How to Connect An EX Series Switch to the JumpCloud Cloud RADIUS Service Using IEEE 802.1X Authentication
About This Network Configuration Example
This network configuration example (NCE) shows how to configure an EX Series switch to connect to JumpCloud’s Cloud RADIUS service, which is acting as a RADIUS authentication server. A RADIUS authentication server contains information about user accounts and their permissions to access various IT resources, and those resources query the server to authenticate users trying to access the resource. Juniper Networks EX Series switches use IEEE 802.1X authentication to provide access control to devices or users.
Use Case Overview
Enterprises are increasingly migrating business workloads to public clouds. Hosting services in the cloud provides new options for scalability, resiliency, and cost optimization. RADIUS servers allow you to centrally create a consistent set of user accounts for all devices in your network, which makes managing user accounts easier. JumpCloud now offers a RADIUS server service in the cloud. Their Cloud RADIUS service manages user accounts and related employee data, such as address and phone information, profile pictures, and more. These users and their identities can then be connected to the IT resources they need through RADIUS authentication, including systems (Windows, Mac, and Linux), cloud and on-premise servers (for example, Amazon Web Services, Google Cloud, Microsoft Azure, and private data centers), web and on-premise applications through LDAP and SAML, data and file storage, and wired and WiFi networks.
Technical Overview
The EX Series switches provide network edge security with the IEEE 802.1X standard for port-based network access control, protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from devices at the incoming interface until the user’s credentials are presented and matched on the authentication server. When the server authenticates the user, the switch stops blocking access and opens the interface to the user. When you configure 802.1X authentication on the switch, end devices are evaluated at the initial connection by an authentication server. To use 802.1X authentication, you must configure the connections on the switch to each authentication server you wish to use to authenticate users and devices.
A RADIUS authentication server acts as the backend database and contains credential information for end devices (supplicants) that have permission to connect to the network.
Example: How to View the Password for the JumpCloud RADIUS Server
Requirements
For JumpCloud requirements, please see Welcome to Help Center! on the JumpCloud website.
Before You Begin
For this example, we assume that you have already followed the steps at Configuring RADIUS Servers in JumpCloud to become an administrator of a RADIUS server on the JumpCloud Cloud RADIUS service. You need to know the secret password (shared secret) of the server to be able to configure that password on the switch so that you can connect the switch to the RADIUS server. The password configured for the RADIUS server on the service and on the switch must match.
View the Password for the RADIUS Server
Procedure
Step-by-Step Procedure
Log in to https://console.jumpcloud.com as a JumpCloud Administrator user. You are now on the Users page.
In the left-nav bar, click the icon for RADIUS.
Click > to edit the information for the RADIUS server. In this example, the server’s name is Rad-Home.
Click the eye icon on the Shared Secret field to see the server password.
Example: How to Connect the EX Series Switch to the JumpCloud Cloud RADIUS Service
Requirements
This example uses the following hardware and software components:
One EX4300, EX3400, or EX2300 switch running Junos OS Release 18.4R2 or later.
Overview
For this example, we assume that your switch is already configured and functioning in your network, and that the network can send and receive traffic from the Internet. You should review your own requirements and change the steps below as needed.
To connect the switch to the JumpCloud Cloud RADIUS service, you:
Configure the RADIUS server information.
Create an access profile.
Configure the 802.1X authentication process to use the access profile.
Configure the interface connected to the end device.
Configure 802.1X authentication on that interface.
Verify the configuration.
Topology
Configuration
Procedure
Step-by-Step Procedure
Configure information about the JumpCloud RADIUS server—the IP address, the RADIUS server authentication port number, the secret password, the timeout value, and retry count. The secret password must match the “Shared Secret” configured on the JumpCloud RADIUS server.
See Configuring a Wireless Access Point (WAP), VPN or Router for JumpCloud's RADIUS on the JumpCloud website for current IP addresses for the JumpCloud Cloud RADIUS service; in this example, we have used the IP address for the US West RADIUS service, 54.203.27.225. (The JumpCloud service does not support accounting at this time, so no need to configure the
accounting-portstatement.)set access radius-server 54.203.27.225 port 1812 set access radius-server 54.203.27.225 secret "SharedSecret" set access radius-server 54.203.27.225 timeout 3 set access radius-server 54.203.27.225 retry 3 set access radius-server 54.203.27.225 accounting-retry 3
Configure an access profile to specify the authentication order, which specifies RADIUS as the method of authentication. You also configure the IP address of the RADIUS server to be associated with the profile and configure the revert interval, which is the amount of time the switch waits after a server has become unreachable. (The JumpCloud service does not support accounting at this time, so no need to configure the
accounting-serverstatement.)set access profile jumpcloud authentication-order radius set access profile jumpcloud radius authentication-server 54.203.27.225 set access profile jumpcloud radius options revert-interval 60
Configure the RADIUS server to be used for IEEE 802.1X authentication by specifying the access profile name.
set protocols dot1x authenticator authentication-profile-name jumpcloud
Configure the interface connected to the end device.
set interfaces ge-0/0/8 unit 0 family ethernet-switching
Configure the logical interface connected to the end device (supplicant) with the 802.1X authentication mode (for example, single) and some of the best practices, such as configuring EAP-PEAP authentication. Replace
ge-0/0/8.0with the correct interface for your end device.set protocols dot1x authenticator interface ge-0/0/8.0 supplicant single set protocols dot1x authenticator interface ge-0/0/8.0 retries 3 set protocols dot1x authenticator interface ge-0/0/8.0 quiet-period 60 set protocols dot1x authenticator interface ge-0/0/8.0 transmit-period 30 set protocols dot1x authenticator interface ge-0/0/8.0 mac-radius authentication-protocol eap-peap set protocols dot1x authenticator interface ge-0/0/8.0 reauthentication 3600 set protocols dot1x authenticator interface ge-0/0/8.0 supplicant-timeout 30 set protocols dot1x authenticator interface ge-0/0/8.0 server-fail deny
Commit the configuration.
Verify that the supplicant is being authenticated on the interface (ge-0/0/8.0) using the
show dot1x interface briefcommand. The output shows thatjcuser1has been successfully authenticated using the JumpCloud Cloud RADIUS server.root@exswitch> show dot1x interface brief 802.1X Information: Interface Role State MAC address User ge-0/0/8.0 Authenticator Authenticated 00:00:5E:00:53:01 jcuser1
Verify that 802.1X authentication is configured as intended using the
show dot1x interface detailcommand.root@exswitch> show dot1x interface detail ge-0/0/8.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Enabled Mac Radius Restrict: Disabled Mac Radius Authentication Protocol: PEAP/MSCHAPv2 Reauthentication: Enabled Reauthentication interval: 3600 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 2 Guest VLAN member: not configured Number of connected supplicants: 1
In most cases, no further configuration is necessary, and users may connect to the network with their JumpCloud credentials. However, for some clients and end devices, the JumpCloud server may not be able to auto-negotiate the RADIUS server certificate. You may need to configure these clients using the PEAP settings at Configuring your WiFi Clients to use JumpCloud RADIUS on the JumpCloud website.