
[EX/SRX Branch] 802.1x (DOT1X) Attributes for the EX Series Switch and SRX Branch devices

  [KB11078]


Summary:

This article lists the 802.1x (DOT1X) RADIUS attributes for EX Series switches and SRX branch devices. Refer to the Juniper Technical Assistance Center for further information about 802.1x and the currently supported options.

Symptoms:

Cause:

Solution:


RADIUS attributes used for Authentication on EX switches and SRX branch devices

| Attribute number as defined by RADIUS RFCs | Attribute-Value (AV) pair name | Messages used in |
|---|---|---|
| 1 | User-Name | Access-Request |
| 2 | User-Password | Access-Request |
| 4 | NAS-IP-Address | Access-Request |
| 5 | NAS-Port | Access-Request |
| 11 | Filter-Id | Access-Accept. The value(s) refer to already existing ACL(s) defined on the switch. |
| 12 | Framed-MTU | Access-Request. The value is set to 1500 for Ethernet. |
| 25 | Class | Access-Accept |
| 26 | Vendor-specific | Access-Accept. This will be a series of ASCII characters defining an ACL to be applied on the port. Vendor-Id used will be 2636. |
| 27 | Session-Timeout | Access-Accept. This can be used to override the re-authentication timeout value configured on the switch. Access-Challenge. This can be used to override the Supplicant timeout value configured on the switch. |
| 29 | Termination-Action | Access-Accept. The only valid value is RADIUS-Accept (This parameter is made mandatory by IEEE if Session-Timeout is used, even though it can have only one value) |
| 30 | Called-Station-Id (MAC address of switch) | Access-Request |
| 31 | Calling-Station-Id (MAC address of supplicant) | Access-Request |
| 61 | NAS-Port-Type | Access-Request |
| 64 | Tunnel-Type | Access-Accept. Used for Dynamic VLAN assignment. Should have value VLAN (type 13). |
| 65 | Tunnel-Medium-Type | Access-Accept. Used for Dynamic VLAN assignment. Should have value 802 (type 6). |
| 79 | EAP-Message | Access-Request, Access-Challenge, Access-Accept, Access-Reject |
| 80 | Message Authenticator | Access-Request, Access-Challenge, Access-Accept, Access-Reject |
| 81 | Tunnel-Private-Group-ID | Access-Accept. Used for Dynamic VLAN assignment. Has either the VLAN ID or the VLAN name to which the port has to be moved to. |
| Not yet defined | NAS-Traffic-Rule | Access-Accept, Change-of-Authorization (CoA) |
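
The Access-Accept rows above can be checked mechanically when auditing a RADIUS server policy. The following is an added example, not Juniper code: it parses an attribute block in the RFC 2865 Type-Length-Value layout and reports where it disagrees with the table (the dynamic VLAN attributes 64, 65 and 81, Session-Timeout with Termination-Action, and the Vendor-Id 2636). The function names and sample blocks are assumptions constructed for illustration.

```python
JUNIPER_VENDOR_ID = 2636  # Vendor-Id the table gives for attribute 26

def attr(code, value):
    """Encode one attribute as Type, Length, Value (RFC 2865)."""
    return bytes([code, len(value) + 2]) + value

def tagged_int(code, number, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: 1-byte tag, 3-byte value (RFC 2868)."""
    return attr(code, bytes([tag]) + number.to_bytes(3, "big"))

def parse_attrs(blob):
    """Split a packet's attribute section into (code, value) pairs."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        code, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {code}")
        out.append((code, blob[i + 2:i + length]))
        i += length
    return out

def tunnel_value(value):
    """Numeric part of a tagged tunnel attribute, or None if malformed."""
    return int.from_bytes(value[1:], "big") if len(value) == 4 else None

def check_access_accept(blob):
    """List the ways an Access-Accept attribute block disagrees with the table."""
    attrs = parse_attrs(blob)
    seen = {code: value for code, value in reversed(attrs)}  # first occurrence wins
    findings = []
    vlan = {64, 65, 81}  # all three are listed for dynamic VLAN assignment
    have = vlan & set(seen)
    if have and have != vlan:
        findings.append(f"incomplete VLAN set, missing {sorted(vlan - have)}")
    if 64 in seen and tunnel_value(seen[64]) != 13:
        findings.append("Tunnel-Type is not VLAN (13)")
    if 65 in seen and tunnel_value(seen[65]) != 6:
        findings.append("Tunnel-Medium-Type is not 802 (6)")
    if 27 in seen and 29 not in seen:
        findings.append("Session-Timeout without Termination-Action")
    for code, value in attrs:
        if code == 26 and int.from_bytes(value[:4], "big") != JUNIPER_VENDOR_ID:
            findings.append("Vendor-Specific Vendor-Id is not 2636")
    return findings

# Constructed sample attribute blocks (not captured traffic).
GOOD = tagged_int(64, 13) + tagged_int(65, 6) + attr(81, b"employees")
BAD = tagged_int(64, 13) + attr(81, b"guest") + attr(27, (3600).to_bytes(4, "big"))
```

An empty list from check_access_accept means the block agrees with every rule checked; it does not validate the packet header or the Message Authenticator.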

 
