Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[EX/SRX] Bypassing 802.1x authentication using MAC static list

0

0
Article ID: KB11429 KB Last Updated: 04 Mar 2017Version: 4.0 Summary:
The static MAC list provides an authentication bypass mechanism for clients connecting to a 802.1x enabled port.  The MAC address of the client is checked in the local database, if a match is found, the client is assumed to be successfully authenticated and the port is opened for the client.  No further authentication is necessary. If the match is not found, 802.1x authentication is initiated.   The VLAN that the client should be moved to or the interfaces on which the MAC addresses should be allowed can be configured. This will enable devices like printers, which do not support 802.1x to be connected to 802.1x enabled ports.
Symptoms:
Cause:

Solution:
Below is a configuration example for setting up MAC static list for bypassing 802.1x authentication.

The desired goal: When device with MAC 00:0a:0b:0c:0d:0e is connected to port ge-0/0/10, the device will bypass 802.1x authentication and port ge-0/0/10 will be assigned to VLAN 'support'

Known Considerations:
  1. The EX-series Ethernet switch is installed and initial configuration has been performed
  2. VLAN 'support' has been created
  3. 802.1x authentication will be enabled for interfaces ge-0/0/10.0, ge-0/0/11.0, ge-0/0/12.0
  4. The device with MAC 00:0a:0b:0c:0d:0e will be connected to interface ge-0/0/10
  5. ge-0/0/10.0 is currently provisioned to be in VLAN 'default'

Configuration:
  1. 802.1x authentication is enabled for interfaces ge-0/0/10.0 , ge-0/0/11.0, ge-0/0/12.0:
    user@switch# set protocols dot1x authenticator interface ge-0/0/10.0
    user@switch# set protocols dot1x authenticator interface ge-0/0/11.0
    user@switch# set protocols dot1x authenticator interface ge-0/0/12.0
  2. Set up MAC static List. A MAC address to VLAN assignment is created here:
    user@switch# set protocols dot1x authenticator static 00:0a:0b:0c:0d:0e vlan-assignment support
    user@switch# commit

This completes the configuration.

NOTE: In the example above, the MAC 00:0a:0b:0c:0d:0e is allowed on any interface on the switch. When device with MAC 00:0a:0b:0c:0d:0e is connected to any interface on the switch and traffic is initiated from it, it will bypass 802.1x authentication and the interface will be assigned to the configured VLAN; provided that the interface has 802.1x enabled on it.

NOTE: It is possible to configure the interfaces on which MAC 00:0a:0b:0c:0d:0e will be allowed. This can be done in the following manner:
user@switch#set protocols dot1x authenticator static 00:0a:0b:0c:0d:0e vlan-assignment support interface ge-0/0/10.0

Verification:
  1. Execute the following operational mode command:
    user@switch> show vlans
    Name    Tag Interfaces
    finance 400
                ge-0/0/37.0
    default
                ge-0/0/0.0,  ge-0/0/1.0,  ge-0/0/2.0,  ge-0/0/3.0,
                ge-0/0/4.0,  ge-0/0/5.0,  ge-0/0/6.0,  ge-0/0/7.0,
                ge-0/0/8.0,  ge-0/0/9.0,  ge-0/0/10.0, ge-0/0/11.0,
                ge-0/0/12.0, ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0,
                ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0,
                ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0,
                ge-0/0/24.0, ge-0/0/25.0, ge-0/0/26.0, ge-0/0/27.0,
                ge-0/0/28.0, ge-0/0/29.0, ge-0/0/30.0, ge-0/0/31.0,
                ge-0/0/32.0, ge-0/0/33.0, ge-0/0/34.0, ge-0/0/35.0,
                ge-0/0/39.0, ge-0/0/40.0, ge-0/0/41.0, ge-0/0/42.0,
                ge-0/0/43.0, ge-0/1/0.0,  ge-0/1/1.0,  ge-0/1/2.0,
                ge-0/1/3.0
    support 200
                ge-0/0/36.0*, ge-0/0/38.0*

    This display shows that ge-0/0/10.0 is currently assigned to VLAN 'default'

  2. Connect the device with MAC 00:0a:0b:0c:0d:0e to interface ge-0/0/10 and initiate traffic from the device

  3. Execute the following operational mode command:
    user@switch> show vlans
    Name    Tag Interfaces
    finance 400
                ge-0/0/37.0
    default
                ge-0/0/0.0,  ge-0/0/1.0,  ge-0/0/2.0,  ge-0/0/3.0,
                ge-0/0/4.0,  ge-0/0/5.0,  ge-0/0/6.0,  ge-0/0/7.0,
                ge-0/0/8.0,  ge-0/0/9.0,  ge-0/0/11.0, ge-0/0/12.0,
                ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0,
                ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0, ge-0/0/20.0,
                ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0, ge-0/0/24.0,
                ge-0/0/25.0, ge-0/0/26.0, ge-0/0/27.0, ge-0/0/28.0,
                ge-0/0/29.0, ge-0/0/30.0, ge-0/0/31.0, ge-0/0/32.0,
                ge-0/0/33.0, ge-0/0/34.0, ge-0/0/35.0, ge-0/0/39.0,
                ge-0/0/40.0, ge-0/0/41.0, ge-0/0/42.0, ge-0/0/43.0,
                ge-0/1/0.0,  ge-0/1/1.0,  ge-0/1/2.0,  ge-0/1/3.0
    support 200
                ge-0/0/10.0*, ge-0/0/36.0*, ge-0/0/38.0*

    This display shows interface ge-0/0/10.0 is now assigned to VLAN 'support'. The device with MAC 00:0a:0b:0c:0d:0e has bypassed 802.1x authentication.

  4. Execute the following command to view the MAC Static List:
    user@switch> show dot1x static-mac-address
    MAC address        VLAN-Assignment Interface
    00:0a:0b:0c:0d:0e  support
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search