Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

English  

English

Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants Using RADIUS Server Attributes on an EX Series Switch

Requirements

• Junos OS Release 9.3 or later for EX Series switches
• One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
• One RADIUS authentication server. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you connect the server to the switch, be sure you have:

• Set up a connection between the switch and the RADIUS server. See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch.
• Configured 802.1X authentication on the switch, with the authentication mode for interface ge-0/0/2 set to multiple. See Configuring 802.1X Interface Settings (CLI Procedure) and Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch.
• Configured users on the RADIUS authentication server (in this example, the user profiles for Supplicant 1 and Supplicant 2 in the topology are modified on the RADIUS server).

Overview and Topology

When the 802.1X configuration on an interface is set to multiple supplicant mode, you can apply a single port firewall filter configured through the Junos OS CLI on the EX Series switch to any number of end devices (supplicants) on one interface by adding the filter centrally to the RADIUS server. Only a single filter can be applied to an interface; however, the filter can contain multiple terms for separate end devices.

For more information about firewall filters, see Firewall Filters for EX Series Switches Overview.

RADIUS server attributes are applied to end devices after the devices are successfully authenticated using 802.1X. To authenticate an end device, the switch forwards the end device’s credentials to the RADIUS server. The RADIUS server matches the credentials against preconfigured information about the supplicant located in the supplicant’s user profile on the RADIUS server. If a match is found, the RADIUS server instructs the switch to open an interface to the end device. Traffic then flows from and to the end device on the LAN. Further instructions configured in the port firewall filter and added to the end device’s user profile using a RADIUS server attribute further define the access that the end device is granted. Filtering terms configured in the port firewall filter are applied to the end device after 802.1X authentication is complete.

Note: If you modify the port firewall filter after an end device is successfully authenticated using 802.1X, you must terminate and re-establish the 802.1X authentication session for the firewall filter configuration changes to be effective.

Figure 1 shows the topology used for this example. The RADIUS server is connected to an EX4200 switch on access port ge-0/0/10. Two end devices (supplicants) are accessing the LAN on interface ge-0/0/2. Supplicant 1 has the MAC address 00:50:8b:6f:60:3a. Supplicant 2 has the MAC address 00:50:8b:6f:60:3b.

Figure 1: Topology for Firewall Filter and RADIUS Server Attributes Configuration

Table 1 describes the components in this topology.

In this example, you configure a port firewall filter named filter1. The filter contains terms that will be applied to the end devices based on the MAC addresses of the end devices. When you configure the filter, you also configure the counters counter1 and counter2. Packets from each end device are counted, which helps you verify that the configuration is working. Policer policer p1 limits the traffic rate based on the values for exceeding and discard parameters. Then, you check to see that the RADIUS server attribute is available on the RADIUS server and apply the filter to the user profiles of each end device on the RADIUS server. Finally, you verify the configuration by displaying output for the two counters.

Note: For more information about authentication, authorization, and accounting (AAA) services, see the Junos OS System Basics Configuration Guide.

Configuring the Port Firewall Filter and Counters

Configure a port firewall filter and counters:

CLI Quick Configuration

To quickly configure a port firewall filter with terms for Supplicant 1 and Supplicant 2 and create parallel counters for each supplicant, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

1. Configure a port firewall filter (here, filter1) with terms for each end device based upon the MAC address of each end device:
   [edit firewall family ethernet-switching]

   
   

   user@switch# set filter filter1 term supplicant1 from source-mac-address 00:50:8b:6f:60:3a
user@switch# set filter filter1 term supplicant2 from source-mac-address 00:50:8b:6f:60:3b

2. Set policer definition:

   user@switch# show policer p1 |display set
   set firewall policer p1 if-exceeding bandwidth-limit 1m
   set firewall policer p1 if-exceeding burst-size-limit 1k
   set firewall policer p1 then discard

3. Create two counters that will count packets for each end device and a policer which limits the traffic rate:
   [edit firewall family ethernet-switching]

   
   

   user@switch# set filter filter1 term supplicant1 then count counter1
user@switch# set filter filter1 term supplicant1 then policer p1
user@switch# set filter filter1 term supplicant2 then count counter2

Results

Display the results of the configuration:

Applying the Port Firewall Filter to the Supplicant User Profiles on the RADIUS Server

Verify that the RADIUS server attribute needed to apply a filter on the RADIUS server is on the server and then apply the port firewall filter to each end device’s user profile on the RADIUS server:

Step-by-Step Procedure

1. Display the dictionary dictionary.rfc2865 on the RADIUS server, and verify that the attribute Filter-ID is in the dictionary:
   [root@freeradius]# cd usr/share/freeradius/dictionary.rfc2865

   
   
2. Close the dictionary file.
3. Display the local user profiles of the end devices to which you want to apply the filter (here, the user profiles are called supplicant1 and supplicant2):
   [root@freeradius]# cat /usr/local/etc/raddb/users

   The output shows:

   supplicant1 Auth-Type := EAP, User-Password == "supplicant1"
           Tunnel-Type = VLAN,
           Tunnel-Medium-Type = IEEE-802,
           Tunnel-Private-Group-Id = "1005"
   
   supplicant2 Auth-Type := EAP, User-Password == "supplicant2"
           Tunnel-Type = VLAN,
           Tunnel-Medium-Type = IEEE-802,
           Tunnel-Private-Group-Id = "1005"

4. Apply the filter to both user profiles by adding the line Filter-Id = “filter1” to each profile, and then close the file:
   [root@freeradius]# cat /usr/local/etc/raddb/users

   After you paste the line into the files, the files look like this:

   supplicant1 Auth-Type := EAP, User-Password == "supplicant1"
           Tunnel-Type = VLAN,
           Tunnel-Medium-Type = IEEE-802,
           Tunnel-Private-Group-Id = "1005",
           Filter-Id = "filter1"
   
   supplicant2 Auth-Type := EAP, User-Password == "supplicant2"
           Tunnel-Type = VLAN,
           Tunnel-Medium-Type = IEEE-802,
           Tunnel-Private-Group-Id = "1005",
           Filter-Id = "filter1"

Verification

Verify that the filter has been applied to the end devices:

• Verifying That the Filter Has Been Applied to the Supplicants

Verifying That the Filter Has Been Applied to the Supplicants

Purpose

After the end devices are authenticated, verify that the filter configured on the switch and added to each end device’s user profile on the RADIUS server has been applied:

Action

Filter: filter1                                                    
Counters:
Name                                                Bytes              Packets
counter1                                              128                    2
counter2                                               64                    1

 

  

Meaning

The output of the command show firewall filter filter1 displays counter1 and counter2. Packets from Supplicant 1 are counted using counter1, and packets from Supplicant 2 are counted using counter2. The output displays packets incrementing for both counters. The filter has been applied to both end devices.