EX-series switches support a new set of filtering attributes that are used in conjunction with 802.1X authentication to further define access to a LAN.
EX-series switches support the configuration of RADIUS attributes specific to Juniper Networks. These attributes are known as vendor-specific attributes (VSAs) and are described in RFC 2138, Remote Authentication Dial In User Service (RADIUS) and RLI 4583, AAA RADIUS BRAS VSA Support. These attributes specific to Juniper Networks are encapsulated in a RADIUS vendor-specific attribute with the vendor ID set to the Juniper Networks ID number, 2636.
EX-series switches support a new set of VSAs that are used in conjunction with 802.1X authentication. This set of filtering attributes further defines a supplicant's access to the LAN. It is called Juniper-Switching-Filter and is listed as attribute ID 48 in the dictionary.juniper file on your RADIUS server.
802.1X authentication prevents unauthorized user access by blocking a supplicant at the port until the supplicant is authenticated by the RADIUS server. Once the supplicant is authenticated, the switch stops blocking and opens the port.
VSAs are only supported for 802.1X single-supplicant configurations—not for multiple-supplicant configurations.
The following procedure uses FreeRADIUS to configure a RADIUS server. For specifics on configuring your server, consult the accompanying AAA documentation that was included with your server.
- Load the Juniper dictionary, which contains the filtering attribute Juniper-Switching-Filter (attribute ID 48).
- Display the Juniper dictionary (the original page used cd on the file path; cat shows its contents):

[root@freeradius]# cat /usr/share/freeradius/dictionary.juniper
#
# dictionary.juniper
#
# Version: $Id: dictionary.juniper,v 1.2.6.1 2005/11/30 22:17:25 aland Exp $
#
VENDOR Juniper 2636
BEGIN-VENDOR Juniper
ATTRIBUTE Juniper-Local-User-Name 1 string
ATTRIBUTE Juniper-Allow-Commands 2 string
ATTRIBUTE Juniper-Deny-Commands 3 string
ATTRIBUTE Juniper-Allow-Configuration 4 string
ATTRIBUTE Juniper-Deny-Configuration 5 string
ATTRIBUTE Juniper-Firewall-Filter 44 string
ATTRIBUTE Juniper-Switching-Filter 48 string    # <-- the 802.1X filtering attribute
END-VENDOR Juniper
- If the attribute Juniper-Switching-Filter is not present in the dictionary, open the file in an editor, add the attribute line after the last ATTRIBUTE line of the Juniper vendor block, then save and close the file:

[root@freeradius]# vi /usr/share/freeradius/dictionary.juniper
#
# dictionary.juniper
#
# Version: $Id: dictionary.juniper,v 1.2.6.1 2005/11/30 22:17:25 aland Exp $
#
VENDOR Juniper 2636
BEGIN-VENDOR Juniper
ATTRIBUTE Juniper-Local-User-Name 1 string
ATTRIBUTE Juniper-Allow-Commands 2 string
ATTRIBUTE Juniper-Deny-Commands 3 string
ATTRIBUTE Juniper-Allow-Configuration 4 string
ATTRIBUTE Juniper-Deny-Configuration 5 string
ATTRIBUTE Juniper-Firewall-Filter 44 string
# ----- paste the following line here -----
ATTRIBUTE Juniper-Switching-Filter 48 string
END-VENDOR Juniper
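The check-and-insert step above can be scripted so that it is safe to rerun on every RADIUS server. The following POSIX shell script is an added example, not code from the Juniper or FreeRADIUS documentation: it looks for Juniper-Switching-Filter (attribute 48, type string) in a dictionary.juniper file and inserts it before the END-VENDOR Juniper line only when it is missing. The constructed sample dictionary and the default path /usr/share/freeradius/dictionary.juniper are assumptions.

```shell
#!/bin/sh
# Added example (not from Juniper or FreeRADIUS): make sure dictionary.juniper
# defines Juniper-Switching-Filter as vendor attribute 48 of type string.

# Return 0 when the file already defines attribute 48 as Juniper-Switching-Filter.
has_switching_filter() {
    grep -Eq '^[[:space:]]*ATTRIBUTE[[:space:]]+Juniper-Switching-Filter[[:space:]]+48[[:space:]]+string' "$1"
}

# Insert the attribute line just before "END-VENDOR Juniper"; if the file has no
# END-VENDOR line (for example a copy that was cut short), append it at the end.
# Running this twice leaves the file unchanged.
add_switching_filter() {
    file="$1"
    if has_switching_filter "$file"; then
        return 0
    fi
    line='ATTRIBUTE Juniper-Switching-Filter 48 string'
    if grep -Eq '^[[:space:]]*END-VENDOR[[:space:]]+Juniper' "$file"; then
        tmp="$file.tmp.$$"
        awk -v attr="$line" '/^[[:space:]]*END-VENDOR[[:space:]]+Juniper/ { print attr }
                             { print }' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# Constructed sample dictionary: a Juniper vendor block that lacks attribute 48.
# On a real server you would call: add_switching_filter /usr/share/freeradius/dictionary.juniper
make_sample_dictionary() {
    cat > "$1" <<'EOF'
# dictionary.juniper (constructed sample for this example)
VENDOR Juniper 2636
BEGIN-VENDOR Juniper
ATTRIBUTE Juniper-Local-User-Name 1 string
ATTRIBUTE Juniper-Firewall-Filter 44 string
END-VENDOR Juniper
EOF
}

SAMPLE="${TMPDIR:-/tmp}/dictionary.juniper.sample.$$"
make_sample_dictionary "$SAMPLE"
add_switching_filter "$SAMPLE"    # inserts the attribute before END-VENDOR
add_switching_filter "$SAMPLE"    # second run is a no-op
```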