[EX/SBR/QFX] Dot1x configuration for EX-Series switches that authenticate via the Steel Belt Radius server


Article ID: KB24293 KB Last Updated: 25 Feb 2020 Version: 3.0
Summary:
This article provides the dot1x configuration for EX-Series switches in supplicant multiple mode, in which a phone and a PC are connected to the switch that authenticates via the SBR server.
Symptoms:
Supplicant multiple is used, as two supplicants (phone and PC) are connected on the ge-0/0/0 port.

Requirements:
 
  • Junos 9.0 or later on the EX switch.

  • Phone.

  • PC that has the Odyssey client or equivalent installed on it.

Topology:

Solution:
Configuration on the EX switch:
set protocols dot1x authenticator authentication-profile-name test
set protocols dot1x authenticator interface ge-0/0/0.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/0.0 mac-radius
set access radius-server 30.30.30.2 port 1812
set access radius-server 30.30.30.2 secret "$ABC123"
set access profile test authentication-order radius
set access profile test radius authentication-server 30.30.30.2
set system authentication-order radius
set interfaces ge-0/0/0 unit 0 family ethernet-switching
set ethernet-switching-options voip interface ge-0/0/0.0 vlan voice

SBR configuration:
  1. Verify that the license is valid and has not expired in the SBR main tab, as shown below:

    Note: You must see Licensed for Enterprise Edition and not 'expired on xx/xx/xxxx'.


  2. Configure the EX switch as the Radius client on SBR. The Shared Secret should be the same as configured on the EX switch. The IP Address should be the address that is configured as RVI/L3 on the EX switch for the port to which the SBR is connected. The Make/Model should always be Standard Radius:


  3. Configure the users on the Users - Native tab:
     
    1. For the PC, users are authenticated via the EAP protocol.
       
      • Name: The name that is used for authentication on the PC.

      • Password: The password that is used for authentication on the PC.

      • Attributes under the Return List:
         
        • Tunnel-Medium-Type: It is always 802.

        • Tunnel-Private-Group-ID: Name of the VLAN in which the PC should be placed.

        • Tunnel-Type: It is always VLAN.


    2. For the phone, users are authenticated via MAC-Radius.
       
      • Name: MAC Address of the phone.

      • Password: MAC Address of the phone.

      • Attributes under the Return List:
         
        • Tunnel-Medium-Type: It is always 802.

        • Tunnel-Private-Group-ID: Name of the VLAN in which the phone should be placed.

        • Tunnel-Type: It is always VLAN.


  4. Under Authentication Policies, configure the Order of Methods and include all the authentication methods:


  5. EAP Methods: All of the methods have to be selected under Authentication Policies.

    Note: Configuring any settings on the phone is not necessary, as it does not do EAP and authenticates through MAC.
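
On the wire, each Return List from step 3 becomes three attributes in the RADIUS Access-Accept. The following is an added example, not part of the original article or of SBR: it encodes those attributes and checks a received set, using the attribute numbers and values from RFC 2868 and RFC 3580. The function names are illustrative.

```python
# RADIUS attribute numbers and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6   # what the Return List shows as "VLAN" and "802"

def _attr(attr_type, value):
    """Encode one attribute as Type, Length, Value (Length covers all three)."""
    return bytes([attr_type, len(value) + 2]) + value

def encode_return_list(vlan_name, tag=0):
    """Build the three return-list attributes for one user entry (illustrative)."""
    t = bytes([tag])   # tag octet; 0 means the tag is unused
    return (_attr(TUNNEL_TYPE, t + VLAN.to_bytes(3, "big"))
            + _attr(TUNNEL_MEDIUM_TYPE, t + IEEE_802.to_bytes(3, "big"))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, vlan_name.encode("ascii")))

def decode_vlan_assignment(attrs):
    """Return the VLAN name, or raise ValueError naming what is missing or wrong."""
    seen, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError(f"malformed attribute at offset {i}")
        seen[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    problems = []
    for attr_type, want, label in ((TUNNEL_TYPE, VLAN, "Tunnel-Type"),
                                   (TUNNEL_MEDIUM_TYPE, IEEE_802, "Tunnel-Medium-Type")):
        raw = seen.get(attr_type)
        if raw is None or len(raw) != 4:
            problems.append(f"{label} missing or wrong length")
        elif int.from_bytes(raw[1:], "big") != want:   # raw[0] is the tag octet
            problems.append(f"{label} is {int.from_bytes(raw[1:], 'big')}, expected {want}")
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group[:1] and group[0] <= 0x1F:   # optional tag octet precedes the name
        group = group[1:]
    if not group:
        problems.append("Tunnel-Private-Group-ID missing or empty")
    if problems:
        raise ValueError("; ".join(problems))
    return group.decode("ascii")

if __name__ == "__main__":
    print(decode_vlan_assignment(encode_return_list("voice")))
```
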

Odyssey configuration on the PC:
  1. Under Adapters, select the NIC that should be used for authentication:


  2. Under the Configuration Profile, create a profile:

    1. Create the same user name and password, as configured on SBR for the PC user:


    2. Order of authentication:


    3. EAP authentication order:


Verification:

On the EX switch:

The following command shows whether the supplicant mode is multiple and whether the authenticated VLANs are data and voice for the PC and the phone, respectively:
user@switch# run show dot1x interface detail    
ge-0/0/0.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Enabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: 
  Number of connected supplicants: 2
    Supplicant: 0096E1128A6, 00:09:6E:11:28:A6     <-- Phone
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentcation method: Mac Radius
      Authenticated VLAN: voice
      Session Reauth interval: 60 seconds
      Reauthentication due in 33 seconds
    Supplicant: TEST1, 00:E0:4C:4D:11:88     <-- PC
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentcation method: Radius
      Authenticated VLAN: data      
      Session Reauth interval: 60 seconds
      Reauthentication due in 33 seconds
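
One way to run this check automatically, as an added example that is not part of the original article: MAC RADIUS identifies a device only by its MAC address, so the script confirms that MAC-authenticated supplicants land only in the voice VLAN and 802.1X users only in the data VLAN. The POLICY mapping, the function names and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample in the shape of the 'show dot1x interface detail' output above.
SAMPLE = """\
ge-0/0/0.0
  Supplicant mode: Multiple
    Supplicant: 0096E1128A6, 00:09:6E:11:28:A6
      Operational state: Authenticated
      Authentcation method: Mac Radius
      Authenticated VLAN: voice
    Supplicant: TEST1, 00:E0:4C:4D:11:88
      Operational state: Authenticated
      Authentcation method: Radius
      Authenticated VLAN: data
"""

# Assumed policy (not from the article): VLANs each authentication method may land in.
POLICY = {"Mac Radius": {"voice"}, "Radius": {"data"}}

def _field(block, label):
    """Value after 'label:' anywhere in the block, or '' if absent."""
    m = re.search(label + r":[ \t]*([^\n]*)", block)
    return m.group(1).strip() if m else ""

def parse_supplicants(text):
    """One dict per 'Supplicant:' block; accepts either spelling of the method label."""
    out = []
    for block in re.split(r"(?m)^[ \t]*Supplicant:", text)[1:]:
        ident = re.match(r"\s*(\S+),\s*([0-9A-Fa-f:]{17})", block)
        if not ident:
            continue
        out.append({"name": ident.group(1), "mac": ident.group(2).lower(),
                    "state": _field(block, "Operational state"),
                    "method": _field(block, r"Authent\w*ation method"),
                    "vlan": _field(block, "Authenticated VLAN")})
    return out

def audit(text, policy=POLICY):
    """Findings for supplicants that are unauthenticated or in an unexpected VLAN."""
    findings = []
    for s in parse_supplicants(text):
        if s["state"] != "Authenticated":
            findings.append(f"{s['mac']}: state is {s['state'] or 'unknown'}")
        elif s["vlan"] not in policy.get(s["method"], set()):
            findings.append(f"{s['mac']}: {s['method']} supplicant in VLAN {s['vlan']}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "all supplicants match policy")
```
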
 
On the SBR server:

You can check the statistics under Statistics > Radius Clients, as illustrated in the following image:
