Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Configuring Dynamic VLAN assignment on the EX Switch/SRX with standard Windows XP2 client and Steel Belted RADIUS (SBR)

0

0
Article ID: KB12688 KB Last Updated: 26 Feb 2020Version: 5.0 Summary:
This article provides a method of configuring Dynamic VLAN assignment on the EX Switch/SRX with standard Windows XP2 client and Steel Belted RADIUS (SBR). The EX Switch/SRX acts as authenticator in 802.1X environment. The end user, also known as supplicant, uses Windows XP SP2, and the Authentication Server is SBR.
Solution:
The following steps are used to configure the EX Switch, Windows XP SP2 client and Steel Belted RADIUS (SBR)

EX Switch/SRX configuration

Radius server connection details
 

set access radius-server 192.168.10.100 secret "$ABC123"
set access radius-server 192.168.10.100 source-address 192.168.10.1
set access profile prof1 authentication-order radius
set access profile prof1 radius authentication-server 192.168.10.100
 


Dot1x interface details (Supplicant mode can be any single, single-secure or multiple)
 
set protocols dot1x authenticator authentication-profile-name prof1
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single
 
Create VLANs with no interface associated with it { after successful authentication the port is moved to the VLAN specified on the return attribute from the radius server}
 
set vlans engg vlan-id 600
set vlans jtac vlan-id 700
set vlans sales vlan-id 500


Steel Belted Radius (SBR) Configuration

  • Add the Radius clients to the SBR server
  • Add Native users to the user list for Authentication
  • Return to following attributes in the Return List for dynamic VLAN assignment.
  • Tunnel-Medium-Type = 802
  • Tunnel-Private-Group-ID = sales(Please note that the value of this attribute is name of the VLAN i.e. sales as configured above, Or, a vlan-id number)
  • Tunnel-Type = VLAN
  • Set the authentication method and order
Order of Methods
  • Name = Native User
  • EAP Methods = MD5 Challenge
 

Windows XP SP 2 client configuration

  • Go to network connections
  • Go to properties of LAN card
  • Go to Authentication TAB
  • Check "Enable 802.1X authentication for this network"
  • Set EAP type as MD5-Challenge

VERIFICATION

Once configuration is done and client is connected to the EX switch/SRX, the client port will be authenticated and dynamically put into the sales VLAN on authentication as show below.
 
root@user# run show dot1x interface
802.1X Information:
Interface Role State MAC address User

ge-0/0/1.0 Authenticator Authenticated 00:00:00:00:AD:57 JNPR\user1
 
root@user# run show vlans
Name Tag Interfaces
default     None
sales     100      ge-0/0/1.0*, ge-0/0/4.0, ge-0/0/12.0, ge-0/0/13.0, ge-0/0/22.0
Modification History:
2020-02-19: minor non-technical edits.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search