Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Announcement: Try the Ask AI chatbot for answers to your technical questions about Juniper products and solutions.

close
external-header-nav
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS User Access and Authentication Administration Guide for Junos OS Configuring IEEE 802.1x Port-Based Network Access Control in Enhanced LAN Mode

User Access and Authentication Administration Guide for Junos OS

Junos OS Junos OS Evolved
keyboard_arrow_up
close
keyboard_arrow_left
User Access and Authentication Administration Guide for Junos OS
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
keyboard_arrow_right

Configuring 802.1X Interface Settings on MX Series Routers in Enhanced LAN Mode

date_range 30-Nov-23
arrow_backward
arrow_forward

Starting with Junos OS Release 14.2, IEEE 802.1X authentication provides network edge security, protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from a supplicant (client) at the interface until the supplicant's credentials are presented and matched on the authentication server (a RADIUS server). When the supplicant is authenticated, the switch stops blocking access and opens the interface to the supplicant.

Note:

  • You can also specify an 802.1X exclusion list to specify supplicants can that can bypass authentication and be automatically connected to the LAN.

  • You cannot configure 802.1X user authentication on interfaces that have been enabled for Q-in-Q tunneling.

  • You cannot configure 802.1X user authentication on redundant trunk groups (RTGs).

Before you begin, specify the RADIUS server or servers to be used as the authentication server.

To configure 802.1X on an interface:

  1. Configure the supplicant mode as single (authenticates the first supplicant), single-secure (authenticates only one supplicant), or multiple (authenticates multiple supplicants):
    content_copy zoom_out_map
    [edit protocols authentication-access-control]
user@switch# set interface ge-0/0/5 supplicant multiple
  2. Enable reauthentication and specify the reauthentication interval:
    content_copy zoom_out_map
    [edit protocols authentication-access-control]
user@switch# set interface ge-0/0/5/0 dot1x reauthentication interval 5
  3. Configure the interface timeout value for the response from the supplicant:
    content_copy zoom_out_map
    [edit protocols authentication-access-control]
user@switch# set interface ge-0/0/5 dot1x supplicant-timeout 5
  4. Configure the timeout for the interface before it resends an authentication request to the RADIUS server:
    content_copy zoom_out_map
    [edit protocols authentication-access-control]
user@switch# set interface ge-0/0/5 server-timeout 5
  5. Configure how long, in seconds, the interface waits before retransmitting the initial EAPOL PDUs to the supplicant:
    content_copy zoom_out_map
    [edit protocols authentication-access-control]
user@switch# set interface ge-0/0/5 dot1x transmit-period 60
  6. Configure the maximum number of times an EAPOL request packet is retransmitted to the supplicant before the authentication session times out:
    content_copy zoom_out_map
    [edit protocols authentication-access-control]
user@switch# set interface ge-0/0/5 dot1x maximum-requests 5
  7. Configure the number of times the switch attempts to authenticate the port after an initial failure. The port remains in a wait state during the quiet period after the authentication attempt.
    content_copy zoom_out_map
    [edit protocols authentication-access-control]
user@switch# set interface ge-0/0/5 retries 1
Note:

This setting specifies the number of tries before the switch puts the interface in a “HELD” state.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
14.2
Starting with Junos OS Release 14.2, IEEE 802.1X authentication provides network edge security, protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from a supplicant (client) at the interface until the supplicant's credentials are presented and matched on the authentication server (a RADIUS server).
arrow_backward PREVIOUS Configuring 802.1X RADIUS Accounting on MX Series Routers in Enhanced LAN Mode
NEXT arrow_forward Configuring LLDP-MED on MX Series Routers in Enhanced LAN Mode
external-footer-nav