Configuring Dynamic VLAN assignment on the EX Switch/SRX with standard Windows XP SP2 client and Steel Belted RADIUS (SBR)

This article provides a method of configuring Dynamic VLAN assignment on the EX Switch/SRX with a standard Windows XP SP2 client and Steel Belted RADIUS (SBR). The EX Switch/SRX acts as the authenticator in the 802.1X environment. The end user, also known as the supplicant, uses Windows XP SP2, and the Authentication Server is SBR.
The following steps are used to configure the EX Switch, the Windows XP SP2 client and Steel Belted RADIUS (SBR).

EX Switch/SRX configuration

RADIUS server connection details

set access radius-server secret "$9$gUaGi/9pEcl9AEyrlXxbs2oUH"
set access radius-server source-address
set access profile prof1 authentication-order radius
set access profile prof1 radius authentication-server

Dot1x interface details (supplicant mode can be any of single, single-secure or multiple)

set protocols dot1x authenticator authentication-profile-name prof1
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single

Create VLANs with no interfaces associated with them (after successful authentication, the port is moved to the VLAN specified in the return attribute from the RADIUS server)

set vlans engg vlan-id 600
set vlans jtac vlan-id 700
set vlans sales vlan-id 500

Steel Belted Radius (SBR) Configuration

  • Add the RADIUS clients to the SBR server
  • Add Native users to the user list for authentication
  • Return the following attributes in the Return List for dynamic VLAN assignment:
      - Tunnel-Medium-Type = 802
      - Tunnel-Private-Group-ID = sales (the value of this attribute is the name of the VLAN, i.e. sales as configured above)
      - Tunnel-Type = VLAN
  • Set the authentication method and order. Order of Methods:
      - Name = Native User
      - EAP Methods = MD5 Challenge
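
The dynamic assignment depends on the SBR Return List naming a VLAN that exists on the switch. The following check is an added example, not part of the original article or of any Juniper tooling: it compares a return list against the `set vlans` lines. The function names are hypothetical, the sample input is constructed from the settings above, and the exact, case-sensitive name match is an assumption of this check.

```python
import re

# Constructed sample input, copied from the switch and SBR settings in this article.
SWITCH_CONFIG = """\
set vlans engg vlan-id 600
set vlans jtac vlan-id 700
set vlans sales vlan-id 500
"""
RETURN_LIST = """\
-Tunnel-Medium-Type = 802
-Tunnel-Private-Group-ID = sales
-Tunnel-Type = VLAN
"""

# Accepted spellings: the symbolic name or the numeric value defined in RFC 3580.
REQUIRED = {"Tunnel-Type": {"VLAN", "13"}, "Tunnel-Medium-Type": {"802", "6"}}

def parse_vlans(junos_config):
    """Map VLAN name -> vlan-id from 'set vlans NAME vlan-id N' lines."""
    pattern = re.compile(r"^\s*set vlans (\S+) vlan-id (\d+)\s*$", re.M)
    return {name: int(vid) for name, vid in pattern.findall(junos_config)}

def parse_return_list(text):
    """Parse 'Attribute = value' lines (a leading '-' is allowed) into a dict."""
    attrs = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.lstrip("- \t").split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs

def check_return_list(attrs, vlans):
    """Return a list of problems; an empty list means the return list is consistent."""
    problems = []
    for name, allowed in REQUIRED.items():
        if attrs.get(name) not in allowed:
            problems.append(f"{name} is {attrs.get(name)!r}, expected one of {sorted(allowed)}")
    group = attrs.get("Tunnel-Private-Group-ID")
    if group is None:
        problems.append("Tunnel-Private-Group-ID is missing")
    elif group not in vlans:  # assumption: exact, case-sensitive VLAN name match
        problems.append(f"VLAN {group!r} is not configured on the switch")
    return problems

if __name__ == "__main__":
    issues = check_return_list(parse_return_list(RETURN_LIST), parse_vlans(SWITCH_CONFIG))
    print("\n".join(issues) if issues else "return list matches switch VLANs")
```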

Windows XP SP2 client configuration

  • Go to network connections
  • Go to properties of LAN card
  • Go to the Authentication tab
  • Check "Enable 802.1X authentication for this network"
  • Set EAP type as MD5-Challenge


Once the configuration is done and the client is connected to the EX switch/SRX, the client port is authenticated and dynamically placed into the sales VLAN, as shown below.

root@user# run show dot1x interface
802.1X Information:
Interface Role State MAC address User

ge-0/0/1.0 Authenticator Authenticated 00:15:58:2F:AD:57 JNPR\narang

root@user# run show vlans
Name Tag Interfaces
default     None
sales     100      ge-0/0/1.0*, ge-0/0/4.0, ge-0/0/12.0, ge-0/0/13.0, ge-0/0/22.0
