Example: Configuring Fallback Options on EX Series Switches for EAP-TTLS Authentication and Odyssey Access Clients
For 802.1X user authentication, EX Series switches support RADIUS authentication servers that are using Extensible Authentication Protocol–Tunneled TLS (EAP-TTLS) to authenticate Odyssey Access Client (OAC) supplicants. OAC networking software runs on endpoint computers (desktop, laptop, or notepad computers and supported wireless devices) and provides secure access to both wired and wireless networks.
This example describes how to configure an 802.1X-enabled interface on the switch to provide fallback support for OAC users who have entered incorrect login credentials:
Requirements
This example uses the following hardware and software components:
- Junos OS Release 11.2 or later for EX Series switches
- One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
- One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.
- One OAC end device acting as a supplicant.
Before you begin configuring the fallback option, ensure that you have:
- Set up a connection between the switch and the RADIUS server. See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch.
- Configured EAP-TTLS on the server. See your RADIUS server documentation.
- Configured users on the RADIUS server. See your RADIUS server documentation.
Overview and Topology
OAC is networking software that runs on endpoint computers (desktop, laptop, or notepad) and supported wireless devices. OAC provides full support for EAP, which is required for secure wireless LAN access.
In this topology, OAC is deployed with an 802.1X-enabled switch and a RADIUS server. The switch functions as an enforcement point in the network security architecture. This topology:
- Ensures that only authorized users can connect.
- Maintains privacy of login credentials.
- Maintains data privacy over the wireless link.
This example includes the configuration of a server-reject VLAN on the switch, which can be used to prevent accidental lockout for users who have entered incorrect login credentials. These users can be given limited LAN access.
However, this fallback configuration is complicated by the fact that the OAC supplicant and RADIUS server are using EAP-TTLS. EAP-TTLS creates a secure encrypted tunnel between the server and the end device to complete the authentication process. When the user enters an incorrect login, the RADIUS server sends EAP failure messages directly to the client through this tunnel. The EAP failure message causes the client to restart the authentication procedure, so that the switch’s 802.1X authentication process tears down the session that was established with the switch using the server-reject VLAN. You can enable the remedial connection to continue by configuring:
- eapol-block—Enable the EAPoL block timer on the 802.1X interface that is configured to belong to the server-reject VLAN. The block timer causes the authenticator port access entity to ignore EAP start messages from a client that is attempting to restart the authentication procedure.
Note: The EAPoL block timer is triggered only after the retries on the 802.1X interface have been exhausted. You can configure retries to specify the number of times the switch attempts to authenticate the port after an initial failure. The default is three retries.
- block-interval—Configure the amount of time that you want the EAPoL block timer to continue to ignore EAP start messages. If you do not configure the block interval, the EAPoL block timer defaults to 120 seconds.
When the 802.1X interface ignores the EAP start messages from the client, the switch allows the existing remedial session that was established through the server-reject VLAN to remain open.
These configuration options apply to single, single-secure, and multiple supplicant authentication modes. In this example, the 802.1X interface is configured in single-supplicant mode.
Figure 1 shows an EX Series switch connecting an OAC end device to a RADIUS server, and indicates the protocols being used to connect the network entities.
Figure 1: EX Series Switch Connecting OAC to RADIUS Server Using EAP-TTLS Authentication

Table 1 describes the components in this OAC deployment:
Table 1: Components of the OAC Deployment
| Property | Settings |
|---|---|
| Switch hardware | EX Series switch |
| VLANs | default; server-reject-vlan: VLAN name is remedial and VLAN ID is 700 |
| 802.1X interface | ge-0/0/8 |
| OAC supplicant | EAP-TTLS |
| One RADIUS authentication server | EAP-TTLS |
Configuration
To configure fallback options for EAP-TTLS and OAC supplicants, perform this task:
CLI Quick Configuration
To quickly configure the fallback options for EAP-TTLS and OAC supplicants, copy the following commands and paste them into the switch terminal window:
[edit]
set vlans remedial vlan-id 700
set protocols dot1x authenticator interface ge-0/0/8 retries 4
set protocols dot1x authenticator interface ge-0/0/8 server-reject-vlan remedial
set protocols dot1x authenticator interface ge-0/0/8 server-reject-vlan eapol-block
set protocols dot1x authenticator interface ge-0/0/8 server-reject-vlan block-interval 130
Step-by-Step Procedure
To configure the fallback options for EAP-TTLS and OAC supplicants:
Tip: In this example, the switch has only one server-reject VLAN. Therefore, the configuration specifies eapol-block and block-interval directly after server-reject-vlan. However, if you have configured multiple VLANs on the switch, you should include the VLAN name or VLAN ID directly after server-reject-vlan to indicate which VLAN is being modified.
- Configure a VLAN that will function as the server-reject VLAN to provide limited LAN access for users who have entered incorrect login credentials:
- Configure the number of times for the client to be prompted for username and password before an incorrect login is directed to the server-reject VLAN:
  [edit protocols dot1x authenticator interface ge-0/0/8]
  user@switch# set retries 4
- Configure the 802.1X authenticator interface to use the server-reject VLAN as a fallback for incorrect logins:
  [edit protocols dot1x authenticator interface ge-0/0/8]
  user@switch# set server-reject-vlan remedial
- Enable the EAPoL block timer on the 802.1X interface that is configured to belong to the server-reject VLAN:
  [edit protocols dot1x authenticator interface ge-0/0/8]
  user@switch# set server-reject-vlan eapol-block
- Configure the amount of time for the EAPoL block to remain in effect:
  [edit protocols dot1x authenticator interface ge-0/0/8]
  user@switch# set server-reject-vlan block-interval 130
Results
Check the results of the configuration:
Verification
To confirm that the configuration and the fallback options are working correctly, perform this task:
Verifying the Configuration of the 802.1X Interface
Purpose
Verify that the 802.1X interface is configured with the desired options:
Action
user@switch> show dot1x interface ge-0/0/8.0 detail
ge-0/0/8.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single
  Number of retries: 4
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Disabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 120 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPoL requests: 2
  Guest VLAN member: guest
  Number of connected supplicants: 1
    Supplicant: tem, 2A:92:E6:F2:00:00
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentication method: Radius
      Authenticated VLAN: remedial
      Session Reauth interval: 120 seconds
      Reauthentication due in 68 seconds
Meaning
The show dot1x interface ge-0/0/8.0 detail output shows that the supplicant on the ge-0/0/8 interface is in the Authenticated state and that it has been placed in the remedial VLAN, confirming that the server-reject fallback is in effect.
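As an added check for this verification step (example code, not from the Juniper documentation or from Junos itself), the following Python parses the show dot1x interface detail output and reports whether retries match this example and which authenticated supplicants are sitting in the server-reject VLAN, which is the population an operator would want to follow up on. Field names come from the output above; the embedded sample is that output, abridged.

```python
# Sample taken from the page's "show dot1x interface ge-0/0/8.0 detail" output,
# abridged and laid out one field per line as the CLI prints it.
SAMPLE_OUTPUT = """\
ge-0/0/8.0
  Role: Authenticator
  Supplicant mode: Single
  Number of retries: 4
  Guest VLAN member: guest
  Number of connected supplicants: 1
    Supplicant: tem, 2A:92:E6:F2:00:00
      Operational state: Authenticated
      Authentication method: Radius
      Authenticated VLAN: remedial
      Reauthentication due in 68 seconds
"""


def parse_dot1x_detail(text):
    """Map 'Key: value' lines to a dict; each 'Supplicant:' line starts a
    sub-dict collecting the fields indented beneath it."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:                  # interface name, blank, or free text
            if line:
                result.setdefault("interface", line)
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Supplicant":              # value keeps the MAC's own colons
            current = {"Supplicant": value}
            result.setdefault("supplicants", []).append(current)
        elif current is not None:
            current[key] = value
        else:
            result[key] = value
    return result


def fallback_status(parsed, vlan="remedial", retries=4):
    """Report whether retries match the example and which authenticated
    supplicants sit in the server-reject VLAN (credentials rejected by RADIUS)."""
    remedial = [s["Supplicant"] for s in parsed.get("supplicants", [])
                if s.get("Operational state") == "Authenticated"
                and s.get("Authenticated VLAN") == vlan]
    return {"interface": parsed.get("interface"),
            "retries_ok": parsed.get("Number of retries") == str(retries),
            "remedial_supplicants": remedial}
```

Feed it the full output of the command on each 802.1X interface; a non-empty remedial_supplicants list means a host is connected with limited access after failing RADIUS authentication.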