Configuring an EX Series Switch to Use Junos Pulse Access Control Service for Network Access Control (CLI Procedure)
You can connect the switch to Junos Pulse Access Control Service to set up a centralized, end-to-end network access control (NAC) system, which allows you to control who is admitted to the network and what resources those users are allowed to access.
The Access Control Service functions both as an authentication server (RADIUS server) and as a centralized policy management server.
Before you begin configuring the switch to connect to the Access Control Service:
- Configure a resource access policy. See Configuring Resource Access Policies.
- Obtain the password of the Access Control Service.
- Obtain the IP address of the Access Control Service.
Note: Specify the same IP address for the authentication server, the RADIUS server, and the infranet controller (NAC device). These components refer to the same Access Control Service.
To configure the switch to work with the Access Control Service:

1. Configure the switch to use the Access Control Service for authentication and authorization:

   ```
   [edit ethernet-switching-options]
   user@switch# set uac-policy
   ```

2. Configure the access profile to specify the Access Control Service. The access profile contains the authentication and authorization configuration that aids in handling authentication and authorization requests, including the authentication method and sequence, and the Access Control Service address:

   - Configure radius as the authentication method to be used when attempting to authenticate a user. For each login attempt, the software tries the authentication methods in order, starting with the first one, until the password matches:

     ```
     [edit access profile]
     user@switch# set profile-name authentication-order radius
     ```

   - Specify the IP address of the authentication server:

     Note: Specify the same IP address that you use for the RADIUS server and the NAC device.

     ```
     [edit access profile]
     user@switch# set profile-name radius authentication-server ip-address
     ```

3. Configure the RADIUS server to use the same IP address that you specified for the authentication server:

   ```
   [edit access]
   user@switch# set radius-server ip-address
   ```

4. Configure the password to use for connecting the switch with the RADIUS server:

   Note: The password specified here is used for RADIUS communications between the switch and the Access Control Service. It does not need to match the password that is specified on the Access Control Service through the administrative interface on the Access Control Service.

   ```
   [edit access]
   user@switch# set radius-server secret password
   ```

5. Configure the address of the Access Control Service MAG Series or IC Series NAC device:

   Note: Specify the hostname and IP address of the NAC device. This is the same IP address that you used for specifying the authentication server.

   ```
   [edit services unified-access-control infranet-controller hostname]
   user@switch# set address ip-address
   ```

6. Configure the switch's management Ethernet interface for the NAC device:

   ```
   [edit services unified-access-control infranet-controller hostname]
   user@switch# set interface me0.0
   ```

7. Configure the password for connecting the switch to the Access Control Service NAC device:

   Note: This password must match the password specified on the Access Control Service through its administrative interface. It is used for Junos UAC Enforcer Protocol (JUEP) communications between the switch and the Access Control Service.

   ```
   [edit services unified-access-control infranet-controller hostname]
   user@switch# set password password
   ```

8. Configure the amount of time that the switch waits to receive a response from the Access Control Service:

   ```
   [edit services unified-access-control]
   user@switch# set timeout seconds
   ```

9. Specify the time between continuity-check messages for the switch's connection with the Access Control Service:

   ```
   [edit services unified-access-control]
   user@switch# set interval seconds
   ```

10. Specify an action for the switch to take if a timeout occurs for the connection between the switch and the Access Control Service:

    ```
    [edit services unified-access-control]
    user@switch# set timeout-action action
    ```

11. Specify the name of the access profile to use for 802.1X, MAC RADIUS, or captive portal authentication:

    Note: Use the same access profile that you configured previously (step 2).

    ```
    [edit protocols dot1x]
    user@switch# set authenticator authentication-profile-name profile-name
    ```

12. Configure the 802.1X interface that the switch will use for communicating with the Access Control Service:

    ```
    [edit protocols dot1x]
    user@switch# set authenticator interface interface-name
    ```
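As an added check, not Juniper code or part of this procedure, the following Python script validates a set-format configuration against the cross-references the notes above require: one shared IP address for the authentication server, the RADIUS server and the NAC device, a secret for the RADIUS server, an interface and password for the infranet controller, and a dot1x profile that uses the radius authentication order. The sample configuration, profile name, hostname, addresses and secrets are constructed placeholders, and the hierarchy names are assumed to be exactly those shown in the steps.

```python
from typing import List

# Constructed sample in Junos set format, assembled from the procedure's statements;
# profile name, hostname, addresses and secrets are placeholders, not values from the page.
SAMPLE_CONFIG = """
set ethernet-switching-options uac-policy
set access profile uac-profile authentication-order radius
set access profile uac-profile radius authentication-server 192.0.2.10
set access radius-server 192.0.2.10 secret radius-secret-placeholder
set services unified-access-control infranet-controller ic1 address 192.0.2.10
set services unified-access-control infranet-controller ic1 interface me0.0
set services unified-access-control infranet-controller ic1 password juep-secret-placeholder
set services unified-access-control timeout 60
set services unified-access-control interval 30
set services unified-access-control timeout-action close
set protocols dot1x authenticator authentication-profile-name uac-profile
set protocols dot1x authenticator interface ge-0/0/1.0
"""

def _captures(stmts: List[List[str]], *pattern: str) -> List[List[str]]:
    # Tokens captured by '*' for every statement whose prefix matches the pattern.
    return [[t for t, p in zip(s, pattern) if p == "*"] for s in stmts
            if len(s) >= len(pattern) and all(p in ("*", t) for t, p in zip(s, pattern))]

def check_uac_config(config: str) -> List[str]:
    """Return findings for the cross-references the notes require; [] means consistent."""
    stmts = [ln.split()[1:] for ln in config.splitlines() if ln.startswith("set ")]
    findings: List[str] = []
    if not _captures(stmts, "ethernet-switching-options", "uac-policy"):
        findings.append("uac-policy is not enabled under ethernet-switching-options")
    ic = "services", "unified-access-control", "infranet-controller"
    auth = _captures(stmts, "access", "profile", "*", "radius", "authentication-server", "*")
    radius = _captures(stmts, "access", "radius-server", "*")
    nac = _captures(stmts, *ic, "*", "address", "*")
    addrs = {ip for _, ip in auth} | {ip for (ip,) in radius} | {ip for _, ip in nac}
    if len(addrs) != 1:  # authentication server, RADIUS server and NAC device share one address
        findings.append(f"expected one shared address, found {sorted(addrs)}")
    for (ip,) in radius:
        if not _captures(stmts, "access", "radius-server", ip, "secret", "*"):
            findings.append(f"RADIUS server {ip} has no shared secret")
    for host, _ in nac:
        for leaf in ("interface", "password"):
            if not _captures(stmts, *ic, host, leaf, "*"):
                findings.append(f"infranet-controller {host} is missing {leaf}")
    ok = {p for (p,) in _captures(stmts, "access", "profile", "*", "authentication-order", "radius")}
    for (p,) in _captures(stmts, "protocols", "dot1x", "authenticator", "authentication-profile-name", "*"):
        if p not in ok:
            findings.append(f"dot1x profile {p} does not use radius authentication-order")
    return findings
```

Feed it the output of `show configuration | display set` from the switch; each finding names the statement that breaks one of the cross-references the procedure depends on.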