you want this policy to block access to the specified destination, click the destination button, and then click Deny.
      Selecting the Destination Button to Change the Action (Allow or Deny)
      When you change the policy to deny, the destination button turns red.
      Note:
      • The default action for a new rule is allow (green button).

      • Junos processes the policies in the listed order. After the final policy is processed, Junos defaults to deny. You don't need to add an explicit deny policy at the end of the list.

    This example shows how your configuration might look after you add source labels, destination labels, and policies.

    Screenshot showing several sources, destinations, and policies
  4. If you need to change the order of the policies, position your mouse on the blue button next to the policy number and drag up or down in the list.
  5. Click Save at the top-right corner of the configuration page.
  6. Review the on-screen confirmation information, and then click Save at the bottom of the confirmation window.
The switch policy configuration is pushed to the switches. The enforcement of each policy happens via the RADIUS server.
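The ordering rule above (policies checked top to bottom, first match wins, implicit deny at the end) is easy to get wrong when a deny sits below an allow for an overlapping destination. The following is an added example, not Mist or Junos code: a simplified model in which a source label matches on the RADIUS filter ID, a destination label matches on network, protocol and port range, and the sample labels and addresses are constructed (the "camera-axis" filter ID and "Internal_Resources" name are borrowed from the page; "NVR_RTSP" and the 10.20.0.0/16 addresses are placeholders).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Destination:
    """Destination label: name, IP network, protocol and optional port range."""
    name: str
    network: str                          # CIDR, e.g. "10.20.0.0/16"
    protocol: str = "any"                 # "any", "tcp" or "udp"
    ports: Optional[tuple[int, int]] = None  # inclusive (low, high); None = any port

    def matches(self, dst_ip: str, proto: str, port: int) -> bool:
        if ip_address(dst_ip) not in ip_network(self.network):
            return False
        if self.protocol != "any" and self.protocol != proto:
            return False
        return self.ports is None or self.ports[0] <= port <= self.ports[1]


@dataclass(frozen=True)
class Policy:
    """One switch policy: source label (by RADIUS filter ID) -> destination label."""
    name: str
    source_filter_id: str     # the RADIUS AVP (filter ID) carried by the source label
    destination: Destination
    action: str = "allow"     # a new rule defaults to allow


def evaluate(policies: list[Policy], filter_id: str, dst_ip: str,
             proto: str, port: int) -> tuple[str, str]:
    """Walk the policies in listed order; the first match decides.
    Nothing matching returns the implicit deny described on the page."""
    for p in policies:
        if p.source_filter_id == filter_id and p.destination.matches(dst_ip, proto, port):
            return p.action, p.name
    return "deny", "implicit"


# Constructed sample labels and policies (placeholder addresses).
INTERNAL = Destination("Internal_Resources", "10.20.0.0/16")
NVR_RTSP = Destination("NVR_RTSP", "10.20.5.0/24", "tcp", (554, 554))
POLICIES = [
    Policy("Cameras to NVR", "camera-axis", NVR_RTSP, "allow"),
    Policy("Cameras to Internal", "camera-axis", INTERNAL, "deny"),
]
```

Reversing the two policies makes the broader deny shadow the RTSP allow, which is the mistake the drag-to-reorder step exists to fix.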