Can the me0 interface be used to send RADIUS traffic to the authentication server on the EX-series Ethernet switches?

Article ID: KB15046
Last Updated: 24 Feb 2020
Version: 2.0

Summary:
This article explains how the out-of-band management port 'me0' can be used to send authentication requests to the RADIUS server.
Solution:
The me0 port on the EX-series Ethernet switch is the out-of-band management port located at the rear of the switch and used for managing the switch. The IP address of the me0 port must not be in the same subnet as any of the front network ports on the EX; the front network ports must be in a subnet that is completely isolated from the me0 port.


The me0 port can be used to send RADIUS traffic to the authentication server from the EX switch. An IP address must be defined on this interface. It can be configured with the following configuration statements:
 
root# set interfaces me0.0 family inet address 10.3.217.12/24
root# commit

The Remote Authentication Dial-In User Service (RADIUS) provides a centralized method for authenticating users on the EX switch. RADIUS uses a client/server model. All transactions between the server and the client are authenticated with a password called the shared secret. The RADIUS server can be configured on the EX with the following configuration statements:
 
root# set system authentication-order [ radius password ]
root# set system radius-server 10.3.217.150 secret "$ABC123"
root# set system radius-server 10.3.217.150 source-address 10.3.217.12
root# commit

NOTE: For more details on configuring alternate authentication methods and a backup RADIUS server on the EX, refer to Knowledge Base article KB15045.


If the RADIUS server is reachable via the out-of-band management port me0, it must not also be reachable from any of the front network ports on the EX. In effect, to avoid a routing loop, the networks reachable from the me0 port must be completely isolated from the networks reachable from the front network ports. In this example, the IP address of the RADIUS server is 10.3.217.150 and the IP address of the me0 port on the EX is 10.3.217.12. The RADIUS server is reachable only from the me0 port on the EX and not from the front network ports (ge-0/0/0 to ge-0/0/23).
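The isolation rule above is easy to state and easy to break during a later change, so the following added check (example code written for this article, not Juniper's own tooling) audits an EX configuration in "set" form. It parses the me0, RVI and radius-server statements given in this article and reports when the me0 subnet overlaps a front-panel subnet, when a RADIUS server address also falls inside a front-panel subnet, or when the server's source-address is not the me0 address. The sample configuration is constructed from the article's own statements; the check assumes the RADIUS server is on-link with me0, as in the article's example, and does not follow static routes.

```python
import ipaddress
import re

# Constructed sample in "set" form, combining the statements given in this article.
SAMPLE_CONFIG = """
set interfaces me0.0 family inet address 10.3.217.12/24
set interfaces vlan unit 50 family inet address 10.10.10.1/24
set system authentication-order [ radius password ]
set system radius-server 10.3.217.150 secret "$ABC123"
set system radius-server 10.3.217.150 source-address 10.3.217.12
"""

# Matches both "me0.0" and "vlan unit 50" spellings of a logical interface.
ADDR_RE = re.compile(
    r"^set interfaces (\S+?)(?:\.(\d+)| unit (\d+)) family inet address (\S+)$")
RADIUS_RE = re.compile(
    r"^set system radius-server (\S+) (secret|source-address) (\S+)$")


def parse_config(text):
    """Return ({physical_ifname: [IPv4Interface, ...]}, {server_ip: {option: value}})."""
    ifaces, servers = {}, {}
    for line in text.strip().splitlines():
        line = line.strip()
        m = ADDR_RE.match(line)
        if m:
            ifaces.setdefault(m.group(1), []).append(ipaddress.ip_interface(m.group(4)))
            continue
        m = RADIUS_RE.match(line)
        if m:
            servers.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return ifaces, servers


def check_oob_isolation(ifaces, servers, oob="me0"):
    """Return a list of findings; an empty list means the article's conditions hold."""
    findings = []
    oob_ifs = ifaces.get(oob, [])
    if not oob_ifs:
        return [f"no family inet address configured on {oob}"]
    oob_nets = [a.network for a in oob_ifs]
    oob_addrs = {a.ip for a in oob_ifs}
    front_nets = [a.network for name, addrs in ifaces.items() if name != oob for a in addrs]

    # Rule 1: the me0 subnet must not overlap any front-panel or RVI subnet.
    for o in oob_nets:
        for f in front_nets:
            if o.overlaps(f):
                findings.append(f"{oob} subnet {o} overlaps front-panel subnet {f}")

    # Rule 2: each RADIUS server must be reachable via me0 only, and the
    # Access-Request must be sourced from the me0 address.
    for ip_str, opts in servers.items():
        ip = ipaddress.ip_address(ip_str)
        if not any(ip in o for o in oob_nets):
            findings.append(f"RADIUS server {ip} is not in an {oob} subnet")
        for f in front_nets:
            if ip in f:
                findings.append(f"RADIUS server {ip} is also reachable via front-panel subnet {f}")
        src = opts.get("source-address")
        if src is None:
            findings.append(f"RADIUS server {ip} has no source-address; set it to the {oob} address")
        elif ipaddress.ip_address(src) not in oob_addrs:
            findings.append(f"RADIUS server {ip} source-address {src} is not an {oob} address")
    return findings


def audit(text, oob="me0"):
    """Parse a set-style configuration and return the isolation findings."""
    ifaces, servers = parse_config(text)
    return check_oob_isolation(ifaces, servers, oob)


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["OK: RADIUS server reachable only via me0"]:
        print(line)
```

Run it against the output of `show configuration | display set` saved to a file; any finding means the me0 path and the front-panel path are no longer disjoint and the source-address or addressing should be corrected before the next commit.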

In this example, the user PC resides in VLAN 'finance'. This VLAN also has a Routed Virtual Interface (RVI), vlan.50, defined with the IP address 10.10.10.1/24. The VLAN is configured on the EX with the following configuration statements:
 
root# set vlans finance vlan-id 50
root# set vlans finance l3-interface vlan.50
root# set vlans finance interface ge-0/0/0.0
root# set interfaces vlan unit 50 family inet address 10.10.10.1/24
root# set interfaces ge-0/0/0.0 family ethernet-switching
root# commit
 
A remote template must also be defined on the EX switch for remote users who log in via RADIUS/TACACS, since these user accounts are not defined locally on the EX. Ensure that the following configuration snippet is included in the EX configuration:
 
root# set system login user remote class <class>
root# commit

NOTE: <class> is a well-defined login class with specific permissions on the EX. The predefined classes and their permissions are:
operator permissions [ clear network reset trace view ]
read-only permissions [ view ]
super-user permissions [ all ]
unauthorized permissions [ none ]

NOTE: User login will fail if the remote template is not configured on the EX as shown above.

In this example, the user PC is connected to port ge-0/0/0 on the EX switch. The IP address of the user PC is 10.10.10.40/24. When the user opens a telnet/ssh session to the EX IP address 10.10.10.1, the EX sends a RADIUS request to the server for authentication. Because the route to the RADIUS server is via the me0 port, the EX sends the RADIUS Access-Request with the source IP address of the me0 port (10.3.217.12). When the RADIUS server replies with a RADIUS Access-Accept message, the EX allows the user login to complete.
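The exchange just described, with the shared secret doing the work the article attributes to it, as an added example that is not part of the original article or of Junos. It builds the Access-Request the EX would send (NAS-IP-Address 10.3.217.12 from the article; user name, password and the toy user database are constructed), hides the User-Password with the RFC 2865 section 5.2 construction, lets a minimal server issue Access-Accept or Access-Reject, and has the client verify the Response Authenticator before trusting the reply. The MD5 usage is the protocol's own definition, reproduced here to show why a mismatched secret on either side causes both the password check and the reply check to fail.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs (type, length, value)."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(p[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as the server does it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(ident, user, password, secret, nas_ip, request_auth):
    """Client side (the EX): Code, Identifier, Length, Request Authenticator, attributes."""
    attrs = _attrs([
        (ATTR_USER_NAME, user.encode()),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
        (ATTR_NAS_IP, bytes(int(x) for x in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(hdr + request_auth + attrs + secret).digest()
    return hdr + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """Client side: trust the reply only if its authenticator matches our secret and request."""
    hdr, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(hdr + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def server_decide(request, secret, users):
    """Toy server: parse the request, recover the password, answer Accept or Reject."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    pos, fields = 20, {}
    while pos < length:
        t, l = request[pos], request[pos + 1]
        fields[t] = request[pos + 2:pos + l]
        pos += l
    user = fields[ATTR_USER_NAME].decode()
    password = reveal_password(fields[ATTR_USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    return build_response(code, ident, req_auth, secret)


def exchange(user, password, client_secret, server_secret, users):
    """Run one round trip; return (server accepted, client verified the reply)."""
    req_auth = os.urandom(16)
    req = build_access_request(7, user, password, client_secret, "10.3.217.12", req_auth)
    resp = server_decide(req, server_secret, users)
    return resp[0] == ACCESS_ACCEPT, verify_response(resp, req_auth, client_secret)


if __name__ == "__main__":
    # Constructed user database; "$ABC123" is the secret from the article's configuration.
    users = {"alice": "s3cret"}
    print(exchange("alice", "s3cret", b"$ABC123", b"$ABC123", users))  # (True, True)
    print(exchange("alice", "s3cret", b"$ABC123", b"other", users))    # (False, False)
```

The second call models a secret mismatch between the EX and the server: the server cannot recover the password and rejects, and the EX cannot validate the reply either, which is what a "secret mismatch" looks like in a packet capture on me0 (requests going out, replies arriving but never honoured).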
 