Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) on EX-series switches

Article ID: KB11758 KB Last Updated: 04 Mar 2017 Version: 4.0
Summary:
EX-series switches support a new set of filtering attributes that are used in conjunction with 802.1X authentication to further define access to a LAN.

The following procedure uses FreeRADIUS to configure a RADIUS server. For specifics on configuring your server, consult the accompanying AAA documentation that was included with your server.
Symptoms:
 
Solution:

EX-series switches support the configuration of RADIUS attributes specific to Juniper Networks. These attributes are known as vendor-specific attributes (VSAs) and are described in RFC 2138, Remote Authentication Dial In User Service (RADIUS) and RLI 4583, AAA RADIUS BRAS VSA Support. The Juniper Networks attributes are encapsulated in a RADIUS vendor-specific attribute with the vendor ID set to the Juniper Networks ID number, 2636.

EX-series switches support a new set of VSAs that are used in conjunction with 802.1X authentication. This set of filtering attributes further defines a supplicant's access to the LAN. It is called the Juniper-Switching-Filter and is listed under attribute ID number 48 in the dictionary.juniper file found on your RADIUS server.
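
The encapsulation described above can be checked against a captured Access-Accept with the following added example, which is not part of the Juniper article or of FreeRADIUS. It assumes the standard RADIUS Vendor-Specific layout (attribute type 26, 4-byte vendor ID, then vendor type, length and value); the function names are illustrative and the sample filter value is a constructed placeholder, not real filter syntax.

```python
import struct
# Added example; function names are illustrative, not a FreeRADIUS or Junos API.
VENDOR_SPECIFIC = 26      # RADIUS attribute type that carries VSAs
JUNIPER_VENDOR_ID = 2636  # vendor ID stated on this page
# Vendor types as listed in the dictionary.juniper excerpt on this page.
JUNIPER_ATTRS = {1: "Juniper-Local-User-Name", 2: "Juniper-Allow-Commands",
                 3: "Juniper-Deny-Commands", 4: "Juniper-Allow-Configuration",
                 5: "Juniper-Deny-Configuration", 44: "Juniper-Firewall-Filter",
                 48: "Juniper-Switching-Filter"}

def encode_vsa(vendor_type, value, vendor_id=JUNIPER_VENDOR_ID):
    """Build one Vendor-Specific attribute holding a single string sub-attribute."""
    data = value.encode("utf-8")
    if len(data) > 247:  # 255 - 2 (attr header) - 4 (vendor ID) - 2 (sub header)
        raise ValueError("value does not fit in one attribute")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, vendor_id) + sub

def juniper_vsas(attrs):
    """Walk a RADIUS attribute block; return [(name, value)] for Juniper VSAs."""
    found, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue  # not a VSA (or too short to hold a vendor ID)
        if struct.unpack("!I", body[:4])[0] != JUNIPER_VENDOR_ID:
            continue  # VSA from another vendor
        sub = body[4:]
        while sub:
            if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            name = JUNIPER_ATTRS.get(sub[0], "Juniper-Unknown-%d" % sub[0])
            found.append((name, sub[2:sub[1]].decode("utf-8", "replace")))
            sub = sub[sub[1]:]
    return found

# Constructed sample: a User-Name attribute (type 1) followed by the filter VSA.
SAMPLE_FILTER = "<filter-terms-placeholder>"  # placeholder, not real filter syntax
SAMPLE = b"\x01\x07alice" + encode_vsa(48, SAMPLE_FILTER)
```

Calling `juniper_vsas(SAMPLE)` returns the decoded attribute name and value, which confirms that the server sent the filter under vendor ID 2636 and vendor type 48 rather than under another ID.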

802.1X authentication prevents unauthorized user access by blocking a supplicant at the port until the supplicant is authenticated by the RADIUS server. Once the supplicant is authenticated, the switch stops blocking and opens the port.

VSAs are only supported for 802.1X single-supplicant configurations—not for multiple-supplicant configurations.


The following procedure uses FreeRADIUS to configure a RADIUS server. For specifics on configuring your server, consult the accompanying AAA documentation that was included with your server.

  • Load the Juniper dictionary containing the set of filtering attributes called Juniper-Switching-Filter, attribute ID 48.

  • Load the Juniper dictionary:
    [root@freeradius]# cat /usr/share/freeradius/dictionary.juniper

    #  dictionary.juniper
    #
    # Version:      $Id: dictionary.juniper,v 1.2.6.1 2005/11/30 22:17:25 aland Exp $
    #  VENDOR          Juniper                     2636
    BEGIN-VENDOR    Juniper
    ATTRIBUTE       Juniper-Local-User-Name        1       string
    ATTRIBUTE       Juniper-Allow-Commands         2       string
    ATTRIBUTE       Juniper-Deny-Commands          3       string
    ATTRIBUTE       Juniper-Allow-Configuration    4       string
    ATTRIBUTE       Juniper-Deny-Configuration     5       string
    ATTRIBUTE       Juniper-Firewall-Filter        44      string
    ATTRIBUTE       Juniper-Switching-Filter       48      string  <—
  • If the attribute Juniper-Switching-Filter is not displayed in the dictionary, you can copy and paste it into the dictionary below the existing attributes, and close the file:
    [root@freeradius]# vi /usr/share/freeradius/dictionary.juniper

    #  dictionary.juniper
    #
    # Version:      $Id: dictionary.juniper,v 1.2.6.1 2005/11/30 22:17:25 aland Exp $
    #  VENDOR          Juniper                     2636
    BEGIN-VENDOR    Juniper
    ATTRIBUTE       Juniper-Local-User-Name        1       string
    ATTRIBUTE       Juniper-Allow-Commands         2       string
    ATTRIBUTE       Juniper-Deny-Commands          3       string
    ATTRIBUTE       Juniper-Allow-Configuration    4       string
    ATTRIBUTE       Juniper-Deny-Configuration     5       string
    ATTRIBUTE       Juniper-Firewall-Filter        44      string

    -----  copy and paste the entire string here    -----