Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Providing limited access to to supplicants who fail 802.1x authentication by configuring a guest VLAN on EX-series Ethernet switches



Article ID: KB11227 KB Last Updated: 11 Aug 2010Version: 4.0
As part of IEEE 802.1X interface-Based Network Access Control (PNAC), you can provide limited network access to supplicants who do not belong to a VLAN authentication group by configuring authentication to a guest VLAN. Typically, guest VLAN access is used to provide Internet access to visitors to a corporate site.  However, you can also use the guest VLAN feature to provide supplicants that fail 802.1X authentication to a corporate LAN with access to a VLAN with limited resources.
How do I provide limited access and resources to corporate visitors who do not belong to a corporate authentication group?
Before proceeding with the configuration please verify that the following requirements have been fulfilled.
  1. The EX series Ethernet switch has been installed.
  2. The EX series Ethernet switch is running JUNOS 9.0 or later and initial configuration has been performed.
  3. Basic bridging and VLAN configuration has been performed.
In this example the EX-series switch is acting as an authenticator interface access entity (PAE). The interfaces on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated. A RADIUS authentication server is used.  The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

For users who have valid credentials on the RADIUS database , the authentication will succeed and they will be able to access resources in the network using the corporate VLAN. For users who do not have credentials in the RADIUS database, the authentication will fail and  EX-series can still provide limited LAN access by assigning the port to the guest VLAN. These users, referred to as guests, are authenticated to the guest VLAN and  typically provided with access to the Internet.

Below is a sample configuration:
  1. Create a VLAN for guest users
    user@switch# set vlans vlan-for-guests vlan-id 300

  2. Write down the required ports on the EX-series Ethernet switch that need to be configured for guest users. For example port ge-0/0/6 is to be setup for dot1x authentication.
    NOTE:  if user authentication fails on this port, the port will be placed in a guest VLAN  'vlan-for-guests'

  3. Configure guest vlan under the [protocols dot1x] hierarchy for the chosen switch interfaces/ports
    user@switch# set protocols dot1x authenticator interface ge-0/0/6 guest-vlan vlan-for-guests

    NOTE :  If this needs to be set for all interfaces, you can use the command:    set protocols dot1x authenticator interface all guest-vlan vlan-for-guests

  4. Set the required 802.1x supplicant mode for the port
    user@switch# set protocols dot1x authenticator interface ge-0/0/6 supplicant single

If user authentication is successful on this port  (ge-0/0/6 in this example), the port will continue to be in the VLAN as per the configuration on the port. However, if user authentication fails, the port will get assigned to the guest vlan ( vlan-for-guests in this example).

  • Verify that the guest VLAN has been created and that the interface/port that failed authentication has moved to the guest VLAN from its original VLAN assignment.
    user@switch>  show vlans

    Name                   Tag                         Interfaces

                           ge-0/0/0.0*,  ge-0/0/1.0*, ge-0/0/2.0*,    ge-0/0/3.0*,
                           ge-0/0/4.0,   ge-0/0/5.0,   ge-0/0/7.0,      ge-0/0/8.0,
                           ge-0/0/9.0,   ge-0/0/10.0, ge-0/0/11.0,   ge-0/0/21.0,
                           ge-0/0/22.0, ge-0/0/23.0, ge-0/0/24.0,   ge-0/0/25.0,
                           ge-0/0/26.0, ge-0/0/27.0, ge-0/0/28.0,   ge-0/0/29.0,
                           ge-0/0/30.0, ge-0/0/31.0, ge-0/0/32.0,   ge-0/0/33.0,
                           ge-0/0/34.0, ge-0/0/35.0, ge-0/0/36.0,   ge-0/0/37.0,
                           ge-0/0/38.0, ge-0/0/39.0, ge-0/0/40.0,   ge-0/0/41.0,
                           ge-0/0/42.0, ge-0/0/43.0, ge-0/1/0.0,     ge-0/1/1.0,
                           ge-0/1/2.0,   ge-0/1/3.0

    vlan10                         10

                           ge-0/0/12.0*, ge-0/0/13.0,  ge-0/0/14.0

    vlan20                         20

                           ge-0/0/15.0, ge-0/0/16.0,    ge-0/0/17.0

    vlan30                         30

                           ge-0/0/18.0, ge-0/0/19.0,     ge-0/0/20.0

    vlan-for-guests          300            

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search