802.1X authentication fails as the EX Switch does not send out RADIUS Access Request to the UAC controller


Article ID: KB15323    Last Updated: 20 Feb 2020    Version: 3.0
Summary:
This Knowledge Base (KB) item helps troubleshoot a scenario where the EX Switch fails to send a RADIUS Access Request towards the UAC (Unified Access Control) Infranet Controller.
Symptoms:
802.1X authentication fails. Running "monitor traffic interface <interface-name>" on the EX interface that connects to the UAC shows that the EX Switch is not sending any RADIUS Access Request packets.
Solution:
Unified Access Control (UAC) is a standards-based, scalable solution for adaptive access control that reduces threat exposure and mitigates risk. It protects the network, guarding mission-critical applications and sensitive data, and provides comprehensive control, visibility, and monitoring. The IC (Infranet Controller), through the UAC Agent or in UAC agent-less mode, gathers user authentication, endpoint security state, and device location data in order to implement dynamic access and security policies, which it distributes to enforcement points across the network. These enforcement points can include any vendor-independent 802.1X-enabled access point or switch, such as EX Series Ethernet Switches, and any Juniper Networks firewall.


NOTE: For a basic understanding of 802.1X authentication on the EX Series Ethernet Switches, please refer to the "Related Links" section below.


802.1X works by using an Authenticator Port Access Entity (the EX series Switch) to block all traffic to and from a supplicant (client) at the interface until the supplicant's credentials are presented and matched on the Authentication server (a RADIUS server). When authenticated, the switch stops blocking and opens the interface to the supplicant.

To configure 802.1X authentication:
 
*   Specify the RADIUS server to be used as the authentication server.
*   Specify 802.1X interface settings on the switch.
*   Specify the 802.1X exclusion list, used to specify which supplicants can bypass 802.1X authentication and be automatically connected to the LAN.

Basic configuration required for 802.1X on the EX Series switches is shown below. Single supplicant mode is used on interface ge-0/0/6 as an example.

user@switch> configure
user@switch# set access radius-server <UAC IP address> port 1812
user@switch# set access radius-server <UAC IP address> secret <secret>
user@switch# set access radius-server <UAC IP address> source-address <EX source IP address>
user@switch# set access profile <profile-name> authentication-order radius
user@switch# set access profile <profile-name> radius authentication-server <UAC IP address>

user@switch# set protocols dot1x authenticator authentication-profile-name <profile-name>
user@switch# set protocols dot1x authenticator interface ge-0/0/6.0 supplicant single
user@switch# commit synchronize

Terms:
<profile-name> - The name of the access profile being created. The same profile name must be used under "access profile" and under "protocols dot1x authenticator authentication-profile-name"; if the two differ, dot1x references a profile that does not exist.
<UAC IP address> - The IP address of the IC (RADIUS server) being used.
<EX source IP address> - An IP address configured on the EX itself, used as the source of the RADIUS packets sent to the UAC.
<secret> - The shared secret between the EX and the UAC. It MUST be identical on the EX and on the UAC.

To configure an 802.1X exclusion list (static MAC bypass), use the following statement under the same "protocols dot1x authenticator" hierarchy as the interface configuration above:

user@switch# set protocols dot1x authenticator static <MAC-address> interface <interface-name> vlan-assignment <vlan-name>
user@switch# commit synchronize

For example, to exclude a PC with MAC address "00:00:00:00:ac:fe" connected to interface "ge-0/0/5" and assign it to VLAN "default-vlan", use the following statement:

user@switch# set protocols dot1x authenticator static 00:00:00:00:ac:fe interface ge-0/0/5 vlan-assignment default-vlan


Please verify that all IP addresses specified in the configuration on the EX are accurate.

NOTE:
The source-address (EX source IP address) defined under the "access radius-server" stanza must be an IP address that resides on the EX switch. The EX uses this address as the source of the RADIUS Access Request it sends towards the IC (Infranet Controller). If the address specified here is not configured on any interface of the switch, the EX has no local address to send from and, as a result, silently sends no RADIUS Access Request at all. Verify with "show interfaces terse" that the address really is assigned to an interface of the switch, and that it is reachable from the UAC.

Snippet of the relevant configuration ("$ABC123" is a placeholder for the shared secret):

access {
    radius-server {
        192.168.10.20 {
            port 1812;
            secret "$ABC123"; ## SECRET-DATA
            timeout 5;
            retry 3;
            source-address 192.168.10.1;
        }
    }
}

Ensure that the correct source-address is defined. Defining an incorrect source-address results in the EX Switch not sending any RADIUS Access Request to the UAC.
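The two misconfigurations this article describes (a source-address that is not on the switch, and a profile name that differs between "access profile" and "protocols dot1x") can both be caught before anyone looks at a packet capture. The script below is an added example, not Juniper's code and not part of the original article: it lints a configuration exported with "show configuration | display set" and reports exactly those problems. The sample configurations are constructed for illustration; the only assumption about the export format is that interface addresses appear as "set interfaces <ifd> unit <n> family inet address <ip>/<len>".

```python
"""Lint a Junos 'display set' export for the 802.1X/RADIUS mistakes
that stop an EX switch from sending a RADIUS Access-Request.

Added example (not Juniper's code). Assumes the configuration was
exported with 'show configuration | display set'.
"""
import ipaddress
import shlex

# Constructed sample: the profile name differs between 'access profile'
# (dot1x-prof) and 'protocols dot1x' (dot1x-profile), and source-address
# 192.168.10.5 is not configured on any interface (only 192.168.10.1 is).
SAMPLE_CONFIG = """\
set interfaces vlan unit 10 family inet address 192.168.10.1/24
set access radius-server 192.168.10.20 port 1812
set access radius-server 192.168.10.20 secret "$ABC123"
set access radius-server 192.168.10.20 source-address 192.168.10.5
set access profile dot1x-prof authentication-order radius
set access profile dot1x-prof radius authentication-server 192.168.10.20
set protocols dot1x authenticator authentication-profile-name dot1x-profile
set protocols dot1x authenticator interface ge-0/0/6.0 supplicant single
"""

# Constructed sample with both mistakes corrected.
FIXED_CONFIG = SAMPLE_CONFIG.replace("192.168.10.5", "192.168.10.1") \
                            .replace("dot1x-profile", "dot1x-prof")


def parse_set_config(text):
    """Return one token list per 'set ...' line, with 'set' dropped."""
    stmts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            stmts.append(shlex.split(line)[1:])  # shlex strips the quotes around the secret
    return stmts


def local_addresses(stmts):
    """Set of IPs configured on the switch's own interfaces (without prefix length)."""
    addrs = set()
    for t in stmts:
        if (len(t) >= 8 and t[0] == "interfaces" and t[2] == "unit"
                and t[4:7] == ["family", "inet", "address"]):
            addrs.add(str(ipaddress.ip_interface(t[7]).ip))
    return addrs


def radius_servers(stmts):
    """Map RADIUS server IP -> {option: value} from 'access radius-server'."""
    servers = {}
    for t in stmts:
        if len(t) >= 3 and t[:2] == ["access", "radius-server"]:
            opts = servers.setdefault(t[2], {})
            if len(t) >= 5:
                opts[t[3]] = t[4]
    return servers


def lint(text):
    """Return a list of findings; an empty list means nothing suspicious."""
    stmts = parse_set_config(text)
    findings = []
    addrs = local_addresses(stmts)
    servers = radius_servers(stmts)

    # Check 1: source-address must be an address that lives on the switch.
    for ip, opts in servers.items():
        src = opts.get("source-address")
        if src is not None and src not in addrs:
            findings.append(f"radius-server {ip}: source-address {src} is not configured "
                            f"on any interface; the Access-Request will not be sent")
        if "secret" not in opts:
            findings.append(f"radius-server {ip}: no shared secret configured")

    # Check 2: dot1x must reference an access profile that actually exists,
    # and that profile must point at a defined radius-server.
    dot1x_profile = None
    profiles = {}  # profile name -> set of authentication-server IPs
    for t in stmts:
        if t[:4] == ["protocols", "dot1x", "authenticator",
                     "authentication-profile-name"] and len(t) >= 5:
            dot1x_profile = t[4]
        if t[:2] == ["access", "profile"] and len(t) >= 3:
            profiles.setdefault(t[2], set())
            if t[3:5] == ["radius", "authentication-server"] and len(t) >= 6:
                profiles[t[2]].add(t[5])
    if dot1x_profile is None:
        findings.append("protocols dot1x: no authentication-profile-name configured")
    elif dot1x_profile not in profiles:
        findings.append(f"protocols dot1x references profile '{dot1x_profile}' but only "
                        f"{sorted(profiles)} exist under 'access profile'")
    else:
        for ip in profiles[dot1x_profile]:
            if ip not in servers:
                findings.append(f"profile {dot1x_profile}: authentication-server {ip} "
                                f"has no 'access radius-server' definition")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {lint(cfg) or ['OK']}")
```

Feed it the output of "show configuration | display set" from the switch; any finding about source-address is the condition this article describes, and a finding about the profile name explains the closely related case where dot1x is enabled on the port but no RADIUS server is ever consulted.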

 
Modification History:
2020-02-20: minor non-technical edits.

Related Links
