
EX Switch 802.1x MAC based authentication and MAC address table (MAC FDB) aging timer



Article ID: KB16319 KB Last Updated: 24 Feb 2010Version: 1.0
This article explains the default behavior of EX Switches when using 802.1X MAC-based authentication. It also explains the relationship between 802.1X MAC-based authentication and the MAC address table.
A non-responsive host authenticated by MAC-based authentication is removed from the 802.1X authentication table when the FDB aging timer expires (default 300 seconds).
You can configure MAC-based authentication either exclusively, excluding all other forms, or as a fallback when EAP is not supported. This mode is generally used for non-responsive hosts (printers, servers, etc.).
In this mode, the username and password are set to the client's MAC address, so a matching entry must be defined on the authentication server. By adding "restrict" to the mac-radius statement, you force MAC-based authentication exclusively. This eliminates the 90-second delay that must normally elapse before the switch assumes that the host is non-responsive to EAP and falls back to MAC-based authentication.

MAC-based authentication makes use of RADIUS, but technically it is not a defined EAP method. Any traffic from a client connected to a switch interface is sufficient to trigger 802.1X authentication. When the 802.1X RADIUS authentication is successful, the switch puts the interface into the 802.1X authentication table with the state "authenticated". The EX Switch keeps the interface in the "authenticated" state as long as the same MAC entry is present in its Ethernet switching table (MAC FDB table). If the device is inactive for the duration of the MAC aging timer (300 seconds), its entry is flushed from the Ethernet switching table, which causes the switch to remove the device from the 802.1X authentication table.

If the interface is configured to operate in "VLAN A" by default and to move to "VLAN B" on successful 802.1X authentication, the device connected to that interface is placed into VLAN B after 802.1X authentication. If the same device is not operational for 300 seconds (the default MAC aging timer), the EX Switch removes it from the 802.1X authentication table and also moves that interface back into VLAN A (the default VLAN).

Devices such as printers or servers (in listening mode) do not generate packets on their own and will therefore need to be reauthenticated. To avoid this issue, the following are recommended:
  • Increase the MAC aging timer to its highest level.
  • Do not use 802.1X authentication on interfaces connected to non-responsive devices.
  • Configure a keepalive script on the device so that it stays active by periodically sending packets to the switch.
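As an added example that is not part of this KB article, the following Junos configuration applies two of the points above on one port: MAC RADIUS with "restrict" so the switch does not wait for EAP, and a raised MAC aging time so a silent host's FDB entry (and with it the "authenticated" state) survives longer. The interface, RADIUS address, VLAN and profile names and the 86400-second value are assumptions, and the shared secret is a placeholder; the VLAN B assignment itself comes from the RADIUS server (for example via Tunnel-Private-Group-ID), not from this switch configuration.

```junos
/* RADIUS server and access profile referenced by dot1x (names and address are examples) */
access {
    radius-server {
        192.0.2.10 {
            /* placeholder: replace with the real shared secret */
            secret "REPLACE-WITH-SHARED-SECRET";
        }
    }
    profile dot1x-profile {
        authentication-order radius;
        radius {
            authentication-server 192.0.2.10;
        }
    }
}
/* Port is in VLAN A by default; RADIUS moves it to VLAN B after authentication */
interfaces {
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-a;
                }
            }
        }
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name dot1x-profile;
            interface {
                ge-0/0/10.0 {
                    supplicant single;
                    /* restrict: authenticate by MAC address only, skipping the 90-second EAP wait */
                    mac-radius {
                        restrict;
                    }
                }
            }
        }
    }
}
ethernet-switching-options {
    /* default is 300 seconds; a higher value keeps a silent host in the FDB,
       and therefore in the 802.1X table, for longer (86400 = 24 hours, example value) */
    mac-table-aging-time 86400;
}
```

After committing, "show dot1x interface ge-0/0/10.0 detail" and "show ethernet-switching table" can be compared to confirm that the authenticated entry and the FDB entry appear and disappear together.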
