Supported Platforms
Related Documentation
- EX Series
- Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch
- Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX Series Switch
- Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch
- Configuring 802.1X RADIUS Accounting (CLI Procedure)
- Filtering 802.1X Supplicants Using RADIUS Server Attributes
Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch
802.1X is the IEEE standard for Port-Based Network Access Control (PNAC). You use 802.1X to control network access. Only users and devices providing credentials that have been verified against a user database are allowed access to the network. You can use a RADIUS server as the user database for 802.1X authentication, as well as for MAC RADIUS authentication.
This example describes how to connect a RADIUS server to an EX Series switch and configure it for 802.1X.
Requirements
This example uses the following hardware and software components:
- Junos OS Release 9.0 or later for EX Series switches
- One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
- One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.
Before you connect the server to the switch, be sure you have:
- Performed basic bridging and VLAN configuration on the switch. See the documentation that describes setting up basic bridging and a VLAN for your switch. If you are using a switch that supports the Enhanced Layer 2 Software (ELS) configuration style, see Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch. For all other switches, see Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch.
  Note: For more about ELS, see Getting Started with Enhanced Layer 2 Software.
- Configured users on the RADIUS authentication server.
Overview and Topology
The EX Series switch acts as an authenticator Port Access Entity (PAE). It blocks all traffic and acts as a control gate until the supplicant (client) is authenticated by the server. All other users and devices are denied access.
Figure 1 shows one EX4200 switch that is connected to the devices listed in Table 1.
Figure 1: Topology for Configuration

Table 1: Components of the Topology
Property | Settings |
---|---|
Switch hardware | EX4200 access switch, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23) |
VLAN name | default |
One RADIUS server | Backend database with an address of 10.0.0.100 connected to the switch at port ge-0/0/10 |
In this example, connect the RADIUS server to access port ge-0/0/10 on the EX4200 switch. The switch acts as the authenticator and forwards credentials from the supplicant to the user database on the RADIUS server. You must configure connectivity between the EX4200 and the RADIUS server by specifying the address of the server and configuring the secret password. This information is configured in an access profile on the switch.
Note: For more information about authentication, authorization, and accounting (AAA) services, see the Junos OS System Basics Configuration Guide.
Configuration
CLI Quick Configuration
To quickly connect the RADIUS server to the switch, copy the following commands and paste them into the switch terminal window:
[edit]
set access radius-server 10.0.0.100 secret juniper
set access radius-server 10.0.0.200 secret juniper
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server [10.0.0.100 10.0.0.200]
Step-by-Step Procedure
To connect the RADIUS server to the switch:
- Define the address of the servers, and configure the secret password. The secret password on the switch must match the secret password on the server:
[edit]
user@switch# set access radius-server 10.0.0.100 secret juniper
user@switch# set access radius-server 10.0.0.200 secret juniper
- Configure the authentication order, making radius the first method of authentication:
[edit]
user@switch# set access profile profile1 authentication-order radius
- Configure a list of server IP addresses to be tried in order to authenticate the supplicant:
[edit]
user@switch# set access profile profile1 radius authentication-server [10.0.0.100 10.0.0.200]
Results
Display the results of the configuration:
user@switch> show configuration access
radius-server {
    10.0.0.100 {
        port 1812;
        secret "$9$qPT3ApBSrv69rvWLVb.P5"; ## SECRET-DATA
    }
}
profile profile1{
    authentication-order radius;
    radius {
        authentication-server 10.0.0.100 10.0.0.200;
    }
}
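The following check is an added example, not part of the original Juniper procedure. It reads the access configuration in set format (as pasted in the quick configuration, or as printed with `| display set`) and reports profiles that reference a RADIUS server with no configured secret, profiles where radius is not the first method, and plaintext secrets below a minimum length; the function name `audit` and the 16-character threshold are assumptions.

```python
import re

# Constructed sample: the set commands from this page's CLI Quick Configuration.
SAMPLE = """\
set access radius-server 10.0.0.100 secret juniper
set access radius-server 10.0.0.200 secret juniper
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server [10.0.0.100 10.0.0.200]
"""

SERVER_RE = re.compile(r"^set access radius-server (\S+) secret (\S+)$")
ORDER_RE = re.compile(r"^set access profile (\S+) authentication-order (.+)$")
AUTH_RE = re.compile(
    r"^set access profile (\S+) radius authentication-server \[?\s*([^\]]+?)\s*\]?$")

def audit(config_text, min_secret_len=16):
    """Return sorted findings for 'access' configuration given in set format.

    min_secret_len is an assumed local policy value, not a Junos setting.
    """
    secrets, orders, servers, findings = {}, {}, {}, []
    for line in map(str.strip, config_text.splitlines()):
        if m := SERVER_RE.match(line):
            secrets[m.group(1)] = m.group(2).strip('"')
        elif m := ORDER_RE.match(line):
            orders[m.group(1)] = m.group(2).strip("[] ").split()
        elif m := AUTH_RE.match(line):
            servers.setdefault(m.group(1), []).extend(m.group(2).split())
    for profile, ips in servers.items():
        if orders.get(profile, [])[:1] != ["radius"]:
            findings.append(f"{profile}: radius is not the first authentication method")
        for ip in ips:
            if ip not in secrets:
                findings.append(f"{profile}: {ip} has no radius-server entry with a secret")
    for ip, secret in secrets.items():
        # A committed configuration shows secrets in the "$9$" encoded form,
        # so the length of the plaintext can only be judged before commit.
        if not secret.startswith("$9$") and len(secret) < min_secret_len:
            findings.append(f"{ip}: secret is shorter than {min_secret_len} characters")
    return sorted(findings)
```

Run against the commands on this page, it flags the example secret `juniper` on both servers; in a real deployment the secret should be a long random value.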
Verification
To confirm that the configuration is working properly, perform these tasks:
Verify That the Switch and RADIUS Server are Properly Connected
Purpose
Verify that the RADIUS server is connected to the switch on the specified port.
Action
Ping the RADIUS server to verify the connection between the switch and the server:
user@switch> ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100): 56 data bytes
64 bytes from 10.93.15.218: icmp_seq=0 ttl=64 time=9.734 ms
64 bytes from 10.93.15.218: icmp_seq=1 ttl=64 time=0.228 ms
Meaning
ICMP echo request packets are sent from the switch to the target server at 10.0.0.100 to test whether it is reachable across the IP network. ICMP echo responses are being returned from the server, verifying that the switch and the server are connected.
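Ping confirms IP reachability only; it does not show that the switch and the server hold the same secret. The added example below (not from the original page) runs one constructed exchange in memory using the packet authenticators defined in RFC 2865 and RFC 3579, and shows that each side rejects the other's packets when the secrets differ. The function names are hypothetical and the reply is reduced to its header.

```python
import hashlib, hmac, os, struct

def attr(type_, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", type_, len(value) + 2) + value

def switch_build_request(secret, ident, identity):
    """Access-Request as an 802.1X authenticator sends it: User-Name(1),
    EAP-Message(79) carrying EAP-Response/Identity, and Message-Authenticator(80),
    an HMAC-MD5 over the whole packet keyed with the shared secret."""
    eap = struct.pack("!BBHB", 2, 0, 5 + len(identity), 1) + identity
    body = attr(1, identity) + attr(79, eap)
    head = struct.pack("!BBH", 1, ident, 20 + len(body) + 18) + os.urandom(16) + body
    # The HMAC is computed with the attribute value set to 16 zero octets.
    mac = hmac.new(secret, head + attr(80, bytes(16)), hashlib.md5).digest()
    return head + attr(80, mac)

def server_accepts_request(secret, pkt):
    """Server side: recompute Message-Authenticator with its own secret.
    Assumes attribute 80 is the last attribute, as built above."""
    want = hmac.new(secret, pkt[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(want, pkt[-16:])

def server_build_reply(secret, code, request, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def switch_accepts_reply(secret, request, reply):
    """Switch side: a reply whose authenticator does not verify is discarded."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    want = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(want, reply[4:20])

def exchange(switch_secret, server_secret, identity=b"alice"):
    """Run one constructed exchange; return (server_ok, switch_ok).
    A real server stays silent after a failed check; the reply is built
    here regardless so that both verifications can be observed."""
    request = switch_build_request(switch_secret, 7, identity)
    server_ok = server_accepts_request(server_secret, request)
    reply = server_build_reply(server_secret, 2, request)  # 2 = Access-Accept
    return server_ok, switch_accepts_reply(switch_secret, request, reply)
```

With matching secrets `exchange` returns `(True, True)`; with a one-character difference it returns `(False, False)`, which on a live network appears as authentication timeouts even though ping succeeds.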
Published: 2014-05-30