
[EX] Dot1x-enabled access interface part of multiple VLANs


Article ID: KB29795   Last Updated: 04 Mar 2017   Version: 3.0
Summary:

EX Series switches use VLANs to make logical groupings of network nodes with their own broadcast domains. VLANs limit the traffic flowing across the entire LAN and reduce collisions and packet retransmissions.

There are several ways in which a VLAN can be configured:

  • Port-based VLAN assignment
  • MAC-based VLAN assignment

The 802.1X protocol is used to perform port-level authentication and control of devices connected to the 802.1X-enabled LAN ports. With the 802.1X protocol employed, a user-side device can access the LAN only after it passes the authentication. Devices that fail to pass the authentication are denied access to the LAN.

Symptoms:

The most common way of grouping VLAN members is by port, through manual assignment of individual ports to specific VLANs. An administrator must add the ports to the specific VLANs by hand, and a port assigned in this way is always a member of that VLAN.

Another method of VLAN assignment is MAC-based. Here the grouping is not based on the ports, but is based on the MAC address. MAC-based VLANs are mostly used in conjunction with security technologies such as 802.1X to provide secure and flexible access to end devices.

This MAC-based VLAN assignment can be done using two different methods:

  • Static assignment, where the MAC binding is configured statically by assigning a specific MAC address (or, with a shorter prefix length, a range of MAC addresses) to a VLAN:

set protocols dot1x authenticator static 00:15:c5:f5:d1:d1/48 vlan-assignment 11
set protocols dot1x authenticator static 00:1c:c4:00:00:00/24 vlan-assignment 78

  • Dynamic assignment, where the MAC address is authenticated by an authentication device before the user is allowed access. This is useful for large-scale network deployments. See Configuring 802.1X Interface Settings.

Cause:

Solution:

Scenario:

Let's say we have an EX switch connected to an authentication device (RADIUS). This EX switch is also connected to a hub to which multiple PCs belonging to different VLANs are attached.

PC-A belongs to VLAN102, PC-B belongs to VLAN99, and PC-C belongs to VLAN quarantine.

As the diagram shows, there is a single port on the EX switch connecting to the hub to which these PCs are attached. So, from the switch's point of view, a single interface is connected to multiple devices.

We are enabling the dot1x configuration for security purposes. When the PCs are connected, their MAC addresses are not learned initially; the PCs first go through an authentication phase. Once authentication completes and MAC learning occurs, all the PCs can communicate.

The configuration for the port connecting to the hub is as follows:

set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members VLAN99
set protocols dot1x authenticator interface ge-0/0/7.0 supplicant multiple

On checking the output of show dot1x interface detail, we see the following results:

root@persw9999> show dot1x interface detail (three authenticated devices, each in a separate VLAN)
ge-0/0/7.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 10 seconds
Mac Radius: Disabled
Mac Radius Restrict: Disabled
Reauthentication: Enabled
Configured Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 3
Guest VLAN member: VLAN102
Number of connected supplicants: 3 <===================== 3 supplicants
Supplicant: No User, 1C:75:08:EE:60:9D
Operational state: Authenticated
Backend Authentication state: Idle
Authentication method: GuestVlan
Authenticated VLAN: VLAN102 <========================= 1st VLAN
Session Reauth interval: 3600 seconds
Reauthentication due in 0 seconds
Supplicant: DIR\p.rowell, 84:8F:69:F0:FB:FB
Operational state: Authenticated
Backend Authentication state: Idle
Authentication method: Radius
Authenticated VLAN: VLAN99 <========================== 2nd VLAN
Session Reauth interval: 604800 seconds
Reauthentication due in 604658 seconds
Supplicant: DIR\p.rowell, F0:1F:AF:3A:91:52
Operational state: Authenticated
Backend Authentication state: Idle
Authentication method: Radius
Authenticated VLAN: quarantine <======================== 3rd VLAN
Session Reauth interval: 604800 seconds
Reauthentication due in 604693 seconds

We see that port ge-0/0/7, even though configured as an access port, is authenticating users from three different VLANs, and these devices are able to communicate. Even though the devices are on three different VLANs, they can communicate because the ethernet-switching table holds a MAC-to-VLAN mapping for each of them.

A single access port is able to authenticate users from different VLANs because the VLAN assignment is MAC-based.

The above example will not work if the VLAN assignment method is port-based.

The output of the show dot1x interface detail command, in conjunction with MAC-based VLAN assignment, might vary from vendor to vendor; for Juniper, the example illustrated above is the expected behavior.
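As an added example (not part of this article and not Juniper code), the following Python script parses the show dot1x interface detail output shown above and groups the authenticated supplicants by the VLAN they were placed in, reporting any that landed outside the VLAN configured on the access port (VLAN99 in the configuration above). This is the check an operator would run when reviewing a multi-supplicant access port: it separates the RADIUS-assigned sessions from the guest-VLAN fallback session ("No User") so that an unexpected fallback placement is visible rather than hidden inside a long listing. The sample text is a constructed, trimmed copy of the output above, and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the supplicant-related lines of the article's
# "show dot1x interface detail" output, trimmed to the fields this check reads.
SAMPLE_OUTPUT = """\
ge-0/0/7.0
Role: Authenticator
Supplicant mode: Multiple
Guest VLAN member: VLAN102
Number of connected supplicants: 3
Supplicant: No User, 1C:75:08:EE:60:9D
Operational state: Authenticated
Authentication method: GuestVlan
Authenticated VLAN: VLAN102
Supplicant: DIR\\p.rowell, 84:8F:69:F0:FB:FB
Operational state: Authenticated
Authentication method: Radius
Authenticated VLAN: VLAN99
Supplicant: DIR\\p.rowell, F0:1F:AF:3A:91:52
Operational state: Authenticated
Authentication method: Radius
Authenticated VLAN: quarantine
"""

# "Supplicant: <user>, <mac>" opens each per-supplicant block in the output.
SUPPLICANT_RE = re.compile(
    r"^Supplicant:\s*(?P<user>.*?),\s*(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$"
)
# Logical interface name such as ge-0/0/7.0 on its own line.
IFACE_RE = re.compile(r"^[a-z]+-\d+/\d+/\d+\.\d+$")


def parse_dot1x_detail(text):
    """Parse the CLI text into {"interface", "guest_vlan", "supplicants": [...]}.

    Each supplicant dict carries user, mac, state, method and vlan as printed.
    Inline "<===" annotations (as in the article's listing) are stripped first.
    """
    result = {"interface": None, "guest_vlan": None, "supplicants": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("<=")[0].strip()
        if not line:
            continue
        if result["interface"] is None and IFACE_RE.match(line):
            result["interface"] = line
            continue
        m = SUPPLICANT_RE.match(line)
        if m:
            current = {"user": m.group("user"), "mac": m.group("mac").upper()}
            result["supplicants"].append(current)
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if current is None:
            # Still in the per-interface header section.
            if key == "guest vlan member":
                result["guest_vlan"] = value
        elif key == "operational state":
            current["state"] = value
        elif key == "authentication method":
            current["method"] = value
        elif key == "authenticated vlan":
            current["vlan"] = value
    return result


def review_access_port(text, configured_vlan):
    """Group authenticated MACs by VLAN and report those placed outside the
    VLAN configured on the access port (guest-VLAN fallback or server-assigned)."""
    parsed = parse_dot1x_detail(text)
    by_vlan = defaultdict(list)
    findings = []
    for s in parsed["supplicants"]:
        if s.get("state") != "Authenticated":
            continue  # only sessions that passed (or fell back) occupy a VLAN
        by_vlan[s["vlan"]].append(s["mac"])
        if s["vlan"] != configured_vlan:
            note = "guest-VLAN fallback" if s.get("method") == "GuestVlan" else "server-assigned"
            findings.append(
                f"{parsed['interface']}: {s['mac']} ({s['user']}) is in {s['vlan']}, "
                f"not {configured_vlan} [{note}]"
            )
    return {"interface": parsed["interface"], "guest_vlan": parsed["guest_vlan"],
            "vlans": dict(by_vlan), "findings": findings}


if __name__ == "__main__":
    report = review_access_port(SAMPLE_OUTPUT, "VLAN99")
    for vlan, macs in report["vlans"].items():
        print(f"{vlan}: {', '.join(macs)}")
    for line in report["findings"]:
        print("FINDING:", line)
```

Run against the sample it reports the three VLANs from the article and two findings: the guest-VLAN fallback session in VLAN102 and the RADIUS-assigned session in quarantine. Feeding it the raw output of the command (for example from a saved session log) works the same way, since the annotation markers are discarded before parsing.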
