Configuring Dynamic VLAN assignment on the EX Switch/SRX with standard Windows XP2 client and Steel Belted RADIUS (SBR)

  [KB12688]


Summary:
This article provides a method of configuring Dynamic VLAN assignment on the EX Switch/SRX with standard Windows XP2 client and Steel Belted RADIUS (SBR). The EX Switch/SRX acts as the authenticator in an 802.1X environment. The end user, also known as the supplicant, uses Windows XP SP2, and the Authentication Server is SBR.
Solution:
The following steps are used to configure the EX Switch, the Windows XP SP2 client and Steel Belted RADIUS (SBR).

EX Switch/SRX configuration

RADIUS server connection details

set access radius-server 192.168.10.100 secret "$9$gUaGi/9pEcl9AEyrlXxbs2oUH"
set access radius-server 192.168.10.100 source-address 192.168.10.1
set access profile prof1 authentication-order radius
set access profile prof1 radius authentication-server 192.168.10.100


Dot1x interface details (supplicant mode can be any of single, single-secure or multiple)

set protocols dot1x authenticator authentication-profile-name prof1
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single


Create VLANs with no interfaces associated with them (after successful authentication, the port is moved to the VLAN specified in the return attribute from the RADIUS server)

set vlans engg vlan-id 600
set vlans jtac vlan-id 700
set vlans sales vlan-id 500


Steel Belted RADIUS (SBR) Configuration

  • Add the RADIUS clients to the SBR server
  • Add Native users to the user list for Authentication
  • Return the following attributes in the Return List for dynamic VLAN assignment:
      - Tunnel-Medium-Type = 802
      - Tunnel-Private-Group-ID = sales (please note that the value of this attribute is the name of the VLAN, i.e. sales, as configured above)
      - Tunnel-Type = VLAN
  • Set the authentication method and order:
      Order of Methods
      - Name = Native User
      - EAP Methods = MD5 Challenge
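
The three return-list attributes above are carried in the RADIUS Access-Accept as tagged tunnel attributes (RFC 2868, RFC 3580). The following Python is an added example, not Juniper or SBR code: it decodes an Access-Accept and checks that the reply names a VLAN defined on the switch. The function names, the constructed sample packet and its zeroed (unverified) authenticator are assumptions for illustration.

```python
import struct

# Attribute numbers and values per RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802, ACCESS_ACCEPT = 13, 6, 2
SWITCH_VLANS = {"engg", "jtac", "sales"}  # names from the "set vlans" lines above

def parse_attributes(packet: bytes) -> dict:
    """Split an Access-Accept into {attribute type: raw value bytes}."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = {}, 20  # 20 = code + id + length + 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs

def vlan_from_accept(packet: bytes, switch_vlans=SWITCH_VLANS) -> str:
    """Return the VLAN name the reply assigns, or raise ValueError."""
    attrs = parse_attributes(packet)
    # Tunnel-Type and Tunnel-Medium-Type: one tag byte, then a 3-byte integer.
    for a_type, want in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM_TYPE, IEEE_802)):
        raw = attrs.get(a_type, b"")
        if len(raw) != 4 or int.from_bytes(raw[1:], "big") != want:
            raise ValueError(f"attribute {a_type} missing or not {want}")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:  # optional leading tag byte
        group = group[1:]
    name = group.decode("ascii", errors="replace")
    if name not in switch_vlans:
        raise ValueError(f"VLAN {name!r} is not defined on the switch")
    return name

def sample_accept(group_id: bytes, tunnel_type: int = VLAN) -> bytes:
    """Constructed test packet; the authenticator is zeroed and not verified."""
    def attr(a_type, value):
        return bytes([a_type, len(value) + 2]) + value
    body = (attr(TUNNEL_TYPE, b"\x00" + tunnel_type.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, group_id))
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body
```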

Windows XP SP2 client configuration

  • Go to Network Connections
  • Go to the properties of the LAN card
  • Go to the Authentication tab
  • Check "Enable 802.1X authentication for this network"
  • Set EAP type as MD5-Challenge

VERIFICATION

Once configuration is done and the client is connected to the EX switch/SRX, the client port will be authenticated and dynamically placed into the sales VLAN, as shown below.

root@user# run show dot1x interface
802.1X Information:
Interface Role State MAC address User

ge-0/0/1.0 Authenticator Authenticated 00:15:58:2F:AD:57 JNPR\narang

root@user# run show vlans
Name Tag Interfaces
default     None
sales     100      ge-0/0/1.0*, ge-0/0/4.0, ge-0/0/12.0, ge-0/0/13.0, ge-0/0/22.0