This article describes how to configure dynamic VLAN assignment on an EX Series switch or SRX with a standard Windows XP SP2 client and Steel Belted RADIUS (SBR). The EX Switch/SRX acts as the authenticator in an 802.1X environment, the end-user machine (the supplicant) runs Windows XP SP2, and the authentication server is SBR.
The following steps configure the EX Switch/SRX, the Windows XP SP2 client, and Steel Belted RADIUS (SBR).
EX Switch/SRX configuration
RADIUS server connection details (the shared secret shown is a placeholder; use a long random secret and configure the same value for this client on the SBR side)
set access radius-server 192.168.10.100 secret "$ABC123"
set access radius-server 192.168.10.100 source-address 192.168.10.1
set access profile prof1 authentication-order radius
set access profile prof1 radius authentication-server 192.168.10.100
Dot1x interface details (the supplicant mode can be single, single-secure or multiple)
set protocols dot1x authenticator authentication-profile-name prof1
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single
Create the VLANs without assigning any interface to them; after successful authentication the port is moved into the VLAN named by the return attribute from the RADIUS server
set vlans engg vlan-id 600
set vlans jtac vlan-id 700
set vlans sales vlan-id 500
Steel Belted RADIUS (SBR) configuration
- Add the EX Switch/SRX as a RADIUS client on the SBR server (the source address configured above, 192.168.10.1, with the same shared secret)
- Add Native users to the user list for authentication
- Return the following attributes in the Return List for dynamic VLAN assignment:
- Tunnel-Medium-Type = 802 (IEEE-802, value 6)
- Tunnel-Private-Group-ID = sales (the value is either the VLAN name as configured on the switch, i.e. sales, or the numeric vlan-id, e.g. 500)
- Tunnel-Type = VLAN (value 13)
- Set the authentication method and order
Order of Methods
- Name = Native User
- EAP Methods = MD5 Challenge (EAP-MD5 is fine for a lab, but it does not authenticate the server to the client and the challenge/response can be attacked offline by anyone who captures it; production deployments should use PEAP or EAP-TLS instead)
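As an added example (not from the original article and not Junos or SBR code), the following Python builds the Access-Accept that the Return List above produces, with the three tunnel attributes encoded as in RFC 2868 and the Response Authenticator computed as in RFC 2865, and then decodes it the way an authenticator should: verifying the Response Authenticator before trusting any attribute, and resolving Tunnel-Private-Group-ID, whether it carries a VLAN name or a vlan-id, against the VLANs configured on the switch above. The shared secret, packet identifier and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet code and RFC 2868 tunnel attribute numbers / values
ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64                # Tunnel-Type, tagged integer: 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65         # Tunnel-Medium-Type, tagged integer: 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81    # Tunnel-Private-Group-ID, tagged string: VLAN name or vlan-id
TUNNEL_TYPE_VLAN = 13
MEDIUM_IEEE_802 = 6

# VLANs as configured on the switch in the article (name -> vlan-id)
SWITCH_VLANS = {"engg": 600, "jtac": 700, "sales": 500}


def tagged_integer(attr_type, value, tag=0):
    """RFC 2868 tagged integer: Type, Length=6, Tag, 3-octet value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, text, tag=0):
    """RFC 2868 tagged string: Type, Length, Tag, String."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def build_access_accept(identifier, request_authenticator, secret, vlan):
    """Access-Accept carrying the three Return List attributes (server side)."""
    attrs = (tagged_integer(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
             + tagged_string(TUNNEL_PRIVATE_GROUP_ID, vlan)
             + tagged_integer(TUNNEL_TYPE, TUNNEL_TYPE_VLAN))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def vlan_from_access_accept(packet, request_authenticator, secret):
    """Authenticator side: verify the reply and return the assigned VLAN string, or None.

    The Response Authenticator is checked before any attribute is used; otherwise
    anyone able to spoof the server's address could move a port into any VLAN.
    """
    if len(packet) < 20:
        return None
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    tunnel_type = medium = group_id = None
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading octet above 0x1F is not a tag but part of the string
            text = value[1:] if value[0] <= 0x1F else value
            group_id = text.decode("ascii", "replace")
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != MEDIUM_IEEE_802:
        return None
    return group_id


def resolve_vlan(group_id, vlans=SWITCH_VLANS):
    """Map Tunnel-Private-Group-ID (VLAN name or vlan-id) to (name, vlan-id), or None."""
    if group_id is None:
        return None
    if group_id.isdigit():
        vid = int(group_id)
        for name, configured in vlans.items():
            if configured == vid:
                return (name, vid)
        return None
    return (group_id, vlans[group_id]) if group_id in vlans else None


if __name__ == "__main__":
    secret = b"$ABC123"              # constructed: the placeholder secret from the article
    request_auth = bytes(range(16))  # constructed Request Authenticator from the Access-Request
    reply = build_access_accept(7, request_auth, secret, "sales")
    print(resolve_vlan(vlan_from_access_accept(reply, request_auth, secret)))
```

A reply whose Response Authenticator does not verify, or whose Tunnel-Type/Tunnel-Medium-Type are not VLAN/IEEE-802, yields no VLAN, which is the safe default: the port stays out of any dynamic VLAN rather than landing in one an attacker chose. A returned name or number that matches none of the configured VLANs is likewise rejected by resolve_vlan.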
Windows XP SP 2 client configuration
- Go to network connections
- Go to properties of LAN card
- Go to Authentication TAB
- Check "Enable 802.1X authentication for this network"
- Set EAP type as MD5-Challenge
VERIFICATION
Once the configuration is done and the client is connected to the EX Switch/SRX, the client port is authenticated and dynamically placed into the sales VLAN, as shown below.
root@user# run show dot1x interface
802.1X Information:
Interface Role State MAC address User
ge-0/0/1.0 Authenticator Authenticated 00:00:00:00:AD:57 JNPR\user1
root@user# run show vlans
Name Tag Interfaces
default None
sales 500 ge-0/0/1.0*, ge-0/0/4.0, ge-0/0/12.0, ge-0/0/13.0, ge-0/0/22.0
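The same check can be scripted over the two command outputs above, which is useful when several ports and users are in play. The following is an added example, not part of the original article; the sample outputs are constructed in the format shown in the verification section, and the expected mapping of user to VLAN is an assumed input.

```python
# Constructed sample output of "show dot1x interface" (format as in the article)
DOT1X_OUTPUT = """802.1X Information:
Interface       Role           State          MAC address        User
ge-0/0/1.0      Authenticator  Authenticated  00:00:00:00:AD:57  JNPR\\user1
ge-0/0/2.0      Authenticator  Connecting     00:00:00:00:AD:58
"""

# Constructed sample output of "show vlans" (format as in the article)
VLANS_OUTPUT = """Name     Tag   Interfaces
default  None
engg     600   ge-0/0/7.0
sales    500   ge-0/0/1.0*, ge-0/0/4.0, ge-0/0/12.0, ge-0/0/13.0, ge-0/0/22.0
"""


def authenticated_interfaces(dot1x_output):
    """Return {interface: user} for ports whose 802.1X state is Authenticated."""
    result = {}
    for line in dot1x_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "Authenticator" and fields[2] == "Authenticated":
            result[fields[0]] = fields[4] if len(fields) > 4 else None
    return result


def vlan_membership(vlans_output):
    """Return {interface: (vlan name, tag)} from the show vlans table."""
    membership = {}
    for line in vlans_output.splitlines()[1:]:   # skip the header row
        fields = line.split(None, 2)
        if len(fields) < 3:                      # e.g. "default  None" has no interfaces
            continue
        name, tag, interfaces = fields
        for iface in interfaces.split(","):
            iface = iface.strip().rstrip("*")    # drop the trailing marker
            membership[iface] = (name, int(tag) if tag.isdigit() else None)
    return membership


def check_dynamic_vlan(dot1x_output, vlans_output, expected):
    """expected: {user: vlan name}. Returns {interface: (user, actual vlan, ok)}."""
    members = vlan_membership(vlans_output)
    report = {}
    for iface, user in authenticated_interfaces(dot1x_output).items():
        vlan = members.get(iface, (None, None))[0]
        report[iface] = (user, vlan, vlan == expected.get(user))
    return report


if __name__ == "__main__":
    print(check_dynamic_vlan(DOT1X_OUTPUT, VLANS_OUTPUT, {"JNPR\\user1": "sales"}))
```

Only ports in the Authenticated state are compared, so a port still in Connecting (or one that failed and fell back to a guest or default VLAN) shows up as absent from the report rather than as a false pass.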